Issue #22273 has been reported by Josh Partlow.
----------------------------------------
Bug #22273: Puppet does not manage group for all of its configuration.
https://projects.puppetlabs.com/issues/22273
* Author: Josh Partlow
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category: settings
* Target version: 3.x
* Affected Puppet version: 3.2.4
* Keywords: rhel6 packages settings mkusers ca
* Branch:
----------------------------------------
This was identified on rhel6, with puppet installed from the rhel6 packages. I
was testing
acceptance/tests/config/puppet_manages_own_configuration_in_robust_manner.rb
while updating the acceptance suite for the changes from pe.
On rhel6, when installed from packages, the puppet user and group are created
with low numbered system ids (in this case 52). If they are removed and `sudo
puppet master --mkusers` is executed, a new puppet user and group are created
in the 500's. But not all groups are adjusted, and the group does not
accidentally match (which it might have had the original system and group been
installed with non-system ids and been in the 500's to begin with...so this
problem may not be visible if installing from source).
A subsequent `sudo puppet master` fails with the following log output:
Aug 22 16:03:13 localhost puppet-master[2697]: Reopening log files
Aug 22 16:03:13 localhost puppet-master[2697]: Starting Puppet master version 3.2.4
Aug 22 16:03:13 localhost puppet-master[2697]: Could not run: Could not find CA certificate
Steps to reproduce:
[root@ykkh8vilnuwe3d2 ~]# facter | grep -E '^(os|op|pu|ru)'
operatingsystem => RedHat
operatingsystemmajrelease => 6
operatingsystemrelease => 6.3
osfamily => RedHat
puppetversion => 3.2.4
rubysitedir => /usr/lib/ruby/site_ruby/1.8
rubyversion => 1.8.7
First capturing original user/group state:
[root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet
user { 'puppet':
ensure => 'present',
comment => 'Puppet',
gid => '52',
home => '/var/lib/puppet',
password => '!!',
password_max_age => '-1',
password_min_age => '-1',
shell => '/sbin/nologin',
uid => '52',
}
[root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet
group { 'puppet':
ensure => 'present',
gid => '52',
}
[root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet > original_user_group_state
[root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet > original_user_group_state
[root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet >> original_user_group_state
[root@ykkh8vilnuwe3d2 ~]# echo "Group['puppet'] -> User['puppet']" >> original_user_group_state
[root@ykkh8vilnuwe3d2 ~]# cat original_user_group_state
user { 'puppet':
ensure => 'present',
comment => 'Puppet',
gid => '52',
home => '/var/lib/puppet',
password => '!!',
password_max_age => '-1',
password_min_age => '-1',
shell => '/sbin/nologin',
uid => '52',
}
group { 'puppet':
ensure => 'present',
gid => '52',
}
Group['puppet'] -> User['puppet']
Then removing the user and group:
[root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet 'ensure=absent'
Notice: /User[puppet]/ensure: removed
user { 'puppet':
ensure => 'absent',
}
[root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet 'ensure=absent'
group { 'puppet':
ensure => 'absent',
}
And try to start up master with --mkusers:
[root@ykkh8vilnuwe3d2 ~]# tail -f /var/log/messages &
...
[root@ykkh8vilnuwe3d2 ~]# puppet master --mkusers
Aug 22 16:40:30 localhost puppet-master[3282]: (/Group[puppet]/ensure) created
Aug 22 16:40:30 localhost puppet-master[3282]: (/User[puppet]/ensure) created
Aug 22 16:40:30 localhost puppet-master[3298]: Reopening log files
Aug 22 16:40:30 localhost puppet-master[3298]: Starting Puppet master version 3.2.4
Aug 22 16:40:30 localhost puppet-master[3298]: Could not run: Could not find CA certificate
[root@ykkh8vilnuwe3d2 ~]# ps -ef | grep ruby
root 3301 3041 0 16:40 pts/1 00:00:00 grep ruby
Taking a look at what has which group in /var/lib/puppet:
[root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet
group { 'puppet':
ensure => 'present',
gid => '500',
}
[root@ykkh8vilnuwe3d2 ~]# find /var/lib/puppet/ -gid 52
/var/lib/puppet/
/var/lib/puppet/ssl/ca/signed/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
/var/lib/puppet/ssl/ca/signed/yblw2pcb1s33dpr.delivery.puppetlabs.net.pem
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/certs/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
/var/lib/puppet/ssl/crl.pem
/var/lib/puppet/ssl/private_keys/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
/var/lib/puppet/ssl/public_keys/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
/var/lib/puppet/reports/ykkh8vilnuwe3d2.delivery.puppetlabs.net
/var/lib/puppet/reports/ykkh8vilnuwe3d2.delivery.puppetlabs.net/201308222252.yaml
/var/lib/puppet/reports/yblw2pcb1s33dpr.delivery.puppetlabs.net
/var/lib/puppet/reports/yblw2pcb1s33dpr.delivery.puppetlabs.net/201308222252.yaml
[root@ykkh8vilnuwe3d2 ~]# find /var/lib/puppet/ -gid 500
/var/lib/puppet/rrd
/var/lib/puppet/yaml
/var/lib/puppet/ssl/ca
/var/lib/puppet/ssl/ca/requests
/var/lib/puppet/ssl/ca/ca_crl.pem
/var/lib/puppet/ssl/ca/ca_key.pem
/var/lib/puppet/ssl/ca/serial
/var/lib/puppet/ssl/ca/private
/var/lib/puppet/ssl/ca/private/ca.pass
/var/lib/puppet/ssl/ca/signed
/var/lib/puppet/ssl/ca/ca_crt.pem
/var/lib/puppet/ssl/ca/ca_pub.pem
/var/lib/puppet/ssl/ca/inventory.txt
/var/lib/puppet/server_data
/var/lib/puppet/reports
/var/lib/puppet/bucket
And now returning to original user and group:
[root@ykkh8vilnuwe3d2 ~]# puppet apply original_user_group_state
Notice: Compiled catalog for ykkh8vilnuwe3d2.delivery.puppetlabs.net in environment production in 0.23 seconds
Notice: /Stage[main]//Group[puppet]/gid: gid changed '500' to '52'
Notice: /Stage[main]//User[puppet]/home: home changed '/home/puppet' to '/var/lib/puppet'
Notice: /Stage[main]//User[puppet]/uid: uid changed '500' to '52'
Notice: /Stage[main]//User[puppet]/comment: comment changed '' to 'Puppet'
Notice: /Stage[main]//User[puppet]/shell: shell changed '/bin/bash' to '/sbin/nologin'
Notice: /Stage[main]//User[puppet]/password_min_age: password_min_age changed '0' to '-1'
Notice: /Stage[main]//User[puppet]/password_max_age: password_max_age changed '99999' to '-1'
Notice: Finished catalog run in 0.46 seconds
[root@ykkh8vilnuwe3d2 ~]# puppet master
Aug 22 16:44:25 localhost puppet-master[3615]: Failed to set SELinux context system_u:object_r:puppet_var_run_t:s0 on /var/run/puppet/master.pid
Aug 22 16:44:25 localhost puppet-master[3622]: Reopening log files
Aug 22 16:44:25 localhost puppet-master[3622]: Starting Puppet master version 3.2.4
[root@ykkh8vilnuwe3d2 ~]# ps -ef | grep ruby
puppet 3622 1 0 16:44 ? 00:00:00 /usr/bin/ruby /usr/bin/puppet master
root 3626 3041 0 16:44 pts/1 00:00:00 grep ruby
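The `find /var/lib/puppet/ -gid 52` and `-gid 500` comparison from the report, generalized into a reusable ownership check. This is an added example, not part of the original report or of Puppet; the function names are hypothetical and it assumes a POSIX shell with `find`, `ls`, `awk` and `getent`.

```shell
#!/bin/sh
# Added example: audit group ownership under a Puppet vardir after the
# puppet group has been recreated with a different gid.
# Function names are hypothetical; requires find, ls, awk and getent.

# Pass a numeric gid through unchanged; resolve a group name via getent.
resolve_gid() {
    case "$1" in
        ''|*[!0-9]*) getent group "$1" | cut -d: -f3 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print every path under DIR whose gid differs from GROUP's current gid.
# Returns 2 if DIR is missing or GROUP cannot be resolved.
stale_group_paths() {
    dir=$1
    gid=$(resolve_gid "$2")
    [ -d "$dir" ] && [ -n "$gid" ] || return 2
    find "$dir" ! -gid "$gid" -print
}

# Number of paths under DIR that are not owned by GROUP's current gid.
count_stale_group_paths() {
    paths=$(stale_group_paths "$1" "$2") || return 2
    if [ -z "$paths" ]; then echo 0; return 0; fi
    printf '%s\n' "$paths" | wc -l | tr -d ' '
}

# One "gid count" line per gid found under DIR, so a tree split between
# an old and a new gid is visible at a glance. Field 4 of `ls -ldn` is
# the numeric gid (file names containing newlines would skew the count).
gid_histogram() {
    find "$1" -exec ls -ldn {} + |
        awk '{ n[$4]++ } END { for (g in n) print g, n[g] }' | sort -n
}

# Usage: sh audit.sh /var/lib/puppet puppet
if [ "$#" -eq 2 ]; then
    gid_histogram "$1"
    stale_group_paths "$1" "$2"
fi
```

Run as root against `/var/lib/puppet` with group `puppet`, the state shown in the report would list the paths still on gid 52.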