Issue #22273 has been updated by Josh Partlow.

Target version changed from 3.x to 3.4.0
Branch set to https://github.com/puppetlabs/puppet/pull/1891
----------------------------------------
Bug #22273: Puppet does not manage group for all of its configuration.
https://projects.puppetlabs.com/issues/22273#change-97416

* Author: Josh Partlow
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category: settings
* Target version: 3.4.0
* Affected Puppet version: 3.2.4
* Keywords: packages settings mkusers ca
* Branch: https://github.com/puppetlabs/puppet/pull/1891
----------------------------------------
This was identified on rhel6, with puppet installed from the rhel6 packages. I was testing acceptance/tests/config/puppet_manages_own_configuration_in_robust_manner.rb while updating the acceptance suite for the changes from pe.

On rhel6, when installed from packages, the puppet user and group are created with low numbered system ids (in this case 52). If they are removed and `sudo puppet master --mkusers` is executed, a new puppet user and group are created in the 500's. But not all groups are adjusted, and the group does not accidentally match (which it might have had the original system and group been installed with non-system ids and been in the 500's to begin with...so this problem may not be visible if installing from source).
A subsequent `sudo puppet master` fails with the following log output:

    Aug 22 16:03:13 localhost puppet-master[2697]: Reopening log files
    Aug 22 16:03:13 localhost puppet-master[2697]: Starting Puppet master version 3.2.4
    Aug 22 16:03:13 localhost puppet-master[2697]: Could not run: Could not find CA certificate

Steps to reproduce:

    [root@ykkh8vilnuwe3d2 ~]# facter | grep -E '^(os|op|pu|ru)'
    operatingsystem => RedHat
    operatingsystemmajrelease => 6
    operatingsystemrelease => 6.3
    osfamily => RedHat
    puppetversion => 3.2.4
    rubysitedir => /usr/lib/ruby/site_ruby/1.8
    rubyversion => 1.8.7

First capturing original user/group state:

    [root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet
    user { 'puppet':
      ensure           => 'present',
      comment          => 'Puppet',
      gid              => '52',
      home             => '/var/lib/puppet',
      password         => '!!',
      password_max_age => '-1',
      password_min_age => '-1',
      shell            => '/sbin/nologin',
      uid              => '52',
    }
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet
    group { 'puppet':
      ensure => 'present',
      gid    => '52',
    }
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet > original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet > original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet >> original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# echo "Group['puppet'] -> User['puppet']" >> original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# cat original_user_group_state
    user { 'puppet':
      ensure           => 'present',
      comment          => 'Puppet',
      gid              => '52',
      home             => '/var/lib/puppet',
      password         => '!!',
      password_max_age => '-1',
      password_min_age => '-1',
      shell            => '/sbin/nologin',
      uid              => '52',
    }
    group { 'puppet':
      ensure => 'present',
      gid    => '52',
    }
    Group['puppet'] -> User['puppet']

Then removing the user and group:

    [root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet 'ensure=absent'
    Notice: /User[puppet]/ensure: removed
    user { 'puppet':
      ensure => 'absent',
    }
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet 'ensure=absent'
    group { 'puppet':
      ensure => 'absent',
    }

And try to start up master with --mkusers:

    [root@ykkh8vilnuwe3d2 ~]# tail -f /var/log/messages &
    ...
    [root@ykkh8vilnuwe3d2 ~]# puppet master --mkusers
    Aug 22 16:40:30 localhost puppet-master[3282]: (/Group[puppet]/ensure) created
    Aug 22 16:40:30 localhost puppet-master[3282]: (/User[puppet]/ensure) created
    Aug 22 16:40:30 localhost puppet-master[3298]: Reopening log files
    Aug 22 16:40:30 localhost puppet-master[3298]: Starting Puppet master version 3.2.4
    Aug 22 16:40:30 localhost puppet-master[3298]: Could not run: Could not find CA certificate
    [root@ykkh8vilnuwe3d2 ~]# ps -ef | grep ruby
    root 3301 3041 0 16:40 pts/1 00:00:00 grep ruby

Taking a look at what has which group in /var/lib/puppet:

    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet
    group { 'puppet':
      ensure => 'present',
      gid    => '500',
    }
    [root@ykkh8vilnuwe3d2 ~]# find /var/lib/puppet/ -gid 52
    /var/lib/puppet/
    /var/lib/puppet/ssl/ca/signed/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/ca/signed/yblw2pcb1s33dpr.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/certs/ca.pem
    /var/lib/puppet/ssl/certs/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/crl.pem
    /var/lib/puppet/ssl/private_keys/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/public_keys/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/reports/ykkh8vilnuwe3d2.delivery.puppetlabs.net
    /var/lib/puppet/reports/ykkh8vilnuwe3d2.delivery.puppetlabs.net/201308222252.yaml
    /var/lib/puppet/reports/yblw2pcb1s33dpr.delivery.puppetlabs.net
    /var/lib/puppet/reports/yblw2pcb1s33dpr.delivery.puppetlabs.net/201308222252.yaml
    [root@ykkh8vilnuwe3d2 ~]# find /var/lib/puppet/ -gid 500
    /var/lib/puppet/rrd
    /var/lib/puppet/yaml
    /var/lib/puppet/ssl/ca
    /var/lib/puppet/ssl/ca/requests
    /var/lib/puppet/ssl/ca/ca_crl.pem
    /var/lib/puppet/ssl/ca/ca_key.pem
    /var/lib/puppet/ssl/ca/serial
    /var/lib/puppet/ssl/ca/private
    /var/lib/puppet/ssl/ca/private/ca.pass
    /var/lib/puppet/ssl/ca/signed
    /var/lib/puppet/ssl/ca/ca_crt.pem
    /var/lib/puppet/ssl/ca/ca_pub.pem
    /var/lib/puppet/ssl/ca/inventory.txt
    /var/lib/puppet/server_data
    /var/lib/puppet/reports
    /var/lib/puppet/bucket

And now returning to original user and group:

    [root@ykkh8vilnuwe3d2 ~]# puppet apply original_user_group_state
    Notice: Compiled catalog for ykkh8vilnuwe3d2.delivery.puppetlabs.net in environment production in 0.23 seconds
    Notice: /Stage[main]//Group[puppet]/gid: gid changed '500' to '52'
    Notice: /Stage[main]//User[puppet]/home: home changed '/home/puppet' to '/var/lib/puppet'
    Notice: /Stage[main]//User[puppet]/uid: uid changed '500' to '52'
    Notice: /Stage[main]//User[puppet]/comment: comment changed '' to 'Puppet'
    Notice: /Stage[main]//User[puppet]/shell: shell changed '/bin/bash' to '/sbin/nologin'
    Notice: /Stage[main]//User[puppet]/password_min_age: password_min_age changed '0' to '-1'
    Notice: /Stage[main]//User[puppet]/password_max_age: password_max_age changed '99999' to '-1'
    Notice: Finished catalog run in 0.46 seconds
    [root@ykkh8vilnuwe3d2 ~]# puppet master
    Aug 22 16:44:25 localhost puppet-master[3615]: Failed to set SELinux context system_u:object_r:puppet_var_run_t:s0 on /var/run/puppet/master.pid
    Aug 22 16:44:25 localhost puppet-master[3622]: Reopening log files
    Aug 22 16:44:25 localhost puppet-master[3622]: Starting Puppet master version 3.2.4
    [root@ykkh8vilnuwe3d2 ~]# ps -ef | grep ruby
    puppet 3622 1 0 16:44 ? 00:00:00 /usr/bin/ruby /usr/bin/puppet master
    root 3626 3041 0 16:44 pts/1 00:00:00 grep ruby
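An ownership audit for the situation in this report, as an added example that is not part of the original issue or of Puppet's own code: it tallies the numeric group owners under a state directory and lists every path not owned by the expected group, which is what the two `find -gid` runs above showed by hand. The function names and the `audit.sh` file name are hypothetical; the directory and group are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original report: audit group ownership under a
# state directory after the service group's GID has changed.

# gid_summary DIR: print "GID COUNT" for every numeric group owner under DIR.
gid_summary() {
    find "$1" -exec ls -ldn {} + |
        awk '{ n[$4]++ } END { for (g in n) print g, n[g] }' | sort -n
}

# stale_group_paths DIR GROUP: list paths under DIR not owned by GROUP
# (a group name, or a numeric GID when no group has that name).
stale_group_paths() {
    find "$1" ! -group "$2" -print
}

# stale_group_count DIR GROUP: number of such paths, as a bare integer.
stale_group_count() {
    stale_group_paths "$1" "$2" | wc -l | tr -d ' '
}

# Usage (hypothetical file name): sh audit.sh /var/lib/puppet puppet
if [ "$#" -eq 2 ]; then
    echo "Group owners under $1 (gid count):"
    gid_summary "$1"
    count=$(stale_group_count "$1" "$2")
    echo "$count path(s) not owned by group $2"
    [ "$count" -eq 0 ] || stale_group_paths "$1" "$2"
fi
```

A non-zero count after recreating the group means some files still carry the old numeric GID and need a `chgrp` or a restore of the original GID, as done at the end of the report.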
