On Feb 3, 3:26 pm, Arnau Bria <[email protected]> wrote:
> I sometimes get a strange problem with some user's authorized_keys file.
> The file should belong to user:users_group but puppet sets it as
> root:root:
>
> i.e:
>
> err: /Stage[os]/Computing_ssh/Ssh_authorized_key[[email protected]]:
> Could not evaluate: Permission denied - /home/neuroadm/.ssh/authorized_keys
>
> # ls -lsa /home/neuroadm/.ssh/
> total 12
> 4 drwx------ 2 neuroadm neuro 4096 Feb 3 21:02 .
> 4 drwx------ 3 neuroadm neuro 4096 Feb 3 21:02 ..
> 4 -rw------- 1 root root 578 Feb 3 21:02 authorized_keys

So Puppet is sometimes failing with a permission failure while attempting to synchronize the authorized_keys resource. Supposing that the agent is running as root, there aren't very many things that could cause it to be denied permission to access or change a file. Here's my short list:

1) /home is a remote filesystem (e.g. NFS), that is read-only or is performing root squashing. In that case, it should not be possible for local root to change the file in any way.

2) SELinux is running in enforcing mode, and under some circumstances users' .ssh directories are assigned a security context that prevents puppetd from accessing them.

The fact that removing the .ssh directory and allowing Puppet to recreate it fixes the problem is more consistent with (2). Even if you think SELinux is not running or is not in enforcing mode, I encourage you to check: package updates sometimes silently change SELinux settings.

Cheers,

John
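
A triage sketch for the two causes listed in the reply above, added here as an example and not part of the original thread. The function names, the sample mount table and the `filer:/export/home` export are constructed for illustration; root squashing is set on the NFS server, so the client side can only flag that the path lives on NFS.

```shell
#!/bin/sh
# Added example: check the two suspects from the reply (NFS/read-only, SELinux).

# Constructed sample in /proc/mounts format (not taken from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
filer:/export/home /home nfs4 rw,relatime,vers=4.0 0 0
/dev/sdb1 /mnt/ro ext4 ro,relatime 0 0
EOF
}

# classify_mount MOUNTS_FILE PATH -> "<fstype> <verdict>"
# Picks the longest mount point that is a prefix of PATH.
classify_mount() {
    awk -v p="$2" '
        BEGIN { best = -1 }
        { mp = $2; n = length(mp)
          if (mp == "/" || p == mp || substr(p, 1, n + 1) == mp "/")
              if (n >= best) { best = n; fs = $3; opts = $4 } }
        END {
            verdict = "local"
            # Root squash is a server-side export option: flag for follow-up.
            if (fs ~ /^nfs/) verdict = "nfs-check-root-squash"
            if (("," opts ",") ~ /,ro,/) verdict = verdict "+read-only"
            print fs, verdict
        }' "$1"
}

# selinux_mode [ENFORCE_FILE] -> enforcing | permissive | disabled | unknown
# Default is the selinuxfs flag file; older systems mount it at /selinux/enforce.
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    [ -r "$f" ] || { echo disabled; return; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Live use: sh triage.sh /home/USER/.ssh/authorized_keys
if [ -n "${1:-}" ]; then
    classify_mount /proc/mounts "$1"
    selinux_mode
    ls -lZ "$1"    # owner plus SELinux security context of the file
fi
```

If the mode is enforcing, compare the context shown by `ls -lZ` on the failing file with that of a working user's `.ssh` directory.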
