On Thursday, October 10, 2013 6:58:10 AM UTC-5, alessandro mazzoli wrote:
>
> Thanks Jason and Jared,
> I think, like Jared said, that the user trying to create the tempfile
> cannot write to it (this user may well be puppet, not root).
> So I checked on puppetmaster:
> -permissions:/etc/init.d ls -la
> -rwsr-xr-x 1 root root 3727 Sep 12 22:57 puppetmaster
>
That's bad. Initscripts should not be suid-root. Also, the master does not need to run as root and therefore should not do so (unlike the agent). If it is running as root then that could even be your problem.

> /var/lib/puppet/yaml$ ls -la
> total 16
> drwxr-xr-x 4 puppet puppet 4096 Sep 27 13:06 .
> drwxrwxrwx 15 puppet puppet 4096 Sep 27 17:59 ..
> drwxr-xr-x 2 root root 4096 Oct 9 15:33 facts
>

That's wrong. /var/lib/puppet/yaml/facts should be writable by the puppetmaster user, which should not be root. Typically, it's a system user named 'puppet'.

Hypothesis: the master is running as root, which is how the /var/lib/puppet/yaml/facts directory ended up with the ownership and permissions shown, but you are running SELinux in enforcing mode, and the installed policy and filesystem labels do not allow root to write to that directory. That could have resulted from a 'restorecon' running after the directory and perhaps some contents were initially created.

If that hypothesis is correct, then the best solution would be to shut down the master, completely remove the facts/ directory, and restart the master as the user it is expected to run as. It may be that turning off the setuid bit on the initscript (which you should do in any case) is all it takes to get the correct user for future puppetmaster processes.

John
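
A check for the two conditions flagged in the reply above (a setuid initscript, and a facts directory not owned and writable by the master's user), as an added example that is not part of the original thread. The function names are hypothetical; the default paths and the 'puppet' user are the ones quoted in the messages.

```shell
#!/bin/sh
# Added example: audit the two problems flagged in this thread.
# Paths and the 'puppet' user come from the messages; function names are hypothetical.

# True if the file carries the setuid bit (the 's' in -rwsr-xr-x).
is_setuid() {
    [ -u "$1" ]
}

# True if $1 is a directory owned by user $2 (name or numeric uid)
# and has the owner-write bit set. -prune keeps find from descending.
owned_writable_dir() {
    [ -n "$(find "$1" -prune -type d -user "$2" -perm -200 2>/dev/null)" ]
}

# Prints one line per finding; exit status is the number of findings (0 = clean).
audit_puppetmaster() {
    initscript=${1:-/etc/init.d/puppetmaster}
    factsdir=${2:-/var/lib/puppet/yaml/facts}
    user=${3:-puppet}
    findings=0
    if is_setuid "$initscript"; then
        echo "FINDING: $initscript is setuid; clear the bit with: chmod u-s $initscript"
        findings=$((findings + 1))
    fi
    if ! owned_writable_dir "$factsdir" "$user"; then
        echo "FINDING: $factsdir is not a directory owned and writable by '$user'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage on the master: audit_puppetmaster   (no arguments = the paths from the thread)
```

This only inspects mode bits and ownership; it does not evaluate SELinux labels, so the hypothesis about 'restorecon' still has to be checked separately.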
