On Friday, October 31, 2014 8:02:33 AM UTC-5, Felix.Frank wrote:
>
> On 10/31/2014 11:35 AM, JonY wrote: 
> > I've simplified the script to this: 
> > 
> > #!/usr/local/bin/ruby 
> > 
> > open('test.out', 'w') { |f| 
> >   f.puts "Hello" 
> > } 
>
> Well, writing to a relative file path is bound to be potentially 
> problematic. 
>
>

In particular, if the working directory is not writable by puppet (which it 
shouldn't be), or if there is already a file in it of the specified name, 
and *that* isn't writable by puppet (which it shouldn't be), then the open() 
will fail.  I don't know off-hand what exit code Ruby returns when a 
top-scope statement throws an exception, but my first guess would be 1.

 

> > .. and it still gives me 'error 1' when run as an ENC. 
>
> No, it states that 'the script returned 1'. Which is weird, yes. 
>


Maybe.  I also don't know what exit code ruby yields when a script 
completes normally.  It should exit 0, and net sources claim it does, but 
it's worth verifying that.

 

> > What would the effect of outputting incorrect YAML be? I'm wondering 
> > about the syntax of what's being printed. 
>
> I disbelieve that the content of stdout is the issue. The Ruby process 
> exits with a non-zero status, meaning that something goes wrong. 
>
>

Agreed.

 

> Can you wrap the Ruby in a shell script and tee its output somewhere? 
>
> #!/bin/bash 
> /path/to/ruby-enc 2>&1 | tee /tmp/enc-output 
>
> Configure that scriptlet as your ENC script and see what ends up in the 
> file. 
>
>

Good idea.

 

> BTW, rereading your first mail - I don't think puppet should own the 
> script. That's just horrible security. It should have permission to 
> execute it, but only root (or a privileged user account) should be able 
> to write it. Unless I'm missing something about ENC theory (never used 
> those). 
>
>

I don't claim to be an expert on ENC theory (and doesn't that sound 
highbrow ;-) ), but I agree that the master should not have write 
permission on the ENC script.


John
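The point Felix and John make about ownership of the ENC script can be checked mechanically. The following is an added example, not code from this thread: `enc_write_risks`, the temporary files and the uids in `demo` are constructed for illustration, and only classic Unix mode bits are examined (no ACLs).

```ruby
require 'tmpdir'
require 'fileutils'

# Reasons the account the Puppet master runs as (svc_uid / svc_gids) could
# modify or replace the ENC script at `path`. An empty list means none found.
# Assumption: only Unix owner/group/other mode bits matter (ACLs are ignored).
def enc_write_risks(path, svc_uid, svc_gids = [])
  real = File.realpath(path)                 # audit the file a symlink points to
  targets = { 'script' => File.stat(real),
              'directory' => File.stat(File.dirname(real)) }
  risks = []
  targets.each do |what, st|
    # An owner can always chmod the file back to writable, so ownership
    # alone is a finding regardless of the current mode bits.
    risks << "#{what} owned by service account" if st.uid == svc_uid
    # With the sticky bit set, write access to a directory does not allow
    # replacing files that belong to someone else.
    next if what == 'directory' && st.sticky?
    if (st.mode & 0o020) != 0 && svc_gids.include?(st.gid)
      risks << "#{what} writable by service group"
    end
    risks << "#{what} world-writable" if (st.mode & 0o002) != 0
  end
  risks
end

# Constructed demo: a temporary file stands in for a real ENC script.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.chmod(0o755, dir)
    enc = File.join(dir, 'enc.rb')
    File.write(enc, "#!/usr/local/bin/ruby\nputs 'classes: {}'\n")
    FileUtils.chmod(0o755, enc)
    me = Process.uid
    other = me + 1                           # hypothetical unrelated uid
    owned = enc_write_risks(enc, me)         # service account owns the script
    clean = enc_write_risks(enc, other)      # different owner, mode 0755
    FileUtils.chmod(0o757, enc)
    loose = enc_write_risks(enc, other)      # script made world-writable
    { owned: owned, clean: clean, loose: loose }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

On a real master, pass the uid and group ids of the account the master runs as and the configured ENC path; an empty result is the state the thread recommends.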
