On Wed, May 6, 2015 at 7:29 AM, Johnson Earls <[email protected]>
wrote:

> Never mind. Puppet agent ignores the user/group config settings, so those
> should be kept at puppet, and ${::settings::user} / ${::settings::group}
> should not be used to configure agent-related options (such as file
> ownership).
>

The `puppet` user and group are really server-side settings, to specify a
less privileged account to run the webrick/passenger/puppetserver process
as.

To confuse things, `puppet` packages (rpm/deb) have always created the
`puppet` user and group, but that was unnecessary on the agent. In Puppet 4, we
have fixed this, so the puppet-agent package does not create a `puppet`
user or group. Only the puppetserver package does that.

On Tuesday, May 5, 2015 at 10:40:00 PM UTC-7, Johnson Earls wrote:
>>
>> I'm running into a frustrating issue, and I'm wondering if I'm just not
>> doing something right.
>>
>> My understanding is that the puppet agent has to run with the config
>> "user" and "group" set to "root" so that it can make changes to the system.
>> The puppet server, on the other hand, runs as user and group "puppet".
>>
>> However, every time the puppet agent activates, it changes the ownership
>> of *most* of the subdirectories and files within the
>> /etc/puppetlabs/puppet/ssl directory to root, which then prevents the
>> puppet server from either starting up or being able to sign certificates.
>>
>
In Puppet 4, you can get into this state if you install puppet-agent, and
run it at least once. Since the `puppet` user won't exist, the agent will
set permissions to `root:root:750` for file/directory-related settings like
`privatekeydir`.

If you then install puppetserver, it will create the `puppet` user, start
the server as that user, and fail to start, because the puppet user can't
read `privatekeydir`, etc. However, as soon as you run `puppet agent` (or
`apply`) on the master, it will restore the permissions to `puppet:puppet`
and the puppetserver will start successfully.


>
>> Am I misunderstanding how these two processes work and interact?
>>
>> Should the puppet agent run with the config user/group set to "puppet",
>> even though puppet won't have permission to make most of the changes on the
>> system?
>> Or should the puppet server run as root?
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/3955db48-4062-460c-a8a4-0df405277afb%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/3955db48-4062-460c-a8a4-0df405277afb%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Josh Cooper
Developer, Puppet Labs
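
An added example, not part of the original message or of Puppet's own code: a Python check that walks a directory and lists what a given service account cannot read, which is the state described above where `root:root` mode 750 locks the `puppet` user out of `privatekeydir`. The function names, the temporary tree and the uid/gid values are constructed for illustration, and only classic mode bits are evaluated (ACLs are ignored).

```python
import os
import stat
import tempfile


def can_access(st, uid, gids):
    """Classic Unix mode-bit check for one stat result (ACLs are ignored)."""
    if uid == 0:  # root bypasses read/search permission checks
        return True
    # Directories need read + search (r-x); regular files need read (r--).
    need = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return bits & need == need


def unreadable_paths(root, uid, gids):
    """Return the sorted paths at or under root that uid/gids cannot read."""
    blocked = [] if can_access(os.stat(root), uid, gids) else [root]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not can_access(os.lstat(path), uid, gids):
                blocked.append(path)
    return sorted(blocked)


def demo():
    """Constructed tree standing in for the ssl directory after an agent run."""
    with tempfile.TemporaryDirectory() as ssl:
        os.chmod(ssl, 0o755)
        keys = os.path.join(ssl, "private_keys")
        os.mkdir(keys)
        os.chmod(keys, 0o750)  # the 750 mode mentioned in the thread
        key = os.path.join(keys, "host.pem")
        open(key, "w").close()
        os.chmod(key, 0o640)
        st = os.stat(keys)
        # A different account (hypothetical uid/gid) versus the owning account.
        other = unreadable_paths(ssl, st.st_uid + 1, {st.st_gid + 1})
        owner = unreadable_paths(ssl, st.st_uid, {st.st_gid})
        return [os.path.relpath(p, ssl) for p in other], owner


if __name__ == "__main__":
    print(demo())
```

On a real master, the uid and gid would come from `pwd.getpwnam("puppet")` and the root would be the ssl directory named in the thread.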

