> On May 6, 2015, at 22:32, Josh Cooper <[email protected]> wrote:
>
> On Wed, May 6, 2015 at 7:29 AM, Johnson Earls <[email protected]> wrote:
>> never mind. puppet agent ignores the user/group config settings, so those
>> should be kept at puppet, and ${::settings::user} / ${::settings::group}
>> should not be used to configure agent-related options (such as file
>> ownership).
>
> The `puppet` user and group are really server-side settings, to specify a
> less privileged account to run the webrick/passenger/puppetserver process as.

So, maybe there should be a test to see if the user even exists before mass-chown’ing directories?

> To confuse things, `puppet` packages (rpm/deb) have always created the
> `puppet` user and group, but was unnecessary on the agent. In Puppet 4, we
> have fixed this, so the puppet-agent package does not create a `puppet` user
> or group. Only the puppetserver package does that.

So there is at least a dependency/ordering problem, at most an unchecked firehose turned on to change permissions, and this should be considered a bug. Also, this is playing pretty fast and loose with idempotence if this can’t be configured around.

>> On Tuesday, May 5, 2015 at 10:40:00 PM UTC-7, Johnson Earls wrote:
>> I'm running into a frustrating issue, and I'm wondering if I'm just not doing
>> something right.
>>
>> My understanding is that the puppet agent has to run with the config "user"
>> and "group" set to "root" so that it can make changes to the system.
>> The puppet server, on the other hand, runs as user and group "puppet".
>>
>> However, every time the puppet agent activates, it changes the ownership of
>> most of the subdirectories and files within the /etc/puppetlabs/puppet/ssl
>> directory to root, which then prevents the puppet server from either starting
>> up or being able to sign certificates.
>
> In Puppet 4, you can get into this state if you install puppet-agent, and run
> it at least once. Since the `puppet` user won't exist, the agent will set
> permissions to `root:root:750` for file/directory-related settings like
> `privatekeydir`.

Ouch. This violates the “principle of least surprise” at least two different ways.

> If you then install puppetserver, it will create the `puppet` user, start the
> server as that user, and fail to start, because the puppet user can't read
> `privatekeydir`, etc. However, as soon as you run `puppet agent` (or `apply`)
> on the master, it will restore the permissions to `puppet:puppet` and the
> puppetserver will start successfully.

So, if I started the components in the wrong order once, it now takes an extra run to sort everything out, and doesn’t log it well enough to be deciphered? Double-ouch.

>> Am I misunderstanding how these two processes work and interact?
>>
>> Should the puppet agent run with the config user/group set to "puppet", even
>> though puppet won't have permission to make most of the changes on the system?
>> Or should the puppet server run as root?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/3955db48-4062-460c-a8a4-0df405277afb%40googlegroups.com
>> For more options, visit https://groups.google.com/d/optout
>
> --
> Josh Cooper
> Developer, Puppet Labs
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CA%2Bu97unqBLmMMfqE%2BJQ_R8MguFntxD%3DHxynM0uuY-O9py-s%2B4Q%40mail.gmail.com

--
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/015ABFFD-CD73-4F7A-9813-23B1F2217C20%40gmail.com
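The check the reply above asks for, written out as an added example that is not part of the thread and not Puppet's own code: a small POSIX shell script that decides who should own the SSL directory from whether the service account actually exists on the host, lists what a blanket chown would touch, and only then changes ownership. The account name `puppet` and the path `/etc/puppetlabs/puppet/ssl` come from the thread; the function names, the `DRY_RUN` switch and the temporary directory used in the usage note are my assumptions.

```shell
#!/bin/sh
# Added example: guard the SSL directory ownership change on the service
# account actually existing, instead of chown'ing everything unconditionally.
# Not from the thread or from Puppet. Assumptions: the service account is
# "puppet" and the SSL dir is /etc/puppetlabs/puppet/ssl (both named in the
# thread); the function names and the DRY_RUN switch are mine.

SSL_DIR_DEFAULT=/etc/puppetlabs/puppet/ssl

# Print the "user:group" the SSL directory should carry on this host:
# the service account and its primary group if that account exists
# (puppetserver is installed), otherwise root:root (agent-only host).
ssl_owner_for() {
    svc=${1:-puppet}
    if id -u "$svc" >/dev/null 2>&1; then
        printf '%s:%s\n' "$svc" "$(id -gn "$svc")"
    else
        printf 'root:root\n'
    fi
}

# List every path under DIR not owned by USER, one per line. This is the
# dry-run view of what a blanket chown would touch. USER must exist, which
# ssl_owner_for guarantees for the value it returns (find rejects unknown
# user names).
list_wrong_owner() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 0
    find "$dir" ! -user "$user" -print
}

# Bring DIR to the ownership ssl_owner_for chooses. With DRY_RUN=1 (the
# default) nothing is changed and each path that would change is reported
# on stderr. Prints the number of paths that were (or would be) changed, so
# a second run reporting 0 is the idempotence check.
fix_ssl_perms() {
    dir=${1:-$SSL_DIR_DEFAULT}; svc=${2:-puppet}
    owner=$(ssl_owner_for "$svc")
    user=${owner%%:*}
    n=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'would chown %s %s\n' "$owner" "$p" >&2
        else
            chown "$owner" "$p"
        fi
        n=$((n + 1))
    done <<EOF
$(list_wrong_owner "$dir" "$user")
EOF
    printf '%s\n' "$n"
}

# Usage: sh ssl_owner.sh --fix [DIR [SERVICE_USER]]   (set DRY_RUN=0 to apply)
if [ "${1:-}" = "--fix" ]; then
    shift
    fix_ssl_perms "$@"
fi
```

On a real host, point it at the directory the agent actually uses (`puppet config print ssldir`), run it once with the default dry run to see what the agent's unconditional chown would have flipped, then with `DRY_RUN=0` after puppetserver has been installed; a following run that prints `0` confirms the directory is in the state the server expects and the agent has nothing left to change.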
