The files '/etc/puppetlabs/puppet/ssl/private_keys/hostname.pem' and 
'/etc/puppetlabs/puppetdb/ssl/private.pem' seem to be linked to each other 
somehow.
Not symlinked or hardlinked (which can have different owner/permission) but 
something else I can't figure out.
Changing the ownership or mode on one file consistently impacts the other 
one.

Help ?!

On Tuesday, February 2, 2021 at 3:18:17 PM UTC+11 comport3 wrote:

> EDIT: Do NOT use the previously provided workaround. For reasons I DO NOT 
> currently understand, it's also changing the ownership of the private key 
> located in '/etc/puppetlabs/puppet/ssl/private_keys/*pem'
>
> Not sure what to do next - downgrade? File a bug report?
>
> On Tuesday, February 2, 2021 at 11:12:04 AM UTC+11 comport3 wrote:
>
>> Here is a workaround for anyone else affected by the same issue, noting 
>> the caveat is it will apply on every run -
>>
>> class profile::puppetdb inherits puppetdb {
>>   contain puppetdb
>>   contain puppetdb::master::config
>>   file {
>>     $ssl_dir:
>>       ensure => directory,
>>       owner  => $puppetdb_user,
>>       group  => $puppetdb_group,
>>       mode   => '0700';
>>     $ssl_key_path:
>>       ensure  => file,
>>       owner   => $puppetdb_user,
>>       group   => $puppetdb_group,
>>       mode    => '0640';
>>     $ssl_cert_path:
>>       ensure  => file,
>>       owner   => $puppetdb_user,
>>       group   => $puppetdb_group,
>>       mode    => '0644';
>>     $ssl_ca_cert_path:
>>       ensure  => file,
>>       owner   => $puppetdb_user,
>>       group   => $puppetdb_group,
>>       mode    => '0644';
>>   }
>> }
>>
>>
>> On Tuesday, February 2, 2021 at 10:00:43 AM UTC+11 comport3 wrote:
>>
>>> Trying to fix the problem with "chattr +i *pem" results in Puppet 
>>> breaking fairly spectacularly, output:
>>> ```
>>> Error: Failed to set owner to '998': Operation not permitted @ 
>>> apply2files - 
>>> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: 
>>> /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/owner:
>>>  
>>> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: Failed to set group to '998': Operation not permitted @ 
>>> apply2files - 
>>> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: 
>>> /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/group:
>>>  
>>> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: Failed to set owner to '998': Operation not permitted @ 
>>> apply2files - 
>>> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: 
>>> /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/owner:
>>>  
>>> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: Failed to set group to '998': Operation not permitted @ 
>>> apply2files - 
>>> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: 
>>> /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/group:
>>>  
>>> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: Failed to set owner to '998': Operation not permitted @ 
>>> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/owner: change from 
>>> 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not 
>>> permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: Failed to set group to '998': Operation not permitted @ 
>>> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/group: change from 
>>> 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not 
>>> permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: Could not prepare for execution: Got 3 failure(s) while 
>>> initializing: 
>>> File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
>>> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
>>> File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
>>> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
>>> File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]:
>>>  
>>> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
>>> File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]:
>>>  
>>> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
>>> Operation not permitted @ apply2files - 
>>> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
>>> File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
>>> 'puppet' failed: Failed to set owner to '998': Operation not permitted @ 
>>> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem; 
>>> File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
>>> 'puppet' failed: Failed to set group to '998': Operation not permitted @ 
>>> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> ```
>>>
>>> On Monday, February 1, 2021 at 1:35:02 PM UTC+11 comport3 wrote:
>>>
>>>>
>>>> It seems the puppet agent, when invoked by the service or manually, is 
>>>> resetting the permissions on the files in the puppetdb ssldir 
>>>> (/etc/puppetlabs/puppetdb/ssl/*.pem) from puppetdb:puppetdb to 
>>>> puppet:puppet AND the mode on the 'private.pem' file to 0640, which means the next time the 
>>>> puppetdb service attempts to start, it fails due to a lack of permission.
>>>>
>>>> This only seems to have come up in the past week or so, as we've only 
>>>> just started observing it, and causing problems. We have a temporary 
>>>> workaround where we chown the files back to puppetdb, start PuppetDB and 
>>>> that's fine, but next puppet agent invocation causes the above issue.
>>>>
>>>> Has anyone else observed this problem? Is it a bug?
>>>>
>>>
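
Added diagnostic for the behaviour reported in this thread; it is not code from the thread or from Puppet. It settles whether two paths such as the two key files above are really one file (a hard link shares a single inode, and owner and mode live on the inode, so changing one path changes the other), and checks a private key's owner, group and mode against expected values (assumed here to be puppetdb:puppetdb and 0640, the mode the workaround above sets). Assumes GNU coreutils stat and readlink.

```shell
#!/bin/sh
# Added diagnostic for the PuppetDB ssldir permission problem; not code from
# the thread or from Puppet. Assumes GNU coreutils (Linux) stat and readlink.

# relation A B: print how two paths relate.
# same-path | symlink-to-same | hardlink (same device:inode) | distinct
relation() {
    a=$1; b=$2
    [ "$a" = "$b" ] && { echo same-path; return 0; }
    ra=$(readlink -f -- "$a") || return 1
    rb=$(readlink -f -- "$b") || return 1
    [ "$ra" = "$rb" ] && { echo symlink-to-same; return 0; }
    # Owner and mode are stored on the inode, so hard-linked paths cannot differ.
    ia=$(stat -c '%d:%i' -- "$ra") || return 1
    ib=$(stat -c '%d:%i' -- "$rb") || return 1
    [ "$ia" = "$ib" ] && { echo hardlink; return 0; }
    echo distinct
}

# check_key PATH OWNER:GROUP MODE: print "ok" (status 0) or the mismatches found
# (status 2). OWNER:GROUP may be names or numeric ids (the agent log above shows
# '998'); MODE may be written with or without the leading zero.
check_key() {
    path=$1; want_og=$2; want_mode=${3#0}
    have_og=$(stat -c '%U:%G' -- "$path") || return 1
    have_ids=$(stat -c '%u:%g' -- "$path") || return 1
    have_mode=$(stat -c '%a' -- "$path") || return 1
    out=""
    [ "$have_og" = "$want_og" ] || [ "$have_ids" = "$want_og" ] ||
        out="${out}owner/group ${have_og} (want ${want_og});"
    [ "$have_mode" = "$want_mode" ] || out="${out}mode ${have_mode} (want ${want_mode});"
    [ -n "$out" ] && { echo "$out"; return 2; }
    echo ok
}

# Usage: sh check_puppetdb_ssl.sh KEY_A KEY_B [OWNER:GROUP] [MODE]
# e.g. the puppet private key and /etc/puppetlabs/puppetdb/ssl/private.pem,
# with the expected owner and mode defaulting to puppetdb:puppetdb 0640.
if [ $# -ge 2 ]; then
    echo "relation: $(relation "$1" "$2")"
    echo "$2: $(check_key "$2" "${3:-puppetdb:puppetdb}" "${4:-0640}")"
fi
```

Run it once after a puppet agent run on the affected host; "hardlink" or "symlink-to-same" explains why chown on one key file shows up on the other, while "distinct" points back at the agent's file resources as the cause.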

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/f0bdc796-1fc2-4eeb-bc60-3128aed56e63n%40googlegroups.com.