Dominic,
Thanks for the speedy reply.
The puppet config is there and has been since I set up the smart-proxy
back in July of 2013; foreman-proxy user is a member of the puppet
group…actually I have puppet asserting its own config file with a
template designed for group shared ssl. So at least in 3.4.2 and 3.4.3,
the private_keys dir's group is not being set to puppet; as of now
everything is root:root.
Honestly, I can’t recall what version of puppet I was running before
1/13/2014 when I upgraded all things Foreman from 1.2 -> 1.4, and
afterwards puppet to 3.4 as well. Last week I patched again and it
seems to have broken the permissions.
I can say that today I’ve added o+x to /var/lib/puppet,
/var/lib/puppet/ssl, and /var/lib/puppet/ssl/private_keys, as well as
changed their groups, but when puppet runs the directory resources get
reverted to root:root/750. The actual private key is fine.
Sean M. Alderman
Senior Engineer, UDit Systems Integration and Engineering
University of Dayton
salderman1@udayton.edu
“We are not some casual and meaningless product of evolution. Each of
us is the result of a thought of God. Each of us is willed. Each of us
is loved. Each of us is necessary.” - BXVI
On Tue, Mar 18, 2014 at 2:04 PM, Dominic Cleal <dcleal@redhat.com> wrote:
On 18/03/14 17:42, Sean Alderman wrote:
> Hi,
> I think Dominic had a bug/feature
> <https://tickets.puppetlabs.com/browse/PUP-1120> over at puppetlabs on
> the group permissions of the puppet SSL dir. I recently upgraded smart
> proxies and puppet, but didn't notice this bug. I have downgraded to
> 3.4.2 and am still hitting the issue on the private_keys dir. The
> smart-proxy service fails accessing the key, because even if I set the
> keys dir to 751, puppet reverts it on the next run...
>
> Debug: Using settings: adding file resource 'privatekeydir':
> 'File[/var/lib/puppet/ssl/private_keys]{:ensure=>:directory,
> :group=>"root", :loglevel=>:debug, :links=>:follow, :owner=>"root",
> :mode=>"750", :path=>"/var/lib/puppet/ssl/private_keys",
> :backup=>false}'
>
> Debug: /File[/var/lib/puppet/ssl/private_keys]/mode: mode changed
> '0751' to '0750'
>
>
> Is there a known good puppet version?
You can reconfigure Puppet's internal file permissions. We usually
recommend you add foreman-proxy to the puppet group, leave private_keys
at 0750 but add group read permission to the key inside. See this section
(scroll down a little) for a puppet.conf snippet to configure this:
http://theforeman.org/manuals/1.4/index.html#5.4.2SecuringSmartProxyRequests
If you want to force 0751, you can add mode to the privatekeydir line.
--
Dominic Cleal
Red Hat Engineering
--
You received this message because you are subscribed to the Google
Groups "Foreman users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.
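To see why Sean's o+x workaround keeps being undone and why Dominic's group-based layout lets the smart-proxy reach the key, here is an added example (not from either poster) that models the Unix permission checks along the path to the host key: every parent directory needs search (x) for the service account, and the key itself needs read. The two layouts and the key file name host.pem are constructed for illustration, not copied from a real host.

```python
"""Model of per-user Unix permission evaluation along a path (constructed example)."""
from collections import namedtuple

Entry = namedtuple("Entry", "owner group mode")  # mode is the octal permission bits

KEY = "/var/lib/puppet/ssl/private_keys/host.pem"  # host.pem is a placeholder name

# Constructed layout mirroring the thread: private_keys reverted to root:root 0750.
BROKEN = {
    "/var/lib/puppet": Entry("root", "root", 0o755),
    "/var/lib/puppet/ssl": Entry("root", "root", 0o771),
    "/var/lib/puppet/ssl/private_keys": Entry("root", "root", 0o750),
    KEY: Entry("root", "root", 0o640),
}

# Constructed layout following the advice: dir stays 0750 but is group puppet,
# the key inside is group readable, and foreman-proxy sits in the puppet group.
FIXED = dict(BROKEN)
FIXED["/var/lib/puppet/ssl/private_keys"] = Entry("root", "puppet", 0o750)
FIXED[KEY] = Entry("root", "puppet", 0o640)

PROXY_GROUPS = {"foreman-proxy", "puppet"}


def _rwx(entry, user, groups):
    """Return (read, write, exec) as seen by `user` (root bypasses DAC here)."""
    if user == "root":
        return (True, True, True)
    shift = 6 if entry.owner == user else 3 if entry.group in groups else 0
    cls = (entry.mode >> shift) & 0o7
    return (bool(cls & 4), bool(cls & 2), bool(cls & 1))


def can_read_key(fs, path, user, groups):
    """Walk each parent directory (needs x), then check read on the file.

    Returns (ok, reason). Directories above the modelled tree (/var, /var/lib)
    are assumed traversable, as they would be on a stock system.
    """
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        d = "/" + "/".join(parts[:i])
        if d in fs and not _rwx(fs[d], user, groups)[2]:
            e = fs[d]
            return False, f"{user} cannot traverse {d} ({e.owner}:{e.group} {e.mode:04o})"
    e = fs[path]
    if not _rwx(e, user, groups)[0]:
        return False, f"{user} cannot read {path} ({e.owner}:{e.group} {e.mode:04o})"
    return True, "ok"
```

Running `can_read_key(BROKEN, KEY, "foreman-proxy", PROXY_GROUPS)` reports the traversal failure on private_keys even though the key's own bits are fine, which is exactly the symptom in the thread; the FIXED layout passes without touching the directory mode.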