Bryan Kearney | 1 Jul 2010 19:30

Setting the file metadata in puppet.conf

I am trying to configure the puppet master and puppet client to drive 
off of existing x.509 certificates. The default logic is for puppet to 
take over the permissions of the files. One solution, per [1], is to 
crack the defaults.rb file. This seems nasty.

The second option I saw [2] was to use {} to denote the same items. So, 
I added this to my puppet.conf file:

[puppetmasterd]
     cacert=/etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
     capub=/etc/candlepin/certs/candlepin-ca-pub.key
     cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
     capass = /etc/candlepin/certs/candlepin-ca-password.txt {owner = root, mode = 644}

But this is not picked up because meta overrides are only taken from the 
search path which is:  [:cli, :memory, :name, :main]. I am guessing that 
name in this case is meant to be puppetmasterd, but the magic of "turn 
:name into the application name" is only found in 
Puppet::Util::Settings.name method.

So, a couple of questions:

1) Is there good doco on how to use external certificates?
2) Is the goal to only set file permissions in the main section of 
puppet.conf, or is this a bug?
3) Would the preferred fix for 2, assuming a bug, be to fix this in the 
Puppet::Util::Settings.searchpath method (substitute @name for :name if 
known) or in the Puppet::Util::Settings.unsafe_parse method?
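As an added illustration (not code from this thread or from Puppet itself), the Ruby below models the lookup the post describes: a minimal stand-in parser for puppet.conf's `setting = value {owner = ..., mode = ...}` syntax plus a lookup over the search path `[:cli, :memory, :name, :main]`, showing that metadata under `[puppetmasterd]` is only found once `:name` is replaced by the application name. The parser, the sample config and the `metadata_for` function are assumptions of this example, not Puppet::Util::Settings.

```ruby
# Added example, not Puppet's own code: a minimal stand-in for the puppet.conf
# parsing and searchpath lookup discussed above. Sample config is constructed.
SAMPLE_CONF = <<~CONF
  [main]
      cacert = /etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
  [puppetmasterd]
      cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
CONF

# Parse "[section]" headers and "key = value {owner = x, mode = y}" lines into
# {section => {setting => {value:, meta:}}}.
def parse_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  section = :main
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (hdr = line.match(/\A\[(\w+)\]\z/))
      section = hdr[1].to_sym
      next
    end
    key, rest = line.split('=', 2).map(&:strip)
    next unless rest
    meta = {}
    if (m = rest.match(/\A(.*?)\s*\{(.*)\}\z/))
      rest = m[1]
      m[2].split(',').each do |pair|
        k, v = pair.split('=', 2).map(&:strip)
        meta[k.to_sym] = v
      end
    end
    sections[section][key.to_sym] = { value: rest, meta: meta }
  end
  sections
end

# The search path named in the post; :name is only useful if replaced by the
# running application's section name.
SEARCHPATH = [:cli, :memory, :name, :main].freeze

# Returns the file metadata for +setting+, or nil if no section on the path
# carries any. substitute_name: false reproduces what the post reports.
def metadata_for(conf, setting, app_name, substitute_name: false)
  path = SEARCHPATH.map { |s| s == :name && substitute_name ? app_name : s }
  path.each do |section|
    entry = conf.key?(section) ? conf[section][setting] : nil
    return entry[:meta] if entry && !entry[:meta].empty?
  end
  nil
end
```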

Luke Kanies | 1 Jul 2010 20:51

Re: Setting the file metadata in puppet.conf

On Jul 1, 2010, at 10:30 AM, Bryan Kearney wrote:

> I am trying to configure the puppet master and puppet client to  
> drive off of existing x.509 certificates. The default logic is for  
> puppet to take over the permissions of the files. One solution, per  
> [1], is to crack the defaults.rb file. This seems nasty.
>
> The second option I saw [2] was to use {} to denote the same items.  
> So, I added this to my puppet.conf file:
>
> [puppetmasterd]
>    cacert=/etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode  
> = 644}
>    capub=/etc/candlepin/certs/candlepin-ca-pub.key
>    cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode  
> = 644}
>    capass = /etc/candlepin/certs/candlepin-ca-password.txt {owner =  
> root, mode = 644}
>
>
> But this is not picked up because meta overrides are only taken from  
> the search path which is:  [:cli, :memory, :name, :main]. I am  
> guessing that name in this case is meant to be puppetmasterd, but  
> the magic of "turn :name into the application name" is only found in  
> Puppet::Util::Settings.name method.
>
> So, a couple of questions:
>
> 1) Is there good doco on how to use external certificates?


Bryan Kearney | 1 Jul 2010 20:57

Re: Setting the file metadata in puppet.conf

On 07/01/2010 02:51 PM, Luke Kanies wrote:
> On Jul 1, 2010, at 10:30 AM, Bryan Kearney wrote:
>
>> I am trying to configure the puppet master and puppet client to drive
>> off of existing x.509 certificates. The default logic is for puppet to
>> take over the permissions of the files. One solution, per [1], is to
>> crack the defaults.rb file. This seems nasty.
>>
>> The second option I saw [2] was to use {} to denote the same items.
>> So, I added this to my puppet.conf file:
>>
>> [puppetmasterd]
>> cacert=/etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
>> capub=/etc/candlepin/certs/candlepin-ca-pub.key
>> cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
>> capass = /etc/candlepin/certs/candlepin-ca-password.txt {owner = root,
>> mode = 644}
>>
>>
>> But this is not picked up because meta overrides are only taken from
>> the search path which is: [:cli, :memory, :name, :main]. I am guessing
>> that name in this case is meant to be puppetmasterd, but the magic of
>> "turn :name into the application name" is only found in
>> Puppet::Util::Settings.name method.
>>
>> So, a couple of questions:
>>
>> 1) Is there good doco on how to use external certificates?
>
> Probably not. Most examples I have seen do the opposite - use Puppet's

Markus Roberts | 1 Jul 2010 21:04

Re: Setting the file metadata in puppet.conf

Bryan --

>> Obviously, the best thing is if this actually works for you. I think 2.6
>> will make this name-based searching work.
>
> I will try this. Is 2.6 "master" now? I could try running against master
> if that is better. Also.. I am happy to put in a patch for (2) if you like.

master is presently an alpha version of 2.6, to which we are applying bug fixes as a small, mostly in-house group of testers find and report problems (next update expected in a few hours).  When this process settles out (we stop turning up bugs) we plan on producing one or more release candidates and then the final release.

-- Markus
-----------------------------------------------------------
The power of accurate observation is
commonly called cynicism by those
who have not got it.  ~George Bernard Shaw
------------------------------------------------------------

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
Bryan Kearney | 1 Jul 2010 22:43

Re: Setting the file metadata in puppet.conf

On 07/01/2010 02:51 PM, Luke Kanies wrote:
>
>> 3) Would the preferred fix for 2, assuming a bug, to fix this in the
>> Puppet::Util::Settings.searchpath method (substitute @name for :name
>> if known) or in the Puppet::Util::Settings.unsafe_parse method?
>
> If you're using a recent enough version, I'd recommend disabling
> 'manage_internal_file_permissions', at least for now.
>
> Obviously, the best thing is if this actually works for you. I think 2.6
> will make this name-based searching work.

Attached is a patch for the 0.25.x branch. It adds name lookup to the 
parsing of the config file.

-- bk


Luke Kanies | 2 Jul 2010 02:00

Re: Setting the file metadata in puppet.conf

On Jul 1, 2010, at 1:43 PM, Bryan Kearney wrote:

> On 07/01/2010 02:51 PM, Luke Kanies wrote:
>>
>>> 3) Would the preferred fix for 2, assuming a bug, to fix this in the
>>> Puppet::Util::Settings.searchpath method (substitute @name for :name
>>> if known) or in the Puppet::Util::Settings.unsafe_parse method?
>>
>> If you're using a recent enough version, I'd recommend disabling
>> 'manage_internal_file_permissions', at least for now.
>>
>> Obviously, the best thing is if this actually works for you. I  
>> think 2.6
>> will make this name-based searching work.
>
> Attached is a patch for the 0.25.x branch. It adds name lookup to  
> the parsing of the config file.

Looks about right.  Can you open a ticket for it?

-- 
No matter how rich you become, how famous or powerful, when you die
the size of your funeral will still pretty much depend on the
weather. -- Michael Pritchard
---------------------------------------------------------------------
Luke Kanies  -|-   http://puppetlabs.com   -|-   +1(615)594-8199


Bryan Kearney | 2 Jul 2010 13:26

Re: Setting the file metadata in puppet.conf

On 07/01/2010 08:00 PM, Luke Kanies wrote:
> On Jul 1, 2010, at 1:43 PM, Bryan Kearney wrote:
>
>> On 07/01/2010 02:51 PM, Luke Kanies wrote:
>>>
>>>> 3) Would the preferred fix for 2, assuming a bug, to fix this in the
>>>> Puppet::Util::Settings.searchpath method (substitute @name for :name
>>>> if known) or in the Puppet::Util::Settings.unsafe_parse method?
>>>
>>> If you're using a recent enough version, I'd recommend disabling
>>> 'manage_internal_file_permissions', at least for now.
>>>
>>> Obviously, the best thing is if this actually works for you. I think 2.6
>>> will make this name-based searching work.
>>
>> Attached is a patch for the 0.25.x branch. It adds name lookup to the
>> parsing of the config file.
>
> Looks about right. Can you open a ticket for it?
>
Done:

http://projects.puppetlabs.com/issues/4129

-- bk

