On Tuesday, April 28, 2020 at 7:00:28 AM UTC-7, Miroslav Kalina wrote:
>
> Hello guys,
>
> I am trying to audit a directory on a server and automatically regenerate (with
> a custom script run by *exec*) its content whenever a user touches it. With
> single files it's easy to do with
>
> file {'/etc/myconfig':
>   audit => content,
> }
>
> -> exec {'/usr/local/bin/generate-myconfig.sh':
>   refreshonly => true,
> }
>
> Unfortunately, when I try to audit a directory, the content of its files is not
> audited (which I kinda understand) and even the list of files is not audited
> (which I can understand less). When I try to switch to `audit => mtime`, I
> am getting strange errors with `transaction.yaml` format and missing class
> Time.
>
> file {'/etc/mysoft/conf.d':
>   ensure => directory,
>   audit  => mtime,
> }
>
> -> exec {'/usr/local/bin/generate-mysoft-conf.sh':
>   refreshonly => true,
> }
>
> On the first puppet agent run everything is completely fine; in a verbose run I
> got the notice
> Notice: /Stage[main]/MySoftModule::Config/File[/etc/mysoft/conf.d]/mtime: audit change: previously recorded value '2020-04-28 11:11:00 +0200' has been changed to '2020-04-28 11:27:16 +0200'
>
> but other runs always give me an error
> Error: Transaction store file /opt/puppetlabs/puppet/cache/state/transactionstore.yaml is corrupt ((/opt/puppetlabs/puppet/cache/state/transactionstore.yaml): Tried to load unspecified class: Time); replacing
> Wrapped exception:
> Tried to load unspecified class: Time
>
> and when I searched `transactionstore.yaml` I found this section,
> which I believe is related to this error
> File[/etc/mysoft/conf.d]:
>   parameters:
>     ensure:
>       system_value:
>       - :directory
>     mtime:
>       system_value:
>       - 2020-04-28 11:27:16.291317766 +02:00
>
> Do you have any idea what I am doing wrong? I believe it's supposed to be
> used like that, but I cannot find much official reference and examples for
> audit metaparameter usage. I am using official puppetlabs packages,
> currently in version 6.14.0-buster1, but this behaves exactly the same as in
> previous versions.
>
> Thank you for any advice.
>
Puppet safely loads YAML by restricting which classes can be loaded
<https://github.com/puppetlabs/puppet/blob/master/lib/puppet/util/yaml.rb#L8-L26>.
The Time class isn't in that list, and the code that loads the
transactionstore doesn't explicitly allow it
<https://github.com/puppetlabs/puppet/blob/9047506d745dc8bd4dc6cca9e67c2c56649f5447/lib/puppet/transaction/persistence.rb#L65>,
so the load fails. Puppet should probably allow the Time class, in addition
to Symbol. Could you file a PUP ticket? Also pull requests are welcome!
Josh
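
Added example, not part of the original thread and not Puppet's own code: a plain-Ruby reproduction of the allow-list behaviour described in the reply, using the standard library's `YAML.safe_load`. The helper names `load_restricted` and `mtime_of` are hypothetical, and both YAML documents are constructed samples (the first is shaped like the quoted transactionstore fragment).

```ruby
require 'yaml'

# Constructed sample shaped like the transactionstore.yaml fragment quoted above.
STORE = <<~EOS
  File[/etc/mysoft/conf.d]:
    parameters:
      ensure:
        system_value:
        - :directory
      mtime:
        system_value:
        - 2020-04-28 11:27:16.291317766 +02:00
EOS

# Constructed document carrying an object tag that neither allow-list permits.
TAGGED = "mtime: !ruby/object:Object {}\n"

# Load text with an explicit class allow-list (hypothetical helper).
# Returns [:ok, data] on success or [:rejected, message] when a class is refused.
def load_restricted(text, allowed)
  [:ok, YAML.safe_load(text, permitted_classes: allowed)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

# Pull the audited mtime value out of a loaded store (hypothetical helper).
def mtime_of(data)
  data.dig('File[/etc/mysoft/conf.d]', 'parameters', 'mtime', 'system_value', 0)
end

if __FILE__ == $PROGRAM_NAME
  # Symbol only: the timestamp scalar resolves to Time, which is refused.
  p load_restricted(STORE, [Symbol])
  # Symbol and Time: the same document loads and mtime comes back as a Time.
  status, data = load_restricted(STORE, [Symbol, Time])
  p [status, mtime_of(data).class]
  # Widening the list by one class still refuses every other object tag.
  p load_restricted(TAGGED, [Symbol, Time])
end
```

Adding one class to the allow-list keeps the restriction in place for everything else, which is the reason to prefer it over switching to an unrestricted load.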