Trying to fix the problem with "chattr +i *pem" results in Puppet breaking 
fairly spectacularly, output:
```
Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: Could not prepare for execution: Got 3 failure(s) while initializing: File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem; File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
```

On Monday, February 1, 2021 at 1:35:02 PM UTC+11 comport3 wrote:

>
> It seems the puppet agent, when invoked by the service or manually, is 
> resetting the permissions on the files in the puppetdb ssldir 
> (/etc/puppetlabs/puppetdb/ssl/*.pem) from puppetdb:puppetdb to 
> puppet:puppet AND the mode on the 'private.pem' file to 0640, which means 
> the next time the puppetdb service attempts to start, it fails due to a 
> lack of permission.
>
> This only seems to have come up in the past week or so, as we've only just 
> started observing it, and causing problems. We have a temporary workaround 
> where we chown the files back to puppetdb, start PuppetDB and that's fine, 
> but next puppet agent invocation causes the above issue.
>
> Has anyone else observed this problem? Is it a bug?
>
