Here is a workaround for anyone else affected by the same issue, noting the 
caveat that it will apply on every run:

```puppet
# Inherit from the module's main class so its $ssl_dir, $ssl_*_path,
# $puppetdb_user and $puppetdb_group parameters are in scope here.
class profile::puppetdb inherits puppetdb {
  contain puppetdb
  contain puppetdb::master::config
  # Re-assert the ownership and modes PuppetDB needs. The agent resets them,
  # so these resources correct them again on every run.
  file {
    $ssl_dir:
      ensure => directory,
      owner  => $puppetdb_user,
      group  => $puppetdb_group,
      mode   => '0700';
    $ssl_key_path:
      ensure  => file,
      owner   => $puppetdb_user,
      group   => $puppetdb_group,
      mode    => '0640';
    $ssl_cert_path:
      ensure  => file,
      owner   => $puppetdb_user,
      group   => $puppetdb_group,
      mode    => '0644';
    $ssl_ca_cert_path:
      ensure  => file,
      owner   => $puppetdb_user,
      group   => $puppetdb_group,
      mode    => '0644';
  }
}
```


On Tuesday, February 2, 2021 at 10:00:43 AM UTC+11 comport3 wrote:

> Trying to fix the problem with "chattr +i *pem" results in Puppet breaking 
> fairly spectacularly, output:
> ```
> Error: Failed to set owner to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/owner:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: Failed to set group to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/group:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: Failed to set owner to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/owner:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: Failed to set group to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/group:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: Failed to set owner to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/owner: change from 
> 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not 
> permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: Failed to set group to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/group: change from 
> 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not 
> permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: Could not prepare for execution: Got 3 failure(s) while 
> initializing: 
> File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
> 'puppet' failed: Failed to set owner to '998': Operation not permitted @ 
> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem; 
> File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
> 'puppet' failed: Failed to set group to '998': Operation not permitted @ 
> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> ```
>
> On Monday, February 1, 2021 at 1:35:02 PM UTC+11 comport3 wrote:
>
>>
>> It seems the puppet agent, when invoked by the service or manually, is 
>> resetting the permissions on the files in the puppetdb ssldir 
>> (/etc/puppetlabs/puppetdb/ssl/*.pem) from puppetdb:puppetdb to 
>> puppet:puppet AND the mode on the 'private.pem' file to 0640, which means the next time the 
>> puppetdb service attempts to start, it fails due to a lack of permission.
>>
>> This only seems to have come up in the past week or so, as we've only 
>> just started observing it, and causing problems. We have a temporary 
>> workaround where we chown the files back to puppetdb, start PuppetDB and 
>> that's fine, but next puppet agent invocation causes the above issue.
>>
>> Has anyone else observed this problem? Is it a bug?
>>
>
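An added check for the drift described in this thread, written for this reply and not part of the puppetdb module: it audits a PuppetDB ssldir against the owner, group and modes the workaround class enforces (dir 0700, key 0640, certs 0644) and returns the number of deviations, so it can run from a pre-start hook or a monitoring job before PuppetDB fails on its key. It assumes GNU `stat` and the file names private.pem, public.pem and ca.pem; adjust them to your ssl_*_path settings.

```shell
#!/bin/sh
# Constructed example: audit a PuppetDB ssldir for ownership/mode drift.
# Usage: audit_puppetdb_ssl <ssl_dir> <owner> <group>
# Prints one line per deviating or missing path and returns the count
# of deviations (0 means the directory matches the expected state).
audit_puppetdb_ssl() {
  dir=$1; owner=$2; group=$3
  bad=0
  # Expected modes mirror the workaround class above; the file names are
  # assumed defaults (private.pem / public.pem / ca.pem).
  for entry in "$dir:700" "$dir/private.pem:640" \
               "$dir/public.pem:644" "$dir/ca.pem:644"; do
    path=${entry%:*}
    want_mode=${entry##*:}
    if [ ! -e "$path" ]; then
      echo "MISSING $path"
      bad=$((bad + 1))
      continue
    fi
    # GNU stat: owner name, group name, octal mode without leading zero
    actual=$(stat -c '%U:%G:%a' "$path")
    if [ "$actual" != "$owner:$group:$want_mode" ]; then
      echo "DRIFT $path expected $owner:$group:$want_mode got $actual"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}
```

Run it as `audit_puppetdb_ssl /etc/puppetlabs/puppetdb/ssl puppetdb puppetdb` after a puppet agent run to see exactly which files the agent changed.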
