EDIT: Do NOT use the previously provided workaround. For reasons I DO NOT
currently understand, it's also changing the ownership of the private key
located in "/etc/puppetlabs/puppet/ssl/private_keys/*pem".
Not sure what to do next - downgrade? File a bug report?
On Tuesday, February 2, 2021 at 11:12:04 AM UTC+11 comport3 wrote:
> Here is a workaround for anyone else affected by the same issue, noting
> the caveat is it will apply on every run -
>
> ```
> class profile::puppetdb inherits puppetdb {
>   contain puppetdb
>   contain puppetdb::master::config
>
>   file {
>     $ssl_dir:
>       ensure => directory,
>       owner  => $puppetdb_user,
>       group  => $puppetdb_group,
>       mode   => '0700';
>     $ssl_key_path:
>       ensure => file,
>       owner  => $puppetdb_user,
>       group  => $puppetdb_group,
>       mode   => '0640';
>     $ssl_cert_path:
>       ensure => file,
>       owner  => $puppetdb_user,
>       group  => $puppetdb_group,
>       mode   => '0644';
>     $ssl_ca_cert_path:
>       ensure => file,
>       owner  => $puppetdb_user,
>       group  => $puppetdb_group,
>       mode   => '0644';
>   }
> }
> ```
>
>
> On Tuesday, February 2, 2021 at 10:00:43 AM UTC+11 comport3 wrote:
>
>> Trying to fix the problem with "chattr +i *pem" results in Puppet
>> breaking fairly spectacularly, output:
>> ```
>> Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>> Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>> Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>> Error: /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>> Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>> Error: /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>> Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> Error: Could not prepare for execution: Got 3 failure(s) while initializing: File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem; File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>> ```
>>
>> On Monday, February 1, 2021 at 1:35:02 PM UTC+11 comport3 wrote:
>>
>>> It seems the puppet agent, when invoked by the service or manually, is
>>> resetting the permissions on the files in the puppetdb ssldir
>>> (/etc/puppetlabs/puppetdb/ssl/*.pem) from puppetdb:puppetdb to
>>> puppet:puppet AND the mode on the 'private.pem' file to 0640, which means
>>> the next time the puppetdb service attempts to start, it fails due to a
>>> lack of permission.
>>>
>>> This only seems to have come up in the past week or so, as we've only
>>> just started observing it, and causing problems. We have a temporary
>>> workaround where we chown the files back to puppetdb, start PuppetDB and
>>> that's fine, but next puppet agent invocation causes the above issue.
>>>
>>> Has anyone else observed this problem? Is it a bug?
>>>
>>
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/e4f77f53-262b-4398-ada5-dce23ec4785an%40googlegroups.com.
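The symptom in this thread is silent ownership and mode drift on PuppetDB's ssldir between agent runs, noticed only when the service fails to start. The script below is an added example (not code from the thread or from the puppetdb module) that audits such a directory for exactly that drift so it can be caught by a cron job or a monitoring check before the next restart. It assumes GNU coreutils `stat -c`, a flat directory of `*.pem` files with the key named `private.pem` (as in the thread's path), and that the expected owner and group are passed as numeric ids, e.g. `$(id -u puppetdb)` and `$(id -g puppetdb)`; the directory path and the `DRIFT:` output format are the example's own choices.

```shell
#!/bin/sh
# Added example: audit a PuppetDB-style ssl directory for ownership/mode drift.
# Assumes GNU coreutils `stat -c` (Linux). Not part of the thread or the module.
#
# audit_ssl_dir DIR UID GID
#   For every DIR/*.pem:
#     - numeric owner must equal UID and numeric group must equal GID
#     - private.pem must have no group/other bits at all (mode & 077 == 0)
#     - every other .pem must not be group/other writable (mode & 022 == 0)
#   Prints one "DRIFT: ..." line per finding; returns 0 if clean, 1 otherwise.
audit_ssl_dir() {
    dir=$1
    want_uid=$2
    want_gid=$3
    rc=0
    found=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue          # unmatched glob stays literal: skip it
        found=1
        # stat prints: numeric uid, numeric gid, octal mode without leading zero
        set -- $(stat -c '%u %g %a' "$f")
        uid=$1; gid=$2; mode=$3
        if [ "$uid" != "$want_uid" ]; then
            echo "DRIFT: $f owner uid is $uid, expected $want_uid"; rc=1
        fi
        if [ "$gid" != "$want_gid" ]; then
            echo "DRIFT: $f group gid is $gid, expected $want_gid"; rc=1
        fi
        # Prefix the mode with 0 so the shell parses it as octal.
        case $(basename "$f") in
            private.pem)
                if [ $((0$mode & 0077)) -ne 0 ]; then
                    echo "DRIFT: $f mode $mode exposes the private key to group/other"; rc=1
                fi ;;
            *)
                if [ $((0$mode & 0022)) -ne 0 ]; then
                    echo "DRIFT: $f mode $mode is group/other writable"; rc=1
                fi ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "DRIFT: no .pem files found in $dir"; rc=1
    fi
    return $rc
}

# Stand-alone usage (assumed path and user; adjust to your host):
#   sh audit_ssl_dir.sh /etc/puppetlabs/puppetdb/ssl "$(id -u puppetdb)" "$(id -g puppetdb)"
if [ "$#" -gt 0 ]; then
    audit_ssl_dir "$@"
fi
```

Running it from cron right after each scheduled agent run, and alerting on a non-zero exit, turns the "PuppetDB won't start" surprise into a drift report that names the file and the bit that changed; comparing numeric ids rather than names also sidesteps the `'998'` style confusion when a uid exists on the box without a matching group entry.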