The files '/etc/puppetlabs/puppet/ssl/private_keys/hostname.pem' and 
'/etc/puppetlabs/puppetdb/ssl/private.pem' seem to be linked to each other 
somehow.
Not symlinked or hardlinked (which can have different owner/permission) but 
something else I can't figure out.
Changing the ownership or mode on one file consistently impacts the other 
one.

Help ?!

On Tuesday, February 2, 2021 at 3:18:17 PM UTC+11 comport3 wrote:

> EDIT: Do NOT use the previously provided workaround. For reasons I DO NOT 
> currently understand, it's also changing the ownership of the private key 
> located in '/etc/puppetlabs/puppet/ssl/private_keys/*pem'
>
> Not sure what to do next - downgrade? File a bug report?
>
> On Tuesday, February 2, 2021 at 11:12:04 AM UTC+11 comport3 wrote:
>
>> Here is a workaround for anyone else affected by the same issue, noting 
>> the caveat is it will apply on every run -
>>
>> ```puppet
>> # $ssl_dir, $ssl_key_path, $ssl_cert_path, $ssl_ca_cert_path, $puppetdb_user
>> # and $puppetdb_group are parameters of the inherited puppetdb class.
>> class profile::puppetdb inherits puppetdb {
>>   contain puppetdb
>>   contain puppetdb::master::config
>>   file {
>>     $ssl_dir:
>>       ensure => directory,
>>       owner  => $puppetdb_user,
>>       group  => $puppetdb_group,
>>       mode   => '0700';
>>     $ssl_key_path:
>>       ensure  => file,
>>       owner   => $puppetdb_user,
>>       group   => $puppetdb_group,
>>       mode    => '0640';
>>     $ssl_cert_path:
>>       ensure  => file,
>>       owner   => $puppetdb_user,
>>       group   => $puppetdb_group,
>>       mode    => '0644';
>>     $ssl_ca_cert_path:
>>       ensure  => file,
>>       owner   => $puppetdb_user,
>>       group   => $puppetdb_group,
>>       mode    => '0644';
>>   }
>> }
>> ```
>>
>>
>> On Tuesday, February 2, 2021 at 10:00:43 AM UTC+11 comport3 wrote:
>>
>>> Trying to fix the problem with "chattr +i *pem" results in Puppet 
>>> breaking fairly spectacularly, output:
>>> ```
>>> Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
>>> Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
>>> Error: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/owner: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/group: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> Error: Could not prepare for execution: Got 3 failure(s) while initializing: File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem; File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
>>> ```
>>>
>>> On Monday, February 1, 2021 at 1:35:02 PM UTC+11 comport3 wrote:
>>>
>>>>
>>>> It seems the puppet agent, when invoked by the service or manually, is 
>>>> resetting the permissions on the files in the puppetdb ssldir 
>>>> (/etc/puppetlabs/puppetdb/ssl/*.pem) from puppetdb:puppetdb to 
>>>> puppet:puppet AND the mode on the 'private.pem' file to 0640, which means 
>>>> the next time the puppetdb service attempts to start, it fails due to a 
>>>> lack of permission.
>>>>
>>>> This only seems to have come up in the past week or so, as we've only 
>>>> just started observing it, and causing problems. We have a temporary 
>>>> workaround where we chown the files back to puppetdb, start PuppetDB and 
>>>> that's fine, but next puppet agent invocation causes the above issue.
>>>>
>>>> Has anyone else observed this problem? Is it a bug?
>>>>
>>>
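
A diagnostic for the puzzle in the top message (two key files whose owner and mode change together without an obvious symlink or hardlink). This is an added example, not code from the thread: it tells same-inode (hard link), symlink and bind-mount cases apart, and the two puppet/puppetdb paths are only suggested arguments. It also shows the immutable attribute, since the thread tried `chattr +i`.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Reports whether two paths are really
# one inode (hard link), one resolved target (symlink), or one file seen
# through a bind mount. Run on constructed files in demo() so it works offline.

# "same" if both paths resolve to the same device and inode, else "different".
# The -ef test follows symlinks and compares device+inode (bash, dash, busybox).
same_inode() {
  if [ "$1" -ef "$2" ]; then echo same; else echo different; fi
}

# Fuller report: owner/mode, symlink target, device:inode, immutable flag and
# the mount backing each path. A bind mount shows the same device:inode under
# two different mount points; that is the case a plain ls never reveals.
explain_link() {
  for f in "$1" "$2"; do
    printf '== %s\n' "$f"
    ls -ld "$f"
    if [ -L "$f" ]; then printf 'symlink -> %s\n' "$(readlink -f "$f")"; fi
    printf 'device:inode = %s\n' "$(stat -c '%d:%i' "$f" 2>/dev/null || echo '?')"
    if command -v lsattr >/dev/null 2>&1; then lsattr -d "$f" 2>/dev/null; fi
    if command -v findmnt >/dev/null 2>&1; then
      printf 'mount        = %s\n' "$(findmnt -n -o SOURCE,TARGET --target "$f")"
    fi
  done
  printf 'verdict: %s inode\n' "$(same_inode "$1" "$2")"
}

# Constructed demo: a hard link (one inode, two names) and a plain copy
# (separate inode). Returns "same different".
demo() {
  d=$(mktemp -d)
  printf 'KEY' > "$d/private.pem"
  ln "$d/private.pem" "$d/hostname.pem"
  cp "$d/private.pem" "$d/copy.pem"
  a=$(same_inode "$d/private.pem" "$d/hostname.pem")
  b=$(same_inode "$d/private.pem" "$d/copy.pem")
  rm -rf "$d"
  echo "$a $b"
}

# Real use on a puppetserver host (paths from the thread):
# explain_link /etc/puppetlabs/puppet/ssl/private_keys/hostname.pem \
#              /etc/puppetlabs/puppetdb/ssl/private.pem
```

Once the files are known to be one inode or not, `puppet agent -t --noop` shows which File resource the agent intends to change before it touches ownership again.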
