Jira (PUP-9366) puppet apply mangle /etc/puppet/ssl files ownership and permission.


Sofer Athlan-Guyot (JIRA)

Dec 18, 2018, 7:57:02 AM
to puppe...@googlegroups.com
Sofer Athlan-Guyot created an issue
Puppet / Bug PUP-9366
puppet apply mangle /etc/puppet/ssl files ownership and permission.
Issue Type: Bug
Affects Versions: PUP 5.5.6
Assignee: Unassigned
Components: CLI
Created: 2018/12/18 4:56 AM
Priority: Normal
Reporter: Sofer Athlan-Guyot

Hi,

I've mounted /etc/puppet:ro inside a container, and the puppet uid/gid is not in sync between host and container. I just run `puppet apply` inside the container, but `puppet apply` fails because it cannot adjust the ownership inside the container, as the directory is mounted ro.


To replicate that behavior:

```
chown 88888 /etc/puppet/ssl/certs
puppet apply --debug -e 'notify{"blah":}'
ls -lrthd /etc/puppet/ssl/certs
```

Then /etc/puppet/ssl/certs is back to the puppet uid.


So the question here is: why would puppet apply need to mangle the /etc/puppet/ssl directory, as it doesn't use those files because it's masterless? Or am I missing something?


It's kinda problematic in the container world, where uid/gid matching is often troublesome (name mapping is not an option in the env I'm working on).


Currently I bind-mount /etc/puppet/ssl rw from a dummy directory on the host. Is that a security issue by any stretch of the mind in that use case?


All in all I wish we could at least tell puppet apply to not touch those files at all if it's possible.
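A small check, added here and not part of the ticket or of Puppet itself, that records owner, group and mode of everything under a directory, runs a command, and prints exactly which entries changed; it lets you confirm whether a masterless run touches the ssldir at all before deciding on the ro bind-mount. It assumes GNU coreutils `stat` and `find`, and the directory (e.g. /etc/puppet/ssl from the report) is passed explicitly.

```shell
#!/bin/sh
# Added example (not from the ticket): detect ownership/permission drift under a
# directory across a command run. Requires GNU stat (-c) and find.

# Print "path uid gid mode" for every entry under $1, sorted so two snapshots compare line-by-line.
snapshot_perms() {
    find "$1" -exec stat -c '%n %u %g %a' {} + | LC_ALL=C sort
}

# Usage: perm_drift DIR CMD [ARGS...]
# Snapshot DIR, run CMD (its stdout is sent to stderr so the report stays clean),
# snapshot again, and print one line per changed entry:
#   "< path uid gid mode" is the state before, "> path uid gid mode" the state after.
# Returns 0 when nothing under DIR changed, 1 when something did.
perm_drift() {
    dir=$1; shift
    tmp=$(mktemp -d) || return 2
    snapshot_perms "$dir" > "$tmp/before"
    "$@" >&2 || true           # the command's own exit status is not what we are measuring
    snapshot_perms "$dir" > "$tmp/after"
    if cmp -s "$tmp/before" "$tmp/after"; then
        rm -rf "$tmp"
        return 0
    fi
    diff "$tmp/before" "$tmp/after" | grep '^[<>]'
    rm -rf "$tmp"
    return 1
}

# Example run inside the container (the ssldir path is the one from the report):
#   perm_drift /etc/puppet/ssl puppet apply --debug -e 'notify{"blah":}'
```

A non-zero return with no "<"/">" lines means `cmp` saw a change that `diff` filtered; that does not happen with GNU tools, so treat it as a sign the helper is running on a different `stat`.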


Josh Cooper (JIRA)

Dec 20, 2018, 2:16:04 PM
to puppe...@googlegroups.com

So the question here is: why would puppet apply need to mangle the /etc/puppet/ssl directory, as it doesn't use those files because it's masterless?

Some people configure masterless nodes to retrieve classification from an ENC and send reports to puppetserver/puppetdb. By default apply doesn't do those things, and ideally, shouldn't need to manage ssl directories. But puppet doesn't make that distinction.

All in all I wish we could at least tell puppet apply to not touch those files at all if it's possible.

Josh Cooper (JIRA)

Dec 20, 2018, 2:27:02 PM
to puppe...@googlegroups.com

Ethan Brown (JIRA)

Jan 14, 2019, 7:50:03 PM
to puppe...@googlegroups.com
Ethan Brown commented on Bug PUP-9366

I think we're only mapping the PDB ssl directory, and we're not mounting it read only:
https://github.com/puppetlabs/pupperware/blob/master/docker-compose.yml#L50

I don't believe we've run into any problems as a result.

We're providing an agent container, but I don't think we're using things in the same capacity as what is being described here.

Josh Cooper (JIRA)

Dec 12, 2019, 12:43:04 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-9366

Thanks for reporting this issue. However, we haven’t been able to reproduce this against the current version of Puppet, and are closing this issue now as Cannot Reproduce. If you have additional information or reproduction scenarios that may be of use, please comment in this ticket with details.
