Jira (PUP-10896) Puppet users with forcelocal are no longer idempotent


Trey Dockendorf (Jira)

Feb 10, 2021, 8:37:03 AM
to puppe...@googlegroups.com
Trey Dockendorf updated an issue
 
Puppet / Bug PUP-10896
Puppet users with forcelocal are no longer idempotent
Change By: Trey Dockendorf
*Puppet Version:* 7.4.0 and 6.21.0
*Puppet Server Version:* Masterless to demonstrate issue
*OS Name/Version:* CentOS 7

Defining a `forcelocal` user results in Puppet constantly
wanting to change the GID for the user.

*Desired Behavior:*

Idempotent apply of forcelocal user.


*Actual Behavior:*


{noformat}
[root@23aff6d4a202 /]# cat user-group.pp
user { 'keycloak':
  ensure     => 'present',
  name       => 'keycloak',
  forcelocal => true,
  shell      => '/sbin/nologin',
  gid        => 'keycloak',
  uid        => undef,
  home       => '/var/lib/keycloak',
  managehome => true,
  system     => true,
}
group { 'keycloak':
  ensure     => 'present',
  name       => 'keycloak',
  forcelocal => true,
  gid        => undef,
  system     => true,
}
[root@23aff6d4a202 /]# puppet apply user-group.pp
Notice: Compiled catalog for 23aff6d4a202 in environment production in 0.01 seconds
Notice: /Stage[main]/Main/Group[keycloak]/ensure: created
Notice: /Stage[main]/Main/User[keycloak]/ensure: created
Notice: Applied catalog in 0.04 seconds
[root@23aff6d4a202 /]# puppet apply user-group.pp
Notice: Compiled catalog for 23aff6d4a202 in environment production in 0.01 seconds
Notice: /Stage[main]/Main/User[keycloak]/gid: gid changed '13' to 'keycloak'
Notice: Applied catalog in 0.02 seconds

{noformat}

I am fairly certain the issue resides in this change: https://tickets.puppetlabs.com/browse/PUP-10857

Trey Dockendorf (Jira)

Feb 10, 2021, 8:37:04 AM
to puppe...@googlegroups.com
Trey Dockendorf created an issue
Issue Type: Bug
Affects Versions: PUP 7.4.0, PUP 6.21.0
Assignee: Unassigned
Created: 2021/02/10 5:36 AM
Priority: Major
Reporter: Trey Dockendorf

Puppet Version: 7.4.0 and 6.21.0
Puppet Server Version: Masterless to demonstrate issue
OS Name/Version: CentOS 7

Defining a `forcelocal` user results in Puppet constantly wanting to change the GID for the user.

Desired Behavior:

Idempotent apply of forcelocal user.

Actual Behavior:

I am fairly certain the issue resides in this change: https://tickets.puppetlabs.com/browse/PUP-10857

Trey Dockendorf (Jira)

Feb 10, 2021, 8:38:03 AM
to puppe...@googlegroups.com
Trey Dockendorf commented on Bug PUP-10896
 
Re: Puppet users with forcelocal are no longer idempotent

This issue was not present with previous versions of Puppet. I have numerous modules with acceptance tests using code similar to this and Puppet 6.20.0 and Puppet 7.3.0 did not have this issue. I also do not see this issue on any of my Puppet 5 acceptance tests.

Mihai Buzgau (Jira)

Feb 10, 2021, 12:10:03 PM
to puppe...@googlegroups.com

Trey Dockendorf (Jira)

Feb 10, 2021, 12:14:02 PM
to puppe...@googlegroups.com

For the longest time it has been possible to assign a user to a group using that group's name since it's not always the case a module will enforce a specific GID or UID. It looks like based on this commit: https://github.com/puppetlabs/puppet/commit/0cd7bcefa47b90f3c8d24e60479f41766cbc04f3 the logic was changed to force the gid property to be a numeric ID when using forcelocal=true which I would consider a breaking change since that was not the behavior prior to this commit.

From the documentation on the "gid" property:

The user’s primary group. Can be specified numerically or by name.

Changing the behavior of a core type property in a feature release seems like not a great idea and should be reconsidered and reverted to the previous behavior or the logic for getting local users should be better about mapping a GID to a name and allowing it to be either numeric or a name like was previously allowed. Forcing the use of a numeric ID would essentially make it impossible for module authors to create users and set the primary group when using "forcelocal" without also forcing a GID be provided.
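
A simplified model of the name-versus-numeric gid comparison discussed in the comment above, added here as an example; it is not Puppet's provider code and not from any participant in the thread. It assumes the non-idempotence comes from comparing the gid string read from the local passwd file against a desired gid resolved to an integer; the file contents (apart from gid 13, taken from the log in the report) and all helper names are constructed.

```ruby
# Simplified model of a local-only gid in-sync check; not Puppet's provider code.
# Constructed sample files: gid 13 matches the log in the report, the rest is made up.
PASSWD = <<~EOS
  root:x:0:0:root:/root:/bin/bash
  keycloak:x:997:13::/var/lib/keycloak:/sbin/nologin
  broken:x:998:::/nonexistent:/sbin/nologin
EOS
GROUP = <<~EOS
  root:x:0:
  keycloak:x:13:
EOS

# Return the fields of the first line whose name column matches, or nil.
def find_entry(text, name)
  text.each_line.map { |l| l.chomp.split(':', -1) }.find { |f| f[0] == name }
end

# Current gid exactly as stored in the passwd file: a String such as "13".
def local_gid_raw(user)
  entry = find_entry(PASSWD, user)
  entry && entry[3]
end

# Current gid as an Integer. Integer() raises on "" or "abc", whereas
# String#to_i would quietly turn them into 0, the root group.
def local_gid(user)
  raw = local_gid_raw(user)
  raw && Integer(raw, 10)
end

# Desired gid from the manifest: Integer, numeric String, or a local group name.
def desired_gid(value)
  return value if value.is_a?(Integer)
  return Integer(value, 10) if value.match?(/\A\d+\z/)
  entry = find_entry(GROUP, value)
  entry && Integer(entry[2], 10)
end

# The resource is in sync only when both sides are the same numeric gid.
def in_sync?(current, should)
  !current.nil? && current == desired_gid(should)
end

puts in_sync?(local_gid_raw('keycloak'), 'keycloak') # string vs integer
puts in_sync?(local_gid('keycloak'), 'keycloak')     # integer vs integer
```

The first check reports a change on every run because `'13' == 13` is false in Ruby; normalising both sides to integers makes the name `keycloak` and the stored gid compare equal.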

Mihai Buzgau (Jira)

Feb 10, 2021, 12:26:03 PM
to puppe...@googlegroups.com

Mihai Buzgau (Jira)

Feb 10, 2021, 12:26:03 PM
to puppe...@googlegroups.com

Trey Dockendorf (Jira)

Feb 10, 2021, 12:29:03 PM
to puppe...@googlegroups.com
 
Re: Puppet users with forcelocal are no longer idempotent

Found a solution that works with my example test case:

@@ -104,7 +104,7 @@
 
   def localgid
     user = finduser(:account, resource[:name])
-    return user[:gid] if user
+    return user[:gid].to_i if user
     false
   end
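
Review bot: On the added `return user[:gid].to_i if user` line, `to_i` on a string returns 0 for an empty or non-numeric field, and 0 is the root group's GID, so a malformed local entry would be reported as gid 0 instead of failing. Consider `Integer(user[:gid], 10)` with an explicit error path. The method also still returns `false` when no user is found, so callers receive either an Integer or `false`; a spec covering both the found and not-found cases would pin down what the comparison is meant to see.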

I will open a pull request

Mihai Buzgau (Jira)

Feb 10, 2021, 12:32:02 PM
to puppe...@googlegroups.com
Mihai Buzgau commented on Bug PUP-10896

Trey Dockendorf we do consider this as a regression and we've already implemented a fix here: https://github.com/puppetlabs/puppet/pull/8511

We're shooting for a new release in the next couple of days

Josh Cooper (Jira)

Feb 12, 2021, 12:04:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Fix Version/s: PUP 7.4.1

Josh Cooper (Jira)

Feb 12, 2021, 12:09:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.21.1

Josh Cooper (Jira)

Feb 12, 2021, 12:13:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10896
 
Re: Puppet users with forcelocal are no longer idempotent

Passed CI in c683110fc0c376d226750c2898ea724c33d75791

Gabriel Nagy (Jira)

Feb 15, 2021, 3:04:03 AM
to puppe...@googlegroups.com

Gabriel Nagy (Jira)

Feb 15, 2021, 3:04:03 AM
to puppe...@googlegroups.com
Gabriel Nagy updated an issue
Change By: Gabriel Nagy
Release Notes: Bug Fix
Release Notes Summary: Fix a regression where setting the `gid` parameter on a user resource with `forcelocal` on is not idempotent.

Claire Cadman (Jira)

Feb 15, 2021, 5:26:03 AM
to puppe...@googlegroups.com