Forge ACL Module 1.1.1 on Windows 7 x64 SP1


jmp242

Sep 24, 2015, 12:25:55 PM
to Puppet Users
So per my previous post, I'm now trying to replace the file POSIX permissions with ACLs. I'm apparently missing something though. I want to replicate what I had before in the new supported method, i.e.:
        owner   => 'SYSTEM',
        group   => 'Administrators',
        mode    => '0775',

So I tried doing:
acl { 'chocolatey.config':
  target      => 'C:/ProgramData/chocolatey/config/chocolatey.config',
  purge       => false,
  permissions => [
    {
      identity    => 'SYSTEM',
      rights      => ['full'],
      perm_type   => 'allow',
      child_types => 'all',
      affects     => 'all'
    },
    {
      identity    => 'Administrators',
      rights      => ['full'],
      perm_type   => 'allow',
      child_types => 'all',
      affects     => 'all'
    },
    {
      identity    => 'Users',
      rights      => ['read', 'execute'],
      perm_type   => 'allow',
      child_types => 'all',
      affects     => 'all'
    },
  ],
  owner       => 'SYSTEM', # Creator_Owner specific, doesn't manage unless specified
  group       => 'Administrators', # Creator_Group specific, doesn't manage unless specified
  inherit_parent_permissions => true,
  require     => File['chocolatey.config'],
}


As I understand the documentation, this seems to map, mind you - being far more verbose and complicated - to the original permissions. However, I get errors:
Could not evaluate: The parameter is incorrect. - ReportEvent

This doesn't really help me figure out what I did wrong here...

Rob Reynolds

Sep 25, 2015, 7:12:42 AM
to puppet...@googlegroups.com
Sure, it's a LOT more verbose if you add all of the defaults in. Leaving out the defaults and considering that acl already does autorequires on a file with the same path (we'll leave the requires in), this looks a lot better:

acl { 'c:/ProgramData/chocolatey/config/chocolatey.config':
  permissions => [
   { identity => 'SYSTEM', rights => ['full']},
   { identity => 'Administrators', rights => ['full']},
   { identity => 'Users', rights => ['read', 'execute']},
  ],
  require     => File['chocolatey.config'],
}


 
However, I get errors:

Could not evaluate: The parameter is incorrect. - ReportEvent

This doesn't really help me figure out what I did wrong here...


Not really sure what caused this. Might be good to see this with a `--debug --trace --verbose` run to see what may be causing the issue.

 


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/a49f14bc-6804-4ba8-a033-752a6da2a9cb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Rob Reynolds
Developer, Puppet Labs

PuppetConf 2015 is right around the corner! Join us October 5-9 in Portland, OR. Register now.

jmp242

Sep 25, 2015, 3:31:51 PM
to Puppet Users
Well . . . It doesn't give me anything else helpful. Out of 142KB of log, this seems relevant:

 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["mask_specific"], mask => '2032063', affects => 'self_only' },
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["write", "read", "execute"], affects => 'self_only' },
 { identity => 'Everyone', rights => ["read", "execute"], affects => 'self_only' }
] to [
 { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
 { identity => 'BUILTIN\Administrators', rights => ["full"], affects => 'self_only' },
 { identity => 'BUILTIN\Users', rights => ["read", "execute"], affects => 'self_only' },
 { identity => 'Everyone', rights => ["read", "execute"], affects => 'self_only' }
]
Error: /Stage[main]/Yum/Acl[chocolatey.config]: Could not evaluate: The parameter is incorrect. - ReportEvent


The { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' }, repeats several hundred times that I didn't bother to paste here.

I am going to test with your simpler version to see if it makes a difference...
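
An added example, not part of the original post or of the acl module: Ruby that parses an ACE change message of the shape quoted above and counts repeated entries, so a duplicated ACE and the entries still to be added stand out without reading the whole log. The sample message is constructed and shortened, and the helper names (`parse_aces`, `split_change`, `duplicate_aces`, `summarize`) are hypothetical.

```ruby
# Added example, not from the thread: count repeated ACEs in a
# "[ ... ] to [ ... ]" permissions change message from a Puppet debug log.

# One ACE as printed in the log; the mask field only appears for mask_specific.
ACE_RE = /\{\s*identity\s*=>\s*'([^']+)',\s*rights\s*=>\s*\[([^\]]*)\]
          (?:,\s*mask\s*=>\s*'(\d+)')?,\s*affects\s*=>\s*'([^']+)'\s*\}/x

# Constructed sample in the shape of the log quoted in the post (shortened).
SAMPLE = <<~'LOG'
  [
   { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
   { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
   { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
   { identity => 'NT AUTHORITY\SYSTEM', rights => ["mask_specific"], mask => '2032063', affects => 'self_only' },
   { identity => 'Everyone', rights => ["read", "execute"], affects => 'self_only' }
  ] to [
   { identity => 'NT AUTHORITY\SYSTEM', rights => ["full"], affects => 'self_only' },
   { identity => 'BUILTIN\Administrators', rights => ["full"], affects => 'self_only' },
   { identity => 'BUILTIN\Users', rights => ["read", "execute"], affects => 'self_only' },
   { identity => 'Everyone', rights => ["read", "execute"], affects => 'self_only' }
  ]
LOG

# Turn every ACE found in the text into a hash.
def parse_aces(text)
  text.scan(ACE_RE).map do |identity, rights, mask, affects|
    { identity: identity, rights: rights.scan(/"([^"]+)"/).flatten,
      mask: mask, affects: affects }
  end
end

# Split the message at "] to [" into the current and the desired ACE lists.
def split_change(message)
  current, desired = message.split(/\]\s*to\s*\[/, 2)
  [parse_aces(current.to_s), parse_aces(desired.to_s)]
end

# ACEs that occur more than once, mapped to their occurrence count.
def duplicate_aces(aces)
  counts = aces.each_with_object(Hash.new(0)) { |ace, seen| seen[ace] += 1 }
  counts.select { |_ace, n| n > 1 }
end

def summarize(message)
  current, desired = split_change(message)
  { current_total: current.size,
    current_unique: current.uniq.size,
    duplicates: duplicate_aces(current).map { |ace, n| [ace[:identity], ace[:rights], n] },
    to_add: (desired - current).map { |ace| ace[:identity] } }
end

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp summarize(SAMPLE)
end
```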

jmp242

Sep 25, 2015, 6:31:43 PM
to Puppet Users
I tried with the simplified version:
acl { 'chocolatey.config':
  target      => 'C:/ProgramData/chocolatey/config/chocolatey.config',

  permissions => [
    {
      identity => 'SYSTEM',
      rights   => ['full']
    },

    {
      identity => 'Administrators',
      rights   => ['full']
    },

    {
      identity => 'Users',
      rights   => ['read', 'execute']
    },
  ],

  require     => File['chocolatey.config'],
}

I got the same error. Unless the problem is using target=>

I'm at a loss....

Rob Reynolds

Sep 25, 2015, 8:39:12 PM
to puppet...@googlegroups.com
So let's remove target and give it a shot. 

acl { 'c:/ProgramData/chocolatey/config/chocolatey.config':


Rob Reynolds

Sep 25, 2015, 8:39:35 PM
to puppet...@googlegroups.com
Actually I just went back and looked

Error: /Stage[main]/Yum/Acl[chocolatey.config]: Could not evaluate: The parameter is incorrect. -ReportEvent

Yum?

jmp242

Sep 28, 2015, 5:34:36 PM
to Puppet Users
And I removed the "target" and put it in the ACL name as you showed, and get the same error.

Rob Reynolds

Sep 28, 2015, 7:19:50 PM
to puppet...@googlegroups.com
Can you address the yum bit?


jmp242

Sep 29, 2015, 7:43:46 PM
to Puppet Users
Sure, that's perhaps misleading a little - our internal custom puppet module is called yum as it was created for EL6 first. When we got a package manager on Windows, i.e. chocolatey, it seemed to make sense to put it in the Windows section of the yum module. By that I mean we have a switch on kernel in our modules. Here's the complete module:
class yum ($choco_repo_url, $choco_repo_name) {
  schedule { 'monday_updates':
    range   => '22:00 - 12:00',
    weekday => 'Monday',
  }

  schedule { 'tuesday_updates':
    range   => '10:00 - 12:00',
    weekday => 'Tuesday',
  }

  schedule { 'daily_updates':
    period => daily,
    range  => '22:00-3:00',
  }

  define repo {
    file { "${title}":
      path   => "/etc/yum.repos.d/${title}",
      source => "puppet:///modules/${caller_module_name}/${title}",
      ensure => 'present',
      owner  => root,
      group  => root,
      mode   => "644",
      notify => Exec["yum-clean-all"],
    }

  }

  case $kernel {
    'linux'   : {
      package { 'yum': ensure => present, }

      package { 'yum-autoupdate': ensure => present, }

      repo { "sl-classe.repo": }

      file { "sl-classe-testing":
        content => template('yum/sl-classe-testing.repo.erb'),
        path    => "/etc/yum.repos.d/sl-classe-testing.repo",
        owner   => root,
        group   => root,
        mode    => 644,
        ensure  => present,
        notify  => Exec["yum-clean-all"],
      }

      file { "yum.conf":
        source => "puppet:///modules/yum/yum.conf",
        path   => "/etc/yum.conf",
        owner  => root,
        group  => root,
        mode   => 644,
        ensure => present,
      }

      file { "sl-lepp":
        path   => "/etc/yum.repos.d/sl-lepp.repo",
        ensure => absent,
      }

      file { "sl-lepp-testing":
        path   => "/etc/yum.repos.d/sl-lepp-testing.repo",
        ensure => absent,
      }

      exec { "yum-clean-all":
        command     => "yum clean all",
        refreshonly => true,
      }

      case $operatingsystemmajrelease {
        '6' : {
          $sl6repos = ["devtoolset.repo", "sl-other.repo", "sl.repo"]

          repo { $sl6repos: }

          file { "softwarecollections":
            source => "puppet:///modules/yum/sl6-softwarecollections.repo",
            path   => "/etc/yum.repos.d/softwarecollections.repo",
            owner  => root,
            group  => root,
            mode   => 644,
            ensure => present,
            notify => Exec["yum-clean-all"],
          }

          exec { "yum-autoupdate":
            command => "mv /etc/cron.daily/yum-autoupdate /etc/cron.weekly/yum-autoupdate",
            onlyif  => "[ -f /etc/cron.daily/yum-autoupdate ]",
          }

          file { "/etc/cron.daily/yum-autoupdate": ensure => absent, }

          file { "/etc/cron.weekly/yum-autoupdate": ensure => present, }
          Exec['yum-autoupdate'] -> File['/etc/cron.daily/yum-autoupdate'] -> File['/etc/cron.weekly/yum-autoupdate']

        }
        '7' : {
          packages::removepackage { "yum-conf-sl7x": }

          $sl7repos = [
            "sl7-other.repo",
            "sl7.repo",
            "sl-extras.repo",
            "sl7-security.repo",
            "sl7-fastbugs.repo",
            "sl7-rolling.repo",
            "sl7-testing.repo"]

          repo { $sl7repos: }

          file { "softwarecollections":
            source => "puppet:///modules/yum/sl7-softwarecollections.repo",
            path   => "/etc/yum.repos.d/sl-softwarecollections.repo",
            owner  => root,
            group  => root,
            mode   => 644,
            ensure => present,
            notify => Exec["yum-clean-all"],
          }

          exec { "yum-autoupdate":
            command => "mv /etc/cron.daily/0yum-daily.cron /etc/cron.weekly/0yum-daily.cron",
            onlyif  => "[ -f /etc/cron.daily/0yum-daily.cron ]",
          }

          file { "/etc/cron.daily/0yum-daily.cron": ensure => absent, }

          file { "/etc/cron.weekly/0yum-daily.cron": ensure => present, }
          Exec['yum-autoupdate'] -> File['/etc/cron.daily/0yum-daily.cron'] -> File['/etc/cron.weekly/0yum-daily.cron']

        }
      }
    }
    'windows' : {
      exec { 'chocolatelyinstall':
        command  => '$((iex ((new-object net.webclient).DownloadString("https://chocolatey.org/install.ps1")))>$null 2>&1)',
        unless   => 'if (Test-Path C:\ProgramData\chocolatey){ exit 0 } else { exit 1}',
        provider => powershell,
      }

      file { 'chocolatey.config':
        path    => "C:/ProgramData/chocolatey/config/chocolatey.config",
        content => template('yum/chocolatey.config.erb'),
        ensure  => present,
      }

      acl { 'C:/ProgramData/chocolatey/config/chocolatey.config':

Rob Reynolds

Sep 30, 2015, 7:38:49 PM
to puppet...@googlegroups.com
Thanks. I'm surprised that a 'puppet agent --trace --debug --verbose' didn't turn up any more information about the error.

Can you remind me again what version of Puppet you have installed?

And the modules, `puppet module list`. How are you installing these modules by the way?



jmp242

Oct 1, 2015, 1:09:39 PM
to Puppet Users
Puppet 3.8.1 on Windows currently. puppet module list doesn't return anything for me. I'm downloading the zip file and unzipping the module into a folder. I then copy the folder into my local dev modules directory using Geppetto, and doing the same for any dependencies. I then check into our SVN the modules, and tag them with the version they are from forge if public, or an internal version for our custom modules. I then check out the tag or svn switch to the latest tag on the puppet server dev module directory.

Rob Reynolds

Oct 15, 2015, 4:27:34 AM
to puppet...@googlegroups.com
On Thu, Oct 1, 2015 at 8:09 AM, jmp242 <jp1...@gmail.com> wrote:
Puppet 3.8.1 on Windows currently. puppet module list doesn't return anything for me. I'm downloading the zip file and unzipping the module into a folder. I then copy the folder into my local dev modules directory using Geppetto, and doing the same for any dependencies. I then check into our SVN the modules, and tag them with the version they are from forge if public, or an internal version for our custom modules. I then check out the tag or svn switch to the latest tag on the puppet server dev module directory.

Ah okay. I'm wondering what might cause issues surrounding 3.8.1 and ACL provider. An ACE with the same structure 142 times though, I'm wondering if there is a memory issue there. 
 


jmp242

Oct 15, 2015, 12:54:59 PM
to Puppet Users
I will try 1.8.3 to see if it makes a difference. Because I use Foreman, I can't go to Puppet 4 yet...

jmp242

Oct 15, 2015, 2:53:46 PM
to Puppet Users
The update to puppet 3.8.3 seemed to fix my problem. So now to upgrade puppet.

jmp242

Oct 19, 2015, 3:10:13 PM
to Puppet Users
Hmm, so on one test computer, the upgrade to puppet 3.8.3 fixed the issue. On the second test computer, it didn't - everything remains the same, but getting the same repeated ACE...



Rob Reynolds

Nov 4, 2015, 6:32:07 PM
to puppet...@googlegroups.com
On Mon, Oct 19, 2015 at 10:10 AM, jmp242 <jp1...@gmail.com> wrote:
Hmm, so on one test computer, the upgrade to puppet 3.8.3 fixed the issue. On the second test computer, it didn't - everything remains the same, but getting the same repeated ACE...

What does 'cacls folderlocation' return?
 


jmp242

Nov 9, 2015, 8:22:11 PM
to Puppet Users
Ok, sorry everyone for a false alarm. I finally figured this out - something I thought wouldn't be relevant at all, hence my failure to mention, but what happened is this. I have a module that is applied via the Foreman ENC. It uses the acl module as a "puppet feature extension" (I don't know the official term for these sorts of forge modules). The ACL module is never applied to a host group or host via the Foreman "puppet classes". So I hadn't imported it into Foreman. This apparently is a problem. I was building a new module today, and happened to say "why not import the acl module while I'm here?" and did. Bam, ACL module now works.

I apparently still don't totally understand how the ENC -> Puppet works wrt modules that aren't directly applied. Now in my notes for the future!

jmp242

Nov 10, 2015, 1:22:18 PM
to Puppet Users
Ok, well, it was on one test computer. On others it's giving the same error, but I think the parameter issue is actually specific to the existing file / permissions. I moved the file and re-ran puppet, which as part of the manifest re-created the file and could set permissions fine. It seems like there is some issue with a certain permissions set that causes me issues with ACL module. Specifically, the original file doesn't have any user permissions set. I'm wondering if that is the issue?

Rob Reynolds

Nov 30, 2015, 9:48:19 PM
to puppet...@googlegroups.com
On Tue, Nov 10, 2015 at 7:22 AM, jmp242 <jp1...@gmail.com> wrote:
Ok, well, it was on one test computer. On others it's giving the same error, but I think the parameter issue is actually specific to the existing file / permissions. I moved the file and re-ran puppet, which as part of the manifest re-created the file and could set permissions fine. It seems like there is some issue with a certain permissions set that causes me issues with ACL module. Specifically, the original file doesn't have any user permissions set. I'm wondering if that is the issue?

That's an interesting one and probably worth capturing as a ticket. Can you expand on that one just a bit more? Like icacls reports no permissions at all? Or right clicking, selecting Properties, and going to the Security tab is completely empty?

Or just that Puppet wouldn't have permissions to the file?
 
