consul-template file ownership


Mark Wick

Aug 4, 2017, 4:14:39 PM
to Consul
I'm having an issue where my destination file has ownership x:y but after running template it is changing the ownership to y:y.

According to consul-template issue #461, if the destination file is there and has a specific ownership, that ownership will be retained once consul-template does a replace/update with changed data.

Using consul-template v0.19.0
The ctmpl source file is referencing a vault secret for watching and data replacement on change.

Any help would be appreciated.

Thanks,

Mark

James Phillips

Sep 1, 2017, 9:03:41 PM
to consu...@googlegroups.com
Hi Mark,

It looks like the README might need to be updated around the `perms`
option; in v0.11.0 this was changed
(https://github.com/hashicorp/consul-template/blob/master/CHANGELOG.md#v0110-october-9-2015):

> Previously, Consul Template would inspect the file at the destination path and mirror those file permissions, if a file existed. If a file did not exist, Consul Template would render the file with 0644 permissions. This was acceptable behavior in a pre-Vault world, but now that Consul Template is capable of rendering secrets, there is a desire for increased security. As such, Consul Template no longer mirrors existing destination file permissions. Instead, users can specify the file permissions in the configuration file. Please see the README for examples. If you were previously relying on an existing file's file permissions to enforce the destination file permissions, you must switch to specifying the file permissions in the configuration file. If you were not dependent on this behavior, nothing has changed; the default value is still 0644.

If you are still seeing this it's probably best to open an issue over
on the consul-template repo to clarify the docs.

-- James
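
A post-render check for the behaviour discussed in this thread, added here as an example (it is not code from either poster or from the consul-template project): it flags a rendered file whose mode grants more than the value you set with `perms`, or whose owner:group has drifted from what you expect. The function name `check_rendered`, its arguments and its exit codes are assumptions made for this example; it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit a file rendered by consul-template.
# Hypothetical helper, not part of consul-template.
#
# check_rendered FILE MAX_MODE OWNER:GROUP
#   0 = ok, 1 = mode grants more than MAX_MODE,
#   2 = owner:group differs, 3 = file missing or unreadable metadata

check_rendered() {
    file=$1
    max_mode=$2
    want_owner=$3

    [ -f "$file" ] || { printf 'MISSING %s\n' "$file"; return 3; }

    # GNU stat syntax (Linux); BSD/macOS stat uses -f with other format codes.
    mode=$(stat -c '%a' "$file") || return 3
    owner=$(stat -c '%U:%G' "$file") || return 3

    # Leading 0 makes the shell read both values as octal.
    # Any bit set on the file but absent from MAX_MODE is a violation,
    # e.g. the default 0644 against an intended 0600 leaves 044.
    extra=$(( 0$mode & ~0$max_mode & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'MODE %s is %s, allowed at most %s\n' "$file" "$mode" "$max_mode"
        return 1
    fi

    if [ "$owner" != "$want_owner" ]; then
        printf 'OWNER %s is %s, expected %s\n' "$file" "$owner" "$want_owner"
        return 2
    fi

    printf 'OK %s %s %s\n' "$file" "$mode" "$owner"
    return 0
}

# Stand-alone use: ./check.sh /path/to/rendered.file 600 appuser:appgroup
# (path, user and group above are placeholders)
if [ "$#" -eq 3 ]; then
    check_rendered "$@"
fi
```

Run it after each render, for example from the template's command hook or a monitoring job, so that a file containing Vault secrets that falls back to 0644 or changes owner is reported rather than silently left readable.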