Jira (PUP-11320) Regression on user resource

[Jouvanceau (Jira)]

Jouvanceau created an issue

Puppet / PUP-11320 Regression on user resource Issue Type: Bug Affects Versions: PUP 6.24.0, PUP 6.23.0, PUP 6.25.1 Assignee: Unassigned Created: 2021/10/15 5:29 AM Priority: Normal Reporter: Jouvanceau Puppet Version: 6.23.0 6.24.0 6.24.1 6.25.1 Puppet Server Version: - OS Name/Version: RHEL 7 RHEL 8 CENTOS 7 CENTOS 8 The user resource is not working as expected since puppet agent 6.23. During a puppet run, if a user is created by any utility (package / exec), the puppet user resource try to luseradd the same user instead of lusermod as the user already exists.   The following code: exec { '/sbin/luseradd -u 50080 -M myuser': } -> user { 'myuser': uid => 50081, forcelocal => true, } produce an error on user resource Desired Behavior: before version 6.23 Notice: /Stage[main]/Main/Exec[/sbin/luseradd -u 50080 -M myuser]/returns: executed successfully Notice: /Stage[main]/Main/User[myuser]/uid: uid changed '50080' to 50081   Actual Behavior: version 6.23 and after Notice: /Stage[main]/Main/Exec[/sbin/luseradd -u 50080 -M myuser]/returns: executed successfully Error: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. Error: /Stage[main]/Main/User[myuser]/ensure: change from 'absent' to 'present' failed: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. Seem regression introduced by https://tickets.puppetlabs.com/browse/PUP-11067 in the commit :5c8472c on user.rb adding the line 699 return [] if self[:ensure] == :present && !provider.exists?   Add Comment

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

[Franck Jouvanceau (Jira)]

Franck Jouvanceau updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Franck Jouvanceau Affects Version/s: PUP 7.8.0

Add Comment

[Franck Jouvanceau (Jira)]

Franck Jouvanceau updated an issue

Puppet / PUP-11320 Regression on user resource Change By: Franck Jouvanceau

*Puppet Version: 7.8.0 6.23.0 6.24.0 6.24.1 6.25.1* *Puppet Server Version:* - *OS Name/Version: RHEL 7 RHEL 8 CENTOS 7 CENTOS 8*

The user resource is not working as expected since puppet agent 6.23. During a puppet run, if a user is created by any utility (package / exec), the puppet user resource try to luseradd the same user instead of lusermod as the user already exists.   The following code:

{code}exec { '/sbin/luseradd -u 50080 -M myuser': }

-> user { 'myuser':   uid        => 50081,   forcelocal => true,

}{code}

produce an error on user resource

*Desired Behavior:* before version 6.23 {code}Notice: /Stage[main]/Main/Exec[/sbin/luseradd -u 50080 -M myuser]/returns: executed successfully

Notice: /Stage[main]/Main/User[myuser]/uid: uid changed '50080' to 50081

{code}   *Actual Behavior:* version 6.23 and after {code}Notice: /Stage[main]/Main/Exec[/sbin/luseradd -u 50080 -M myuser]/returns: executed successfully

Error: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. Error: /Stage[main]/Main/User[myuser]/ensure: change from 'absent' to 'present' failed: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file.

{code}

Seem regression introduced by https://tickets.puppetlabs.com/browse/PUP-11067

in the commit :{{[5c8472c|https://github.com/puppetlabs/puppet/commit/5c8472ca2b6266cb22cfb896663ac0b191609c63]}}

on user.rb adding the line 699

{code}        return [] if self[:ensure] == :present && !provider.exists? {code}   seems puppet 7.9 has been fixed by https://tickets.puppetlabs.com/browse/PUP-11131 but not node on puppet 6 with: {code:java} -      if !self[:purge_ssh_keys].empty? +      if !self[:purge_ssh_keys].empty? && self[:purge_ssh_keys] != :false {code}   (I don't see exactly the link between the regression and this purge_ssh_keys setting, but changing this, is fixing it)

Add Comment

[Franck Jouvanceau (Jira)]

{code}

(I don't see exactly the link between the regression and this purge_ssh_keys setting, but changing this, is fixing it)

Add Comment

[Franck Jouvanceau (Jira)]

[Franck Jouvanceau (Jira)]

But if the purge_ssh_keys is set to true, it is not working anymore even in puppet 7.12 agent...

{code} exec { '/sbin/luseradd -u 50080 -M myuser': } -> user { 'myuser':   uid            => 50081,   forcelocal     => true,

purge_ssh_keys => true, } {code}

{code} Notice: /Stage[main]/Main/Exec[/sbin/luseradd -u 50080 -M myuser]/returns: executed successfully Error: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. Error: /Stage[main]/Main/User[myuser]/ensure: change from 'absent' to 'present' failed: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. {code}

Add Comment

[Franck Jouvanceau (Jira)]

Franck Jouvanceau updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Franck Jouvanceau Affects Version/s: PUP 7.12.0 Affects Version/s: PUP 7.9.0 Affects Version/s: PUP 7.10.0 Affects Version/s: PUP 7.11.0

*Puppet Version: 7.8.0 6.23.0 6.24.0 6.24.1 6.25.1* *Puppet Server Version:* - *OS Name/Version: RHEL 7 RHEL 8 CENTOS 7 CENTOS 8*

The user resource is not working as expected since puppet agent 6.23 /7 . 8.

seems puppet 7.9 has been fixed by https default behavior withhttps ://tickets.puppetlabs.com/browse/PUP-11131 but not node on puppet 6 .

with: {code:java} -      if !self[:purge_ssh_keys].empty? +     if !self[:purge_ssh_keys].empty? && self[:purge_ssh_keys] != :false            return [] if self[:ensure] == :present && !provider.exists? {code}   (I don't see exactly the link between the regression and this purge_ssh_keys setting, but changing this, is fixing it) But if the purge_ssh_keys is set to true, it is not working anymore even in puppet 7.12 agent... {code} exec { '/sbin/luseradd -u 50080 -M myuser': } -> user { 'myuser':   uid            => 50081,   forcelocal     => true,   purge_ssh_keys => true, } {code} {code} Notice: /Stage[main]/Main/Exec[/sbin/luseradd -u 50080 -M myuser]/returns: executed successfully Error: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. Error: /Stage[main]/Main/User[myuser]/ensure: change from 'absent' to 'present' failed: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. {code}

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Ciprian Badescu Team: Night's Watch

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Ciprian Badescu Sprint: NW - 2021-11-17

Add Comment

[Franck Jouvanceau (Jira)]

Franck Jouvanceau updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Franck Jouvanceau

seems puppet 7.9 has fixed default behavior withhttps with https ://tickets.puppetlabs.com/browse/PUP-11131 but not node done on puppet 6.

with: {code:java} -      if !self[:purge_ssh_keys].empty? +     if !self[:purge_ssh_keys].empty? && self[:purge_ssh_keys] != :false            return [] if self[:ensure] == :present && !provider.exists? {code}   (I don't see exactly the link between the regression and this purge_ssh_keys setting, but changing this, is fixing it) But if the purge_ssh_keys is set to true, it is not working anymore even in puppet 7.12 agent... {code} exec { '/sbin/luseradd -u 50080 -M myuser': } -> user { 'myuser':   uid            => 50081,   forcelocal     => true,   purge_ssh_keys => true, } {code} {code} Notice: /Stage[main]/Main/Exec[/sbin/luseradd -u 50080 -M myuser]/returns: executed successfully Error: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. Error: /Stage[main]/Main/User[myuser]/ensure: change from 'absent' to 'present' failed: Could not create user myuser: Execution of '/usr/sbin/luseradd -g myuser -u 50081 -M myuser' returned 3: Account creation failed: entry already present in file. {code}

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Ciprian Badescu Story Points: 3

Add Comment

[Luchian Nemes (Jira)]

Luchian Nemes assigned an issue to Luchian Nemes

Puppet / PUP-11320 Regression on user resource

Change By: Luchian Nemes Assignee: Luchian Nemes

Add Comment

[Luchian Nemes (Jira)]

Luchian Nemes commented on PUP-11320

Re: Regression on user resource Franck Jouvanceau could you please detail the use case in the original manifest that surfaced this error to better understand the end goal?

Add Comment

[Franck Jouvanceau (Jira)]

Franck Jouvanceau commented on PUP-11320

Re: Regression on user resource

A standard use case, is when installing a package, to modify the user created by the package to be compliant with enterprise user management (UID/GID/shell/GECOS). Some time, the user can be created before installing the package, but some time it is not possible, as the user is hardcoded in postinstall script of package. This code is working with agent 6.22, but not 6.23. (user/group abrt are not defined on server before run) On 6.23 it works for the group (uses lgroupmod), but not for the user (wrongly uses lusedadd) => incoherence. package { 'abrt': ensure => 'present', } -> group { 'abrt': ensure => 'present', gid => '59998', forcelocal => true, } -> user { 'abrt': ensure => 'present', uid => '59998', gid => '59998', forcelocal => true, }     Notice: /Stage[main]/Unx_system::Crash_dump/Package[abrt]/ensure: created (corrective) Notice: /Stage[main]/Unx_system::Crash_dump/Group[abrt]/gid: gid changed '173' to 59998 (corrective) Error: Could not create user abrt: Execution of '/usr/sbin/luseradd -g 59998 -d /etc/abrt -s /sbin/nologin -u 59998 -M abrt' returned 3: Account creation failed: entry already present in file. Error: /Stage[main]/Unx_system::Crash_dump/User[abrt]/ensure: change from 'absent' to 'present' failed: Could not create user abrt: Execution of '/usr/sbin/luseradd -g 59998 -d /etc/abrt -s /sbin/nologin -u 59998 -M abrt' returned 3: Account creation failed: entry already present in file. (corrective)

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Ciprian Badescu Sprint: NW - 2021-11-17 , NW - 2021-12-06

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Josh Cooper Fix Version/s: PUP 6.26.0 Fix Version/s: PUP 7.13.0

Add Comment

[Luchian Nemes (Jira)]

Luchian Nemes updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Luchian Nemes Release Notes: Bug Fix Release Notes Summary: This release moves the `ssh_authorized_key` resources creation moment at the end of the user type flow, after all user properties and parameters were resolved to avoid order dependency errors.

Add Comment

[Parker Leach (Jira)]

Parker Leach updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Parker Leach Labels: docs_reviewed

Add Comment

This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d)

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-11320 Regression on user resource

Change By: Josh Cooper Fix Version/s: PUP 7.13.0 Fix Version/s: PUP 7.13.1

Add Comment