puppet temp file issue


Axel Bock

Sep 11, 2012, 5:00:31 AM
to puppet...@googlegroups.com
Hello readers,

I am trying to manage /etc/sysconfig/apache2 with puppet. Due to our internal security guidelines I have only rw- rights on the file itself, but not the directory it's in.

Now this happens:
err: /Stage[main]/Bas3::Webserver/File[/etc/sysconfig/apache2]/content: change from {md5}2f2fecac48d78829670ac6a6e1b0b280 to {md5}eb3d9c635452cfa9be615f0412fc5e2d failed: Permission denied - /etc/sysconfig/apache2.puppettmp_5605

For me it's pretty obvious that puppet tries to actually create a temp file in the directory /etc/sysconfig, which of course must fail. (Funnily I see the diff output before, which is kind of interesting, because puppet seems to actually use a temp file under /tmp/... for that - why not simply copy this one over, which is permitted by the file system rights?)

Can anyone help me out here? It's not urgent, but somewhat annoying, and I don't really get why this does not work.


thanks!
Axel.




Daniel Pittman

Sep 11, 2012, 11:40:40 AM
to puppet...@googlegroups.com
On Tue, Sep 11, 2012 at 2:00 AM, Axel Bock <axel...@arbeitsagentur.de> wrote:
>
> I am trying to manage /etc/sysconfig/apache2 with puppet. Due to our
> internal security guidelines I have only rw- rights on the file itself, but
> not the directory it's in.
>
> Now this happens:
> err: /Stage[main]/Bas3::Webserver/File[/etc/sysconfig/apache2]/content:
> change from {md5}2f2fecac48d78829670ac6a6e1b0b280 to
> {md5}eb3d9c635452cfa9be615f0412fc5e2d failed: Permission denied -
> /etc/sysconfig/apache2.puppettmp_5605
>
> For me it's pretty obvious that puppet tries to actually create a temp file
> in the directory /etc/sysconfig, which of course must fail. (Funnily I see
> the diff output before, which is kind of interesting, because puppet seems
> to actually use a temp file under /tmp/... for that - why not simply copy
> this one over, which is permitted by the file system rights?)

The answer to "why do it this way?" is simple:

If we write directly over the file, or if we write to /tmp and then
copy over the target file, there is a window when the system can crash
and you have neither the old version nor the new version of the file. For
larger files there is also a window where other processes can see a
half-written file.

Instead we write a temporary file and then use rename to replace it in
one atomic rename - which is the Unix way to achieve this result.

> Can anyone help me out here? It's not urgent, but somewhat annoying, and I
> don't really get why this does not work.

The semantics of Unix make it impractical to safely overwrite a file,
and you can't perform an atomic rename across devices. That means
that the only really safe bet is to use the same directory for
temporary files.

There isn't a switch to run in "please, risk data loss for me" mode or
anything, so you would have to patch the core file type in Puppet to
change this. (Which you probably don't want anyhow.)

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
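The temp-file-beside-the-target-then-rename scheme Daniel describes, written out as an added example in Ruby (the language Puppet's file type is implemented in). This is not Puppet's own code: the `atomic_write` name, the `.tmp_<pid>_<random>` suffix, the fsync steps and the constructed `apache2` demo files are assumptions made here. The preflight check on the directory reproduces the failure in the thread (write permission on the file but not on its directory) as an early `Errno::EACCES` instead of a failed temp-file open.

```ruby
require 'securerandom'
require 'tmpdir'

# Replace +path+ with +content+ the way the thread describes: create a temp
# file in the TARGET directory, fsync it, then rename(2) it over the target.
# rename is atomic within one filesystem, so a reader (or a crash) sees either
# the complete old file or the complete new file, never a torn one. Returns
# the mode applied to the new file. (Assumed helper, not Puppet's code.)
def atomic_write(path, content, mode: nil)
  path = File.expand_path(path)
  dir  = File.dirname(path)
  # Creating the temp file and renaming it both need write+search permission
  # on the directory; rw- on the file alone is not enough. Fail early with
  # the same errno the kernel would give on the temp-file open.
  raise Errno::EACCES, dir unless File.writable?(dir) && File.executable?(dir)
  # The rename swaps the inode, so copy the old permissions onto the new one
  # (0644 for a file that does not exist yet).
  mode ||= File.exist?(path) ? File.stat(path).mode & 0o7777 : 0o644
  tmp = File.join(dir, ".#{File.basename(path)}.tmp_#{Process.pid}_#{SecureRandom.hex(4)}")
  begin
    # O_EXCL: refuse to follow a pre-planted file or symlink of the same name.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(content)
      f.fsync                 # data durable before it becomes visible
    end
    File.chmod(mode, tmp)
    File.rename(tmp, path)    # the atomic switch; Errno::EXDEV across devices
  rescue
    File.unlink(tmp) if File.exist?(tmp)
    raise
  end
  # Make the directory entry change durable too; some filesystems refuse
  # fsync on a directory, which is harmless here.
  File.open(dir) { |d| d.fsync } rescue nil
  mode
end

# Constructed demonstration: a 0640 config file replaced in place.
# Returns [new content, mode of the new inode, number of leftover temp files].
def demo_replace(dir)
  target = File.join(dir, 'apache2')
  File.write(target, "APACHE_MODULES=\"old\"\n")
  File.chmod(0o640, target)
  atomic_write(target, "APACHE_MODULES=\"status mod_rewrite\"\n")
  leftovers = Dir.children(dir).grep(/\.tmp_/)
  [File.read(target), File.stat(target).mode & 0o7777, leftovers.size]
end

# Constructed demonstration of the thread's situation: writable file,
# read-only directory. Returns the exception class raised, or nil if the
# write went through. Root bypasses directory permission checks, so this
# only shows the failure for an unprivileged user.
def demo_readonly_dir(dir)
  target = File.join(dir, 'apache2')
  File.write(target, "old\n")
  orig_mode = File.stat(dir).mode & 0o7777
  File.chmod(0o555, dir)
  begin
    atomic_write(target, "new\n")
    nil
  rescue SystemCallError => e
    e.class
  ensure
    File.chmod(orig_mode, dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |d| p demo_replace(d) }
  Dir.mktmpdir { |d| p demo_readonly_dir(d) }
end
```

Run it as an unprivileged user to see the second demo raise `Errno::EACCES` before any temp file is attempted; as root both demos succeed, which is also why the thread's failure only shows up under the poster's restricted-rights setup rather than in a default root-run agent.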

Axel Bock

Sep 12, 2012, 5:25:43 AM
to puppet...@googlegroups.com
hi Daniel,

thanks for your long explanation. Knowing this, it actually makes sense what puppet does :) , although it kind of clashes with our (brilliant) rights management :) .

greetings!
Axel.