Opened 6 months ago

Last modified 4 months ago

#29663 reopened enhancement

Deploy /etc/puppet as a role account

Reported by: ln5 Owned by: anarcat
Priority: Medium Milestone:
Component: Internal Services/Services Admin Team Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

On our puppet master (alberti.tpo), the post-receive git hook deploys the tor-puppet repo in /etc/puppet as the user pushing. As long as umask is correct and the stars are aligned, things are good. Sometimes files end up with 0644 when we need them to be 0664 in order for other accounts (in group 'adm') to be able to change existing files.

Start using a role account instead of individual admin accounts for deploying to /etc/puppet.

Child Tickets

Change History (4)

comment:1 Changed 5 months ago by anarcat

Owner: set to anarcat
Status: new → assigned

just had this problem:

anarcat@pauli:/etc/puppet/modules/ipsec/misc$ git pull
Updating a4dea802..d9e168b5
error: unable to unlink old 'modules/ipsec/misc/config.yaml': Permission denied
anarcat@pauli:/etc/puppet/modules/ipsec/misc$ ls -al 
total 12
drwxrwxr-x 2 weasel weasel 4096 mai  3  2018 .
drwxr-xr-x 5 weasel weasel 4096 jui 27  2017 ..
-rw-rw-r-- 1 weasel weasel 1076 mai  3  2018 config.yaml

I am not sure that we need a role to fix this problem. Git should be able to set the proper permissions everywhere with the sharedMode variable, so I did the following:

sudo chown -R root:adm /etc/puppet
sudo chown :puppet /etc/puppet/secret
sudo chmod -R g+w /etc/puppet
sudo chmod g-w /etc/puppet/secret
git -C /etc/puppet config core.sharedRepository group
git -C /srv/puppet.torproject.org/git/tor-puppet.git/ config core.sharedRepository group

Hopefully this will fix the problem indefinitely.

comment:2 Changed 5 months ago by anarcat

Resolution: fixed
Status: assigned → closed

I did a push and it worked. Considering that all files are now owned by root, if there was a problem it would have failed, so I'll assume we're good from here on.

comment:3 Changed 5 months ago by anarcat

Resolution: fixed
Status: closed → reopened

this was obviously naive, on hetzner-hel1-01:

Error: /Stage[main]/Ssl/File[/etc/ssl/torproject-auto/serverkeys/thishost.key]: Could not evaluate: Could not retrieve file metadata for puppet:///modules/ssl/certs/hetzner-hel1-01.torproject.org.key: Error 500 on SERVER: Server Error: Permission denied @ rb_sysopen - /srv/puppet.torproject.org/stages/production/modules/ssl/files/certs/hetzner-hel1-01.torproject.org.key

Those files are now:

-rw-rw-r-- 1 root adm  5550 mar 13 16:05 hetzner-nbg1-01.torproject.org.crt
-rw--w---- 1 root adm  1675 mar 13 16:05 hetzner-nbg1-01.torproject.org.key

Not sure what the permissions were before, but I'll grant a+r.
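An added example, not code from this ticket or from the tor-puppet repository, covering both the 0644-vs-0664 drift in comment:1 and the private key that ended up `-rw--w----` in comment:3. It builds a constructed scratch tree shaped like the /etc/puppet checkout, lists the entries a fellow `adm` member could not overwrite, repairs them with targeted chmods (only files the group can already read get `g+w`; `secret/` and `*.key` are left alone; directories get setgid so new files inherit the group, which is an addition beyond what the ticket did), and then runs the blanket `chmod -R g+w` on a second copy to show how a 0600 key turns into 0620. One assumption worth stating: `core.sharedRepository` adjusts the files git writes inside the git directory, not the modes of a checked-out working tree, which follow the umask of whoever runs the hook, so the example also shows a deploy step that sets `umask 002` first. All paths and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the tor-puppet repo: scratch tree shaped like the
# /etc/puppet checkout, audit + targeted repair, and the blanket-chmod failure.
set -eu

# mode_of PATH: symbolic mode string such as -rw-rw-r-- (portable; stat -c is GNU only)
mode_of() { ls -ld "$1" | cut -c1-10; }

# make_tree DIR: constructed checkout. Directories start at 2775 except one that
# drifted to 0755; site.pp drifted to 0644; the key and secret/ are 0600.
make_tree() {
    root=$1
    mkdir -p "$root/modules/ssl/files/certs" "$root/modules/ipsec/misc" "$root/secret"
    find "$root" -type d -exec chmod 2775 {} +
    chmod 0755 "$root/modules/ipsec/misc"
    chmod 0750 "$root/secret"
    printf 'node default {}\n' > "$root/site.pp";               chmod 0644 "$root/site.pp"
    printf 'cert\n'  > "$root/modules/ssl/files/certs/host.crt"; chmod 0664 "$root/modules/ssl/files/certs/host.crt"
    printf 'key\n'   > "$root/modules/ssl/files/certs/host.key"; chmod 0600 "$root/modules/ssl/files/certs/host.key"
    printf 'token\n' > "$root/secret/token";                     chmod 0600 "$root/secret/token"
}

# audit_group_write DIR: every entry another group member could not overwrite,
# skipping secret/ and *.key, which are meant to stay tight.
audit_group_write() {
    find "$1" \( -path "$1/secret" -o -name '*.key' \) -prune -o ! -perm -020 -print | sort
}

# fix_group_write DIR: targeted repair. A file gets g+w only if the group can
# already read it (0644 -> 0664, 0600 stays 0600); directories get g+ws so new
# files inherit the group. secret/ and *.key are never touched.
fix_group_write() {
    find "$1" \( -path "$1/secret" -o -name '*.key' \) -prune -o \
        -type f -perm -040 ! -perm -020 -exec chmod g+w {} +
    find "$1" -path "$1/secret" -prune -o \
        -type d \( ! -perm -020 -o ! -perm -2000 \) -exec chmod g+ws {} +
}

# blanket_fix DIR: the comment:1 approach, kept for comparison. A 0600 key
# becomes 0620 (-rw--w----), the listing that comment:3 shows.
blanket_fix() { chmod -R g+w "$1"; }

# deploy_file DIR NAME: what a deploy hook should do before writing the checkout:
# set umask 002 so new files come out 0664 whatever the pushing user's login
# umask is. core.sharedRepository does not cover working-tree files.
deploy_file() { ( umask 002; printf '# deployed\n' > "$1/$2" ); }

demo() {
    tree=$(mktemp -d)
    make_tree "$tree"
    echo "== before: entries other group members cannot overwrite"
    audit_group_write "$tree"
    fix_group_write "$tree"
    deploy_file "$tree" new.pp
    echo "== after targeted fix (audit prints nothing)"
    audit_group_write "$tree"
    for f in site.pp new.pp modules/ipsec/misc modules/ssl/files/certs/host.key secret/token; do
        printf '%s %s\n' "$(mode_of "$tree/$f")" "$f"
    done
    other=$(mktemp -d)
    make_tree "$other"
    blanket_fix "$other"
    echo "== after blanket chmod -R g+w"
    printf '%s %s\n' "$(mode_of "$other/modules/ssl/files/certs/host.key")" host.key
    rm -rf "$tree" "$other"
}
demo
```

The `-perm -040 ! -perm -020` guard is the whole point: it expresses "make group-writable what is already group-readable" instead of "make everything group-writable", so private material keeps its mode and nobody is tempted to follow up with `a+r` on a key.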

comment:4 Changed 4 months ago by weasel

I have fixed the permissions in /etc/puppet/modules/ssl/files again. Please don't take them away from puppet, else everything will be sad.
