On Oct 30, 2013, at 6:47 PM, Hyunil Shin wrote:
Thank you very much.
I want to know more in your method.
As result, anyway, when you do fresh checkout, the files are like
664 petec petec site.pp
664 petec petec xxxxx
and petec is included in pe-puppet.
Am I right?
Also, I don't understand what setgid do.
Does setgid affect only execution?
I am not sure that modules and manifests need to be executed.
You seem to manage only modules and manifests.
I try to manage all the files under /etc/puppetlabs, so I wonder if your method can be applied.
My current method is
1. default mv /etc/puppetlabs to [another place]
2. create symbolic link
3. git commit [another place]
4. as root, git push, pull
This way, git pull does not modify permission and ownership.
But, very dangerous when fresh checkout.
On Wed, Oct 30, 2013 at 1:41 PM, Pete Cornell wrote:
It turns out I was overly cautious about changed ownership away from root. As long as you ensure the group owner is the puppet group, you can have mixed ownership for user.
My solution was to use the Setgid bit on all directories where puppet manifests are located and change the directories group ownership to the puppet group. I then place my regular user account into the puppet group and I edit puppet manifests as user, not as root.
In effect, when I edit puppet manifests they will have ownership of pete:pe-puppet. When we do commits / checkouts from SVN they keep this same group ownership and function fine in Puppet runs.
So the steps to make it work are:
On the puppet directories, change group ownership to the puppet group, set the setgid bit and set file mode of rwx for group,
e.g. as root:
# chgrp -R pe-puppet /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests
# chmod -R 2774 /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests
Placing the setgid bit will make files keep a group ownership of pe-puppet.
Then, add your regular user account to the puppet group, e.g.
# usermod -G pe-puppet petec
Do this for all uses who will edit puppet code and make sure that you edit puppet code and commit to Git using your regular user account, not as root.
This setup has been working fine for us. I also setup 3 Puppet environments in this way (for dev, QA and prod) and propagate code between environments with SVN.
On Oct 29, 2013, at 6:50 PM, Hyunil Shin wrote:
I have the same problem with you, except that I am using Git.
Can you describe your solution in more details?
As you said that /etc/puppet has mixed ownership of root and pe-puppet, how can you checkout puppet configuration from the svn with preserving permission and ownership?
On Tuesday, May 7, 2013 2:17:33 AM UTC+9, P Cornellio wrote:
That's correct, my concern is permissions/ownership changes inside /etc/puppet on the master after doing commits/check-outs, especially when new manifests are added on clients, outside of the master, then committed to the repo and updated onto the master. Our master currently has mixed ownership between both root and pe-puppet user. I will go with the approach of using the pe-puppet user on the master.
On Monday, May 6, 2013 5:43:20 AM UTC-7, Bernardo Costa wrote:
I suppose your concerns are about the check-outs of the svn repo on the puppet root direcctory, not about permissions and ownership inside the repo. Once you do svn co command as your user (not recommended), the new files will be created having being owned by you. It might fail if you user does not have permission tho create or modify these files inside the puppet tree source file. The best thing to do is run the svn co command as user puppet but you'll need to set its password or a sudo set of commands.
Em domingo, 5 de maio de 2013 00h58min18s UTC-3, P Cornellio escreveu:
I an in the process of putting my Puppet Master configs into version control using SVN. I'm concerned about file permission and ownership changes as a result of this. SVN does not store permissions. How does one safely use SVN with puppet configs?
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to email@example.com.