Peter Meier
2009-Jun-09 14:42 UTC
[Puppet Users] problem with exec and environment variables
Hi
the following exec fails with the trace added:
exec{"create_gitosis_git":
  command => "gitosis-init < initial_admin_pubkey.puppet",
  cwd => "/home/git",
  unless => "test -d /home/git/repositories",
  user => git,
  path => "/bin:/sbin:/usr/sbin:/usr/bin",
}
# puppet --debug --trace foo.pp
info: Loading fact interfaces
info: Loading fact xen
info: Loading fact acpi_available
info: Loading fact selinux
info: Loading fact urm
info: Loading fact edac_module
info: Loading fact virtual
info: Loading fact pbp
info: Loading fact sshkeys
info: Loading fact configured_ntp_servers
info: Loading fact ucm_remote_publickey
info: Loading fact mysql
info: Loading fact vserver
debug: Creating default schedules
debug: //Exec[create_gitosis_git]: Executing check 'test -d /home/git/repositories'
debug: Executing 'test -d /home/git/repositories'
debug: //Exec[create_gitosis_git]: Changing returns
debug: //Exec[create_gitosis_git]: 1 change(s)
debug: //Exec[create_gitosis_git]: Executing 'gitosis-init < initial_admin_pubkey.puppet'
debug: Executing 'gitosis-init < initial_admin_pubkey.puppet'
/usr/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:602:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/execution.rb:14:in `withenv'
/usr/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:594:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:568:in `chdir'
/usr/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:568:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/type/exec.rb:111:in `sync'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction/change.rb:54:in `go'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction/change.rb:72:in `forward'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:118:in `apply_changes'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:111:in `collect'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:111:in `apply_changes'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:83:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:239:in `eval_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:425:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:424:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:238:in `eval_resource'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:310:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:425:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:424:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:309:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:303:in `collect'
/usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:303:in `evaluate'
/usr/lib/ruby/site_ruby/1.8/puppet/node/catalog.rb:124:in `apply'
/usr/bin/puppet:233
err: //Exec[create_gitosis_git]/returns: change from notrun to 0 failed:
debug: Finishing transaction 23489170055520 with 1 changes
The exitcode of the suidmanager.execution is 256.
However if I add the "env -i" exec, everything works fine:
exec{"create_gitosis_git":
  command => "env -i gitosis-init < initial_admin_pubkey.puppet",
  cwd => "/home/git",
  unless => "test -d /home/git/repositories",
  user => git,
  path => "/bin:/sbin:/usr/sbin:/usr/bin",
}
# puppet --debug --trace foo2.pp
info: Loading fact interfaces
info: Loading fact xen
info: Loading fact acpi_available
info: Loading fact selinux
info: Loading fact urm
info: Loading fact edac_module
info: Loading fact virtual
info: Loading fact pbp
info: Loading fact sshkeys
info: Loading fact configured_ntp_servers
info: Loading fact ucm_remote_publickey
info: Loading fact mysql
info: Loading fact vserver
debug: Creating default schedules
PATH:/bin:/sbin:/usr/sbin:/usr/bin
debug: //Exec[create_gitosis_git]: Executing check 'test -d /home/git/repositories'
debug: Executing 'test -d /home/git/repositories'
debug: //Exec[create_gitosis_git]: Changing returns
debug: //Exec[create_gitosis_git]: 1 change(s)
debug: //Exec[create_gitosis_git]: Executing 'env -i gitosis-init < initial_admin_pubkey.puppet'
PATH:/bin:/sbin:/usr/sbin:/usr/bin
debug: Executing 'env -i gitosis-init < initial_admin_pubkey.puppet'
notice: //Exec[create_gitosis_git]/returns: executed successfully
debug: Finishing transaction 23659412670000 with 1 changes
As I assume that gitosis-init is using environment variables (like HOME
etc.) this might explain the problem. However I'm not sure if this is
the expected behavior if we'd like to run an exec as a different user
with puppet. This can definitely lead to strange problems, like I
debugged now for a while.
On the other side we can say that the users should know which
environment variables the bins are depending on, which they like to
execute, so they can easily set them in puppet.
Somehow both options smell and I'm unsure which one might be the less
smelly one. Opinions?
cheers pete
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
David Schmitt
2009-Jun-10 07:31 UTC
[Puppet Users] Re: problem with exec and environment variables
Peter Meier wrote:
> Hi
>
> the following exec fails with the trace added:
>
> exec{"create_gitosis_git":
> command => "gitosis-init < initial_admin_pubkey.puppet",
> cwd => "/home/git",
> unless => "test -d /home/git/repositories",
> user => git,
> path => "/bin:/sbin:/usr/sbin:/usr/bin",
> }
> as I assume that gitosis-init is using environment variables (like HOME
> etc.) this might explain the problem. However I'm not sure if this is
> the expected behavior if we'd like to run an exec as a different user
> with puppet. This can definitely lead to strange problems, like I
> debugged now for a while.
> On the other side we can say that the users should know which
> environment variables the bins are depending on, which they like to
> execute, so they can easily set them in puppet.
>
> Somehow both options smell and I'm unsure which one might be the less
> smelly one. Opinions?

For the sake of debuggability, I would tend towards having no
environment at all (perhaps add a warning in that case if none is set at
all) or emulating "su -", creating a proper environment according to the
target user. The former requires more work by the user, but is
debuggable. The latter probably requires actually using su to avoid the
intricacies of implementing a user environment setup (pam, shell, etc)
by hand.

Regards, DavidS

--
dasz.at OG
Tel: +43 (0)664 2602670
Web: http://dasz.at
Klosterneuburg
UID: ATU64260999
FB-Nr.: FN 309285 g
FB-Gericht: LG Korneuburg
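The three environment policies weighed in this thread (inherit the parent's variables, pass none as with "env -i", or build an "su -"-like set for the target user), as an added example that is not part of the original posts and is not Puppet's or gitosis's code. It assumes a small probe process standing in for gitosis-init, a constructed parent HOME, and the current user as the target so that no uid switch is needed; `child_view` and `login_env` are hypothetical helper names.

```python
import os
import pwd
import subprocess
import sys

EXEC_PATH = "/bin:/sbin:/usr/sbin:/usr/bin"  # the path => value from the post

# Stand-in child (not gitosis-init): reports HOME as it sees it and where it
# would resolve "~", which is how many tools locate per-user files.
PROBE = ("import os; print(os.environ.get('HOME', '<unset>')); "
         "print(os.path.expanduser('~'))")


def child_view(env):
    """Run the probe with exactly `env`; return [HOME seen, '~' resolved]."""
    out = subprocess.run([sys.executable, "-c", PROBE], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def login_env(user, path=EXEC_PATH):
    """Minimal 'su -'-like environment built from the user's passwd entry."""
    pw = pwd.getpwnam(user)
    return {"HOME": pw.pw_dir, "USER": pw.pw_name, "LOGNAME": pw.pw_name,
            "SHELL": pw.pw_shell, "PATH": path}


if __name__ == "__main__":
    # Constructed parent environment: stands in for the one the exec inherits.
    parent = {"HOME": "/constructed/parent-home", "PATH": EXEC_PATH}
    target = pwd.getpwuid(os.getuid()).pw_name  # demo target: the current user
    print("inherited :", child_view(parent))
    print("env -i    :", child_view({}))
    print("login-like:", child_view(login_env(target)))
```

With an inherited HOME the child resolves "~" to the parent's directory regardless of which user it runs as; with an empty environment the probe falls back to the passwd entry of the running uid, and the login-like set makes that choice explicit.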