First off, does anyone use the puppet built in nagios types?

I just started to play with them, and I noticed that nagios_host writes the nagios_host.cfg file as owned by root, and readable by root, and no one else. Is there a reason for that? Since nagios runs as the nagios user, it can't read the file. Sure, I can change the ownership later with a file {}, but I shouldn't need to.

-rw------- 1 root root 294 Jul 5 16:30 nagios_host.cfg

James, hope my tone is acceptable.

Doug

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On 2010-07-05 19:34, Douglas Garstang wrote:
> First off, does anyone use the puppet built in nagios types?
>
> I just started to play with them, and I noticed that nagios_host
> writes the nagios_host.cfg file as owned by root, and readable by
> root, and no one else. Is there a reason for that? Since nagios runs as
> the nagios user, it can't read the file. Sure, I can change the
> ownership later with a file {}, but I shouldn't need to.
>
> -rw------- 1 root root 294 Jul 5 16:30 nagios_host.cfg
>
> James, hope my tone is acceptable.
>
> Doug
>

This is probably the case since the puppet daemon must run as root to be able to install packages and create/remove/modify files. Also, the default umask for root is normally set to create files that are not accessible to everyone.

As you mentioned, "file {...}" is probably the way to go:

    file { nagios_resource_cfg:
        path => "$nagios_basedir/resource.cfg",
        source => [ ... ],
        notify => Service['nagios'],
        owner => root, group => nagios, mode => '0640';
    }

Another possibility would be to use (I haven't tested it yet)

    File { owner => root, group => nagios, mode => '0640'; }

inside the class in which you declare the nagios file resources so that those permissions are the default for the nagios config files.

--
Gabriel Filion

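The workaround discussed above, written out as an added example (not from the thread and not Puppet's own code): a nagios_host resource and a file resource on the same target path, ordered so the ownership and mode are applied after the host entry is written. The class name, host name, address, template name and target path are assumptions.

```puppet
# Added example; class name, host, address, template and path are assumptions.
class nagios_hosts_example {
  $host_cfg = '/etc/nagios/nagios_host.cfg'

  # Writes the host definition. The thread reports that the resulting
  # file ends up root:root with mode 0600.
  nagios_host { 'web01.example.com':
    ensure  => present,
    address => '192.0.2.10',
    use     => 'generic-host',
    target  => $host_cfg,
    before  => File[$host_cfg],
    notify  => Service['nagios'],
  }

  # Evaluated after the host entry is written: readable by the nagios
  # group, still not world-readable.
  file { $host_cfg:
    ensure => file,
    owner  => 'root',
    group  => 'nagios',
    mode   => '0640',
    notify => Service['nagios'],
  }

  # Refreshed only after both resources above have been applied.
  service { 'nagios':
    ensure => running,
  }
}
```
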
On Mon, Jul 5, 2010 at 6:57 PM, Gabriel Filion <lelutin@gmail.com> wrote:
> On 2010-07-05 19:34, Douglas Garstang wrote:
>> First off, does anyone use the puppet built in nagios types?
>>
>> I just started to play with them, and I noticed that nagios_host
>> writes the nagios_host.cfg file as owned by root, and readable by
>> root, and no one else. Is there a reason for that? Since nagios runs as
>> the nagios user, it can't read the file. Sure, I can change the
>> ownership later with a file {}, but I shouldn't need to.
>>
>> -rw------- 1 root root 294 Jul 5 16:30 nagios_host.cfg
>>
>> James, hope my tone is acceptable.
>>
>> Doug
>>
>
> This is probably the case since the puppet daemon must run as root to be
> able to install packages and create/remove/modify files. Also, the
> default umask for root is normally set to create files that are not
> accessible to everyone.
>
> As you mentioned, "file {...}" is probably the way to go:
>
>     file { nagios_resource_cfg:
>         path => "$nagios_basedir/resource.cfg",
>         source => [ ... ],
>         notify => Service['nagios'],
>         owner => root, group => nagios, mode => '0640';
>     }
>
> Another possibility would be to use (I haven't tested it yet)
>
>     File { owner => root, group => nagios, mode => '0640'; }
>
> inside the class in which you declare the nagios file resources so that
> those permissions are the default for the nagios config files.
>

Gabriel, thanks for the reply, but I don't really think that covers it. Umask for my root user creates files that are world readable:

    [root@test01 ~]# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    [root@test01 ~]# touch foo
    [root@test01 ~]# ls -l foo
    -rw-r--r-- 1 root root 0 Jul 5 20:00 foo

Also, none of the other files created by puppet types are set to be readable only by root. I think this might be a bug in puppet. Surprised no one has noticed it before.

Doug.

> Also, none of the other files created by puppet types are set to be
> readable only by root. I think this might be a bug in puppet.
> Surprised no one has noticed it before.

http://projects.puppetlabs.com/issues/3299

cheers pete

On Tue, Jul 6, 2010 at 12:46 AM, Peter Meier <peter.meier@immerda.ch> wrote:
>> Also, none of the other files created by puppet types are set to be
>> readable only by root. I think this might be a bug in puppet.
>> Surprised no one has noticed it before.
>
> http://projects.puppetlabs.com/issues/3299

I guess someone else did notice it then. Rather surprised by Luke's response to the bug however.

Doug.

Douglas Garstang wrote:
> On Tue, Jul 6, 2010 at 12:46 AM, Peter Meier <peter.meier@immerda.ch> wrote:
>>> Also, none of the other files created by puppet types are set to be
>>> readable only by root. I think this might be a bug in puppet.
>>> Surprised no one has noticed it before.
>> http://projects.puppetlabs.com/issues/3299
>
> I guess someone else did notice it then. Rather surprised by Luke's
> response to the bug however.

The issue is duplication - if you allow people to manage owner, group and permissions in a type when you already have a capability to do so in another resource type.

Regards

James Turnbull

--
Puppet Labs - http://www.puppetlabs.com
C: 503-734-8571

On Tue, Jul 6, 2010 at 11:03 AM, James Turnbull <james@puppetlabs.com> wrote:
> Douglas Garstang wrote:
>> On Tue, Jul 6, 2010 at 12:46 AM, Peter Meier <peter.meier@immerda.ch> wrote:
>>>> Also, none of the other files created by puppet types are set to be
>>>> readable only by root. I think this might be a bug in puppet.
>>>> Surprised no one has noticed it before.
>>> http://projects.puppetlabs.com/issues/3299
>>
>> I guess someone else did notice it then. Rather surprised by Luke's
>> response to the bug however.
>
> The issue is duplication - if you allow people to manage owner, group
> and permissions in a type when you already have a capability to do so in
> another resource type.

Duplication... exactly... it takes you two operations to do something that could be done in one. Is there a particular reason that the files written by the nagios types are readable only by root? If there isn't, then what is the point? Having to come along and clean up afterwards with a file type seems like a hack.

Doug.