Chris Phillips
2011-May-25 14:11 UTC
[Puppet Users] mode on private_keys file for nagios / func integration
Hi,

I've successfully hooked up func to use the puppet certs, mostly nicely. I'm now looking at using func to perform nagios checks (instead of installing nrpe, which is more pants than func). Here the nagios service runs as the nagios user, and so func also runs as that user. I thought I was sorted by making the private key mode 640 so func could read the private as the nagios user, but the puppet private key is always changed to mode 600 when puppet runs.

How can a non root / puppet user access the private key for func? I can't see any way to disable the rights and chattr-ing it makes puppet choke.

Is there a better way I could be approaching this overall? sudoing as part of the check doesn't sound like fun to me.

Thanks

Chris

Nigel Kersten
2011-May-25 16:17 UTC
Re: [Puppet Users] mode on private_keys file for nagios / func integration
On Wed, May 25, 2011 at 7:11 AM, Chris Phillips <chris@untrepid.com> wrote:

> Hi,
>
> I've successfully hooked up func to use the puppet certs, mostly nicely.
> I'm now looking at using func to perform nagios checks (instead of
> installing nrpe, which is more pants than func). Here the nagios service
> runs as the nagios user, and so func also runs as that user. I thought I was
> sorted by making the private key mode 640 so func could read the private as
> the nagios user, but the puppet private key is always changed to mode 600
> when puppet runs.
>

You should be able to do this in your puppet.conf

    [agent]
    privatekeydir = /etc/puppet/ssl/private_keys { mode = 0750 }
    hostprivkey = /etc/puppet/ssl/private_keys/$certname.pem { mode = 0640 }

and Puppet will ensure those permissions. There may be some edge cases here, as this isn't a widely used feature.

For those of you following along with the bug where we overwrite symlinks, http://projects.puppetlabs.com/issues/650, you can't use this to ensure that a given file is actually a symlink. Sorry.

> How can a non root / puppet user access the private key for func? I can't
> see any way to disable the rights and chattr-ing it makes puppet choke.
>
> Is there a better way I could be approaching this overall? sudoing as part
> of the check doesn't sound like fun to me.
>
> Thanks
>
> Chris

--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
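
Added example, not part of the original thread or of Puppet: a small audit of the key directory and key file against the modes from the reply (0750 and 0640), which also checks whether a given service account can actually reach the key, since a group-read bit only helps an account whose groups include the file's group. The function names, the constructed file layout and the uid/gid inputs are assumptions made for illustration.

```python
import os
import stat
import tempfile

def class_allows(st, uid, gids, u_bit, g_bit, o_bit):
    """POSIX check: only the first matching class (owner, group, other) is consulted."""
    if uid == 0:
        return True  # root bypasses read/search permission checks
    if st.st_uid == uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)

def audit_key(key_path, uid, gids, file_max=0o640, dir_max=0o750):
    """Return findings for a key file and its directory, as seen by one account."""
    findings = []
    d = os.stat(os.path.dirname(os.path.abspath(key_path)))
    f = os.stat(key_path)
    for label, st, limit in (("dir", d, dir_max), ("key", f, file_max)):
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~limit:  # any permission bit beyond the allowed mask
            findings.append(f"{label}: mode {mode:04o} grants more than {limit:04o}")
    if not class_allows(d, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
        findings.append("dir: account cannot traverse")
    if not class_allows(f, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        findings.append("key: account cannot read")
    return findings

def demo(file_mode=0o640, dir_mode=0o750, in_group=True):
    """Build a constructed key layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as top:
        keydir = os.path.join(top, "private_keys")
        os.mkdir(keydir)
        key = os.path.join(keydir, "host.example.pem")  # constructed name
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(key, file_mode)
        os.chmod(keydir, dir_mode)
        st = os.stat(key)
        other_uid = st.st_uid + 1  # hypothetical service account: not owner, not root
        gids = {st.st_gid} if in_group else set()
        return audit_key(key, other_uid, gids)

if __name__ == "__main__":
    print(demo(), demo(file_mode=0o600), demo(in_group=False))
```

On a real agent, pass the service account's uid and group ids (from the `pwd` and `grp` modules) and the `hostprivkey` path to `audit_key`.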