Puppet users - Jan 2008 - puppetd changing ownership of /var/puppet/{facts, plugins} ?

Hi puppeteers,

I''m just starting with puppet, please be gentle :)

I have created a very simple test setup:

"server" is a Linux box (OpenSUSE 10.3), puppet 0.24.0 installed from
RPMs
(from the links given on the DownloadingPuppet Wiki page).  I created an 
almost empty site.pp (only "node default {}") and started
puppetmasterd.

"client" is an OpenBSD 4.2 (actually a Xen domU, but I don''t
think that
matters here).  Puppet 0.22.4 package from an OpenBSD ftp mirror.  The 
package installs a user and group "_puppet", who own stuff below
$vardir
like this:

# ls -la /var/puppet
total 20
drwxr-xr-x   5 _puppet  _puppet  512 Jan 30 15:20 .
drwxr-xr-x  25 root     wheel    512 Jan 30 15:20 ..
drwxr-xr-x   2 _puppet  _puppet  512 Jan 30 15:20 facts
drwxr-xr-x   2 _puppet  _puppet  512 Jan 30 15:20 plugins
drwxr-xr-x   2 _puppet  _puppet  512 Jan 30 15:20 reports


Then I test the connection between client and server by running "puppetd 
--server 192.168.45.16 --waitforcert 60 --test", run "puppetca
--list"
and "--sign" on the server, and I see the SSL cert gets created.  Fine
so far.

Next, I run "puppetd --verbose" on the client, and this happens:

# puppetd --server 192.168.45.16 --verbose
warning: peer certificate won''t be verified in this SSL session
notice: Got signed certificate
notice: Starting Puppet client version 0.22.4
info: Retrieving facts
err: /fact_collector/File[/var/puppet/facts]: Failed to generate additional
resources during transaction: Fileserver module ''facts'' not
mounted
err: /fact_collector/File[/var/puppet/facts]/source: Could not describe /facts:
Fileserver module ''facts'' not mounted
info: /fact_collector/File[/var/puppet/facts]/source: No specified sources exist
notice: /fact_collector/File[/var/puppet/facts]/owner: owner changed
''_puppet'' to ''root''
notice: /fact_collector/File[/var/puppet/facts]/group: group changed
''_puppet'' to ''wheel''
info: Retrieving plugins
info: /plugin_collector/File[/var/puppet/plugins]/source: No specified sources
exist
notice: /plugin_collector/File[/var/puppet/plugins]/owner: owner changed
''_puppet'' to ''root''
notice: /plugin_collector/File[/var/puppet/plugins]/group: group changed
''_puppet'' to ''wheel''
info: Caching configuration at /var/puppet/state/localconfig.yaml
notice: Starting configuration run
info: Creating state file /var/puppet/state/state.yaml
info: Sent transaction report in 0.40 seconds
notice: Finished configuration run in 0.56 seconds

I don''t care (yet) for some errors like "facts not mounted". 
But I see that
it changed /var/puppet/facts and /var/puppet/plugins from _puppet:_puppet 
to root:wheel.

I''m not sure whether this is correct.  And I don''t understand
WHY this
happens - can''t find a manifest file with these settings, probably
built
into puppet?

Should I be worried?  I would assume that puppetd running as user
"_puppet"
will have trouble writing to /var/puppet/{facts,plugins} owned by root..

Any hints?


Thanks,
chakl

On Jan 31, 2008, at 1:54 AM, Olaf Schreck wrote:
>  don''t care (yet) for some errors like "facts not
mounted".  But I
> see that
> it changed /var/puppet/facts and /var/puppet/plugins from  
> _puppet:_puppet
> to root:wheel.
>
> I''m not sure whether this is correct.  And I don''t
understand WHY this
> happens - can''t find a manifest file with these settings, probably
> built
> into puppet?
>
> Should I be worried?  I would assume that puppetd running as user  
> "_puppet"
> will have trouble writing to /var/puppet/{facts,plugins} owned by  
> root..

Puppet is running as root, as it must if it''s going to install  
packages, start services, etc., so this is no problem.

And if you look at lib/puppet/defaults.rb, you''ll see the permissions  
for that.  You can override it in puppet.conf:

factdir = /path/to/factdir {owner = puppet, group = puppet}

-- 
Finn''s Law:
     Uncertainty is the final test of innovation.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com