I wrote a custom function to read a root read-only file, it raised a Permission Denied error.
During debug, I found this function seems to run as user puppet, is this a feature or a bug?

--
System Administrator, Focus on System Management and Basic Development

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
jcbollinger
2011-Jul-14 13:27 UTC
[Puppet Users] Re: puppet custom function run as user puppet?
On Jul 14, 1:15 am, flex <frostyn...@gmail.com> wrote:
> I wrote a custom function to read a root read-only file, it raised a
> Permission Denied error.
> During debug, I found this function seems to run as user puppet, is this
> a feature or a bug?

This is a feature. Puppet functions run in the master process, which is intentionally unprivileged. Compare with other service daemons, such as web or database servers, which also run without privilege.

There are two main possibilities for how you can proceed:

1) If you really did want the function to run on the master then just make the file readable by the Puppet user or group. If there's some reason why that is unsatisfactory, then you'll need to tell us more about what you're trying to do.

2) If you meant the function to be evaluated on the client then a function is the wrong tool. Instead you want a custom fact, a custom type or provider, or possibly an Exec. Any of these will be evaluated / run by the Puppet agent (on the client), which normally runs as root.

John
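Option 2 from the reply above, as an added example (not code from the thread or from the Puppet project): a custom fact, which the agent evaluates as root on the client. The file path, setting name and fact name are hypothetical; the fact returns one non-secret setting rather than the whole file, because fact values are sent to the master.

```ruby
# Added example. Shipped in a module as lib/facter/myapp_cluster_id.rb, this
# file is synced to agents and evaluated there, not in the master process.

module MyappFact
  SOURCE_FILE = '/etc/myapp/private.conf' # hypothetical root-only (0600) file
  WANTED_KEY  = 'cluster_id'              # hypothetical non-secret setting

  # Return the value of `key` from a "key = value" file, or nil when the file
  # is missing, not readable by the current user, or lacks the key.
  def self.read_setting(path, key)
    File.foreach(path) do |line|
      line = line.sub(/#.*/, '').strip      # drop comments and whitespace
      next if line.empty?
      name, value = line.split('=', 2).map(&:strip)
      return value if name == key && value && !value.empty?
    end
    nil
  rescue Errno::ENOENT, Errno::EACCES
    # An unprivileged process (such as the master's puppet user) ends up here
    # instead of raising Permission Denied.
    nil
  end
end

# Facter is already loaded when the agent evaluates this file; the guard only
# allows the helper above to be loaded outside Facter.
if defined?(Facter)
  Facter.add(:myapp_cluster_id) do
    setcode { MyappFact.read_setting(MyappFact::SOURCE_FILE, MyappFact::WANTED_KEY) }
  end
end
```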
PBWebGuy
2011-Jul-14 16:57 UTC
[Puppet Users] Re: puppet custom function run as user puppet?
John,

You bring up a good point and I wanted to ask this question anyways. To the best of my knowledge, functions run on the master and facts run on the node. If that is the case, it perplexes me that functions get sync'd to the node in the /var/lib/puppet/lib... directory. That is unless functions can then be used in a fact which is something that I have yet to test. Do you have any clarification?

Thanks,

John

On Jul 14, 9:27 am, jcbollinger <John.Bollin...@stJude.org> wrote:
> On Jul 14, 1:15 am, flex <frostyn...@gmail.com> wrote:
>
> > I wrote a custom function to read a root read-only file, it raised a
> > Permission Denied error.
> > During debug, I found this function seems to run as user puppet, is this
> > a feature or a bug?
>
> This is a feature. Puppet functions run in the master process, which
> is intentionally unprivileged. Compare with other service daemons,
> such as web or database servers, which also run without privilege.
>
> There are two main possibilities for how you can proceed:
>
> 1) If you really did want the function to run on the master then just
> make the file readable by the Puppet user or group. If there's some
> reason why that is unsatisfactory, then you'll need to tell us more
> about what you're trying to do.
>
> 2) If you meant the function to be evaluated on the client then a
> function is the wrong tool. Instead you want a custom fact, a custom
> type or provider, or possibly an Exec. Any of these will be
> evaluated / run by the Puppet agent (on the client), which normally
> runs as root.
>
> John
jcbollinger
2011-Jul-15 13:57 UTC
[Puppet Users] Re: puppet custom function run as user puppet?
On Jul 14, 11:57 am, PBWebGuy <pbweb...@gmail.com> wrote:
> You bring up a good point and I wanted to ask this question anyways.
> To the best of my knowledge, functions run on the master and facts run
> on the node. If that is the case, it perplexes me that functions get
> sync'd to the node in the /var/lib/puppet/lib... directory. That is
> unless functions can then be used in a fact which is something that I
> have yet to test. Do you have any clarification?

If you want an authoritative answer, then the question might be better posed on the dev list.

I speculate, however, that functions in modules are synced to nodes as a harmless side effect of the overall plugin sync mechanism. Since they *are* synced to nodes, it should be possible to use them (their Ruby implementations, that is) in custom facts. But again, the kinds of things you want a Puppet function for tend to be quite different from the kinds of things you want a fact for, so the likelihood that such a capability would be useful seems small.

John
R.I.Pienaar
2011-Jul-15 14:00 UTC
Re: [Puppet Users] Re: puppet custom function run as user puppet?
----- Original Message -----
> On Jul 14, 11:57 am, PBWebGuy <pbweb...@gmail.com> wrote:
> > You bring up a good point and I wanted to ask this question anyways.
> > To the best of my knowledge, functions run on the master and facts run
> > on the node. If that is the case, it perplexes me that functions get
> > sync'd to the node in the /var/lib/puppet/lib... directory. That is
> > unless functions can then be used in a fact which is something that I
> > have yet to test. Do you have any clarification?
>
> If you want an authoritative answer, then the question might be better
> posed on the dev list.
>
> I speculate, however, that functions in modules are synced to nodes
> as a harmless side effect of the overall plugin sync mechanism. Since
> they *are* synced to nodes, it should be possible to use them (their
> Ruby implementations, that is) in custom facts. But again, the kinds
> of things you want a Puppet function for tend to be quite different
> from the kinds of things you want a fact for, so the likelihood that
> such a capability would be useful seems small.

They are also usable in running manifests using puppet apply on nodes.