Hello readers,

I am trying to manage /etc/sysconfig/apache2 with puppet. Due to our internal security guidelines I have only rw- rights on the file itself, but not the directory it's in.

Now this happens:

err: /Stage[main]/Bas3::Webserver/File[/etc/sysconfig/apache2]/content: change from {md5}2f2fecac48d78829670ac6a6e1b0b280 to {md5}eb3d9c635452cfa9be615f0412fc5e2d failed: Permission denied - /etc/sysconfig/apache2.puppettmp_5605

For me it's pretty obvious that puppet tries to actually create a temp file in the directory /etc/sysconfig, which of course must fail. (Funnily I see the diff output before, which is kind of interesting, because puppet seems to actually use a temp file under /tmp/... for that - why not simply copy this one over, which is permitted by the file system rights?)

Can anyone help me out here? It's not urgent, but somewhat annoying, and I don't really get why this does not work.

thanks!
Axel.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/PAoGfEbsUF0J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Tue, Sep 11, 2012 at 2:00 AM, Axel Bock <axel.bock@arbeitsagentur.de> wrote:
>
> I am trying to manage /etc/sysconfig/apache2 with puppet. Due to our internal security guidelines I have only rw- rights on the file itself, but not the directory it's in.
>
> Now this happens:
> err: /Stage[main]/Bas3::Webserver/File[/etc/sysconfig/apache2]/content: change from {md5}2f2fecac48d78829670ac6a6e1b0b280 to {md5}eb3d9c635452cfa9be615f0412fc5e2d failed: Permission denied - /etc/sysconfig/apache2.puppettmp_5605
>
> For me it's pretty obvious that puppet tries to actually create a temp file in the directory /etc/sysconfig, which of course must fail. (Funnily I see the diff output before, which is kind of interesting, because puppet seems to actually use a temp file under /tmp/... for that - why not simply copy this one over, which is permitted by the file system rights?)

The answer to "why do it this way?" is simple:

If we write directly over the file, or if we write to /tmp and then copy over the target file, there is a window when the system can crash and you have neither the old version nor the new version of the file. For larger files there is also a window where other processes can see a half-written file.

Instead we write a temporary file and then use rename to replace it in one atomic rename - which is the Unix way to achieve this result.

> Can anyone help me out here? It's not urgent, but somewhat annoying, and I don't really get why this does not work.

The semantics of Unix make it impractical to safely overwrite a file, and you can't perform an atomic rename across devices. That means that the only really safe bet is to use the same directory for temporary files.

There isn't a switch to run in "please, risk data loss for me" mode or anything, so you would have to patch the core file type in Puppet to change this. (Which you probably don't want anyhow.)
--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
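The write-temp-then-rename pattern Daniel describes, as an added Ruby example that is not Puppet's own code: the temp file is created beside the target (as apache2.puppettmp_5605 was in the error above), fsynced, and renamed over the original, plus a preflight check for the directory permission that Axel's setup lacks. Function and file names are chosen here; the demo runs in a constructed temp directory.

```ruby
require "tmpdir"

# Added example, not Puppet's own code: the "temp file beside the target,
# then rename over it" pattern described above, standard library only.
def atomic_write(path, content, mode: 0644)
  path = File.expand_path(path)
  # The temp file goes in the target's own directory so the final
  # rename(2) stays on one filesystem; across devices it fails with EXDEV.
  # Creating and renaming directory entries need write permission on the
  # directory, which is why a writable file in a read-only directory still
  # fails with "Permission denied" on the temp name.
  tmp = "#{path}.tmp_#{Process.pid}_#{rand(1 << 32)}"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
    f.write(content)
    f.flush
    f.fsync          # contents are on disk before the rename exposes them
  end
  File.chmod(mode, tmp)   # explicit, so umask does not decide the result
  # Atomic replace: every reader sees the whole old or the whole new file,
  # and a crash at any point leaves exactly one of them in place.
  File.rename(tmp, path)
  path
rescue SystemCallError
  File.unlink(tmp) if tmp && File.exist?(tmp)   # never leave a stray temp
  raise
end

# Preflight check for Axel's situation: the replace needs write permission
# on the directory, not only on the file.
def can_replace?(path)
  dir = File.dirname(File.expand_path(path))
  File.directory?(dir) && File.writable?(dir)
end

# Self-contained demonstration in a constructed temp directory; returns the
# final content and the directory listing (no temp file may be left behind).
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, "apache2")
    File.write(target, "old config\n")
    atomic_write(target, "new config\n")
    [File.read(target), Dir.children(dir)]
  end
end
```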
hi Daniel,

thanks for your long explanation. Knowing this it actually makes sense what puppet does :) , although it kind of crashes with our (brilliant) rights management :) .

greetings!
Axel.

On Tuesday, 11 September 2012 17:41:07 UTC+2, Daniel Pittman wrote:
>
> On Tue, Sep 11, 2012 at 2:00 AM, Axel Bock <axel...@arbeitsagentur.de> wrote:
> >
> > I am trying to manage /etc/sysconfig/apache2 with puppet. Due to our internal security guidelines I have only rw- rights on the file itself, but not the directory it's in.
> >
> > Now this happens:
> > err: /Stage[main]/Bas3::Webserver/File[/etc/sysconfig/apache2]/content: change from {md5}2f2fecac48d78829670ac6a6e1b0b280 to {md5}eb3d9c635452cfa9be615f0412fc5e2d failed: Permission denied - /etc/sysconfig/apache2.puppettmp_5605
> >
> > For me it's pretty obvious that puppet tries to actually create a temp file in the directory /etc/sysconfig, which of course must fail. (Funnily I see the diff output before, which is kind of interesting, because puppet seems to actually use a temp file under /tmp/... for that - why not simply copy this one over, which is permitted by the file system rights?)
>
> The answer to "why do it this way?" is simple:
>
> If we write directly over the file, or if we write to /tmp and then copy over the target file, there is a window when the system can crash and you have neither the old version nor the new version of the file. For larger files there is also a window where other processes can see a half-written file.
>
> Instead we write a temporary file and then use rename to replace it in one atomic rename - which is the Unix way to achieve this result.
>
> > Can anyone help me out here? It's not urgent, but somewhat annoying, and I don't really get why this does not work.
>
> The semantics of Unix make it impractical to safely overwrite a file, and you can't perform an atomic rename across devices. That means that the only really safe bet is to use the same directory for temporary files.
>
> There isn't a switch to run in "please, risk data loss for me" mode or anything, so you would have to patch the core file type in Puppet to change this. (Which you probably don't want anyhow.)
>
> --
> Daniel Pittman
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ♲ Made with 100 percent post-consumer electrons

--
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/S8LY2eWVgdcJ.