Puppet users - Oct 2012 - Failed to set group to '0': Operation not permitted

Hi everyone,

Here is the task, I just need to get the file from master, untar it and 
execute a file.

Step 1: 

Working as a root user,having the default puppet.conf for root and the 
agent could get the source file  from master , untar it and execute it.

Step 2: 

Moving to non-root user, I have a different puppet.conf with the conf the 
master validates the agent and gets me the source , and untar it to the 
agent , but on the agent side I got the error. 


Here is my puppet.conf

[main]
    logdir = /home/user/var/log/puppet
    rundir = /home/user/var/run/puppet
    vardir = /home/user/var/lib/puppet
    ssldir = $vardir/ssl
 
    server=puppetmaster.example.com
[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
[master]
    certname=puppetmaster.example.com

On executing, 

puppet agent --confdir-/home/user/etc -t, 

Error: Failed to set group to ''0'': Operation not permitted - 
/home/user/unix.tar.gz
Error: /File[/home/user/unix.tar.gz]/ensure: change from absent to file 
failed: Failed to set group to ''0'': Operation not permitted - 
/home/user/.tar.gz

Though I set the tarball of the source in master to 777 permissions, I get 
the same error.

Your help is great appreciated, please let me know if you need any further 
info.

Thanks,

Dominic








-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/aXLCj3-DvsQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Friday, October 19, 2012 9:38:25 AM UTC-5, Dominic
wrote:
>
> Hi everyone,
>
> Here is the task, I just need to get the file from master, untar it and 
> execute a file.
>
> Step 1: 
>
> Working as a root user,having the default puppet.conf for root and the 
> agent could get the source file  from master , untar it and execute it.
>
> Step 2: 
>
> Moving to non-root user, I have a different puppet.conf with the conf the 
> master validates the agent and gets me the source , and untar it to the 
> agent , but on the agent side I got the error. 
>
>
> Here is my puppet.conf
>
> [main]
>     logdir = /home/user/var/log/puppet
>     rundir = /home/user/var/run/puppet
>     vardir = /home/user/var/lib/puppet
>     ssldir = $vardir/ssl
>  
>     server=puppetmaster.example.com
> [agent]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
> [master]
>     certname=puppetmaster.example.com
>
> On executing, 
>
> puppet agent --confdir-/home/user/etc -t, 
>
> Error: Failed to set group to ''0'': Operation not
permitted -
> /home/user/unix.tar.gz
> Error: /File[/home/user/unix.tar.gz]/ensure: change from absent to file 
> failed: Failed to set group to ''0'': Operation not
permitted -
> /home/user/.tar.gz
>
> Though I set the tarball of the source in master to 777 permissions, I get 
> the same error.
>
> Your help is great appreciated, please let me know if you need any further 
> info.
>
>
This problem is not directly related to puppet.conf.  It is probably in 
issue in your init.pp file on the master (because that appears to be where 
you declare File[/home/user/unix.tar.gz]).  The manifest leads Puppet to 
believe that the target file is supposed to have group 0, but changing the 
downloaded file''s group requires the agent to run as root.

If you post the declaration of that file, then we may be able to tell you 
more.

I have a question, though: what is the purpose of having this run by an 
unprivileged user in the first place?


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/m_CIZDBB3B0J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi JCBollinger, Thank you so much for your suggestions.

Here goes my manifests:


#init.pp

class rabbitmq {
    include rabbitmq::source, rabbitmq::service
} 


#source.pp

class rabbitmq::source {
    file { "/home/user": ensure => directory }
    file { "/home/user/rabbitmq-server-generic-unix-2.8.7.tar.gz":
source => 
"puppet:///modules/rabbitmq/rabbitmq-server-generic-unix-2.8.7.tar.gz",
alias => "rabbitmq-source-tgz",
before => Exec["untar-rabbitmq-source"]
    }
    exec { "/bin/tar xzvf rabbitmq-server-generic-unix-2.8.7.tar.gz":
cwd => "/home/user/",
creates => "/home/user/rabbitmq_server-2.8.7",
alias => "untar-rabbitmq-source",
subscribe => File["rabbitmq-source-tgz"]
    }
} 

#service.pp

class rabbitmq::service  {
  exec { "rabbitmq_service":
      environment => "HOME=/home/user",
      command=> "/home/user/rabbitmq_server-2.8.7/sbin/rabbitmq-server 
-detached ",
      require => Class["rabbitmq::source"]
   }
  }

We dont have root permissions, as we are hosting it in the Cloud.

But when I do extract the unix.tar.gz in user mode without any root 
permissions manually ,  and execute the ./sbin/rabbitmq-server, it gets 
executed.

I really appreciate your suggestions and thoughts.

Thanks again,

Dominic.




On Monday, October 22, 2012 6:54:47 AM UTC-7, jcbollinger
wrote:
>
>
>
> On Friday, October 19, 2012 9:38:25 AM UTC-5, Dominic wrote:
>>
>> Hi everyone,
>>
>> Here is the task, I just need to get the file from master, untar it and
>> execute a file.
>>
>> Step 1: 
>>
>> Working as a root user,having the default puppet.conf for root and the 
>> agent could get the source file  from master , untar it and execute it.
>>
>> Step 2: 
>>
>> Moving to non-root user, I have a different puppet.conf with the conf
the
>> master validates the agent and gets me the source , and untar it to the
>> agent , but on the agent side I got the error. 
>>
>>
>> Here is my puppet.conf
>>
>> [main]
>>     logdir = /home/user/var/log/puppet
>>     rundir = /home/user/var/run/puppet
>>     vardir = /home/user/var/lib/puppet
>>     ssldir = $vardir/ssl
>>  
>>     server=puppetmaster.example.com
>> [agent]
>>     classfile = $vardir/classes.txt
>>     localconfig = $vardir/localconfig
>> [master]
>>     certname=puppetmaster.example.com
>>
>> On executing, 
>>
>> puppet agent --confdir-/home/user/etc -t, 
>>
>> Error: Failed to set group to ''0'': Operation not
permitted -
>> /home/user/unix.tar.gz
>> Error: /File[/home/user/unix.tar.gz]/ensure: change from absent to file
>> failed: Failed to set group to ''0'': Operation not
permitted -
>> /home/user/.tar.gz
>>
>> Though I set the tarball of the source in master to 777 permissions, I 
>> get the same error.
>>
>> Your help is great appreciated, please let me know if you need any 
>> further info.
>>
>>
> This problem is not directly related to puppet.conf.  It is probably in 
> issue in your init.pp file on the master (because that appears to be where 
> you declare File[/home/user/unix.tar.gz]).  The manifest leads Puppet to 
> believe that the target file is supposed to have group 0, but changing the 
> downloaded file''s group requires the agent to run as root.
>
> If you post the declaration of that file, then we may be able to tell you 
> more.
>
> I have a question, though: what is the purpose of having this run by an 
> unprivileged user in the first place?
>
>
> John
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/pW5PcOypT24J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Monday, October 22, 2012 12:55:25 PM UTC-5, Dominic
wrote:
>
> Hi JCBollinger, Thank you so much for your suggestions.
>
> Here goes my manifests:
>
>
> #init.pp
>
> class rabbitmq {
>     include rabbitmq::source, rabbitmq::service
> } 
>
>
> #source.pp
>
> class rabbitmq::source {
>     file { "/home/user": ensure => directory }
>     file {
"/home/user/rabbitmq-server-generic-unix-2.8.7.tar.gz":
> source => 
>
"puppet:///modules/rabbitmq/rabbitmq-server-generic-unix-2.8.7.tar.gz",
> alias => "rabbitmq-source-tgz",
> before => Exec["untar-rabbitmq-source"]
>     }
>     exec { "/bin/tar xzvf
rabbitmq-server-generic-unix-2.8.7.tar.gz":
> cwd => "/home/user/",
> creates => "/home/user/rabbitmq_server-2.8.7",
> alias => "untar-rabbitmq-source",
> subscribe => File["rabbitmq-source-tgz"]
>     }
> } 
>
> #service.pp
>
> class rabbitmq::service  {
>   exec { "rabbitmq_service":
>       environment => "HOME=/home/user",
>       command=>
"/home/user/rabbitmq_server-2.8.7/sbin/rabbitmq-server
> -detached ",
>       require => Class["rabbitmq::source"]
>    }
>   }
>
> We dont have root permissions, as we are hosting it in the Cloud.
>

I''m not sure why that inherently means you don''t have root,
but whatever.

So, supposing the issue is with 
File["/home/user/rabbitmq-server-generic-unix-2.8.7.tar.gz"],
it''s not
immediately clear to me whether Puppet''s behavior is correct here.  It 
seems to be defaulting the target group to 0 (since you don''t specify a
group, that has to be coming in as a default).  That''s not documented 
behavior, but it may still be intentional.  On the other hand, it is usual 
for the agent to run as root, which would mask this behavior.  I would 
suggest that you file a ticket.

In the mean time, I would try to work around the issue by adding a
''group''
parameter to the file that specifies the correct target group (presumably 
the primary group of the user who is running Puppet).

Good luck,

John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/JpSUJqdNUt4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Mon, Oct 22, 2012 at 03:05:40PM -0700, jcbollinger
wrote:
> I''m not sure why that inherently means you don''t have
root, but whatever.
> 
> So, supposing the issue is with 
> File["/home/user/rabbitmq-server-generic-unix-2.8.7.tar.gz"],
it''s not
> immediately clear to me whether Puppet''s behavior is correct here.
It
> seems to be defaulting the target group to 0 (since you don''t
specify a
> group, that has to be coming in as a default).  That''s not
documented
> behavior, but it may still be intentional.  On the other hand, it is usual 
> for the agent to run as root, which would mask this behavior.  I would 
> suggest that you file a ticket.
> 
If you do not specify owner/group/mode and you don''t have a global
default and the file needs to be created, it will be created with
owner/group/mode of the source file. This can of course fail if the
agent is not run as root.

FWIW there was a discussion about the current behaviour quite a while
ago, but the last comment is over a year old now:
http://projects.puppetlabs.com/issues/5240

-Stefan

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.