[SERVER-358] Moving 'puppet' user creation to puppet-server packaging Created: 2015/02/11  Updated: 2016/09/27  Resolved: 2015/03/13

Status: Closed
Project: Puppet Server
Component/s: None
Affects Version/s: None
Fix Version/s: SERVER 2.0.0

Type: Improvement Priority: Normal
Reporter: Rob Braden Assignee: Rob Braden
Resolution: Fixed Votes: 0
Labels: AIO, updated_release_notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
blocks PUP-3997 Audit and update puppet acceptance te... Closed
blocks SERVER-438 Produce puppetserver 2.0.0-rc2 Closed
relates to PUP-4194 Puppet's logdir permissions prevent p... Closed
Epic Link: Green: Puppet 4.0 Changes
Sub-team: emerald
Story Points: 2
Sprint: RE 2015-02-25, RE 2015-03-11, RE 2015-03-25
Release Notes: New Feature
QA Contact: Erik Dasher


In puppet-agent packaging, the 'puppet' user will no longer be created.

We will be moving the user/group creation to the puppet-server packaging.

In addition, the user will be standardized to 'puppet' across both FOSS and PE.

Comment by Chris Price [ 2015/02/17 ]

Ruth Linehan says that we're already doing this in the post-install on Puppet Server, but that it's a gross hack and needs to be cleaned up. (See SERVER-333.)

Nate Wolfe Jeff McCune I think that Rob Braden will end up owning this work when we tackle it, but I'm keeping it on our board because I think it might have implications for some of our other tickets.

Comment by Ruth Linehan [ 2015/02/18 ]

We're doing all of the chmoding etc necessary to have all of the directories have the right permissions in the postinstall in ezbake.conf (https://github.com/puppetlabs/puppet-server/blob/master/resources/ext/ezbake.conf#L18-L35). The creation of the puppet user and group is I believe done by ezbake since we're setting user and group to 'puppet' (at least for FOSS) (https://github.com/puppetlabs/puppet-server/blob/master/project.clj#L68-L69)

Comment by Steve Barlow [ 2015/02/18 ]

Rob Braden We were not sure in planning if you were going to work on this, or if the expectation was that the server team should work on it. Please let me know what you were expecting so I can make sure it ends up in the right place.

Comment by Rob Braden [ 2015/02/18 ]

Steve Barlow Sorry about that,this is all me, as far as the work is concerned. Informational for the server team.

Comment by Steve Barlow [ 2015/02/19 ]

Rob Braden Makes sense. We just wanted to make sure it did not fall between the cracks. Thanks.

Comment by Steve Barlow [ 2015/03/04 ]

Rob Braden This ticket came up in an AIO status meeting today. Just wanted to check in and see if you are blocked or waiting on anyone for this. I see it is targeted at the 03-11 sprint. Do you still think it will be done at the end of the sprint?

Comment by Jeff McCune [ 2015/03/06 ]

Just to confirm a question Josh Cooper asked this morning, puppet-server is currently not creating the puppet user and group as part of the package installation. This can be seen here: https://github.com/puppetlabs/puppet-server/blob/d837d8190b887238d02524ff2db2f889a7458eb6/resources/ext/ezbake.conf

Comment by Ruth Linehan [ 2015/03/06 ]

Jeff McCune It may not be doing it in ezbake.conf, but that's because it/ezbake is doing it as a result of setting user and group in project.clj in the lein-ezbake section: https://github.com/puppetlabs/puppet-server/blob/d837d8190b887238d02524ff2db2f889a7458eb6/project.clj#L68-L69

Comment by Jeff McCune [ 2015/03/06 ]

Ruth Linehan Ah, thanks for the information. Josh Cooper I was wrong, puppet-server packages are creating the user and group in the RPM spec template:


Comment by Jeff McCune [ 2015/03/06 ]

@josh Though, re-reading the ticket for the 3rd time, I realize there's actually two issues. One is the actual user and group creation. The second is making sure all of the new paths have the correct user and group ownership and file permissions. I'll chase this up and update the ticket with what exactly is required for AIO.

Comment by Jeff McCune [ 2015/03/09 ]

> The second is making sure all of the new paths have the correct user and group ownership and file permissions.

This second chunk of work was confirmed in the AIO standup today.

Comment by Rob Braden [ 2015/03/10 ]

The linked PRs update the packaging to include the application data dir (/opt/puppetlabs/server/data/$project), and update the pid dir with permissions applied for the app user and group.

Also included is an update to puppet-server to correctly set permissions on the ssldir

Comment by Jeff McCune [ 2015/03/12 ]

ezbake PR rebased and merged. SERVER-414 will update puppet-server to use ezbake 0.3.0 rather than a snapshot. Once SERVER-414 is merged, the puppet-server PR here will get merged and then we should be good to go.

Comment by Jeff McCune [ 2015/03/12 ]

puppet-server PR rebased and merged.

Comment by Jeff McCune [ 2015/04/13 ]

Release Notes

Puppet Server 2.0.0 creates the user and group the service runs as. In previous versions, puppetserver relied on the underlying puppet package to create the user and group. The overall result and behavior should be equivalent from the end user point of view.

Generated at Fri Aug 07 09:43:19 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.