Module assumes that a 'puppet' group exists
alexjfisher opened this issue
Discovered when building a TFTP only server (no puppet proxy or any other proxies) on EL7.
Prior to puppet 4 (AIO packaging), the 'puppet' package created a puppet user and group. This now only happens if the puppetserver package is installed.
I ended up with this failure...
Error: Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist
Error: /Stage[main]/Foreman_proxy::Config/User[foreman-proxy]/groups: change from to puppet failed: Could not set groups on user[foreman-proxy]: Execution of '/sbin/usermod -G puppet foreman-proxy' returned 6: usermod: group 'puppet' does not exist
I can easily enough work around this by creating the group in my profile, but I guess it should probably be fixed in the module?
Perhaps skip the group membership if $puppet is disabled.
What about $puppetca? If a CA is running, there'll be a group, but perhaps the proxy doesn't need to be a member of it?
Unfortunately, the proxy refuses to start as it can't read /etc/puppetlabs/puppet/ssl/private_keys/${::fqdn}.pem, which is owned by root:root.
It's the puppetserver RPM that chowns the keys...
https://github.com/puppetlabs/puppetserver/blob/master/resources/ext/ezbake.conf#L28
I've been working on a fix and hopefully will submit a PR for consideration shortly.
#261 is what I've got so far.
#261 got merged