
Any thoughts on the Puppet concern below?

asked 2015-01-16 09:11:49 -0500

Prasad

updated 2015-01-16 14:10:42 -0500

GregLarkin

Dear All,

We saw Puppet make some crontab entry updates to the machines. We could not find any reason for Puppet to do this – we did not ‘tell’ it to configure anything new, and we did not remove anything in the crontab entries. This caused some concern...

When the systems were in a bad state (owned by a non-root user, like “xyz” or some other account), root functions were running as this user. When Puppet ran, it ran as "xyz" and it looked for a crontab for that user, which it did not find. Puppet corrected this by creating a new crontab and mcollective entry for "xyz". All the while, the original entry existed in the regular root crontab. These were the unexpected/unexplained updates that we saw. At present we have stopped Puppet on all those 25 nodes and made the manual changes reverting the ownership to root users.

Are there any configuration changes to be made to stop such issues in the future? All thoughts are welcome.

Log messages from one of the machines:

Jan 15 3:30:56 vm /usr/sbin/cron[15642]: (root) CMD (/opt/puppet/sbin/refresh-mcollective-metadata)
Jan 15 3:33:36 vm puppet-agent[16029]:    (at /opt/puppet/lib/ruby/site_ruby/1.9.1/puppet/type/package.rb:430:in `block (3 levels) in <module:Puppet>')
Jan 15 3:33:24 vm crontab[16304]: (xyz) LIST (xyz)
Jan 15 3:33:14 vm puppet-agent[16029]: (/Stage[main]/Puppet_enterprise::Mcollective::Server::Facter/Cron[pe-mcollective-metadata]/ensure) created
Jan 15 3:33:14 vm crontab[16305]: (xyz) REPLACE (xyz)
Jan 15 3:33:14 vm puppet-agent[16029]: Finished catalog run in 1.31 seconds

My thoughts:
1. Can a manifest be made to confirm the root user on all folders? But then there would be the issue that if at some point user "xyz" needs to take ownership for some reason, Puppet won't allow it.
2. Disabling the Puppet run and doing a manual Puppet run, which doesn't make much sense.
3. Thinking ............

Thanking in advance.
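
A way to spot the pattern in the log excerpt above across many nodes, as an added example that is not part of the original post: it flags crontab REPLACE events made by a non-root user and links them to a Puppet Cron resource reported as created on the same host at about the same time. The function names, the 5-second window and the year (syslog lines carry none) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the question's excerpt (classic syslog format, no year field).
SAMPLE = """\
Jan 15 3:30:56 vm /usr/sbin/cron[15642]: (root) CMD (/opt/puppet/sbin/refresh-mcollective-metadata)
Jan 15 3:33:24 vm crontab[16304]: (xyz) LIST (xyz)
Jan 15 3:33:14 vm puppet-agent[16029]: (/Stage[main]/Puppet_enterprise::Mcollective::Server::Facter/Cron[pe-mcollective-metadata]/ensure) created
Jan 15 3:33:14 vm crontab[16305]: (xyz) REPLACE (xyz)
Jan 15 3:33:14 vm puppet-agent[16029]: Finished catalog run in 1.31 seconds
"""

LINE = re.compile(r"^(\w{3} +\d+ +[\d:]+) (\S+) ([^\[\s]+)\[\d+\]: (.*)$")
CRONTAB = re.compile(r"^\((\S+)\) (REPLACE|LIST) \((\S+)\)$")
PUPPET_CRON = re.compile(r"Cron\[([^\]]+)\]/ensure\) created$")


def parse(text, year):
    """Yield (timestamp, host, program, message) for each well-formed syslog line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def non_root_cron_writes(text, window=timedelta(seconds=5), year=2015):
    """Return crontab REPLACE events by non-root users, with any Puppet Cron
    resources created on the same host within `window` of the write."""
    events = list(parse(text, year))
    created = [(ts, host, m.group(1))
               for ts, host, prog, msg in events
               if prog == "puppet-agent" and (m := PUPPET_CRON.search(msg))]
    findings = []
    for ts, host, prog, msg in events:
        m = CRONTAB.match(msg)
        if prog != "crontab" or not m or m.group(2) != "REPLACE":
            continue
        if m.group(1) == "root":
            continue  # root editing its own crontab is the expected case
        linked = [name for cts, chost, name in created
                  if chost == host and abs(ts - cts) <= window]
        findings.append({"host": host, "time": ts, "user": m.group(1),
                         "puppet_cron": linked})
    return findings


if __name__ == "__main__":
    for f in non_root_cron_writes(SAMPLE):
        print(f"{f['time']:%b %d %H:%M:%S} {f['host']}: crontab for "
              f"{f['user']} replaced; Puppet cron resources: {f['puppet_cron']}")
```

A non-empty `puppet_cron` list on a finding means the agent itself wrote the crontab while running as that user, which is the state described in the question.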


1 Answer


answered 2015-01-17 06:17:10 -0500

Isn't this just the standard cron entry from the mcollective module? Usually it's OK; however, I suspect your systems may have been in an unexplained state for other reasons?


Comments

Digging further into one of the machines, we found the log below: mcollective-audit.log-20150118:[2015-01-14 17:05:38 UTC] reqid=6e5702a8bb2c57: reqtime=1421255138 caller=cert=puppet-dashboard-public@peconsole agent=puppetral action=search data={:type=>"user", :proce_results=>true}

Prasad ( 2015-01-27 10:37:28 -0500 )

... puppetral action=search data={:type=>"user", :proce_results=>true} .... is the one that triggers the issue. It's performing a system-wide scan on usernames. Is this some automated scan going on?

Prasad ( 2015-01-27 10:39:05 -0500 )


Stats

Asked: 2015-01-16 09:11:49 -0500

Seen: 168 times

Last updated: Jan 17 '15