0

hiera-gpg backend does not work on PE 3.0.1

asked 2013-10-07 03:34:21 -0500

Ger Apeldoorn

updated 2013-10-07 08:32:15 -0500

Hi,

I'm trying to implement hiera-gpg on PE 3.0.1, but the PM cannot decrypt the contents. I'm following Craig's writeup here: http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/

pe-httpd is running as user pe-apache, so if that user can decrypt my files I should be OK, right? When I run Hiera as pe-apache from the CLI with sudo, it can decrypt the data.

sudo -u pe-apache gpg --homedir=/etc/puppetlabs/gpg -d [path]/common.gpg

Puppet cannot. How can I debug this further?

The PM has this in the log:

hiera(): [gpg_backend]:  No usable keys found in ...

Comments

Can you post your hiera.yaml and nodes.pp files for review? Also, can you successfully retrieve the data you want by using the hiera command line?

GregLarkin ( 2013-10-07 08:11:16 -0500 )

Thanks, I updated the original question. As mentioned, CLI works like a charm.

Ger Apeldoorn ( 2013-10-07 08:32:39 -0500 )

Regarding the CLI, the command you show above uses gpg to decrypt common.gpg, but I don't see a hiera command there. Did you do a test like in ...

GregLarkin ( 2013-10-07 13:13:30 -0500 )

Ah yes, silly me.. :) It's been fixed. The owner should be pe-puppet, not pe-apache.

Ger Apeldoorn ( 2013-10-11 00:57:44 -0500 )

1 Answer

2

answered 2013-10-07 11:05:35 -0500

jonuwz

updated 2013-10-07 11:11:09 -0500

You create a pgp-pair for pe-puppet, and use the public key for encryption (not pe-apache).

If you do a ps -ef | grep Passenger - puppetmaster runs as pe-puppet

More specifically, the passenger app will run as whoever owns the .ru file here:
/var/opt/lib/pe-puppetmaster/config.ru

I use this against PE 3.0.1

Have you also installed the gpgme rubygem?

/opt/puppet/bin/gem list


Comments

That's it, the owner was wrong. Thanks for the help!

Ger Apeldoorn ( 2013-10-11 00:58:03 -0500 )
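Added example (not part of the original answer and not Puppet's own tooling): a shell check of the ownership point made in the answer. It compares the uid that owns config.ru with the owner of the GPG homedir and each file in it. The function names owner_uid and check_gpg_owner are hypothetical; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, constructed for this thread. Function names are hypothetical.
# Usage (paths as quoted in the thread):
#   sh check.sh /var/opt/lib/pe-puppetmaster/config.ru /etc/puppetlabs/gpg

# Print the numeric uid that owns a path (field 3 of POSIX "ls -n").
owner_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{print $3}'
}

# check_gpg_owner <uid> <gpg_homedir>
# Returns 0 if the homedir and every file in it are owned by <uid>,
# 1 if any entry has a different owner, 2 if the homedir does not exist.
check_gpg_owner() {
    want=$1
    gpg_home=$2
    [ -d "$gpg_home" ] || return 2
    rc=0
    for f in "$gpg_home" "$gpg_home"/*; do
        [ -e "$f" ] || continue   # unmatched glob on an empty directory
        have=$(owner_uid "$f")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH: $f is owned by uid $have, expected uid $want" >&2
            rc=1
        fi
    done
    return "$rc"
}

# When called with two arguments, take the expected uid from the owner of the
# Passenger config.ru, since that is the user the puppetmaster app runs as.
if [ "$#" -eq 2 ]; then
    check_gpg_owner "$(owner_uid "$1")" "$2"
    exit $?
fi
```

A non-zero exit with MISMATCH lines points at keyring files the master process does not own, which is the condition the asker confirmed was behind the "No usable keys found" log entry.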
