1

I see many messages in my Puppet dashboard that say a change has taken place, changing ownership of a group from "users" to "users". It seems to be related to the group 'users' existing twice, once locally with group id 100 and once with group id 3000.

[root@tst-01 ~]# puppet agent --test
info: Caching catalog for tst-01.tst.domain.tld
info: Applying configuration version '1370937308'
notice: /File[/var/opt/dolphin]/group: group changed 'users' to 'users'
notice: Finished catalog run in 3.41 seconds
[root@tst-01 ~]#

[root@puppetmaster ~]# cat init.pp
class dolphin {
    file { "/var/opt/dolphin":
        ensure => "directory",
        owner  => "dolphin",
        group  => "users",
        mode   => 755,
    }
}
[root@puppetmaster ~]#

[root@tst-01 audit]# grep -A2 dolphin-own audit.log
type=SYSCALL msg=audit(1370894388.610:49571): arch=c000003e syscall=94 success=yes exit=0 a0=4e96770 a1=ffffffff a2=64 a3=8 items=1 ppid=1 pid=1687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe=2F7573722F62696E2F72756279202864656C6574656429 subj=system_u:system_r:puppet_t:s0 key="dolphin-own"
type=CWD msg=audit(1370894388.610:49571):  cwd="/"
type=PATH msg=audit(1370894388.610:49571): item=0 name="/var/opt/dolphin" inode=110 dev=fd:02 mode=040755 ouid=3550 ogid=3000 rdev=00:00 obj=system_u:object_r:var_t:s0
--
type=SYSCALL msg=audit(1370896195.626:49596): arch=c000003e syscall=94 success=yes exit=0 a0=4de42c0 a1=ffffffff a2=bb8 a3=8 items=1 ppid=1 pid=1687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe=2F7573722F62696E2F72756279202864656C6574656429 subj=system_u:system_r:puppet_t:s0 key="dolphin-own"
type=CWD msg=audit(1370896195.626:49596):  cwd="/"
type=PATH msg=audit(1370896195.626:49596): item=0 name="/var/opt/dolphin" inode=110 dev=fd:02 mode=040755 ouid=3550 ogid=100 rdev=00:00 obj=system_u:object_r:var_t:s0
--
type=SYSCALL msg=audit(1370917877.149:49861): arch=c000003e syscall=94 success=yes exit=0 a0=489a5f0 a1=ffffffff a2=64 a3=8 items=1 ppid=1 pid=1687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe=2F7573722F62696E2F72756279202864656C6574656429 subj=system_u:system_r:puppet_t:s0 key="dolphin-own"
type=CWD msg=audit(1370917877.149:49861):  cwd="/"
type=PATH msg=audit(1370917877.149:49861): item=0 name="/var/opt/dolphin" inode=110 dev=fd:02 mode=040755 ouid=3550 ogid=3000 rdev=00:00 obj=system_u:object_r:var_t:s0
--
type=SYSCALL msg=audit(1370919683.974:49886): arch=c000003e syscall=94 success=yes exit=0 a0=6072510 a1=ffffffff a2=bb8 a3=8 items=1 ppid=1 pid=1687 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="puppetd" exe=2F7573722F62696E2F72756279202864656C6574656429 subj=system_u:system_r:puppet_t:s0 key="dolphin-own"
type=CWD msg=audit(1370919683.974:49886):  cwd="/"
type=PATH msg=audit(1370919683.974:49886): item=0 name="/var/opt/dolphin" inode=110 dev=fd:02 mode=040755 ouid=3550 ogid=100 rdev=00:00 obj=system_u:object_r:var_t:s0
[root@tst-01 audit]#

[root@tst-01 ~]# getent group | grep users
users:x:100:
users:*:3000:
[root@tst-01 ~]#

It seems that most of the time Puppet does not change ownership. Puppet runs 48 times a day of which about 6-8 times per day it change the ownership of this directory. What makes Puppet choose between group id 100 and 3000 and what is the best way to solve this issue?

ujjain
  • 3,983
  • 16
  • 53
  • 91

1 Answers1

6

You have a duplicate group name, so all bets are off. puppet will be calling getgrnam(3), which in the case of duplicate group names will return one or the other: there's no way to tell what you'll get.

Duplicate group names are a bad thing in all sorts of ways, the most obvious being that you don't know for sure how the permissions on your files will be interpreted.

Flup
  • 7,978
  • 2
  • 32
  • 43