2

Is it possible two run multiple puppet agents with different user rights on one host?

I have a server which should be administered by two non related users through puppet. (one user account for the developer and one root account for the server team)

elhombre
  • 435
  • 1
  • 8
  • 18

1 Answers1

2

The non-root account can just run puppet agent --one-time --no-daemonize and any other flavor of puppet agent.

Configuration and persistent data will be looked up and stored in

  • ~/.puppet/ for Puppet 3.x and older
  • ~/.puppetlabs/ for Puppet 4.x and later

Things you want to make sure via ~/.puppet/puppet.conf:

  • you use a distinct certname setting for the secondary agent
  • you likely want to use an alternate server as well so that the certificate is not trusted by your main master (yes, you will need a new Puppet master if you want this)
  • vardir and its children such as ssldir and statedir are distinct from the system central location and writeable to the user (it's safest not to touch these at all - the defaults are quite sane; see also puppet agent --configprint all).

Also, the manifest should be limited to resources that an unpriviliged agent can manage, such as

  • files owned by the user
  • cron jobs of the user's
  • Ruby gems installed in the user's home directory

etc.

Felix Frank
  • 3,093
  • 1
  • 16
  • 22
  • Why shouldn't the certname not be trusted by my main master? Can't I just have both certs (root, non-root user) on my master and deploy to the agent by using the same method as in the agent's case? (Running the master binary with different user privileges) – elhombre May 20 '15 at 05:57
  • If you feel comfortable trusting this certificate, then yes, just use the regular master. There are no implicit security implications. You should probably not run a second master process, though. From the master's POV, the two agents on that one box are distinct nodes, that is all. (If you *were* to run two masters, you would have to use an alternate `masterport` for one of them. But if they share the CA after all, that setup will become quite messy I imagine.) – Felix Frank May 20 '15 at 08:19
  • So It would be better to run two separate master instances with different masterports and different trusted certnames. If I want to have two managed master nodes (one non-root and one root instance) – elhombre May 20 '15 at 08:34
  • I think I caused confustion now. **If** you want distinct masters, one distinct machines, don't touch `masterport`. Two **masters** on the master host would need distinct ports. *Don't do either of those.* Just create the unprivileged agent. Make sure it has a `certname` different from the main agent. Create a `node` block for that certificate name on the master, so that it can compile a manifest for the secondary agent. – Felix Frank May 20 '15 at 12:19