2

is that even possible?

Summary: I'm running puppet master on a server and ideally we want root logins via ssh disabled; we want to force all access via sudo if root access is required.

However, we have puppet installed using a git repo to manage the manifests. This repo is currently owned by root, and currently I only know of 2 solutions:

  1. (less ideal) Allow root access via key auth only. If so, what can I lock it down to, to only allow the git push commands?
  2. Own the repo in /etc/puppet as a different owner. Will puppet work reliably with this?
  3. Could relevant sudo config and command work around this?

3 Answers

2

Git repos can be configured to maintain group write permissions (option --shared when creating the repository). Using that, you can then add any accounts that need access to the repository to a particular group, so that they can access it.

I do that for our git server. I also put a symlink in each user's home directory to each repository they have access to, so everyone can access with a relative URL.

2
  • So if I understand this correctly, when I clone or init the git repo on the server I add the --shared tag, make sure the directory is owned by a group (say puppet) and then add users pushing to it to the puppet group? Commented Nov 17, 2011 at 17:45
  • @anthonysomerset Pretty much. You have to make sure to do sg to the group you want to be the owner before creating the repository, so that git will know what user you want. Commented Nov 17, 2011 at 23:07
2

To answer my own question, I looked at the info Daniel provided but it didn't tally up. I researched git group write and came across http://andyregan.net/blog/archives/504

By giving my repository group ownership by a common group (puppet), adding the relevant users to that group, and then running:

chmod -R g+swX /etc/puppet/
cd /etc/puppet
git repo-config core.sharedRepository true

worked perfectly for me. I can push to a root-owned repository, puppet still works and I don't use a root ssh login to do so.

Win, Win

UPDATE

I had this problem again, also with puppet, but looked to handle it in a better manner and solved it alternatively with the right bit of sudoers config, by adding the following after the env_reset line:

Defaults env_keep += SSH_AUTH_SOCK 

This allows me to run a command like this:

cd /etc/puppet && sudo git pull && sudo git submodule sync && sudo git submodule update --init --recursive 

in, say, a Rakefile (my user already has nopasswd permissions via sudo) and everything works accordingly. What I achieved was basically to pass my ssh-agent forwarded ssh key through to the root user and then do a git pull as if I was connected as my non-root user, without storing my ssh key under the root user (or my non-privileged account on the server). Win Win

1
  • I had to use git config core.sharedRepository true. Not repo-config. Commented Sep 29, 2021 at 8:02
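The recipe from the first two answers (group-owned repository, `chmod -R g+swX`, `core.sharedRepository`) and the sudoers part of the update, as an added example that is not code from any of the answers. It applies the permissions, audits that the tree really is group-shared, and renders a sudoers.d fragment that keeps SSH_AUTH_SOCK and allows only the three git commands the deploy step runs. The repository path, the user name "deploy", the group name and the git binary path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answers above. Applies the group-shared
# repository recipe (chgrp, chmod -R g+swX, core.sharedRepository), audits the
# result, and renders a sudoers.d fragment that keeps SSH_AUTH_SOCK and permits
# only the git commands the deploy step needs. Paths, the user name "deploy"
# and the group name are assumptions.

# Make REPO shared by GROUP. chgrp succeeds for a caller who is root or a
# member of GROUP; the setgid bit makes new entries inherit GROUP.
share_repo() {
    repo="$1"; group="$2"
    chgrp -R "$group" "$repo" || return 1
    chmod -R g+swX "$repo" || return 1
    # git creates its object files itself; this setting keeps them
    # group-writable (the answer's "repo-config" is the old spelling of
    # "git config").
    if [ -d "$repo/.git" ] && command -v git >/dev/null 2>&1; then
        git -C "$repo" config core.sharedRepository group || return 1
    fi
    return 0
}

# Audit REPO: print every entry with the wrong group, without group write, or
# (for directories) without setgid. Returns 0 when clean, 1 otherwise.
audit_shared_repo() {
    repo="$1"; group="$2"
    bad=$( {
        find "$repo" ! -group "$group" -exec echo "wrong group: {}" \;
        find "$repo" ! -perm -g+w -exec echo "not group-writable: {}" \;
        find "$repo" -type d ! -perm -g+s -exec echo "no setgid: {}" \;
    } )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Render a sudoers.d fragment for USER. env_keep passes the forwarded agent
# socket to root (the answer's Defaults line, scoped to USER), and the command
# list replaces a blanket NOPASSWD with exactly the three git commands,
# pinned to REPO with -C so they cannot be pointed at another repository.
render_sudoers_fragment() {
    user="$1"; repo="$2"; git="${3:-/usr/bin/git}"
    cat <<EOF
Defaults:$user env_keep += SSH_AUTH_SOCK
Cmnd_Alias PUPPET_GIT = $git -C $repo pull, \\
    $git -C $repo submodule sync, \\
    $git -C $repo submodule update --init --recursive
$user ALL=(root) NOPASSWD: PUPPET_GIT
EOF
}

# Check the fragment with visudo before installing it: a syntax error under
# /etc/sudoers.d can break sudo for everyone. The install step needs root.
install_sudoers_fragment() {
    user="$1"; repo="$2"; out="${3:-/etc/sudoers.d/puppet-git}"
    tmp=$(mktemp) || return 1
    render_sudoers_fragment "$user" "$repo" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    install -m 0440 -o root -g root "$tmp" "$out"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use on the master (as root, assumed paths):
#   share_repo /etc/puppet puppet && audit_shared_repo /etc/puppet puppet
#   install_sudoers_fragment deploy /etc/puppet
```

With the commands pinned by `-C`, the Rakefile step becomes `sudo /usr/bin/git -C /etc/puppet pull` rather than `cd /etc/puppet && sudo git pull`: sudoers matches the command line, not the working directory, so the `cd` form would allow the same `git pull` in any repository root can reach. Two caveats the answers gloss over: the setgid bit only fixes the group of new files, so a file created by another tool (puppet itself, an editor run as root) is group-writable only if that tool's umask allows it, which is exactly why git needs `core.sharedRepository` for the objects it writes; and `git -C` requires git 1.8.5 or newer.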
1

What I like to do is have a "staging" bare git repo on the puppet master that I push to that runs various pre-commit and post-commit hooks. Pre-commit hooks check puppet syntax (so that code with bad syntax can't be committed) and post-commit hooks actually drop the code into /etc/puppet and restart Apache (to fix an old caching bug in puppet 2.6).

Having a staging area that you push to makes the process of deploying puppet code more atomic. Otherwise, it may be possible for your puppetmaster to be serving half-committed code to clients.
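The staging repository with hooks, as an added example that is not the answer's own scripts. It uses the bare repository's server-side pre-receive and post-receive hooks (run on the push, the server-side counterparts of the commit hooks the answer mentions), validates the pushed tree in a scratch export rather than trusting the pusher's working copy, and publishes with a single forced checkout so the live directory never holds a half-applied update. The validator command, the live directory, the branch name and the Apache restart command are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: server-side hooks for a bare
# "staging" repository on the puppet master. pre-receive rejects a push whose
# manifests fail syntax validation; post-receive checks the accepted tree out
# into the live directory. Install this file as both hooks/pre-receive and
# hooks/post-receive (symlinks); it dispatches on its own name.

LIVE_DIR="${LIVE_DIR:-/etc/puppet}"                 # deploy target (assumed)
VALIDATOR="${VALIDATOR:-puppet parser validate}"    # syntax checker (assumed)
DEPLOY_BRANCH="${DEPLOY_BRANCH:-master}"            # branch to publish (assumed)

# Run VALIDATOR over each *.pp argument (other files are ignored).
# Prints the failures and returns 1 if any manifest failed, 0 otherwise.
validate_manifests() {
    failed=0
    for f in "$@"; do
        case "$f" in *.pp) ;; *) continue ;; esac
        if ! $VALIDATOR "$f" >/dev/null 2>&1; then
            echo "syntax error: $f" >&2
            failed=1
        fi
    done
    return $failed
}

# Export commit SHA to a scratch tree and validate it there, so the check
# runs on exactly what will be deployed. Manifest paths are assumed to be
# free of whitespace (the find output is word-split).
check_commit() {
    sha="$1"
    scratch=$(mktemp -d) || return 1
    git archive "$sha" | tar -x -C "$scratch" || { rm -rf "$scratch"; return 1; }
    validate_manifests $(find "$scratch" -name '*.pp')
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# hooks/pre-receive: stdin carries one "<old> <new> <ref>" line per ref.
# A non-zero exit makes git refuse the whole push.
pre_receive() {
    while read -r old new ref; do
        case "$new" in
            0000000000000000000000000000000000000000) continue ;;  # ref deletion
        esac
        check_commit "$new" || { echo "rejecting $ref" >&2; return 1; }
    done
    return 0
}

# hooks/post-receive: refs are already updated; publish in one step.
post_receive() {
    # checkout -f replaces the live tree with the pushed one in one operation
    git --work-tree="$LIVE_DIR" checkout -f "$DEPLOY_BRANCH" || return 1
    # Only needed for the puppet 2.6 cache bug the answer mentions.
    if command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl graceful
    fi
}

case "$(basename "$0")" in
    pre-receive)  pre_receive ;;
    post-receive) post_receive ;;
esac
```

Because the pre-receive hook validates the exported commit and not the files on disk, a push cannot sneak an unvalidated manifest in through an uncommitted working-tree edit, and because post-receive only runs after git has accepted every ref, clients never see a tree that mixes old and new commits.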
