Bug #5194
Bug #5172 (closed): ncf-api does not run as root and cannot use command to read/write promises
correct permission on /var/rudder/configuration-repository so ncf-builder can write/delete techniques
Description
We apply permission 2775 on /var/rudder/configuration-repository at package installation.
However, on first install the .git directory is not present and permissions are not set to make it usable.
We should initialise the git repository with the right permissions (git init --share=2775) so it would be OK.
Updated by Vincent MEMBRÉ over 10 years ago
- Assignee changed from Vincent MEMBRÉ to Jonathan CLARKE
Three solutions I see:
- initialize the repo before setting permissions
- modify the system techniques so cfengine ensures that the repo is OK
- set ACLs on /var/rudder/configuration-repo so the perms are always OK
I don't know which one is better... I would go for the first (easier) or the third (would ensure that it works over time).
Jon, Matthieu, what do you think of this?
Updated by Matthieu CERDA over 10 years ago
- Status changed from New to Discussion
- git init --share=2775 looks good to me.
- The system Techniques are bloated enough, and using them to manage git is dangerous as they are themselves stored in it. Chicken and egg problem :) break the system promises, break git, break rudder, no more system promises deployed :)
- I'd rather not rely on ACLs, we just can't ask every person deploying rudder to remount his/her / or /var partition with the acl option :/ and it would reduce the portability potential to other OSes, even if it is not the same level of concern.
For all those reasons, I'd stick to the first option, and if it does not work maybe try something else :)
Updated by Jonathan CLARKE over 10 years ago
- Assignee changed from Jonathan CLARKE to Matthieu CERDA
I agree, the git config option seems best.
However, caution: it is called "--shared" not "--share". Also, from the man page:
--shared[=(false|true|umask|group|all|world|everybody|0xxx)]
Specify that the git repository is to be shared amongst several users. This allows users belonging to the same group to push into that repository. When specified, the config variable "core.sharedRepository" is set so that files and directories under $GIT_DIR are created with the requested permissions. When not specified, git will use permissions reported by umask(2). The option can have the following values, defaulting to group if no value is given:
- umask (or false): Use permissions reported by umask(2). The default, when --shared is not specified.
- group (or true): Make the repository group-writable, (and g+sx, since the git group may be not the primary group of all users). This is used to loosen the permissions of an otherwise safe umask(2) value. Note that the umask still applies to the other permission bits (e.g. if umask is 0022, using group will not remove read privileges from other (non-group) users). See 0xxx for how to exactly specify the repository permissions.
- all (or world or everybody): Same as group, but make the repository readable by all users.
- 0xxx: 0xxx is an octal number and each file will have mode 0xxx. 0xxx will override users' umask(2) value (and not only loosen permissions as group and all does). 0640 will create a repository which is group-readable, but not group-writable or accessible to others. 0660 will create a repo that is readable and writable to the current user and group, but inaccessible to others.
Therefore, it does not seem that "2775" is an applicable mode. I suggest we simply use "--shared=group", since that is our intent (it will always be clearer to write an intent with a word than using obscure octal modes).
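As an added illustration of the permission problem discussed in this ticket (not part of the Rudder packages or of the comments above): a small Python audit that lists the entries of a checkout missing the group bits that --shared=group would give them, and can loosen them in place. The tree built in demo() is constructed to mimic a .git created under umask 022; the check models the man page's wording (group rw, plus s and x on directories) and is not git's own code.

```python
"""Audit/repair group-sharing bits on a checkout such as /var/rudder/configuration-repository
(models the man page's --shared=group: group rw, plus s and x on dirs; not git's own code)."""
import os
import stat
import tempfile

DIR_BITS = stat.S_IRWXG | stat.S_ISGID   # group rwx + setgid: new entries inherit the group
FILE_BITS = stat.S_IRGRP | stat.S_IWGRP  # group rw on plain files

def required_bits(mode):  # bits an entry of this type needs to be group-shared
    return DIR_BITS if stat.S_ISDIR(mode) else FILE_BITS

def find_unshared(root):
    """Relative paths under root (root itself included) missing the required bits."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    bad = []
    for path in paths:
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            continue                      # permission bits of symlinks are ignored
        need = required_bits(mode)
        if (mode & need) != need:
            bad.append(os.path.relpath(path, root))
    return sorted(bad)

def share_with_group(root):
    """Loosen permissions in place, as --shared=group does; return number of entries changed."""
    changed = 0
    for rel in find_unshared(root):
        path = os.path.join(root, rel)
        mode = os.lstat(path).st_mode
        os.chmod(path, stat.S_IMODE(mode) | required_bits(mode))
        changed += 1
    return changed

def demo():
    """Constructed tree mimicking a .git created under umask 022 (dirs 755, files 644)."""
    root = tempfile.mkdtemp()
    objects = os.path.join(root, ".git", "objects")
    os.makedirs(objects)
    head = os.path.join(root, ".git", "HEAD")
    with open(head, "w") as fh:
        fh.write("ref: refs/heads/master\n")  # constructed content
    for d in (root, os.path.join(root, ".git"), objects):
        os.chmod(d, 0o755)                    # what umask 022 leaves: no group write, no setgid
    os.chmod(head, 0o644)
    before = find_unshared(root)
    return before, share_with_group(root), find_unshared(root)
```

Run against a real checkout with find_unshared("/var/rudder/configuration-repository") to list what a second user in the group could not write; ownership and group membership are not checked here.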
Updated by Vincent MEMBRÉ over 10 years ago
- Status changed from Discussion to Pending technical review
- Assignee changed from Matthieu CERDA to Jonathan CLARKE
- Pull Request set to https://github.com/Normation/rudder-packages/pull/429
Updated by Vincent MEMBRÉ over 10 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset packages:commit:d1f710e27cf5bbc15d698b5145aa0ec67653c333.
Updated by Jonathan CLARKE over 10 years ago
Applied in changeset packages:commit:63a75a119a35b10e0a3aa0cf56b218f041efaa27.
Updated by Vincent MEMBRÉ over 10 years ago
- Subject changed from ncf-api_virtual has no rights on git if it was initiated after the package installation to correct permission on /var/rudder/configuration-repository so ncf-builder can write/delete techniques
Updated by Vincent MEMBRÉ over 10 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 2.11.0~rc1 (announcement, changelog), which was released today.
- Download information: https://www.rudder-project.org/site/get-rudder/downloads/