I have a server that relies on puppet vcsrepo to update code in a local mercurial repository based on a tag.
When I change the required tag, using the vcsrepo "revision" parameter, vcsrepo should do a hg pull and hg update on the repo.
This is all working fine.
However, I have created a clone of this server to test something else, and now when I run the puppet update I get an error:
Not trusting file /var/hg/repo/.hg/hgrc from untrusted user *user*, group *group*
This happens because puppet is running as root, while the hgrc file is owned by user.
The user parameter in vcsrepo is supposed to deal with this:
vcsrepo { '/var/hg/repo':
  ensure   => present,
  provider => hg,
  source   => 'ssh://****',
  user     => 'user',
  owner    => 'user',
  group    => 'group',
  revision => '1.12'
}
i.e. the hg commands are supposed to run as user so that the Trust requirement in mercurial is satisfied.
But it's not working. The clone server is a bit for bit copy of the original.
I figured this out.
Puppet runs as root. That means that for vcsrepo using mercurial, the root user needs to trust the user who owns the .hgrc file in the repo being updated.
To establish this trust, you add
To /root/.hgrc
When mercurial is executed, it looks in $HOME/.hgrc for trust relationships.
On my existing server, the puppet agent was being executed with cron, so cron would have seen $HOME as /root/.hgrc.
On the cloned server, I was running the puppet update interactively, having opened a root shell using
However, this retains my $HOME variable with the same value as my initial user, so mercurial could not find the required trusted information in /root/.hgrc.
When I established a root shell with
The correct $HOME variable was set and the puppet update worked.
The 'user' parameter in vcsrepo refers to the user used to authenticate to the mercurial remote server, not the user who runs the process on the local server.
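
The $HOME-dependent trust lookup described in this answer, as an added example (not code from the original post or from Mercurial). It is a simplified model of the check: only $HOME/.hgrc is read, system-wide hgrc files are ignored, and the hgrc contents and the /home/admin path are constructed samples, not the poster's files.

```python
import configparser
import re

# Constructed sample files: root's hgrc trusts 'user'; the admin's own hgrc
# (the one found when $HOME is kept from the login user) has no [trusted] section.
HOMES = {
    "/root/.hgrc": "[trusted]\nusers = user\n",
    "/home/admin/.hgrc": "[ui]\nusername = Some Admin\n",
}

def trusted_names(hgrc_text):
    """Return (users, groups) named in the [trusted] section of hgrc text."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True
    )
    cp.read_string(hgrc_text)

    def names(key):
        raw = cp.get("trusted", key, fallback="") or ""
        return {n for n in re.split(r"[,\s]+", raw) if n}

    return names("users"), names("groups")

def would_trust(home_hgrc_text, file_owner, file_group, running_as):
    """Model of the trust decision for a repo's .hg/hgrc file."""
    if file_owner == running_as:
        return True  # a file owned by the invoking user is always trusted
    users, groups = trusted_names(home_hgrc_text)
    if "*" in users or "*" in groups:
        return True  # wildcard trusts every user or group
    return file_owner in users or file_group in groups

def check(env_home, homes, file_owner, file_group, running_as="root"):
    """Resolve $HOME/.hgrc from the given environment value, then decide."""
    text = homes.get(env_home + "/.hgrc", "")
    return would_trust(text, file_owner, file_group, running_as)

if __name__ == "__main__":
    for home in ("/root", "/home/admin"):
        ok = check(home, HOMES, "user", "group")
        print(f"HOME={home}: repo hgrc trusted = {ok}")
```

On a real host, comparing the value of $HOME in the cron environment and in the interactive root shell shows which of the two cases applies.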