Add umask option to package resource type

[bobnegri]

Use Case

When the puppet agent runs in a scheduled manner under the puppet service on a Linux server, it uses umask 022 when it installs python modules and gems via the package resource type. When forced to run by sudo puppet agent --test, the python and gem packages get installed so that only root can use the packages. This is frustrating as the package then needs to be manually uninstalled, and then reinstalled being sure to set umask 022. This assumes the team member running the command even noticed there was an issue in the first place. Generally the issue appears when a GitLab Runner process begins to fail or another process begins to fail.

Describe the Solution You Would Like

I would like to see one of the following:

• Resource type package uses umask 022 by default in the background, maybe for:
  • gem
  • pip, pip2, pip3
  • puppet_gem
  • puppetserver_gem

Or

• Add attribute umask to resource type package

Describe Alternatives You've Considered

We currently use npwalker-recursive_file_permissions in our various Puppet modules based on server type and whether or not we are installing a gem or a python module.

Additional Context

N/A

[AriaXLi]

@bobnegri Thank you for opening this issue, would it be possible to check if this behavior is being caused by puppet or if it's being caused by running the python and gem commands? Thank you!

[bobnegri]

I have no idea how I missed the question. Sorry.

I know from experience that running the commands as 'root', one has to add 'umask 022' before executing the pip install or gem install commands, otherwise only the 'root' user can use the newly installed/updated module.

As I mentioned, when the puppet service kicks of the puppet agent run on a Linux server, things seems to install with the correct permissions. The issue is when we manually force the puppet agent to run due to limited change implementation windows. (At my company, the puppet agent runs hourly.)