Puppet

I have a system whose root filesystem is mounted read-only for various reasons. Puppet is still running, I simply have to log in and remount r/w to let changes propagate. The warnings I get when changes are pending while the system is r/o are a good reminder.

It turns out, however, that an augeas resource always wants to write to a file, even if there are no changes:

debug: Augeas[passwordless-root-login](provider=augeas): Opening augeas with root /, lens path , flags 0
debug: Augeas[passwordless-root-login](provider=augeas): Augeas version 0.7.0 is installed
debug: Augeas[passwordless-root-login](provider=augeas): Will attempt to save and only run if files changed
debug: Augeas[passwordless-root-login](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/PermitRootLogin", "without-password"]
debug: Augeas[passwordless-root-login](provider=augeas): Files changed, should execute
debug: Augeas[passwordless-root-login](provider=augeas): Closed the augeas connection
debug: //ssh::server::config/Augeas[passwordless-root-login]: Changing returns
debug: //ssh::server::config/Augeas[passwordless-root-login]: 1 change(s)
debug: Augeas[passwordless-root-login](provider=augeas): Opening augeas with root /, lens path , flags 0
debug: Augeas[passwordless-root-login](provider=augeas): Augeas version 0.7.0 is installed
debug: Augeas[passwordless-root-login](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/PermitRootLogin", "without-password"]
debug: Augeas[passwordless-root-login](provider=augeas): Closed the augeas connection
err: //ssh::server::config/Augeas[passwordless-root-login]/returns: change from need_to_run to 0 failed: Save failed with return code false

It really is not making any change though. Compare to when I run it while the system is mounted r/w:

debug: Augeas[passwordless-root-login](provider=augeas): Opening augeas with root /, lens path , flags 0
debug: Augeas[passwordless-root-login](provider=augeas): Augeas version 0.7.0 is installed
debug: Augeas[passwordless-root-login](provider=augeas): Will attempt to save and only run if files changed
debug: Augeas[passwordless-root-login](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/PermitRootLogin", "without-password"]
debug: Augeas[passwordless-root-login](provider=augeas): Skipping becuase no files were changed
debug: Augeas[passwordless-root-login](provider=augeas): Closed the augeas connection

I think augeas is trying to save the file (to where??), which fails, and then it compares the existing file to the non-existent new file, and they differ. Thus it thinks it needs to update the file for real.

Please make it do that in a proper location (e.g. /tmp), which is writeable even on r/o systems.