On clients of standalone puppetmasters, /usr/local/sbin/block-for-export and /usr/local/sbin/nfs-mount-manager get the group 998 (gitpuppet):
scfc@toolsbeta-puppetmaster8:~$ sudo rm -f /usr/local/sbin/block-for-export /usr/local/sbin/nfs-mount-manager && sudo puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for toolsbeta-puppetmaster8.toolsbeta.eqiad.wmflabs
Info: Applying configuration version '1480598564'
Notice: /Stage[main]/Role::Labs::Nfsclient/Labstore::Nfs_mount[project-on-labstoresvc]/File[/usr/local/sbin/block-for-export]/ensure: defined content as '{md5}ec735bc3e24aee651dc5a11fa669cfa4'
Notice: /Stage[main]/Role::Labs::Nfsclient/Labstore::Nfs_mount[project-on-labstoresvc]/File[/usr/local/sbin/nfs-mount-manager]/ensure: defined content as '{md5}e31d8868f7a356f6986a650804951136'
Notice: Finished catalog run in 18.40 seconds
scfc@toolsbeta-puppetmaster8:~$ ll /usr/local/sbin/block-for-export /usr/local/sbin/nfs-mount-manager
-r-xr-xr-x 1 root 998 873 Dec 1 13:31 /usr/local/sbin/block-for-export*
-rw-r-xr-x 1 root 998 1680 Dec 1 13:31 /usr/local/sbin/nfs-mount-manager*
scfc@toolsbeta-puppetmaster8:~$This is due to the file being owned by 998 (gitpuppet) on the standalone puppetmaster (cf. T152059):
scfc@toolsbeta-puppetmaster7:~$ ll /var/lib/git/operations/puppet/modules/labstore/files/nfs-mount-manager -rw-r--r-- 1 gitpuppet gitpuppet 1680 Nov 30 21:37 /var/lib/git/operations/puppet/modules/labstore/files/nfs-mount-manager scfc@toolsbeta-puppetmaster7:~$
The file resources in labstore::nfs_mount should have explicit group attributes.