Jira (PUP-10016) Systemd provider is not correctly selected as the service provider if puppet is run as non root
Andreas Ntaflos commented on PUP-10016

Gheorghe Popescu, thank you for creating a ticket for this! Since commenting in https://tickets.puppetlabs.com/browse/PUP-7312 I have not been able to reliably reproduce the issue I was having using Vagrant. I have created a minimal Puppet module for this at https://github.com/antaflos/puppet-foobar. On our in-house built Ubuntu 18.04 Vagrant boxes the spec tests would reliably fail with the aforementioned error message, but on the official ubuntu/bionic64 boxes (https://app.vagrantup.com/ubuntu/boxes/bionic64) the spec tests would reliably pass. I have no idea why and still cannot figure it out. Drives me crazy.

I am glad this issue got attention and a fix so quickly! Thanks to all involved!

Not that it matters much now, and just out of curiosity: couldn't Puppet also just look at /sbin/init, much like it looked at /proc/1/exe and read the symlink target? This works for regular users, not just root. As in:

    confine :true => Puppet::FileSystem.exist?('/sbin/init') && Puppet::FileSystem.readlink('/sbin/init').include?('systemd')

Maybe in addition to looking at /proc/1/exe, i.e.:

    confine :true => (Puppet::FileSystem.exist?('/proc/1/exe') && Puppet::FileSystem.readlink('/proc/1/exe').include?('systemd')) ||
                     (Puppet::FileSystem.exist?('/sbin/init') && Puppet::FileSystem.readlink('/sbin/init').include?('systemd'))
Jira (PUP-7312) Confine systemd provider to init system matching systemd
Andreas Ntaflos commented on PUP-7312

It seems that this change breaks a few things when Puppet is not being run as root, for example during spec tests (i.e. pdk test unit). At least under Ubuntu 16.04 and 18.04 the file /proc/1/exe is not accessible by regular users, so Puppet::FileSystem.exist?('/proc/1/exe') returns false and Puppet::FileSystem.readlink('/proc/1/exe').include?('systemd') fails with Errno::EACCES. ls also fails, obviously:

    $ ls /proc/1/exe
    ls: cannot read symbolic link '/proc/1/exe': Permission denied
    lrwxrwxrwx 1 root root 0 Sep 7 00:13 /proc/1/exe

This has interesting implications in that now Puppet no longer recognizes that systemd is the correct service provider for recent Debian and Ubuntu releases. Thus spec tests for services fail with cryptic error messages like this:

    $ pdk test unit
    ...
    failed: rspec: ./spec/classes/service_spec.rb:9: Could not find the daemon directory (tested [/etc/sv,/var/lib/service])
Jira (PUP-9395) provider gem in package type doesn't work anymore when rubygems is >= 3.0.0
Andreas Ntaflos commented on PUP-9395

We ran into the same issue today, with Puppet 5.5.6 on Ubuntu 16.04 and 18.04:

    Error: Could not update: Execution of '/usr/bin/gem install -v 2.7.7 --no-rdoc --no-ri rubygems-update' returned 1: ERROR: While executing gem ... (OptionParser::InvalidOption)
    invalid option: --no-rdoc

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For m
Jira (PUP-8477) selinux types are being set on every run
Andreas Ntaflos commented on PUP-8477

We observe similar problems on Ubuntu 14.04 and 16.04 using Puppet 5.4.0. SELinux properties are set on every Puppet agent run for the .k5login files we manage. The output of a typical Puppet agent run looks like this:

    Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/seluser: seluser changed to 'user_u'
    Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/selrole: selrole changed to 'object_r'
    Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/seltype: seltype changed to 'krb5_home_t'
    Notice: /Stage[main]/Profile::K5login/K5login[/root/.k5login]/selrange: selrange changed to 's0'
    Notice: Applied catalog in 22.20 seconds

We manage the .k5login files using a profile that looks like this:

    class profile::k5login {
      $k5login_defaults = lookup('profile::k5login::k5login_defaults', Hash, 'deep', {})
      $k5logins = lookup('profile::k5login::k5logins', Hash, 'deep', {})
      create_resources('k5login', $k5logins, $k5login_defaults)
Jira (PUP-8255) gem package provider broken with Rubygems 2.7.x
Andreas Ntaflos created an issue: Puppet / PUP-8255

Issue Type: Bug
Affects Versions: PUP 5.3.3
Assignee: Unassigned
Created: 2017/12/14 12:33 PM
Environment: Ubuntu 16.04
Priority: Normal
Reporter: Andreas Ntaflos

The format of gem list --local changed with the recent Rubygems 2.7.0 release. It now indicates default Gems, which looks like this:

    $ gem list --local
Jira (PUP-5601) Puppet settings not setup prior to test runs due to PUP-1118 implementation
Andreas Ntaflos commented on PUP-5601

It seems to me this problem, or a similar one, still exists in puppetlabs_spec_helper 2.3.0. Using the following spec/classes/skeleton_spec.rb I get this when running rspec:

    /home/ant/.rbenv/versions/2.3.3/bin/ruby -I/home/ant/.rbenv/versions/2.3.3/gemsets/puppetmoduledev/gems/rspec-core-3.6.0/lib:/home/ant/.rbenv/versions/2.3.3/gemsets/puppetmoduledev/gems/rspec-support-3.6.0/lib /home/ant/.rbenv/versions/2.3.3/gemsets/puppetmoduledev/gems/rspec-core-3.6.0/exe/rspec --pattern spec/\{aliases,classes,defines,unit,functions,hosts,integration,type_aliases,types\}/\*\*/\*_spec.rb --color
    confdir is set to ''
    An error occurred while loading ./spec/classes/skeleton_spec.rb.
    Failure/Error: puts Puppet[:ssldir]
    Puppet::Settings::InterpolationError: Error converting value for param 'ssldir': Could not find value for $confdir
    # /home/ant/.rbenv/versions/2.3.3/gemsets/puppetmoduledev/gems/puppet-4.10.1/lib/puppet/settings.r
Jira (PUP-7474) PuppetCA should issue certs with Subject Alternative Name containing the CN for compliance with RFC 2818
Andreas Ntaflos created an issue: Puppet / PUP-7474

Issue Type: Bug
Affects Versions: PUP 4.10.0
Assignee: Unassigned
Created: 2017/04/26 11:01 AM
Priority: Normal
Reporter: Andreas Ntaflos

Recently Chrome 58 was released and https://www.chromestatus.com/feature/4981025180483584 states the following:

"RFC 2818 describes two methods to match a domain name against a certificate - using the available names within the subjectAlternativeName extension, or, in the absence of a SAN extension, falling back to the commonName. The fallback to the commonName was deprecated in RFC 2818 (published in 2000), but support still remains in a number of TLS clients, often incorrectly."

Unfortunately this means that PuppetCA-issued certificates are considered invalid by Chrome 58, because by default they don't have the subjectAlternativeName extension and therefore don't include the certificate's common name (CN) as a SAN field.

The implication is that many (usually internal) services that use PuppetCA-issued certificates as server certificates are now inaccessible with Chrome. Typical examples include Foreman, Puppetboard and other such services. I imagine this is also a problem for PE and its various web interfaces, but we are not PE users so I can't say for sure.

In order for PuppetCA certifi
Jira (PUP-7464) Warning when trying to JSON-serialise undef value ("hash will be converted to string")
Andreas Ntaflos updated an issue: Puppet / PUP-7464

Change By: Andreas Ntaflos

A warning message like the following appears in Puppetserver's logs (line breaks added for readability):

    2017-04-23 16:12:15,935 WARN [qtp2095795815-27357] [puppetserver] Puppet Resource 'Icinga2::Object::Host[dns01.prod.example.com]' contains a Hash value. It will be converted to the String
    '{"distro"=>"Ubuntu", "is_virtual"=>true, "manufacturer"=>"QEMU", "os"=>"Linux", "parent"=>:undef, "project"=>"dns", "fqdn"=>"dns01.prod.example.com", "service"=>"dns-cluster","stage"=>"prod", "virtual"=>"kvm","notification"=>{"mail"=>{"groups"=>["admins"]}, "sms"=>{"groups"=>["admins"]}}}'

The resource in question looks like this:

    ...
    if getvar('::virtualisation_host') {
      $_parent = $::virtualisation_host
    } else {
      $_parent = undef
    }
    ...
    @@icinga2::object::host { $::fqdn:
      import       => $_import,
      display_name => $::fqdn,
      address      => $::fqdn,
      target       => '/etc/icinga2/objects/hosts.conf',
      tag          => $::stage,
      vars         => {
        applications => $_applications,
        distro       => $::operatingsystem,
        fqdn         => $::fqdn,
        is_virtual   => $::is_virtual,
        manufacturer => $::manufacturer,
        os           => $::kernel,
        parent       => $_parent,
        project      => $::project,
        service      => $_service,
        stage        => $::stage,
        virtual      => $::virtual,
        notification => {
          mail => { groups => $mail_groups, },
          sms  => { groups => $sms_groups, },
        },
      },
    }

In this case $_parent (and therefore the parent value in the vars hash) is set to undef explicitly. This seems to trip up something in Puppet related to JSON-serialisation.

I'll update this ticket with some reproducible code in the coming days.
Jira (PUP-7464) Warning when trying to JSON-serialise undef value ("hash will be converted to string")
Andreas Ntaflos created an issue: Puppet / PUP-7464

Issue Type: Bug
Affects Versions: PUP 4.10.0
Assignee: Unassigned
Created: 2017/04/23 9:07 AM
Environment: Puppet 4.8.3 and 4.10.0, Ubuntu 14.04, Puppetserver 2.7.2
Priority: Normal
Reporter: Andreas Ntaflos

A warning message like the following appears in Puppetserver's logs (line breaks added for readability):

    2017-04-23 16:12:15,935 WARN [qtp2095795815-27357] [puppetserver] Puppet Resource 'Icinga2::Object::Host[dns01.prod.example.com]' contains a Hash value. It will be converted to the String
Jira (PUP-7341) Regex Lookup isn't working with Puppet 4.9
Andreas Ntaflos commented on PUP-7341

Just noticed this problem as well. Using a regex with anchors, like "^profile::(.*)::foo$" results in the above error message. Removing the anchors from the regex ("profile::(.*)::foo") seems to turn it into a regular string as far as Puppet and Hiera are concerned and the lookup options for such keys are subsequently ignored (because no lookup key matches profile::(.*)::foo literally). At least that's my interpretation of what I am observing.
Jira (HI-561) Hiera 5 doesn't call lookup_with_segments method on hiera3_backend
Andreas Ntaflos commented on HI-561

Note that the lookup works when quoting the lookup key:

    /opt/puppetlabs/bin/puppet lookup --render-as s '"example_ca.crt.pem"'
Jira (HI-561) Hiera 5 doesn't call lookup_with_segments method on hiera3_backend
Andreas Ntaflos created an issue: Hiera / HI-561

Issue Type: Bug
Assignee: Unassigned
Created: 2017/03/09 6:08 AM
Environment: Puppet 4.9.3 on Ubuntu 16.04
Priority: Normal
Reporter: Andreas Ntaflos

We use a custom Hiera backend we call file_eyaml. It is based on the hiera-file backend from https://github.com/voxpupuli/hiera-file, which allows looking up file contents with Hiera. Our backend goes one step further and allows for the file contents to be Eyaml encrypted. Looking up a file this way decrypts the contents if they are encrypted or just returns them if they are not. The backend code is not really public but I've created a gist here (please don't judge, it is rather hackish and not that pretty): https://gist.github.com/antaflos/f4cb8844efa27d60d5179c77ad5b83ce

The problem here is that the files in question (and thus the lookup keys) very often have periods in their filenames, so we implemented the lookup_with_segments method in our backend as discussed in https://tickets.puppetlabs.com/browse/HI-496. This works fine in Hiera 3 and Puppet 4.8.x (and Hiera 1 and Puppet 3.8.x).

In Puppet 4.9.3 and Hiera 5 the lookup_with_segments method doesn't seem to get called at all. See below for the hiera.yaml file used and the defined hierarchy.

In this example I have a file /etc/puppetlabs/code/environments/production/hierafiles/ssldata/common.d/example_ca.crt.pem that contains an unencrypted, regular base64
Jira (HI-496) Hiera subkeys lookup should be configurable
Andreas Ntaflos commented on HI-496

Will do, thanks for the pointer!
Jira (HI-496) Hiera subkeys lookup should be configurable
Andreas Ntaflos commented on HI-496

To add a related perspective: this also hits those who use the hiera-file. We don't have dots in any of our normal Hiera lookup keys but the content of files in the hiera-file backend is looked up using the file name as key, and that will almost invariably and naturally contain at least one dot. For example:

    ssldata/projects.d/www.example.com.crt.pem
    ssldata/mcollective.d/mcollective-servers.crt.pem
    ssldata/mcollective.d/mcollective-servers.key.pem

Looking up mcollective-servers.crt.pem with Hiera returns the contents of the file ssldata/mcollective.d/mcollective-servers.crt.pem which we then pass to content of a File resource that manages that certificate on the target systems.

To make this work with Hiera 2/3 we have to rename all files to something like this:

    ssldata/projects.d/www_example_com_crt_pem
    ssldata/mcollective.d/mcollective-servers_crt_pem
    ssldata/mcollective.d/mcollective-servers_key_pem

Not exactly a showstopper but a PITA and somewhat unnatural for files.
Jira (PUP-4516) Agent does not stop with Ctrl-C
Andreas Ntaflos commented on PUP-4516

FWIW: a workaround (if you can call it that) is to put the running Puppet agent process in the background with Ctrl-Z and then destroy it with pkill -9 -f 'puppet agent'.
Jira (HI-297) hiera (debian) package does not register as gem
Andreas Ntaflos commented on an issue

I had the same problem on my Vagrant boxes I use for Puppet module development. On the box that runs a Puppet master I had to use the --ignore-dependencies install option so that Puppet could install the hiera-file Gem without a dependency error:

    package { 'hiera-file':
      ensure          => $hiera_file_package_ensure,
      name            => $hiera_file_package_name,
      provider        => 'gem',
      install_options => '--ignore-dependencies',
    }

So why would Puppet, when running `gem install` use a wrong GEM_PATH and not find Hiera as a Gem anywhere?
Jira (PUP-1515) Invalid parameter provider for custom types/providers
Andreas Ntaflos commented on an issue

"Me, too." Our Puppet master currently runs in the 'production' environment while a growing number of nodes run in a different environment (called 'production_redux', as we are overhauling the Puppet infrastructure on that site). Using the puppetlabs-mysql module in the 'production_redux' environment (but not in 'production') we get the "invalid parameter provider" exception trying to manage MySQL users and databases.

Do I understand correctly that switching the Puppet master's own environment to (in our case) 'production_redux' would work around this problem?

FWIW, running puppet plugin download --environment production_redux on the Puppet master results in this:

    # puppet plugin download --environment production_redux
    Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': undefined method `intern' for nil:NilClass
    Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet01.example.com/plugins: undefined method `intern' for nil:NilClass
    Wrapped exception:
    undefined method `intern' for nil:NilClass
    Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': undefined method `intern' for nil:NilClass
    Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet01.example.com/pluginfacts: undefined method `intern' for nil:NilClass
    Wrapped exception:
    undefined method `intern' for nil:NilClass
    No plugins downloaded.

I have no idea what to make of this.