Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-07-17 Thread Justin Stoller
On Fri, Jul 17, 2020 at 7:41 AM Peter Krawetzky wrote:

> Ok I figured out the curl command but I get this error:
>
> [root@mypuppetserver private_keys]# curl -v \
>   --header "Content-Type: application/json" \
>   --cert /etc/puppetlabs/puppet/ssl/certs/mypuppetserver.mydomain.com.pem \
>   --key /etc/puppetlabs/puppet/ssl/private_keys/mypuppetserver.mydomain.com.pem \
>   --cacert /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem \
>   -X DELETE \
>   https://mypuppetserver.mydomain.com:8140/puppet-admin-api/v1/environment-cache
> * About to connect() to mypuppetserver.mydomain.com port 8140 (#0)
> *   Trying xx.xx.xxx.xx...
> * Connected to mypuppetserver.mydomain.com (xx.xx.xxx.xx) port 8140 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
>   CApath: none
> * NSS: client certificate from file
> *   subject: CN=mypuppetserver.mydomain.com
> *   start date: Aug 14 15:32:34 2018 GMT
> *   expire date: Aug 14 15:32:34 2023 GMT
> *   common name: mypuppetserver.mydomain.com
> *   issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> * Server certificate:
> *   subject: CN=mypuppetserver.mydomain.com
> *   start date: Aug 14 15:32:34 2018 GMT
> *   expire date: Aug 14 15:32:34 2023 GMT
> *   common name: mypuppetserver.mydomain.com
> *   issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
> > DELETE /puppet-admin-api/v1/environment-cache HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: mypuppetserver.mydomain.com:8140
> > Accept: */*
> > Content-Type: application/json
> >
> < HTTP/1.1 403 Forbidden
> < Date: Fri, 17 Jul 2020 13:41:37 GMT
> < Content-Length: 115
> < Server: Jetty(9.4.z-SNAPSHOT)
> <
> * Connection #0 to host mypuppetserver.mydomain.com left intact
> Forbidden request: /puppet-admin-api/v1/environment-cache (method :delete). Please see the server logs for details.
> [root@mypuppetserver private_keys]#
>
> *puppetserver.log entries*:
> 2020-07-17 09:07:45,577 ERROR [qtp2067827614-66] [p.t.a.rules] Forbidden
> request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:07:45,585 ERROR [qtp2067827614-65] [p.t.a.rules] Forbidden
> request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:12:02,951 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden
> request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:17:29,677 ERROR [qtp2067827614-61] [p.t.a.rules] Forbidden
> request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:41:37,401 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden
> request: mypuppetserver.mydomain.com(xx.xx.xxx.xx) access to
> /puppet-admin-api/v1/environment-cache (method :delete) (authenticated:
> true) denied by rule 'puppetlabs deny all'.
>

This is from our auth subsystem which is configured at
/etc/puppetlabs/puppetserver/conf.d/auth.conf

It means there was no explicit auth rule for
"/puppet-admin-api/v1/environment-cache" so the default "deny all" rule was
applied.

You can create a rule in that auth.conf file; it will look something like:
https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/auth.conf#L110-L119
The above rule allows any GET request to any URL matching
"/puppet/v3/environments*" by a requester presenting a
certificate trusted by the Puppet CA, and names that rule "puppetlabs
environments" for logging purposes. Copy-pasting that and substituting
"/puppet-admin-api/v1/environment-cache" for the path, giving it a
different name, and a method of "delete" should work. If not (or if you want
to do something different than allow any node to evict the cache), you can
see the complete docs on auth rules here:
https://github.com/puppetlabs/trapperkeeper-authorization/blob/master/doc/authorization-config.md#rules

You also might want to confirm that you have an environment_timeout set to
something troublesome too. You should be able to run `puppet config
--section master --environment foo print environment_timeout` to see the
environment_timeout for the foo environment.

HTH,
Justin

-- 
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/173aa581-ddde-4e2a-aa46-b9666f93e844o%40googlegroups.com
> 
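The rule Justin describes, written out as an added example (it is not text from this thread and not a copy of Puppet Server's shipped auth.conf). The certname in `allow` is the one the curl output above presented; the sort-order and rule name are assumptions, as is the copy of the shipped catch-all rule reproduced for reference. Note that the last log line above says `authenticated: true`: the client certificate was accepted, so the 403 is purely the missing rule, not a TLS or certificate problem.

```hocon
# Added example, not from the thread or from Puppet Server's shipped
# auth.conf: /etc/puppetlabs/puppetserver/conf.d/auth.conf with one rule
# inserted for the environment-cache endpoint.
authorization: {
    version: 1
    rules: [
        # ... the rules already in the file stay here, unchanged ...

        {
            match-request: {
                path: "/puppet-admin-api/v1/environment-cache"
                type: path
                method: delete
            }
            # Least privilege: only the server's own certname (the one the
            # curl above presented) may evict the cache. Copying the
            # environments rule verbatim would give allow: "*", i.e. any host
            # holding a CA-signed certificate. A list also works, e.g. with a
            # hypothetical deploy host:
            #   allow: ["mypuppetserver.mydomain.com", "deploy.mydomain.com"]
            allow: "mypuppetserver.mydomain.com"
            # Must sort before the catch-all deny (sort-order 999 below).
            sort-order: 500
            name: "admin environment-cache"
        },

        # The catch-all that produced the log lines above, as shipped in the
        # default auth.conf (assumed unchanged here).
        {
            match-request: {
                path: "/"
                type: path
            }
            deny: "*"
            sort-order: 999
            name: "puppetlabs deny all"
        }
    ]
}
```

Puppet Server reads auth.conf at start-up, so run `puppetserver reload` (or restart the service) after editing, then repeat the curl DELETE; the "denied by rule 'puppetlabs deny all'" line should no longer appear. `allow: "*"` is what the linked environments rule uses and is what Justin's copy-and-edit suggestion yields; it grants the eviction right to every host with a CA-signed certificate, which is more than an admin endpoint usually needs.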

Re: [Puppet Users] Bad security pratices in manifests

2020-07-17 Thread Lucas Augusto Mota de Alcantara
I'm sorry, here is a public link: 
https://akondrahman.github.io/papers/icse19_slic.pdf

On Friday, July 17, 2020 at 07:02:32 UTC-3, LinuxDan wrote:

> As one needs to be a member of IEEE to read the paper, it is tough to 
> provide feedback. 
>
> —-
>
> "Sometimes I think the surest sign that intelligent life exists elsewhere 
> in the universe is that none of it has tried to contact us."
>
> Bill Waterson (Calvin & Hobbes)
>
> On Jul 17, 2020, at 1:43 AM, Lucas Augusto Mota de Alcantara <la...@cin.ufpe.br> wrote:
>
> Hello everyone!
>
> Recently, I found academic research about bad coding practices in
> manifests which can lead to security issues. I found it interesting, but I
> noticed that the practices the researchers pointed out aren't specific to
> Puppet, nor even to infrastructure-as-code applications. So I wonder if there
> is any material available, especially for newcomers, talking about bad
> practices in manifests, especially the ones that can lead to security
> weaknesses.
>
> The research was this one: https://ieeexplore.ieee.org/document/8812041
>
> Does anyone know about the existence of such material?
>


Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-07-17 Thread Peter Krawetzky
Ok I figured out the curl command but I get this error:

[root@mypuppetserver private_keys]# curl -v \
  --header "Content-Type: application/json" \
  --cert /etc/puppetlabs/puppet/ssl/certs/mypuppetserver.mydomain.com.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/mypuppetserver.mydomain.com.pem \
  --cacert /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem \
  -X DELETE \
  https://mypuppetserver.mydomain.com:8140/puppet-admin-api/v1/environment-cache
* About to connect() to mypuppetserver.mydomain.com port 8140 (#0)
*   Trying xx.xx.xxx.xx...
* Connected to mypuppetserver.mydomain.com (xx.xx.xxx.xx) port 8140 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
  CApath: none
* NSS: client certificate from file
*   subject: CN=mypuppetserver.mydomain.com
*   start date: Aug 14 15:32:34 2018 GMT
*   expire date: Aug 14 15:32:34 2023 GMT
*   common name: mypuppetserver.mydomain.com
*   issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=mypuppetserver.mydomain.com
*   start date: Aug 14 15:32:34 2018 GMT
*   expire date: Aug 14 15:32:34 2023 GMT
*   common name: mypuppetserver.mydomain.com
*   issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
> DELETE /puppet-admin-api/v1/environment-cache HTTP/1.1
> User-Agent: curl/7.29.0
> Host: mypuppetserver.mydomain.com:8140
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 17 Jul 2020 13:41:37 GMT
< Content-Length: 115
< Server: Jetty(9.4.z-SNAPSHOT)
<
* Connection #0 to host mypuppetserver.mydomain.com left intact
Forbidden request: /puppet-admin-api/v1/environment-cache (method :delete). Please see the server logs for details.
[root@mypuppetserver private_keys]#

*puppetserver.log entries*:
2020-07-17 09:07:45,577 ERROR [qtp2067827614-66] [p.t.a.rules] Forbidden 
request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache 
(method :delete) (authenticated: false) denied by rule 'puppetlabs deny 
all'.
2020-07-17 09:07:45,585 ERROR [qtp2067827614-65] [p.t.a.rules] Forbidden 
request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache 
(method :delete) (authenticated: false) denied by rule 'puppetlabs deny 
all'.
2020-07-17 09:12:02,951 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden 
request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache 
(method :delete) (authenticated: false) denied by rule 'puppetlabs deny 
all'.
2020-07-17 09:17:29,677 ERROR [qtp2067827614-61] [p.t.a.rules] Forbidden 
request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache 
(method :delete) (authenticated: false) denied by rule 'puppetlabs deny 
all'.
2020-07-17 09:41:37,401 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden 
request: mypuppetserver.mydomain.com(xx.xx.xxx.xx) access to 
/puppet-admin-api/v1/environment-cache (method :delete) (authenticated: 
true) denied by rule 'puppetlabs deny all'.



Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-07-17 Thread Peter Krawetzky
Does this work for Open Source or PE?  My installation is using Open Source.

Also can you provide an example of the actual curl command?  I can't seem 
to get the exact syntax down for it to work.  

Thanks for the advice.

On Thursday, July 16, 2020 at 7:55:51 PM UTC-4, Justin Stoller wrote:
>
> It may be because of a long environment timeout:
> https://puppet.com/docs/puppet/5.5/environments_creating.html#task-3930
> In PE this is set to unlimited by default when using code management. The 
> code manager will then manually evict the cache after a code deployment to 
> ensure that new code is viewable and old code is cached for as long as 
> possible. If you are caching code with a long environment timeout, but not 
> using code management you can also evict the cache by using the 
> environment-cache endpoint:
>
> https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html
>
>  HTH, 
> Justin
>
> On Thu, Jul 16, 2020 at 10:52 AM Peter Krawetzky wrote:
>
>> I've reviewed several 500 error posts in here but the answers seem to
>> differ based on the situation.
>>
>>
>> One of our developers modified code to include a parameter available in 
>> httpfile 0.1.9 called quick_check.  
>>
>> We have two installations of puppetserver, one in the lab domain and one in
>> the production domain. Neither talks to the other domain. It is completely
>> isolated to the nodes in each domain.
>>
>> What's odd is lab works but when they deploy the code to production, it 
>> doesn't work and received the 500 error below.  I've compared everything 
>> between puppetserver versions, puppet versions, httpfile module versions, 
>> etc and nothing is obvious.
>>
>>
>> This httpfile module is not installed using puppet module install but is 
>> placed in the same location as other modules created by the developers.
>>
>> I've verified the code was deployed correctly to each of the 4 production 
>> puppetservers (we use a load balancer to distribute the work) into the 
>> environment defined at the node (dev).
>>
>>
>> Code:
>>
>> ### DOWNLOAD FROM REPO
>> # Fetches $title from $remote_location with the httpfile type, then sets
>> # ownership and mode on the downloaded file.
>> define oracle::remote_file(
>>   $remote_location = undef,
>>   $mode            = '0644',
>>   $owner           = 'root',
>>   $group           = 'root',
>> ) {
>>
>>   httpfile { $title:
>>     ensure      => present,
>>     path        => $title,
>>     # left unquoted so an unset $remote_location stays undef instead of ''
>>     source      => $remote_location,
>>     # quick_check is the httpfile 0.1.9 parameter mentioned above; it is
>>     # the parameter the production server rejects in the error below
>>     quick_check => true,
>>     # no hash is given, so the download is not verified against a known digest
>>     # hash => 'hex form SHA2 hash OR an URL to the .sha file with that hash',
>>   }
>>
>>   file { $title:
>>     owner   => $owner,
>>     group   => $group,
>>     mode    => $mode,
>>     require => Httpfile[$title],
>>   }
>> }
>>
>>
>> Error:
>>
>> 2020-07-15T08:35:15.325976-04:00 myserver puppet-agent[24036]: Could not 
>> retrieve catalog from remote server: Error 500 on SERVER: Server Error: no 
>> parameter named 'quick_check' (file: 
>> /u01/puppet/dev/modules/oracle/manifests/remote_file.pp, line: 6) on 
>> Httpfile[/var/opt/BESClient/LMT/oracle/options_packs_usage_statistics.sql] 
>> (file: /u01/puppet/dev/modules/oracle/manifests/remote_file.pp, line: 6) on 
>> node myserver.mydomain.com
>>
>>
>> Any ideas what might be causing this?  Is there some cache not being
>> refreshed on the puppetserver?
>>


Re: [Puppet Users] undefined method platform for nil:NilClass since puppetserver upgrade

2020-07-17 Thread Andy Hall
So here's a strange one... we rebooted the server and the problem has
stopped. I think some of the puppetserver instances were not running
properly... which is why it was intermittent... but hey, all OK now. Thanks.

On Thursday, July 16, 2020 at 3:55:54 PM UTC+1, Becca Robinson wrote:
>
> Hi Andy,
>
> I haven’t seen this before, but I have a thought.
> Have you tried removing the new line at the end so the closing of the 
> package resource collector isn’t on a new line?
>
> Similar to this?
>
>
> # $rhsmtrue is tested directly: "${rhsmtrue}" turns it into a non-empty
> # string, which Puppet 4+ always treats as true, even when $rhsmtrue is false
> if $rhsmtrue and $::operatingsystem == 'RedHat' {
>   Rhsm_register <| |>
>   -> Yumrepo <| |>
>   -> Package <| provider != 'rpm' |>
> }
> else {
>   Yumrepo <| |> -> Package <| provider != 'rpm' |>
> }
>
> -- 
> *Becca Robinson*
>
>
>
>
> On Jul 16, 2020, at 2:14 AM, Andy Hall wrote:
>
> # was if("${rhsmtrue}" and ...): the interpolated string is never false
> if $rhsmtrue and $::operatingsystem == 'RedHat' {
>   Rhsm_register <| |> -> Yumrepo <| |> -> Package <| provider != 'rpm' |>  # <-- THIS IS THE LINE IN QUESTION
> }
> else {
>   Yumrepo <| |> -> Package <| provider != 'rpm' |>
> }
>
>
>



Re: [Puppet Users] Bad security pratices in manifests

2020-07-17 Thread 'Dan White' via Puppet Users
As one needs to be a member of IEEE to read the paper, it is tough to provide 
feedback. 

—-
"Sometimes I think the surest sign that intelligent life exists elsewhere in 
the universe is that none of it has tried to contact us."
Bill Waterson (Calvin & Hobbes)

> On Jul 17, 2020, at 1:43 AM, Lucas Augusto Mota de Alcantara wrote:
> 
> Hello everyone!
> 
> Recently, I found academic research about bad coding practices in
> manifests which can lead to security issues. I found it interesting, but I
> noticed that the practices the researchers pointed out aren't specific to
> Puppet, nor even to infrastructure-as-code applications. So I wonder if there
> is any material available, especially for newcomers, talking about bad
> practices in manifests, especially the ones that can lead to security
> weaknesses.
> 
> The research was this one: https://ieeexplore.ieee.org/document/8812041
> 
> Does anyone know about the existence of such material?