  1. PuppetDB
  2. PDB-2267

puppetdb-access.log does not log access requests to a hostname/IP it is not listening to

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PDB 3.2.2
    • Fix Version/s: PDB 3.2.3
    • Component/s: None
    • Labels:
      None
    • Environment:

      Centos 7.2

    • Template:
    • Story Points:
      1
    • Sprint:
      PuppetDB 2016-01-13

      Description

      When attempting to access puppetdb, the puppetdb-access.log only logs requests that it accepts and does not log attempts that it is not configured to accept. I have a server with IP address 10.0.0.134 and hostname testbox.nelson.va. Here is the jetty.ini configuration:

      [jetty]
      # IP address or hostname to listen for clear-text HTTP. To avoid resolution
      # issues, IP addresses are recommended over hostnames.
      # Default is `localhost`.
      # host = <host>
      host = localhost
       
      # Port to listen on for clear-text HTTP.
      port = 8080
       
      # The following are SSL specific settings. They can be configured
      # automatically with the tool `puppetdb ssl-setup`, which is normally
      # ran during package installation.
       
      # IP address to listen on for HTTPS connections. Hostnames can also be used
      # but are not recommended to avoid DNS resolution issues. To listen on all
      # interfaces, use `0.0.0.0`.
      ssl-host = 0.0.0.0
       
      # The port to listen on for HTTPS connections
      ssl-port = 8081
       
      # Private key path
      ssl-key = /etc/puppetlabs/puppetdb/ssl/private.pem
       
      # Public certificate path
      ssl-cert = /etc/puppetlabs/puppetdb/ssl/public.pem
       
      # Certificate authority path
      ssl-ca-cert = /etc/puppetlabs/puppetdb/ssl/ca.pem
       
      # Access logging configuration path. To turn off access logging
      # comment out the line with `access-log-config=...`
      access-log-config = /etc/puppetlabs/puppetdb/request-logging.xml
      

      When I make the request from the node to localhost as curl http://localhost:8080/pdb/query/v4/nodes/testbox.nelson.va/facts -k -H "Accept: application/json", I see this in the log:

      [root@testbox puppetdb]# tail -f puppetdb-access.log
      127.0.0.1 - - [21/Dec/2015:15:44:15 +0000] "GET /pdb/query/v4/nodes/testbox.nelson.va/facts HTTP/1.1" 200 25414 "-" "curl/7.29.0"
      

      When I make a request to the hostname testbox or its IP 10.0.0.134 via curl http://10.0.0.134:8080/pdb/query/v4/nodes/testbox.nelson.va/facts -k -H "Accept: application/json", nothing shows up in the log. However, I do see the packets being processed and rejected:

      [root@testbox puppetdb]# tcpdump -nni eno16780032 port 8080
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eno16780032, link-type EN10MB (Ethernet), capture size 65535 bytes
      15:36:54.742290 IP 10.0.0.201.50350 > 10.0.0.134.8080: Flags [S], seq 82872684, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      15:36:54.742334 IP 10.0.0.134.8080 > 10.0.0.201.50350: Flags [R.], seq 0, ack 82872685, win 0, length 0
      15:36:54.992636 IP 10.0.0.201.50351 > 10.0.0.134.8080: Flags [S], seq 2435678504, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      15:36:54.992679 IP 10.0.0.134.8080 > 10.0.0.201.50351: Flags [R.], seq 0, ack 2435678505, win 0, length 0
      15:36:55.242185 IP 10.0.0.201.50350 > 10.0.0.134.8080: Flags [S], seq 82872684, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      15:36:55.242218 IP 10.0.0.134.8080 > 10.0.0.201.50350: Flags [R.], seq 0, ack 1, win 0, length 0
      15:36:55.492292 IP 10.0.0.201.50351 > 10.0.0.134.8080: Flags [S], seq 2435678504, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      15:36:55.492332 IP 10.0.0.134.8080 > 10.0.0.201.50351: Flags [R.], seq 0, ack 1, win 0, length 0
      15:36:55.742088 IP 10.0.0.201.50350 > 10.0.0.134.8080: Flags [S], seq 82872684, win 8192, options [mss 1460,nop,nop,sackOK], length 0
      15:36:55.742140 IP 10.0.0.134.8080 > 10.0.0.201.50350: Flags [R.], seq 0, ack 1, win 0, length 0
      15:36:55.992320 IP 10.0.0.201.50351 > 10.0.0.134.8080: Flags [S], seq 2435678504, win 8192, options [mss 1460,nop,nop,sackOK], length 0
      15:36:55.992360 IP 10.0.0.134.8080 > 10.0.0.201.50351: Flags [R.], seq 0, ack 1, win 0, length 0
      15:36:55.993755 IP 10.0.0.201.50352 > 10.0.0.134.8080: Flags [S], seq 2631119819, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      15:36:55.993788 IP 10.0.0.134.8080 > 10.0.0.201.50352: Flags [R.], seq 0, ack 2631119820, win 0, length 0
      15:36:56.491254 IP 10.0.0.201.50352 > 10.0.0.134.8080: Flags [S], seq 2631119819, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
      15:36:56.491297 IP 10.0.0.134.8080 > 10.0.0.201.50352: Flags [R.], seq 0, ack 1, win 0, length 0
      15:36:56.991329 IP 10.0.0.201.50352 > 10.0.0.134.8080: Flags [S], seq 2631119819, win 8192, options [mss 1460,nop,nop,sackOK], length 0
      15:36:56.991383 IP 10.0.0.134.8080 > 10.0.0.201.50352: Flags [R.], seq 0, ack 1, win 0, length 0
      

      While this is properly being rejected by puppetdb, there is absolutely no log of these attempts or the reason why they are failing.
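
Added example, not part of the original report or of PuppetDB: in the capture above every SYN is answered with a RST, so the TCP handshake never completes and no HTTP request exists for an access log to record. The sketch below pairs SYN/RST lines from `tcpdump -nn` text output and lists clients whose refused attempts have no access-log entry; the function names are hypothetical and the sample lines are copied from the report.

```python
import re
from collections import Counter

# tcpdump -nn text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
PKT = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                 r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

def refused_attempts(capture_lines):
    """Count SYNs answered by a RST, keyed by (client_ip, server_ip, server_port)."""
    pending = {}   # (client, cport, server, sport) -> SYNs not yet answered
    refused = Counter()
    for line in capture_lines:
        m = PKT.match(line.strip())
        if not m:
            continue                      # tcpdump banner lines, non-IPv4 traffic
        _, src, sport, dst, dport, flags = m.groups()
        if flags == "S":                  # bare SYN, client -> server
            key = (src, sport, dst, dport)
            pending[key] = pending.get(key, 0) + 1
        elif "R" in flags:                # RST (or RST+ACK), server -> client
            key = (dst, dport, src, sport)
            if pending.get(key):
                pending[key] -= 1
                refused[(dst, src, int(sport))] += 1
    return refused

def clients_in_access_log(log_lines):
    """Client IPs in a common-log-format access log (first field of each line)."""
    return {ln.split()[0] for ln in log_lines if ln.strip()}

def unlogged_clients(capture_lines, log_lines):
    """Refused connection attempts from clients that never appear in the access log."""
    seen = clients_in_access_log(log_lines)
    return {k: n for k, n in refused_attempts(capture_lines).items() if k[0] not in seen}

# Sample input copied from the report above (banner line, two SYN/RST pairs, one log entry).
CAPTURE = [
    "listening on eno16780032, link-type EN10MB (Ethernet), capture size 65535 bytes",
    "15:36:54.742290 IP 10.0.0.201.50350 > 10.0.0.134.8080: Flags [S], seq 82872684, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0",
    "15:36:54.742334 IP 10.0.0.134.8080 > 10.0.0.201.50350: Flags [R.], seq 0, ack 82872685, win 0, length 0",
    "15:36:54.992636 IP 10.0.0.201.50351 > 10.0.0.134.8080: Flags [S], seq 2435678504, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0",
    "15:36:54.992679 IP 10.0.0.134.8080 > 10.0.0.201.50351: Flags [R.], seq 0, ack 2435678505, win 0, length 0",
]
ACCESS_LOG = [
    '127.0.0.1 - - [21/Dec/2015:15:44:15 +0000] "GET /pdb/query/v4/nodes/testbox.nelson.va/facts HTTP/1.1" 200 25414 "-" "curl/7.29.0"',
]

if __name__ == "__main__":
    for (client, server, port), n in unlogged_clients(CAPTURE, ACCESS_LOG).items():
        print(f"{client} -> {server}:{port} refused {n}x, no access-log entry")
```
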

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  rnelson0@gmail.com Rob Nelson