The puppet service keeps holding the ssl_lockfile after submitting a Certificate
Signing Request. While the lock is held, no other process can run puppet agent -t
or puppet ssl download_cert, even after the request has been signed by the
Puppet CA, so the signed certificate cannot be fetched by a one-off run.
Reproduction Case
- Install Puppet Server 6.7 on CentOS 7 and initialize it:

    yum install -y http://yum.puppetlabs.com/puppet6-release-el-7.noarch.rpm
    yum install -y puppetserver

    source /etc/profile.d/puppet-agent.sh
    puppet config set server $(hostname -f)
    puppetserver ca setup
    systemctl start puppetserver

- Install Puppet Agent 6.11.1 on another CentOS 7 node, configure it to talk
with the server, and start the daemon:

    yum install -y http://yum.puppetlabs.com/puppet6-release-el-7.noarch.rpm
    yum install -y puppet-agent

    source /etc/profile.d/puppet-agent.sh
    puppet config set server <hostname of server from step 1>
    systemctl start puppet

- Sign the certificate on the server:

    puppetserver ca sign --certname=<hostname of agent from step 2>

- Run puppet agent -t or puppet ssl download_cert on the agent.
Outcome
Both commands fail with "Could not run: Another puppet instance is already running; exiting":

    # puppet agent -t --trace
    Error: Could not run: Another puppet instance is already running; exiting
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:421:in `with_lock'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:392:in `run_machine'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:370:in `ensure_client_certificate'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:505:in `wait_for_certificates'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:368:in `run_command'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:687:in `exit_on_fail'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
    /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

    # puppet ssl download_cert --trace
    Error: Could not run: Another puppet instance is already running; exiting
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:421:in `with_lock'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:392:in `run_machine'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:361:in `ensure_ca_certificates'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/ssl.rb:130:in `main'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:390:in `run_command'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:687:in `exit_on_fail'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
    /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
    /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'

This happens because the ssl_lockfile exists and the PID stored in it is the running puppet daemon, so the lock is live rather than stale:

    # ls $(puppet config print ssl_lockfile)
    /etc/puppetlabs/puppet/ssl/ssl.lock

    # echo $(cat $(puppet config print ssl_lockfile))
    10460

    # systemctl show -p MainPID puppet
    MainPID=10460

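The manual check above can be scripted. The following is an added example written for this page, not code from the Puppet project or from the original report: it reads a pidlock such as ssl_lockfile, classifies it as absent, invalid, stale (the recorded PID no longer exists) or held (the PID is alive), and compares the holder with a given PID or with a systemd unit's MainPID. The function names, the demonstration lock files it creates under a temporary directory, and the use of /proc as a fallback for kill -0 are assumptions of this example; only the lockfile path lookup and the systemctl MainPID query come from the report.

```shell
#!/bin/sh
# Added example for this report (not Puppet's own code): classify a puppet pidlock
# the way the manual ssl_lockfile check does, by reading the PID stored in the file
# and asking the kernel whether that process still exists.
#
# lock_status LOCKFILE  -> prints one of: absent | invalid | stale:<pid> | held:<pid>
lock_status() {
    lockfile="$1"
    if [ ! -e "$lockfile" ]; then
        echo "absent"
        return 0
    fi
    pid=$(tr -d '[:space:]' < "$lockfile")
    # The lock file is expected to hold a bare PID; anything else (or an empty file) is unusable.
    case "$pid" in
        ''|*[!0-9]*) echo "invalid"; return 0 ;;
    esac
    # kill -0 sends no signal; it only reports whether the PID exists and may be signalled.
    # The /proc check (assumption: Linux) covers the EPERM case when not running as root.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo "held:$pid"
    else
        echo "stale:$pid"
    fi
}

# lock_held_by_pid LOCKFILE PID -> exit status 0 iff the lock is held by exactly that PID
lock_held_by_pid() {
    [ "$(lock_status "$1")" = "held:$2" ]
}

# lock_held_by_unit LOCKFILE UNIT -> exit status 0 iff the lock is held by the unit's MainPID.
# The systemctl output is parsed with sed rather than --value, which older systemd versions lack.
lock_held_by_unit() {
    main_pid=$(systemctl show -p MainPID "$2" 2>/dev/null | sed 's/^MainPID=//')
    [ -n "$main_pid" ] && [ "$main_pid" != "0" ] && lock_held_by_pid "$1" "$main_pid"
}

# Demonstration on constructed lock files in a temporary directory (not the real ssl.lock):
# one held by this shell, one whose holder has already exited, one that does not exist.
demo_dir=$(mktemp -d)
echo "$$" > "$demo_dir/held.lock"
dead_pid=$(sh -c 'echo $$')          # the subshell exits as soon as it has printed its PID
echo "$dead_pid" > "$demo_dir/stale.lock"
lock_status "$demo_dir/held.lock"     # held:<pid of this shell>
lock_status "$demo_dir/stale.lock"    # stale:<pid of the exited subshell>
lock_status "$demo_dir/absent.lock"   # absent
rm -rf "$demo_dir"
```

On the affected agent, run as root, `lock_held_by_unit "$(puppet config print ssl_lockfile)" puppet` exits 0 in exactly the situation the report describes. The script only reports; it never removes the lock, because deleting a lock that a live process holds defeats the mutual exclusion the lock exists for. Only a stale: result, where the recorded process is gone, would justify removing the file by hand.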
Expected Outcome
The daemon should release the ssl_lockfile whenever it is not actively updating certificate state, so that a one-off puppet agent -t or puppet ssl download_cert can acquire the lock and fetch the signed certificate.