Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10228

Puppet 6 daemons do not release ssl_lockfile

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 6.11.1
    • Fix Version/s: PUP 6.15.0
    • Component/s: None
    • Labels:
    • Template:
      PUP Bug Template
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      Previously, daemonized puppet agents kept the ssl lockfile locked while waiting for the puppetserver to issue their certificate. That prevented foreground puppet commands from working. Now the agent will release the ssl lockfile while it sleeps and reacquire the lock when it wakes up.
      Show
      Previously, daemonized puppet agents kept the ssl lockfile locked while waiting for the puppetserver to issue their certificate. That prevented foreground puppet commands from working. Now the agent will release the ssl lockfile while it sleeps and reacquire the lock when it wakes up.
    • QA Risk Assessment:
      Needs Assessment

      Description

      The puppet service holds ssl_lockfile after submiting a Certificate
      Signing Request. This blocks other processes from running puppet agent -t
      or puppet ssl download_cert after the request has been signed by the
      Puppet CA.

      Reproduction Case

      • Install Puppet Server 6.7 on CentOS 7 and initialize it:

      yum install -y http://yum.puppetlabs.com/puppet6-release-el-7.noarch.rpm
      yum install -y puppetserver
       
      source /etc/profile.d/puppet-agent.sh
      puppet config set server $(hostname -f)
      puppetserver ca setup
      systemctl start puppetserver
      

      • Install Puppet Agent 6.11.1 on another CentOS 7 node, configure it to talk
        with the server, and start the daemon:

      yum install -y http://yum.puppetlabs.com/puppet6-release-el-7.noarch.rpm
      yum install -y puppet-agent
       
      source /etc/profile.d/puppet-agent.sh
      puppet config set server <hostname of server from step 1>
      systemctl start puppet
      

      • Sign the certificate on the server:

      puppetserver ca sign --certname=<hostname of agent from step 2>
      

      • Run puppet agent -t or puppet ssl download_cert on the agent.

      Outcome

      Both commands fail with "Could not run: Another puppet instance is already running; exiting"

      # puppet agent -t --trace
      Error: Could not run: Another puppet instance is already running; exiting
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:421:in `with_lock'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:392:in `run_machine'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:370:in `ensure_client_certificate'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:505:in `wait_for_certificates'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/agent.rb:368:in `run_command'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:687:in `exit_on_fail'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
      /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
       
      # puppet ssl download_cert --trace
      Error: Could not run: Another puppet instance is already running; exiting
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:421:in `with_lock'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:392:in `run_machine'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/ssl/state_machine.rb:361:in `ensure_ca_certificates'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/ssl.rb:130:in `main'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:390:in `run_command'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `block in run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util.rb:687:in `exit_on_fail'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:382:in `run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:143:in `run'
      /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util/command_line.rb:77:in `execute'
      /opt/puppetlabs/puppet/bin/puppet:5:in `<main>'
      

      This is because the ssl_lockfile exists and is held by the daemon:

      # ls $(puppet config print ssl_lockfile)
      /etc/puppetlabs/puppet/ssl/ssl.lock
       
      # echo $(cat $(puppet config print ssl_lockfile))
      10460
       
      # systemctl show -p MainPID puppet
      MainPID=10460
      

      Expected Outcome

      The daemon releases the ssl_lockfile when it is not actively updating certificate state.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              josh Josh Cooper
              Reporter:
              chuck Charlie Sharpsteen
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support