Puppet / PUP-10543

Puppet agents can't download file content from puppetserver via "raw" https


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 6.17.0
    • Component/s: None
    • Labels:
    • Template:
      PUP Bug Template
    • Team:
      Coremunity
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      If puppet tries to download file metadata from an HTTP(S) file source and the HEAD request results in HTTP 403 Forbidden or 405 Method Not Allowed, then it will fall back to a GET request with a 0 byte range.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Trying to download a file from puppetserver using an https source instead of puppet:// will fail because puppetserver does not allow HEAD requests. This is similar to PUP-6380. For example, given:

      file { '/tmp/ca.pem':
        ensure => file,
        source => "https://${server_facts['servername']}:8140/puppet-ca/v1/certificate/ca?environment=production",
      }
      

      The agent will fail:

      $ puppet agent -t --http_debug
      ...
      <- "HEAD /puppet-ca/v1/certificate/ca?environment=production HTTP/1.1\r\nX-Puppet-Version: 6.17.0\r\nUser-Agent: Puppet/6.17.0 Ruby/2.5.7-p206 (x86_64-darwin18)\r\nAccept: */*\r\nHost: dusty-haulage.delivery.puppetlabs.net:8140\r\n\r\n"
      -> "HTTP/1.1 403 Forbidden\r\n"
      -> "Date: Wed, 17 Jun 2020 18:39:03 GMT\r\n"
      -> "X-Puppet-Version: 6.16.0\r\n"
      -> "Content-Length: 103\r\n"
      -> "\r\n"
      Conn end_transport
      Conn keep-alive
      Error: /Stage[main]/Main/File[/tmp/puppetserver]: Could not evaluate: Could not retrieve information from environment production source(s) https://dusty-haulage.delivery.puppetlabs.net:8140/puppet-ca/v1/certificate/ca?environment=production
      

      One possible solution is to sniff the response header and fall back to a partial GET request, as is done for PUP-6380.
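The fallback described above, sketched in Ruby as an added example (not Puppet's own code): HEAD is tried first, and only a 403 or 405 triggers a ranged GET. The names `probe_metadata`, `FakeHttp`, `FakeResponse` and `demo` are hypothetical, the `Range: bytes=0-0` header is an assumption about how the 0 byte range is expressed, and the fake server and its header values are constructed.

```ruby
# Statuses for which the release note says the agent retries with GET.
FALLBACK_CODES = %w[403 405].freeze

# Returns [method_used, response]. `http` is any object exposing
# head(path, headers) and get(path, headers) the way a Net::HTTP
# instance does; responses must expose #code as a string.
def probe_metadata(http, path)
  res = http.head(path)
  # Any other status (200, 401, 404, 5xx) is reported as-is, no retry.
  return [:head, res] unless FALLBACK_CODES.include?(res.code)

  # Assumption: the "0 byte range" is sent as Range: bytes=0-0, so a
  # server that honours ranges returns headers plus at most one byte.
  [:get, http.get(path, { 'Range' => 'bytes=0-0' })]
end

# Constructed stand-in for a server that answers HEAD with a fixed status.
FakeResponse = Struct.new(:code, :headers)

class FakeHttp
  attr_reader :log

  def initialize(head_code)
    @head_code = head_code
    @log = []
  end

  def head(path, headers = nil)
    @log << [:head, path, headers]
    FakeResponse.new(@head_code, {})
  end

  def get(path, headers = nil)
    @log << [:get, path, headers]
    ranged = headers && headers['Range'] == 'bytes=0-0'
    # 206 Partial Content when the range is honoured (sample length constructed).
    FakeResponse.new(ranged ? '206' : '200', { 'content-range' => 'bytes 0-0/1931' })
  end
end

# Runs one probe and returns [method used, final status, requests sent].
def demo(head_code)
  http = FakeHttp.new(head_code)
  used, res = probe_metadata(http, '/puppet-ca/v1/certificate/ca?environment=production')
  [used, res.code, http.log.map(&:first)]
end

%w[403 405 200 404].each { |code| p demo(code) } if $PROGRAM_NAME == __FILE__
```

Keeping the fallback list to 403 and 405 means a 404 or an authentication failure still surfaces as an error instead of being retried with a different method.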

            People

            Assignee:
            josh Josh Cooper
            Reporter:
            josh Josh Cooper