Details
-
Bug
-
Status: Resolved
-
High
-
Resolution: Fixed
-
None
-
None
-
Tested in PE 2019.8, but I think this should happen for:
(1) any environment using safe_load
(2) any classes not in the default list
-
Coremunity
-
Platform Core KANBAN
-
Needs Assessment
-
40016
-
1
-
Bug Fix
-
-
Needs Assessment
Description
Puppet Version: 6.16.0
Puppet Server Version: PE 2019.8
OS Name/Version: RHEL
Customer is using `audit -> mtime` in a file resource. When the time is saved into transactionstore.yaml. The next puppet agent run will fail with the following error:
Error: Transaction store file /opt/puppetlabs/puppet/cache/state/transactionstore.yaml is corrupt ((/opt/puppetlabs/puppet/cache/state/transactionstore.yaml): Tried to load unspecified class: Time); replacing |
Wrapped exception:
|
Tried to load unspecified class: Time |
This should be because Puppet::Util::Yaml is using safe_load now and by default "Time" class is not permitted to load.
Desired Behavior:Â Understand that there should be some security concerns to contain only few classes by default. The Puppet::Util::Yaml has a parameter called 'allowed_classes'. Thus, an option to configure 'allowed_classes' from Puppet (for example) Hiera is expected. Otherwise, as long as there are needs such as auditing time from this case, the Classes out of the list will trigger the same error message.
Actual Behavior:Â
Error: Transaction store file /opt/puppetlabs/puppet/cache/state/transactionstore.yaml is corrupt ((/opt/puppetlabs/puppet/cache/state/transactionstore.yaml): Tried to load unspecified class: Time); replacing
Wrapped exception:
Tried to load unspecified class: Time
How to Reproduce:
Define a file resource in manifest:
file { $file_path :
|
audit => mtime,
|
}
|
(1) Touch the file.
(2) edited the file once.Â
(3) Run puppet agent -t, can see successful logging the time.
Info: Loading facts
|
Info: Caching catalog for pe-201980-agent.platform9.puppet.net |
Info: Applying configuration version 'pe-201980-master-production-6e5f8c73c43' |
Notice: /Stage[main]/Ggtest::Selva/File[/tmp/text.abc]/mtime: audit change: previously recorded value '2020-07-15 03:11:23 +0000' has been changed to '2020-07-15 03:43:48 +0000' |
Notice: Applied catalog in 0.12 seconds |
[root@pe-201980-agent ~]# |
Meanwhile, the content of /opt/puppetlabs/puppet/cache/state/transactionstore.yaml managed to store that data.
---
|
resources:
|
File[/tmp/text.abc]:
|
parameters:
|
mtime:
|
system_value:
|
- 2020-07-15 03:43:48.772919060 +00:00 |
ensure:
|
system_value:
|
(4) run puppet agent once more with the following error of unable to load Time class:
Info: Retrieving locales
|
Info: Loading facts
|
Info: Caching catalog for pe-201980-agent.platform9.puppet.net |
Error: Transaction store file /opt/puppetlabs/puppet/cache/state/transactionstore.yaml is corrupt ((/opt/puppetlabs/puppet/cache/state/transactionstore.yaml): Tried to load unspecified class: Time); replacing |
Wrapped exception:
|
Tried to load unspecified class: Time |
Info: Applying configuration version 'pe-201980-master-production-6e5f8c73c43' |
Notice: Applied catalog in 0.07 seconds |
[root@pe-201980-agent ~]# |
Â
Â