  1. Puppet
  2. PUP-2189

The CRL can get corrupted if two workers revoke certs at the same time

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: PUP 6.0.0
    • Component/s: Puppet Server
    • Acceptance Criteria:
      Testbed is success in PE in the Cloud etc.
    • Team:
      Server
    • Story Points:
      1
    • CS Priority:
      Major
    • CS Frequency:
      3 - 25-50% of Customers
    • CS Severity:
      4 - Major
    • CS Business Value:
      4 - $$$$$
    • CS Impact:
      Faced by anyone with large scale decommissioning of nodes.

      Description

      The CRL file (and many other SSL-related files) is missing locking, so concurrent access can lead to corruption.

      In Scope

      • Confirm that PE in the Cloud etc. will be leveraging puppet cert command line tools (as opposed to modifying the CRL directly or revoking certs via the server HTTP API): confirmed
      • Investigate filesystem-based locking of CRL file in ruby puppet on update
      • Limited to updates to CRL via the puppet cert CLI
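
      One way to do the filesystem-based locking named in the In Scope list, as an added example that is not Puppet's code or the fix that shipped: the whole read-modify-write of the CRL runs under an exclusive flock, and the new CRL is renamed into place. The helper names, the `.lock` sidecar path and the `/CN=Example CA` issuer are assumptions made for the example.

```ruby
require 'openssl'
require 'tempfile'

# Constructed for this demo: a throwaway issuer name. The CA key is passed in.
ISSUER = OpenSSL::X509::Name.parse('/CN=Example CA')

# Read the current CRL, or start an empty one if none has been written yet.
def load_crl(path)
  File.exist?(path) ? OpenSSL::X509::CRL.new(File.read(path)) : OpenSSL::X509::CRL.new
end

# Revoke one serial. The lock is taken on a sidecar file, not on the CRL
# itself, because the rename below replaces the CRL's inode on every update.
def revoke_locked(crl_path, serial, ca_key)
  File.open("#{crl_path}.lock", File::RDWR | File::CREAT, 0o600) do |lock|
    lock.flock(File::LOCK_EX) # blocks until the current holder is done
    crl = load_crl(crl_path)
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now
    crl.add_revoked(entry)
    crl.issuer = ISSUER
    crl.version = 1
    crl.last_update = Time.now
    crl.next_update = Time.now + 3600
    crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
    # Write to a temp file in the same directory, then rename over the old
    # CRL: readers see either the old or the new file, never a partial one.
    tmp = Tempfile.create('crl', File.dirname(crl_path))
    tmp.write(crl.to_pem)
    tmp.fsync
    tmp.close
    File.rename(tmp.path, crl_path)
  end # closing the lock file releases the flock
end

# Serials currently listed in the CRL, sorted, for checking the result.
def revoked_serials(crl_path)
  OpenSSL::X509::CRL.new(File.read(crl_path)).revoked.map { |r| r.serial.to_i }.sort
end
```

      Without the lock, two workers can both read the same old CRL and the later write silently drops the other worker's revocation, even when the file itself stays parseable.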

      Out of Scope

      • Changes to puppet server CRL handling / API - PUP-7991


                People

                • Assignee:
                  eric.sorenson Eric Sorenson
                  Reporter:
                  dalen Erik Dalén