  1. Puppet
  2. PUP-2958

Rapid-fire puppet runs cause race condition with SSL data

    Details

    • CS Priority:
      Normal
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet will prevent multiple puppet processes from concurrently bootstrapping its SSL keys and certs.

      Description

      It appears that two rapid-fire puppet runs can cause a race condition of some kind when:

      1. Puppet requests a certificate from the master.
      2. An additional puppet run is triggered immediately, before the signed certificate is received.
      3. New private keys are generated - but the master has already received the original CSR.
      4. The master continuously returns the original certificate, which does not match the newly generated private keys / CSR on the agent, from the second puppet run.

      This shouldn't be possible, but I've seen it demonstrated by a customer.

      It's also possible I'm misinterpreting exactly what is happening.

      /cc Reid Vandewiele for comment - he's seen the bug in the past but couldn't nail it down cohesively.
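
      Added example, not part of the original issue and not Puppet's own code: it replays steps 1 to 4 with an unguarded key bootstrap and with one serialized by an exclusive file lock, then checks whether the returned certificate matches the key left on disk. The file names, the helper names and the self-issued stand-in for the master are assumptions made for the illustration.

```ruby
require 'openssl'
require 'tmpdir'

KEY_FILE = 'agent_key.pem' # hypothetical file name, not Puppet's layout

# Guarded bootstrap: take an exclusive lock, then create the key only if absent.
def bootstrap_key(ssl_dir)
  File.open(File.join(ssl_dir, 'bootstrap.lock'), File::RDWR | File::CREAT, 0o600) do |lock|
    lock.flock(File::LOCK_EX) # a concurrent run blocks here until the first finishes
    path = File.join(ssl_dir, KEY_FILE)
    unless File.exist?(path)
      pem = OpenSSL::PKey::RSA.new(2048).to_pem
      File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(pem) }
    end
    OpenSSL::PKey::RSA.new(File.read(path))
  end # closing the lock file releases the lock
end

# Unguarded bootstrap, as in step 3: every run generates and stores a new key.
def regenerate_key(ssl_dir)
  key = OpenSSL::PKey::RSA.new(2048)
  File.write(File.join(ssl_dir, KEY_FILE), key.to_pem)
  key
end

# Stand-in for the master: builds the first run's CSR and certifies its public key.
def sign_first_csr(first_key)
  name = OpenSSL::X509::Name.parse('/CN=agent.example.test') # constructed name
  csr = OpenSSL::X509::Request.new
  csr.subject = name
  csr.public_key = first_key.public_key
  csr.sign(first_key, OpenSSL::Digest.new('SHA256'))
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = csr.subject
  cert.issuer = name # self-issued to keep the demo short; a real CA uses its own key
  cert.public_key = csr.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(first_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# True if the key held after a second run still matches the certificate for the first CSR.
def cert_matches_after_second_run?(bootstrap)
  Dir.mktmpdir do |dir|
    cert = sign_first_csr(send(bootstrap, dir)) # run 1 submits its CSR
    second_key = send(bootstrap, dir)           # run 2 starts before the cert arrives
    cert.check_private_key(second_key)
  end
end
```

      The same `check_private_key` comparison can be used on an agent to confirm whether a certificate that keeps being returned belongs to the private key currently on disk.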


                People

                • Assignee:
                  Josh Cooper
                • Reporter:
                  Zee Alexander
                • Votes:
                  3
                • Watchers:
                  20