Puppet / PUP-3805

Puppet Windows service should not ignore waitforcert setting

    Details

    • Type: Improvement
    • Status: Accepted
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: PUP 3.7.3
    • Fix Version/s: None
    • Component/s: Windows
    • Environment: Any Windows guest
    • Team: Platform OS
    • Story Points: 2

      Description

      The Windows service architecture is a bit different from other platforms, where the same agent code may be daemonized.

      On Windows, there is a separate supervisory service daemon, implemented in daemon.rb, that triggers a Puppet agent run on the configured runinterval.

      Each Puppet run is a newly created process, started with the --onetime flag:
      https://github.com/puppetlabs/puppet/blob/master/ext/windows/service/daemon.rb#L74

      Because --onetime is specified, the agent code ignores the waitforcert setting in puppet.conf, and also ignores the default of 2m from defaults.rb:
      https://github.com/puppetlabs/puppet/blob/master/lib/puppet/application/agent.rb#L433

      As a result, a value of 0 is passed to wait_for_cert, and should any error arise during, for instance, an auto-signing cert request, the agent exits immediately instead of waiting and retrying:
      https://github.com/puppetlabs/puppet/blob/d7f7bb4ddd101ca1a0728d3a8fed4cd609a0b200/lib/puppet/ssl/host.rb#L327

      This is a problem when an auto-signing cert policy is in place and the default runinterval of 30 minutes is an undesirably long time to wait for the next attempt.

      There are a couple of workarounds that could be employed:

      • Changing the default runinterval in puppet.conf after Puppet installation
      • Reconfiguring the Windows service to pass a --waitforcert command-line override, which takes effect even though the puppet.conf value is ignored, with something like:

        sc.exe config pe-puppet binPath= "\"C:\Program Files\Puppet Labs\Puppet Enterprise\service\daemon.bat\" --waitforcert=120"
        

      Neither of these is a great solution.

      The most appropriate solution is likely a better heuristic for determining the effective waitforcert value:

      • Perhaps the check only applies on Windows
      • Perhaps the check validates whether the cert has already been signed by the desired server, and only ignores waitforcert in that case
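      The mechanism described above (a --onetime run forcing waitforcert to 0, so the agent exits on the first failed cert request) and the second proposed heuristic, modelled as an added example in Ruby. This is not Puppet's own code: the method names, the DEFAULT_WAITFORCERT constant, the slow_autosign_ca stub and the max_attempts guard are assumptions made for the illustration; only the decision rule (onetime forces 0 unless --waitforcert is on the command line) and the sleep-or-exit behaviour of wait_for_cert follow the issue's description.

```ruby
# Added example (not Puppet's own code). Models the waitforcert selection
# the issue describes and one of the heuristics it proposes, plus a small
# stand-in for the wait_for_cert retry loop so the difference is visible
# offline. All method names here are illustrative, not Puppet APIs.

# puppet's defaults.rb ships waitforcert as "2m"; modelled here in seconds.
DEFAULT_WAITFORCERT = 120

# Current behaviour: a --onetime run (every run the Windows service daemon
# spawns) forces waitforcert to 0 unless --waitforcert was also given on the
# command line, so the puppet.conf value and the 2m default are both ignored.
def current_waitforcert(onetime:, cli_waitforcert: nil, conf_waitforcert: DEFAULT_WAITFORCERT)
  return cli_waitforcert if cli_waitforcert
  onetime ? 0 : conf_waitforcert
end

# Proposed heuristic (second bullet above): under --onetime, ignore waitforcert
# only when the agent already holds a signed certificate. A first run that still
# needs autosigning keeps the configured wait instead of dying immediately.
def proposed_waitforcert(onetime:, cert_signed:, cli_waitforcert: nil, conf_waitforcert: DEFAULT_WAITFORCERT)
  return cli_waitforcert if cli_waitforcert
  return 0 if onetime && cert_signed
  conf_waitforcert
end

# Simplified model of the wait_for_cert loop: ask the CA for a signed cert,
# and on failure either give up (Puppet calls exit(1)) when time < 1 or sleep
# `time` seconds and retry. `fetch_cert` returns a cert string or nil and may
# raise; `sleeper` replaces Kernel#sleep so the model runs instantly; the
# max_attempts guard exists only so this model terminates (Puppet retries forever).
def wait_for_cert(time, fetch_cert, max_attempts: 10, sleeper: ->(secs) { sleep(secs) })
  attempts = 0
  loop do
    attempts += 1
    cert = begin
      fetch_cert.call
    rescue StandardError => e
      # Puppet logs "Could not request certificate: ..." here and then takes the
      # same wait-or-exit decision as when no certificate came back.
      warn "could not request certificate: #{e.message}"
      nil
    end
    return { status: :got_cert, attempts: attempts } if cert
    return { status: :exit, attempts: attempts } if time < 1
    return { status: :gave_up, attempts: attempts } if attempts >= max_attempts
    sleeper.call(time)
  end
end

# Constructed CA stub standing in for a slow autosign policy: the first request
# fails with a transient error and a signed cert only appears on request `signs_on`.
def slow_autosign_ca(signs_on: 3)
  calls = 0
  lambda do
    calls += 1
    raise "CA temporarily unavailable" if calls == 1
    calls >= signs_on ? "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----" : nil
  end
end

# Run one Windows-service-style (--onetime) first run under each policy, with
# no real sleeping, and report whether the agent survived to get its cert.
def first_run_outcome(policy)
  wait = case policy
         when :current  then current_waitforcert(onetime: true)
         when :proposed then proposed_waitforcert(onetime: true, cert_signed: false)
         end
  wait_for_cert(wait, slow_autosign_ca, sleeper: ->(_secs) {})
end

if __FILE__ == $PROGRAM_NAME
  %i[current proposed].each do |policy|
    puts "#{policy}: #{first_run_outcome(policy)}"
  end
end
```

      Under the current rule the first service-spawned run gets waitforcert 0, the first CA error ends the process, and nothing happens again until the next runinterval; under the proposed rule the same run keeps the 2m default and simply polls until the autosigned cert appears.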


                People

                • Assignee: Unassigned
                • Reporter: Ethan Brown (ethan)
                • Votes: 0
                • Watchers: 4
