Puppet / PUP-6900

puppet agent --disable doesn't prevent agent certificate generation

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Running puppet agent --disable or dropping a lock file in /opt/puppet/cache/state/agent_disabled.lock is currently not respected by the Puppet Agent if the agent does not have a signed / valid certificate.

      This can cause a race condition where one needs to install Puppet, do host configuration after the package is installed, and then run the puppet agent and be certain the agent service has started with the right CA and SSL certificate they assumed they did. One use case is generating csr_attributes.yaml files post agent installation - if the service starts before that file is created, the certificate will not contain that data and that csr_attributes.yaml file won't be referenced again, so things like which role to deploy on the agent won't be set and the signing process leaves one with a dead / improperly configured puppet agent on a host that requires manual remediation.
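
A pre-flight check for the ordering problem described above, as an added example that is not part of the original report or Puppet's own code. The directory layout (`csr_attributes.yaml` in the agent's confdir, `certificate_requests/` and `certs/` under its ssldir) and the function name `csr_attrs_state` are assumptions.

```shell
#!/bin/sh
# Added example (not Puppet code): decide whether it is safe to start the
# agent for the first time, based on what already exists on disk.
# Assumed layout: <confdir>/csr_attributes.yaml and, under <ssldir>,
# certificate_requests/<certname>.pem and certs/<certname>.pem.

# csr_attrs_state CONFDIR SSLDIR CERTNAME
# Prints one of:
#   ready    - attributes file present, no CSR or cert yet: safe to start
#   missing  - no attributes file and no CSR or cert yet: do not start
#   too-late - a CSR or cert exists that was created without, or before,
#              the attributes file: the host needs manual remediation
#   ok       - a CSR or cert exists and is not older than the attributes file
csr_attrs_state() {
    attrs="$1/csr_attributes.yaml"
    csr="$2/certificate_requests/$3.pem"
    cert="$2/certs/$3.pem"

    # Prefer the CSR timestamp; fall back to the cert if the CSR is gone.
    issued=""
    if [ -f "$csr" ]; then issued="$csr"
    elif [ -f "$cert" ]; then issued="$cert"
    fi

    if [ -z "$issued" ]; then
        if [ -s "$attrs" ]; then echo ready; else echo missing; fi
        return 0
    fi
    # A request was already generated. It can only carry the attributes if
    # the file was on disk before that happened (mtime heuristic).
    if [ ! -s "$attrs" ] || [ "$attrs" -nt "$issued" ]; then
        echo too-late
    else
        echo ok
    fi
}

# Stand-alone use: script.sh CONFDIR SSLDIR CERTNAME
if [ "$#" -eq 3 ]; then csr_attrs_state "$@"; fi
```

The mtime comparison is a heuristic; inspecting the extensions in the issued certificate is the definitive check.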

              People

              Assignee: Unassigned
              Reporter: Chris Barker (cbarker)