  1. Puppet
  2. PUP-8225

An "environment" fact will overwrite values from the ENC in Puppet 5

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: PUP 5.3.3
    • Fix Version/s: PUP 5.3.4, PUP 5.4.0
    • Component/s: Platform
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      • Given:
        • An agent with environment set to 'production' in the agent's puppet.conf file
        • With environment=production set as an external fact
        • With an ENC that returns an environment of 'dev' for that particular agent node
      • I expect
        • A catalog request from that agent results in a catalog from dev when the agent's strict environment mode is off.
          • (/opt/puppetlabs/puppet/cache/client_data/catalog/ on an agent node after running `puppet agent -t`)
        • When strict environment mode is turned on, the run will fail.
      • Relevant existing tests are altered to produce a failure in the current state of the code
      • A unit test is in place, possibly stubbing an ENC to return an environment conflicting with the puppet agent's puppet.conf
      • Ideally an integration test is written. This may require coordination with the PE team.
      • The precedence for determining an agent's environment will be otherwise preserved, resulting in:
        1. ENC
        2. command line
        3. puppet.conf
        4. facts (Jen says: unable to confirm that this was possible before without exploiting the bug; specifically, I cannot get a fact to determine an environment on a node with 'agent-specified' environment)
        5. default to production (this is a setting)
    • Team:
      Platform Core
    • Sub-team:
    • CVE-ID:
      CVE-2017-10690
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Inspection
    • CS Priority:
      Critical
    • CS Frequency:
      3 - 25-50% of Customers
    • CS Severity:
      5 - Critical
    • CS Business Value:
      4 - $$$$$
    • CS Impact:
      There have been 3 support issues related to users seeing nodes get different puppet environments, which causes unexpected changes to those nodes. In CS Triage we consider this "data corruption" as the bug potentially impacts production nodes beyond the puppet infrastructure.
    • Release Notes:
      New Feature
    • Release Notes Summary:
      * $::environment in a manifest will now always reflect the environment being used for catalog compilation. Previously, a node's facts could erroneously affect the value of this variable.
      * The environment (if there is one) returned by an ENC will now always be used to determine which environment should be used for catalog compilation of a node. Previously, there were circumstances where a node's facts would determine the environment used, ignoring the environment specified by an ENC.
    • QA Risk Assessment:
      Manual

      Description

      Puppet 5 fixed an issue where stale facts were used for catalog requests if a master had a cold cache (PUP-3438 and PUP-7198). The fix was to merge facts submitted by the agent back into the node object instead of pulling facts from the cache. However, the merge is overwriting the environment returned by the ENC, which causes nodes to behave incorrectly if an environment fact is present.
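The merge problem described above and the acceptance-criteria scenario, as an added example: this is a simplified Ruby model, not Puppet's source code. `Node`, `classify`, `merge_facts_buggy`, `merge_facts_fixed`, `agent_run` and the sample facts are hypothetical names and constructed data.

```ruby
# Simplified model of the behaviour in this ticket; not Puppet's source code.
Node = Struct.new(:name, :environment, :parameters)

# Stubbed ENC: returns a node classified into the given environment.
def classify(name, enc_env)
  Node.new(name, enc_env, {})
end

# Pre-fix behaviour as described: agent-submitted facts are merged into the
# node after classification, and an 'environment' fact replaces the ENC value.
def merge_facts_buggy(node, facts)
  node.parameters.merge!(facts)
  node.environment = facts['environment'] if facts.key?('environment')
  node
end

# Post-fix behaviour: facts are still merged, but the ENC's environment is
# authoritative and is also what the 'environment' parameter reports.
def merge_facts_fixed(node, facts)
  node.parameters.merge!(facts)
  node.parameters['environment'] = node.environment
  node
end

# Agent side: a catalog from another environment either restarts the run in
# that environment or, with strict environment mode on, fails the run.
def agent_run(local_env, node, strict:)
  return [:applied, local_env] if node.environment == local_env
  raise "environment mismatch: #{local_env} != #{node.environment}" if strict
  [:restarted, node.environment]
end

# Constructed facts for the acceptance-criteria case (agent says 'production').
FACTS = { 'environment' => 'production', 'kernel' => 'Linux' }.freeze
```

With the ENC returning 'dev', the buggy merge leaves the agent in 'production' without any error, while the fixed merge yields a 'dev' catalog or a failed run in strict mode.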

      Reproduction Case

      • Install PE 2017.3.2.
      • Log into the PE console and verify that the classifier sets the master node environment to production via the "Production environment" Environment Group.
      • Copy the production environment to a new directory environment called facter_env:

      cp -r /etc/puppetlabs/code/environments/production /etc/puppetlabs/code/environments/facter_env
      chown -R pe-puppet /etc/puppetlabs/code/
      

      • Set environment as an external fact:

      mkdir -p /etc/facter/facts.d
       
      cat << 'EOF' > /etc/facter/facts.d/facter_facts.txt
      environment=facter_env
      EOF
      

      • Run puppet agent -t

      Outcome

      The agent switches to facter_env despite the ENC setting:

      [root@pe-201732-master production]# puppet agent -t
      Info: Using configured environment 'production'
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Loading facts
      Info: Caching catalog for pe-201732-master.puppetdebug.vlan
       
      Notice: Local environment: 'production' doesn't match server specified environment 'facter_env', restarting agent run with environment 'facter_env'
       
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Loading facts
      Info: Caching catalog for pe-201732-master.puppetdebug.vlan
      Info: Applying configuration version '1512410109'
      Notice: Applied catalog in 13.11 seconds
      

      Expected Outcome

      The agent should stay in production:

      [root@pe-201732-master production]# puppet agent -t
       
      Info: Using configured environment 'production'
       
      Info: Retrieving pluginfacts
      Info: Retrieving plugin
      Info: Loading facts
      Info: Caching catalog for pe-201732-master.puppetdebug.vlan
      Info: Applying configuration version '1512409900'
      Notice: Applied catalog in 12.26 seconds
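
One way to check a node for this condition, as an added example that is not part of the original ticket: it looks for an `environment` key in key=value external-fact text and for environment-switch notices in agent output that disagree with the environment the ENC is known to assign. The function names are hypothetical and the sample data is constructed from the run shown under "Outcome"; only the key=value fact format used in the reproduction is handled.

```ruby
# Added example: names and sample data are constructed, not from Puppet.
SWITCH = /Local environment: '([^']+)' doesn't match server specified environment '([^']+)'/

# Agent output modelled on the "Outcome" run in this ticket.
SAMPLE_LOG = <<~LOG
  Info: Using configured environment 'production'
  Info: Loading facts
  Notice: Local environment: 'production' doesn't match server specified environment 'facter_env', restarting agent run with environment 'facter_env'
  Info: Applying configuration version '1512410109'
LOG
SAMPLE_FACTS = "environment=facter_env\n" # the key=value file from the reproduction

# [local, server] pairs for every environment switch reported in agent output.
def environment_switches(log_text)
  log_text.scan(SWITCH)
end

# Value of an `environment` key in key=value external-fact text, or nil.
def environment_fact(fact_text)
  fact_text.each_line do |line|
    key, value = line.strip.split('=', 2)
    return value if key == 'environment' && value
  end
  nil
end

# Findings for one node, given the environment its ENC is known to assign.
def audit(log_text, fact_text, enc_env)
  findings = []
  fact = environment_fact(fact_text)
  findings << "external fact sets environment=#{fact}" if fact
  environment_switches(log_text).each do |local, server|
    next if server == enc_env
    note = server == fact ? ' (matches the external fact)' : ''
    findings << "agent moved from #{local} to #{server}; ENC assigns #{enc_env}#{note}"
  end
  findings
end
```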
      


                People

                • Assignee:
                  Unassigned
                  Reporter:
                  chuck Charlie Sharpsteen