Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-8297

Puppet webrick no longer functions in Ruby 2.3.6/2.4.3 and up

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 4.10.8
    • Fix Version/s: PUP 4.10.10
    • Component/s: Networking
    • Labels:
      None
    • Template:
      PUP Bug Template
    • Sub-team:
    • Team:
      Platform Core
    • Sprint:
      Platform Core KANBAN
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      The webrick puppet master did not work when running ruby 2.3.6 or 2.4.3 (and later)
    • QA Risk Assessment:
      No Action

      Description

      Puppet Version: 4.10.8
      OS Name/Version: FreeBSD 11.1-RELEASE (Affects Linux as well), with OpenSSL 1.0.2k

      When Launching the puppetmaster rc.d script on FreeBSD, which uses $Puppet_Location/puppet/network/http/webrick.rb, webrick fails to accept SSL/TLS connections, due to a change upstream in Ruby.

      https://bugs.ruby-lang.org/issues/14005

      The issue occurs in webrick.rb, supplied by puppet.
      webrick.rb:32

      { sock.accept }

      Due to the changes in Ruby, this should read:
      sock.accept_nonblock

      To reproduce, run a webrick puppetmaster with Ruby 2.3.6 or newer on any OS using OpenSSL.

      Desired Behavior:
      Webrick puppetmaster does the needful

      Actual Behavior:
      Webrick puppetmaster outputs the following to logs:
      [2017-12-25 21:30:26] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client hello B: unexpected record
      /usr/local/lib/ruby/site_ruby/2.3/puppet/network/http/webrick.rb:32:in `accept'
      /usr/local/lib/ruby/site_ruby/2.3/puppet/network/http/webrick.rb:32:in `block (2 levels) in listen'
      /usr/local/lib/ruby/2.3/webrick/server.rb:314:in `block in start_thread'

      and the following on the client:
      Error: /File[/var/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_read: decryption failed or bad record mac


      I am aware webrick is being deprecated, however it is still in use currently.
      I have filed a separate bug with FreeBSD to change the default puppet pkg to use sysutils/puppetserver from the ports system.
      https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224623

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              josh Josh Cooper
              Reporter:
              hackerhorse Rainbow
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support