-
Type:
Bug
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: SERVER 5.3.10, SERVER 6.7.0
-
Component/s: Puppet Server
-
Template:customfield_10700 56404
-
Epic Link:
-
Team:Froyo
-
Method Found:Customer Feedback
-
CS Priority:Major
-
CS Frequency:3 - 25-50% of Customers
-
CS Severity:4 - Major
-
CS Business Value:4 - $$$$$
-
CS Impact:The CRL process does not seem to lock the file as it should, this can lead to duplicate indexes or corruption. As we have more customers with more dynamic workloads that add or remove nodes automatically this will become more and more of an issue.
-
Zendesk Ticket IDs:33162,34556
-
Zendesk Ticket Count:2
-
Release Notes:Bug Fix
-
Release Notes Summary:We have synchronized write access to the CRL, so that each revoked certificate will write the CRL in serial, preventing corruption from competing requests writing to the file.
It seems like there is no locking when the server is revoking a cert and updating the CRL file. This should have similar locking as when it issues new certs and updates the inventory and serial files.
The code in question is here: https://github.com/puppetlabs/puppet-server/blob/master/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L977-L989
This is the same issue as PUP-2189 really, except for the clojure code.
- is blocked by
-
SERVER-1999 Investigate puppet server CRL handling for atomicity
-
- Closed
-
- relates to
-
SERVER-2641 Backport CRL API serialization
-
- Resolved
-
-
PUP-2189 The CRL can get corrupted if two workers revoke certs at same time
-
- Closed
-
-
SERVER-2125 SPIKE: Investigate storing CA files in postgres as a means to provide HA
-
- Accepted
-
-
SERVER-2565 Puppet Server should use atomic file operations when updating CA state
-
- Resolved
-