Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
Froyo
-
Customer Feedback
-
Major
-
3 - 25-50% of Customers
-
4 - Major
-
4 - $$$$$
-
The CRL process does not seem to lock the file as it should, this can lead to duplicate indexes or corruption. As we have more customers with more dynamic workloads that add or remove nodes automatically this will become more and more of an issue.
-
33162,34556
-
2
-
Bug Fix
-
We have synchronized write access to the CRL, so that each revoked certificate will write the CRL in serial, preventing corruption from competing requests writing to the file.
Description
It seems like there is no locking when the server is revoking a cert and updating the CRL file. This should have similar locking as when it issues new certs and updates the inventory and serial files.
The code in question is here: https://github.com/puppetlabs/puppet-server/blob/master/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L977-L989
This is the same issue as PUP-2189 really, except for the clojure code.
Attachments
Issue Links
- is blocked by
-
SERVER-1999 Investigate puppet server CRL handling for atomicity
-
- Closed
-
- relates to
-
SERVER-2641 Backport CRL API serialization
-
- Resolved
-
-
PUP-2189 The CRL can get corrupted if two workers revoke certs at same time
-
- Closed
-
-
SERVER-2565 Puppet Server should use atomic file operations when updating CA state
-
- Resolved
-
-
SERVER-2125 SPIKE: Investigate storing CA files in postgres as a means to provide HA
-
- Closed
-