Puppet Server / SERVER-115

Concurrent access to the CRL can corrupt it

Details

    • Major
    • 3 - 25-50% of Customers
    • 4 - Major
    • 4 - $$$$$
    • The CRL process does not seem to lock the file as it should; this can lead to duplicate indexes or corruption. As we have more customers with more dynamic workloads that add or remove nodes automatically, this will become more and more of an issue.
    • 33162,34556
    • 2
    • Bug Fix
    • We have synchronized write access to the CRL, so that each revoked certificate will write the CRL in serial, preventing corruption from competing requests writing to the file.

    Description

      It seems like there is no locking when the server is revoking a cert and updating the CRL file. This should have similar locking as when it issues new certs and updates the inventory and serial files.

      The code in question is here: https://github.com/puppetlabs/puppet-server/blob/master/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L977-L989

      This is the same issue as PUP-2189 really, except for the Clojure code.
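
The lost update described in this issue, next to the serialized write from the release note, as an added example that is not Puppet Server's code. Assumptions: the CRL is modelled as a JSON file holding a CRL number and a list of revoked serials (a real CRL is a signed X.509 structure), and the function names, the in-process lock and the temp-file rename are illustrative choices.

```python
import contextlib, json, os, tempfile, threading, time

def write_atomic(path, crl):
    """Write to a temp file in the same directory, then rename over the target,
    so a reader never sees a half-written CRL."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        json.dump(crl, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)

def revoke(path, serial, lock=None, after_read=None):
    """Read-modify-write of the CRL model. With `lock`, the whole cycle is
    serialized; without it, two callers can both start from the same old copy."""
    with (lock or contextlib.nullcontext()):
        with open(path) as f:
            crl = json.load(f)
        if after_read:
            after_read()              # test hook: widens the race window
        if serial not in crl["revoked"]:
            crl["revoked"].append(serial)
            crl["crl_number"] += 1
        write_atomic(path, crl)

def revoke_concurrently(serials, locked):
    """Revoke every serial from its own thread; return the final CRL model."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "crl.json")
        write_atomic(path, {"crl_number": 0, "revoked": []})
        if locked:
            # In-process lock only (assumption: one server process owns the CRL).
            lock, hook = threading.Lock(), lambda: time.sleep(0.001)
        else:
            # Barrier forces every thread to read before any thread writes,
            # making the lost update deterministic instead of timing-dependent.
            lock, hook = None, threading.Barrier(len(serials)).wait
        threads = [threading.Thread(target=revoke, args=(path, s, lock, hook))
                   for s in serials]
        for t in threads: t.start()
        for t in threads: t.join()
        with open(path) as f:
            return json.load(f)

SERIALS = [0x10, 0x11, 0x12, 0x13]   # constructed sample serial numbers

if __name__ == "__main__":
    print("unlocked:", revoke_concurrently(SERIALS, locked=False))
    print("locked:  ", revoke_concurrently(SERIALS, locked=True))
```

In the unlocked run every writer produces a CRL with the same CRL number and only its own serial, so the certificates revoked by the other requests silently drop off the list.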

            People

              Unassigned
              Erik Dalén (dalen)
              Erik Dasher