Puppet Server / SERVER-2565

Puppet Server should use atomic file operations when updating CA state


    Details

    • CS Priority:
      Major
    • Zendesk Ticket IDs:
      35116,38360
    • Zendesk Ticket Count:
      2
    • CS Rank:
      2,000
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      The Puppet Server CA will now write all of its files atomically, preventing an issue where CRLs could be read partway through being written, resulting in a failed load and corrupting CA state.
    • QA Risk Assessment:
      Needs Assessment

      Description

      When issuing or revoking certificates, the Puppet Server must update the files that hold the state of the certificate authority. Currently, this is done by opening the file as O_WRONLY|O_CREAT|O_TRUNC and rewriting the entire file. This approach means that a sudden halt, such as an OutOfMemory kill or exhaustion of disk space, will interrupt the file write and leave incomplete, corrupted state behind. To mitigate this, Puppet Server should use atomic file operations when updating CA state files like the CRL, inventory, and serial number.

      In addition, if another thread attempts to read these files while they are being written, an incomplete version will be read into memory, causing a failure in that reader even if the file itself is ultimately written to completion.

      Suggested Approach

      When updating CA state files, Puppet Server should:

      1. Write the new content to a temporary file, then fsync it
      2. Move the temporary file into place, then fsync the directory containing the file

      If the server is interrupted before step 2 completes, then the previously valid file will remain.
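      As an added illustration (not Puppet Server's own code, and in Python rather than the server's Clojure), the following compares the truncating write described above with the suggested temp-file/fsync/rename sequence. The crash hook, the `ca_crl.pem` file name and the sample contents are constructed for the demonstration; it also shows why a concurrent reader only ever sees a complete file.

```python
import os
import tempfile

class SimulatedCrash(Exception):
    pass  # constructed stand-in for an OOM kill or ENOSPC part-way through a write

def _write(fileobj, data, crash_after=None):
    # Constructed hook: write only a prefix of the data, then abort.
    if crash_after is not None:
        fileobj.write(data[:crash_after])
        fileobj.flush()
        raise SimulatedCrash()
    fileobj.write(data)

def truncating_write(path, data, crash_after=None):
    # Current pattern: "wb" is O_WRONLY|O_CREAT|O_TRUNC; old content is gone at open().
    with open(path, "wb") as f:
        _write(f, data, crash_after)

def atomic_write(path, data, crash_after=None):
    # Suggested pattern: temp file in the same directory -> fsync -> rename over
    # the target -> fsync the directory. Readers see the old or the new file.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as tmp:
            _write(tmp, data, crash_after)
            tmp.flush()
            os.fsync(tmp.fileno())   # data durable before it becomes visible
        os.replace(tmp_path, path)   # atomic rename within one filesystem
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)      # drop the partial temp file, keep the old file
        raise
    dir_fd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dir_fd)             # make the new directory entry durable
    finally:
        os.close(dir_fd)

def content_after_interrupted_update(writer, old=b"OLD-CRL", new=b"NEW-CRL-v2"):
    # Write `old`, then interrupt an update to `new` after 3 bytes; return what
    # a later reader finds on disk plus any leftover temp files.
    path = os.path.join(tempfile.mkdtemp(), "ca_crl.pem")
    writer(path, old)
    try:
        writer(path, new, crash_after=3)
    except SimulatedCrash:
        pass
    with open(path, "rb") as f:
        return f.read(), [n for n in os.listdir(os.path.dirname(path)) if n.startswith(".tmp-")]
```

      With the truncating writer the reader is left with the torn `NEW` prefix; with the atomic writer it still sees the previous valid `OLD-CRL`, and no temp file is left behind.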

              People

              Assignee: Patrick Carlisle (patrick)
              Reporter: Charlie Sharpsteen (chuck)
              Votes: 0
              Watchers: 12
