[PUP-3805] Puppet Windows service should not ignore waitforcert setting
Created: 2015/01/02 Updated: 2020/03/04
|Affects Version/s:||PUP 3.7.3|
|Labels:||Windows, daemon, packaging, platform-os|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
Any Windows guest
The Windows service architecture is a bit different from other platforms, where the same agent code may be daemonized.
On Windows, there is a separate supervisory service daemon implemented in daemon.rb that triggers the Puppet agent on the specified runinterval.
Each Puppet run creates a new process that has the --onetime flag specified:
Because --onetime is specified, the agent code will ignore the waitforcert setting that's specified in puppet.conf and will also ignore the default setting of 2m from defaults.rb.
As a result, a time value of 0 is passed to wait_for_cert, and should any error arise during, for instance, an auto-signing cert request, then the agent will die:
This presents a problem when there may be an auto-signing cert policy in place, and the default runinterval of 30 minutes is undesirably long.
There are a couple of workarounds that could be employed, such as:
Neither of these is a great solution.
The most appropriate solution is likely to use a better heuristic when determining what the waitforcert value should be.
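
The precedence problem described in this ticket, modelled in Ruby as an added example (this is not Puppet's source code, and all method and constant names are hypothetical). It assumes that a value given on the command line takes precedence and that durations use the suffixes s, m, h and d; the "proposed" resolver is only one possible heuristic, not the fix the project adopted.

```ruby
# Added illustration: a simplified model of the setting precedence, not Puppet's source.
# All method and constant names here are hypothetical.
DEFAULT_WAITFORCERT = "2m" # default from defaults.rb, as stated in the ticket
UNITS = { "s" => 1, "m" => 60, "h" => 3600, "d" => 86_400 }.freeze

# Convert a duration such as "2m", "30s" or "120" into seconds.
def duration_to_seconds(value)
  m = /\A(\d+)([smhd])?\z/.match(value.to_s.strip)
  raise ArgumentError, "invalid duration: #{value.inspect}" unless m
  m[1].to_i * UNITS.fetch(m[2] || "s")
end

# Behaviour the ticket describes: with --onetime, puppet.conf and the 2m
# default are both ignored and 0 reaches wait_for_cert.
# Assumption: an explicit command-line value still wins.
def current_waitforcert(cli:, conf:, onetime:)
  return duration_to_seconds(cli) if cli
  return 0 if onetime
  duration_to_seconds(conf || DEFAULT_WAITFORCERT)
end

# One possible heuristic: any explicitly configured value is honoured, and
# --onetime only changes the fallback used when nothing was set.
def proposed_waitforcert(cli:, conf:, onetime:)
  explicit = cli || conf
  return duration_to_seconds(explicit) if explicit
  onetime ? 0 : duration_to_seconds(DEFAULT_WAITFORCERT)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: the Windows service starts a --onetime run while
  # puppet.conf sets waitforcert = 30s.
  run = { cli: nil, conf: "30s", onetime: true }
  puts "current:  #{current_waitforcert(**run)}s"
  puts "proposed: #{proposed_waitforcert(**run)}s"
end
```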