[PUP-6031] static catalogs do not copy source host and port to content_uri Created: 2016/03/09  Updated: 2016/03/17  Resolved: 2016/03/10

Status: Closed
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 4.4.0

Type: Bug Priority: Normal
Reporter: Josh Cooper Assignee: Unassigned
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Epic Link: (Burnside) Direct Puppet: Client Static Catalog
Story Points: 1
Sprint: Client 2016-03-23
Release Notes: Not Needed
Release Notes Summary: Bug fix for unreleased feature.

 Description   

If you define a file resource with a source parameter:

file { '/tmp/file':
  ensure => file,
  source => 'puppet://host:8888/modules/foo/bar',
}

Then the content_uri omits the host and port:

  "content_uri": "puppet:///modules/foo/bar"

which can cause the agent to retrieve the file from a different host/port than was originally specified.

We should preserve the host and port. The reason we don't is that we call CGI.escape, which corrupts the URI.
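The following Ruby sketch is an added example, not code from this ticket or from Puppet. It flags entries whose content_uri names a different host/port than the source, shows what CGI.escape does to a whole URI, and gives one hypothetical way to escape only the path. The sample data, its layout and all function names are assumptions made for illustration.

```ruby
require 'cgi'
require 'erb'
require 'json'
require 'uri'

# Constructed, simplified sample pairing each file resource's source with the
# content_uri recorded for it; this is not the real catalog layout.
SAMPLE = <<~JSON
  [
    {"title": "/tmp/file",
     "source": "puppet://host:8888/modules/foo/bar",
     "content_uri": "puppet:///modules/foo/bar"},
    {"title": "/tmp/ok",
     "source": "puppet://host:8888/modules/foo/baz",
     "content_uri": "puppet://host:8888/modules/foo/baz"}
  ]
JSON

# [host, port] of a URI; an empty authority ("puppet:///...") gives ["", nil].
def authority(uri_string)
  uri = URI.parse(uri_string)
  [uri.host.to_s, uri.port]
end

# Titles of entries whose content_uri names a different host/port than source.
def authority_mismatches(entries)
  entries.reject { |e| authority(e['source']) == authority(e['content_uri']) }
         .map { |e| e['title'] }
end

# CGI.escape is for a single component: applied to a whole URI it also
# encodes ':' and '/', so scheme, host and port are no longer recognisable.
def escaped_whole(source)
  CGI.escape(source)
end

# Hypothetical alternative: keep scheme://host:port as is and percent-encode
# each path segment on its own.
def escape_path_only(source)
  m = source.match(%r{\A(\w+://[^/]*)(/.*)?\z}) or raise ArgumentError, source
  m[1] + m[2].to_s.split('/', -1).map { |s| ERB::Util.url_encode(s) }.join('/')
end

if __FILE__ == $PROGRAM_NAME
  puts authority_mismatches(JSON.parse(SAMPLE)).inspect
  puts escaped_whole('puppet://host:8888/modules/foo/bar')
  puts escape_path_only('puppet://host:8888/modules/foo/my file')
end
```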



 Comments   
Comment by Josh Cooper [ 2016/03/10 ]

One way to verify this is to specify an alternate file server in the manifest, and use a reverse proxy to ensure the agent uses the specified host and port when retrieving file content. On the agent, add a hosts file entry for myfileserver whose IP matches that of the master:

10.0.10.5 myfileserver

On the master, create a manifest like:

class foo {
  file { '/tmp/file':
    ensure => file,
    source => 'puppet://myfileserver:8888/modules/foo/bar',
  }
}

On the master, wipe out the ssl directory and generate a cert whose dns alt names contain both the normal FQDN and myfileserver:

# puppet cert generate $(hostname -f) --dns_alt_names $(hostname),$(hostname -f),myfileserver

Run the agent, send the client CSR, sign the CSR on the master.

Run the agent with --debug and verify it tries to connect to myfileserver, but fails to connect:

$ bundle exec puppet agent -t --server XXX --debug | grep 'Creating new connection'
Debug: Creating new connection for https://XXX:8140
Debug: Creating new connection for https://myfileserver:8888
Error: Could not set 'file' on ensure: Connection refused - connect(2) for "myfileserver" port 8888 at 54:/etc/puppetlabs/code/environments/production/modules/ntp/manifests/init.pp

Install socat on the master and configure it to forward traffic from port 8888 to port 8140:

# socat TCP4-LISTEN:8888 TCP4:$(hostname):8140

Run the agent and it should download the file content:

$ bundle exec puppet agent -t --server XXX --debug | grep 'Creating new connection'
Debug: Creating new connection for https://XXX:8140
Debug: Creating new connection for https://myfileserver:8888
Debug: Creating new connection for https://XXX:8140
