[Pkg-puppet-devel] Bug#722614: puppetmaster-passenger: postinst querying SSL configuration information not from master config

Andreas Rütten AndreasRuetten at gmx.de
Thu Sep 12 20:01:55 UTC 2013


Package: puppetmaster-passenger
Severity: normal
Tags: patch 


Hi,

the postinst script of puppetmaster-passenger tries to get a lot of
information by querying the current puppet configuration via "puppet
config print $key".
By default, puppet config will present the configuration values from
the user mode.

As I suppose that puppetmaster-passenger is always used in the context
of a puppetmaster, it should therefore query the master section of the
puppet configuration.


To clarify this a bit please follow this example setup:

- one host which acts as puppetmaster and has also a local puppet agent

- the puppetmaster has to use in its certificates the FQDN (service
  name) under which it is known by the other puppet agents, which is
  configured as a CNAME to that host in the DNS.
  For example: puppetmaster01.example.org

- the local puppet agent on that host wants to use its own FQDN.
  For example: host01.example.org


So you will end up with a puppet.conf with these lines:

[master]
certname=puppetmaster01.example.org

[agent]
certname=host01.example.org


This will work for the puppet agent and the built-in puppetmaster. As
you install puppetmaster-passenger, the postinst script will now query
the puppet config and ends up with the default certname, which is the
FQDN of that host (host01.example.org). Therefore the Apache vhost for
passenger will use, for example:

SSLCertificateFile      /etc/puppet/ssl/certs/host01.example.org.pem

which is the certificate of the agent and not the master. This gets
even worse if for whatever reason the FQDN of the host is neither
the certname of the master nor the agent.


In order to query the configuration which is set for the master, you
should add the command line option which specifies the mode for puppet
(user, agent, master).
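The lookup the report describes, as an added shell example that is not part of the report, of the attached patches or of the Debian package: a simplified puppet.conf reader that resolves certname for a given run mode (that mode's section, then [main], then the host FQDN as default) and derives the certificate path the postinst would write into the vhost in the default user mode versus the master mode. The file contents, the FQDN value and the function names puppet_conf_get and ssl_cert_file are constructed for this example.

```shell
#!/bin/sh
# Added example (not the report's or the package's code): a simplified
# puppet.conf reader resolving a key for a given run mode the way puppet
# layers its sections: the mode's section, then [main], then a default.

# puppet_conf_get FILE SECTION KEY DEFAULT  -> prints the resolved value
puppet_conf_get() {
    awk -v want="$2" -v key="$3" -v def="$4" '
        /^[ \t]*\[/ { gsub(/[][ \t]/, ""); section = $0; next }  # [section]
        /^[ \t]*(#|$)/ { next }                                   # comment/blank
        {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k != key || index($0, "=") == 0) next
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (section == want) found = v
            else if (section == "main") main = v
        }
        END {
            if (found != "") print found
            else if (main != "") print main
            else print def
        }' "$1"
}

# Certificate path the postinst derives from a certname (path from the report).
ssl_cert_file() {
    printf '/etc/puppet/ssl/certs/%s.pem\n' "$1"
}

# Constructed puppet.conf reproducing the report's setup.
CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
[master]
certname=puppetmaster01.example.org

[agent]
certname=host01.example.org
EOF
FQDN=host01.example.org   # constructed: puppet's default certname is the host FQDN

# Default (user) mode: no [user] section, no [main] certname -> falls back to the FQDN.
user_cert=$(ssl_cert_file "$(puppet_conf_get "$CONF" user certname "$FQDN")")
# Master mode: picks up [master] certname, which is what the vhost needs.
master_cert=$(ssl_cert_file "$(puppet_conf_get "$CONF" master certname "$FQDN")")
echo "user mode:   $user_cert"
echo "master mode: $master_cert"
```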


Older versions of puppet have the option "--mode".
I tested this with puppet 2.7.11 and prepared the attached patch called
2.7.11.patch.

Since version 3.0.0rc1 this option was changed to --run_mode.
The commit where it was introduced to the manpage is:
http://anonscm.debian.org/gitweb/?p=pkg-puppet/puppet.git;a=commit;h=fdf1d9e3b5e2231daf5ddf26f1460e1dbb3c972a
It's still there at the head of master.

I tried this with puppet version 3.1.0, but it fails and says that
this option is unknown.
Unfortunately I have no newer version here to check whether --run_mode
is working in later versions.

Nevertheless, I also attached a patch which uses this option in case
it is working now; please see 3.1.0.patch.


Cheers,
Andreas


-- 
Andreas Rütten                           mailto:AndreasRuetten at gmx.de
                                           xmpp:AndreasRuetten at gmx.de
                                          irc://irc.oftc.net/aruetten

4096R: 0x6C9DFFB2 / 8394 99DA 59BD BCE2 3FC8 3A9E 6633 0089 6C9D FFB2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.7.11.patch
Type: text/x-patch
Size: 2539 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20130912/91e4216d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.1.0.patch
Type: text/x-patch
Size: 2563 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-puppet-devel/attachments/20130912/91e4216d/attachment-0001.bin>