[Pkg-puppet-devel] autopkgtest issues in Ubuntu

Wed Feb 22 22:15:53 UTC 2017

Hello,

While by no means are you obligated to help me here, I'm hoping to get
some guidance!

It seems like some excellent autopkgtests have been recently
added/updated to puppet. Unfortunately, they fail on Ubuntu 17.04 (e.g.,
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-zesty/zesty/amd64/p/puppet/20170218_013744_0e945@/log.gz).
Initially they failed because Ubuntu does not ship a sysvinit-core
binary package. Skipping those tests on Ubuntu, though, I still see
failures.

It seems like the following is true:

1) There is an assumption that the puppet server is accessible at a
hostname of 'pupppet' in
d/t/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb.
Unfortunately, a https_proxy is used in the Ubuntu autopkgtest and since
the test-runner is not named puppet (nor is it an alias for localhost),
the proxy intercepts the request and rejects it.

My initial thought here is that the actual hostname should be used,
e.g.:

diff --git a/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb b/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb
index 7680d88..780f13a 100644
--- a/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb
+++ b/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb
@@ -3,22 +3,25 @@ require 'spec_helper'
 # Note that this should run after agent.example.com's certificate has been generated
 curl_cmd = 'curl --cert /var/lib/puppet/ssl/certs/agent.example.com.pem --key /var/lib/puppet/ssl/private_keys/agent.example.com.pem --cacert /var/lib/puppet/ssl/certs/ca.pem'
 
-describe command("#{curl_cmd} https://puppet:8140/production/status/test") do
+# do not assume hostname is 'puppet'
+hostname = `hostname --fqdn`.strip
+
+describe command("#{curl_cmd} https://#{hostname}:8140/production/status/test") do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should match /is_alive/ }
 end
 
-describe command("#{curl_cmd} https://puppet:8140/production/node/agent.example.com") do
+describe command("#{curl_cmd} https://#{hostname}:8140/production/node/agent.example.com") do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should match /"environment":\s*"production"/ }
 end
 
-describe command("#{curl_cmd} https://puppet:8140/production/catalog/agent.example.com") do
+describe command("#{curl_cmd} https://#{hostname}:8140/production/catalog/agent.example.com") do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should match /catalog_uuid/ }
 end
 
-describe command("#{curl_cmd} https://puppet:8140/production/certificate/agent.example.com") do
+describe command("#{curl_cmd} https://#{hostname}:8140/production/certificate/agent.example.com") do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should match /END CERTIFICATE/ }
 end

2) But even doing that leads to different issues, because there also is
somehow an assumption that the puppet master has a certificate for the
host (e.g., that `puppet cert print $(hostname --fqdn)` returns a valid
certificate). It seems like that might be true in some situations (e.g.,
lxd?) but not all. This shows up as test failures a la my following
PPA-based test:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-zesty-nacc-lp1570472/zesty/amd64/p/puppet/20170222_184732_6710c@/log.gz

using the following additional change:

diff --git a/debian/tests/control b/debian/tests/control
index 97cc989..570a8cc 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -2,7 +2,7 @@ Test-Command: cd debian/tests && rspec spec/puppet/*_spec.rb
 Depends: puppet,ruby-serverspec
 Restrictions: needs-root,isolation-container
 
-Test-Command: cd debian/tests && rspec spec/puppet-master/*_spec.rb
+Test-Command: cd debian/tests && (puppet cert print $(hostname --fqdn) || puppet cert generate $(hostname --fqdn) --dns-alt-names puppet,$(puppet master --configprint certname)) && rspec spec/puppet-master/*_spec.rb
 Depends: puppet-master,ruby-serverspec
 Restrictions: needs-root,isolation-container
 
But even that fails as logged above, although it does indicate that at
least in that instance, before the puppet-master tests run, there is no
certificate for $(hostname --fqdn). The reason for the dns-alt-names
change above is to have an alternative name show up (so the test passes)
but also it seems like if the certname and hostname don't match, the
puppet SSL negotation fails.

Having done all this, though, I'm really wondering if I'm missing
something obvious. Clearly the tests pass on Debian's CI. Any advice you
can provide as to how to resolve these issues would be great!

Thanks,
Nish

-- 
Nishanth Aravamudan
Ubuntu Server
Canonical Ltd

