[Pkg-puppet-devel] autopkgtest issues in Ubuntu

Nish Aravamudan nish.aravamudan at canonical.com
Fri Feb 24 20:34:24 UTC 2017


On 24.02.2017 [12:11:55 -0800], Nish Aravamudan wrote:
> On 24.02.2017 [11:58:29 -0800], Nish Aravamudan wrote:
> > On 24.02.2017 [11:54:11 -0800], Nish Aravamudan wrote:
> > > On 24.02.2017 [11:48:45 +0200], Apollon Oikonomopoulos wrote:
> > > > Hi Nish,
> > > > 
> > > > On 13:48 Thu 23 Feb     , Nish Aravamudan wrote:
> > > > > Ok, so adding ca-certificates did not seem to make any difference (and
> > > > > in fact, it seems like it is already installed in the Ubuntu autopkgtest
> > > > > environment so that was a red herring anyways). Any ideas why, e.g.:
> > > > 
> > > > Puppet has its own CA system and does not rely on ca-certificates in any 
> > > > way, so having ca-certificates installed or not should not make a 
> > > > difference.
> > > 
> > > Got it.
> > > 
> > > > > https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-zesty-nacc-lp1570472/zesty/amd64/p/puppet/20170223_203421_4dd8e@/log.gz
> > > > > 
> > > > > there is no certificate for the hostname by default on Ubuntu but there
> > > > > is on Debian? I don't see anything in the tests that ensure it exists
> > > > > and only puppet-master-passenger generates it in a postinst (hence those
> > > > > tests now pass, but I think it's technically incidental and dependent on
> > > > > the .postinst's behavior, which might be fine).
> > > > 
> > > > The certificate should have been generated by the master process itself 
> > > > if it does not exist, using Puppet's CA. Could you get the list of files 
> > > > under /var/lib/puppet/ssl and /var/cache/puppet/ssl at the end of the 
> > > > test?
> > > 
> > > So I just did a quick test in a LXD of 17.04 after installing
> > > puppet-master and ruby-serverspec.
> > > 
> > > # ps aux | grep puppet
> > > puppet    4421  0.0  0.2 216624 45424 ?        Ssl  19:52   0:00 /usr/bin/ruby /usr/bin/puppet master
> > > 
> > > # find /var/lib/puppet/ssl/
> > > /var/lib/puppet/ssl/
> > > /var/lib/puppet/ssl/certificate_requests
> > > /var/lib/puppet/ssl/public_keys
> > > /var/lib/puppet/ssl/public_keys/oriented-squirrel.lxd.pem
> > > /var/lib/puppet/ssl/certs
> > > /var/lib/puppet/ssl/certs/ca.pem
> > > /var/lib/puppet/ssl/certs/oriented-squirrel.lxd.pem
> > 
> > Ah that seems to be the disconnect?
> > 
> > # puppet cert print $(hostname --fqdn).lxd
> > 
> > *does* work, which seems tied to
> > 
> > # puppet master --configprint hostcert
> > /var/lib/puppet/ssl/certs/mighty-clam.lxd.pem
> > 
> > Note that this is all tied to LXD of course, and I can spin up a VM of
> > Zesty but I expect we might see something similar there?
> 
> Ah:
> 
> # ruby -e 'require "facter"' -e 'puts Facter.value :domain'
> lxd
> 
> while
> 
> # hostname --fqdn
> mighty-clam
> 
> And the tests then disagree with puppet? :)

So I think the following changes are needed/reasonable for Debian, but
I'd like some feedback. Also, are there plans to send
d/p/0005-use-systemd-as-the-default-service-provider.patch upstream? I
think we'd want to make the same change in Ubuntu there as well.

  * d/t/spec/puppet-master/install_spec.rb: the default puppet-master
    certificate uses Facter(:fqdn) not `hostname --fqdn` and they can
    differ. Specifically, on LXD containers, the former is
    <containername>.lxd while the latter is <containername>.
  * d/t/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb: specify
    to curl that 'puppet' should not be proxied.

diff -Nru puppet-4.8.2/debian/tests/spec/puppet-master/install_spec.rb puppet-4.8.2/debian/tests/spec/puppet-master/install_spec.rb
--- puppet-4.8.2/debian/tests/spec/puppet-master/install_spec.rb	2017-02-15 04:23:19.000000000 -0800
+++ puppet-4.8.2/debian/tests/spec/puppet-master/install_spec.rb	2017-02-24 12:29:14.000000000 -0800
@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'facter'
 
 describe package('puppet-master') do
   it { should be_installed }
@@ -13,7 +14,7 @@
   it { should be_listening.with('tcp') }
 end
 
-describe command('puppet cert print $(hostname --fqdn)') do
+describe command('puppet cert print #{Facter.value(:fqdn)}') do
   its(:exit_status) { should eq 0 }
   its(:stdout) { should match( /X509v3 Subject Alternative Name/) }
 end
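
Review bot: the replacement `describe command(...)` line keeps the single quotes, so Ruby never interpolates `#{Facter.value(:fqdn)}` and the literal text is handed to the shell. There the word starting with `#` is read as a comment, so the test runs `puppet cert print` with no certificate name at all and no longer checks the master's own certificate. Switch to a double-quoted string, "puppet cert print #{Facter.value(:fqdn)}", and consider failing the spec explicitly if Facter.value(:fqdn) returns nil so an empty name cannot slip through.
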
diff -Nru puppet-4.8.2/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb puppet-4.8.2/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb
--- puppet-4.8.2/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb	2017-02-15 04:23:19.000000000 -0800
+++ puppet-4.8.2/debian/tests/spec/puppet-master-passenger/zz_puppet3_compat_spec.rb	2017-02-23 10:55:40.000000000 -0800
@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 # Note that this should run after agent.example.com's certificate has been generated
-curl_cmd = 'curl --cert /var/lib/puppet/ssl/certs/agent.example.com.pem --key /var/lib/puppet/ssl/private_keys/agent.example.com.pem --cacert /var/lib/puppet/ssl/certs/ca.pem'
+curl_cmd = 'curl --noproxy puppet --cert /var/lib/puppet/ssl/certs/agent.example.com.pem --key /var/lib/puppet/ssl/private_keys/agent.example.com.pem --cacert /var/lib/puppet/ssl/certs/ca.pem'
 
 describe command("#{curl_cmd} https://puppet:8140/production/status/test") do
   its(:exit_status) { should eq 0 }
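
Review bot: the new `--noproxy puppet` on the curl_cmd line has no comment saying why the bypass is needed, and the host name is now written twice, here and in the https://puppet:8140 URL on the describe line below. Add a one-line comment above curl_cmd explaining the proxy environment this works around, and consider building both the --noproxy argument and the URL from one variable so they cannot drift apart if the test host name changes.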

-- 
Nishanth Aravamudan
Ubuntu Server
Canonical Ltd


