puppetmaster-passenger postinst creates wrong certificate files and puppetmaster vhost if puppet config print has an error
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
puppet (Ubuntu) | Fix Released | Undecided | Marc Cluet | |
Bug Description
How to reproduce:
echo abc > /etc/puppet/
root@host:~# puppet config print
err: Could not parse /etc/puppet/
root@host:~# aptitude install puppetmaster-
The following NEW packages will be installed:
puppetmaster-
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/27.9 kB of archives. After unpacking 635 kB will be used.
Do you want to continue? [Y/n/?] y
Selecting previously unselected package puppetmaster-
(Reading database ... 25302 files and directories currently installed.)
Unpacking puppetmaster-common (from .../puppetmaste
Selecting previously unselected package puppetmaster-
Unpacking puppetmaster-
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up puppetmaster-common (2.7.11-1) ...
* Starting puppet queue [ OK ]
Setting up puppetmaster-
err: Could not parse /etc/puppet/
notice: err: has a waiting certificate request
notice: Signed certificate request for err:
notice: Removing file Puppet:
notice: Removing file Puppet:
notice: could has a waiting certificate request
notice: Signed certificate request for could
notice: Removing file Puppet:
notice: Removing file Puppet:
notice: not has a waiting certificate request
notice: Signed certificate request for not
notice: Removing file Puppet:
notice: Removing file Puppet:
notice: parse has a waiting certificate request
notice: Signed certificate request for parse
notice: Removing file Puppet:
notice: Removing file Puppet:
crit: directory traversal detected in Puppet:
err: Cached certificate for /etc/puppet/
crit: directory traversal detected in Puppet:
err: Could not call generate: invalid key
Module ssl already enabled
Enabling site puppetmaster.
To activate the new configuration, you need to run:
service apache2 reload
Syntax error on line 18 of /etc/apache2/
SSLCertificateFile: file '/etc/puppet/
Action 'configtest' failed.
The Apache error log may have more information.
...fail!
invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing puppetmaster-
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
puppetmaster-
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install. Trying to recover:
Setting up puppetmaster-
err: Could not parse /etc/puppet/
err: Could not call generate: A Certificate already exists for err:
Module ssl already enabled
Site puppetmaster already enabled
Syntax error on line 18 of /etc/apache2/
SSLCertificateFile: file '/etc/puppet/
Action 'configtest' failed.
The Apache error log may have more information.
...fail!
invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing puppetmaster-
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
puppetmaster-
Related branches
- James Page: Needs Fixing
- Ubuntu branches: Pending requested
- Diff: 4139 lines (+3430/-399), 29 files modified
.pc/.quilt_patches (+1/-0)
.pc/.quilt_series (+1/-0)
.pc/applied-patches (+1/-0)
.pc/puppet-12844/lib/puppet/agent.rb (+114/-0)
.pc/puppet-12844/lib/puppet/agent/locker.rb (+30/-0)
.pc/puppet-12844/lib/puppet/application/agent.rb (+508/-0)
.pc/puppet-12844/lib/puppet/util/anonymous_filelock.rb (+36/-0)
.pc/puppet-12844/lib/puppet/util/pidlock.rb (+68/-0)
.pc/puppet-12844/spec/unit/agent/locker_spec.rb (+87/-0)
.pc/puppet-12844/spec/unit/agent_spec.rb (+285/-0)
.pc/puppet-12844/spec/unit/application/agent_spec.rb (+631/-0)
.pc/puppet-12844/spec/unit/util/anonymous_filelock_spec.rb (+78/-0)
.pc/puppet-12844/spec/unit/util/pidlock_spec.rb (+208/-0)
debian/changelog (+13/-0)
debian/patches/puppet-12844 (+979/-0)
debian/patches/series (+1/-0)
debian/puppetmaster-passenger.postinst (+7/-0)
lib/puppet/agent.rb (+2/-4)
lib/puppet/agent/locker.rb (+15/-1)
lib/puppet/application/agent.rb (+3/-11)
lib/puppet/util/anonymous_filelock.rb (+0/-36)
lib/puppet/util/pidlock.rb (+71/-22)
spec/unit/agent/locker_spec.rb (+12/-0)
spec/unit/agent_backward_compatibility_spec.rb (+152/-0)
spec/unit/agent_spec.rb (+0/-6)
spec/unit/application/agent_spec.rb (+1/-33)
spec/unit/util/anonymous_filelock_spec.rb (+0/-78)
spec/unit/util/pidlock_spec.rb (+0/-208)
test/util/pidlock.rb (+126/-0)
Changed in puppet (Ubuntu):
status: New → Confirmed
Changed in puppet (Ubuntu):
status: Confirmed → Triaged
Changed in puppet (Ubuntu):
assignee: nobody → Marc Cluet (lynxman)
status: Triaged → Fix Committed
Hey Glen-- Thanks for reporting this and helping us make Ubuntu better!
I believe the issue here is that 'puppet config print' returns 0 on failure. The maintainer script is 'set -e', but in this case the errors are not caught. I'm wondering whether the script should be attempting to parse "err: " from calls to config print and fail early, or we should work on a patch to puppet to properly return non-zero on those errors.
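The failure mode discussed in the comment above, as an added shell example that is not part of the bug report or of the Ubuntu maintainer script: a command that prints an error but exits 0 slips past `set -e`, and its text is then split into words, which matches the `err:`, `could`, `not`, `parse` names in the install log. The stand-in `fake_config_print`, its message and paths, and both function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the Ubuntu maintainer script.
# fake_config_print is a constructed stand-in for a config query that reports
# a parse error as text but still exits 0; its message and paths are made up.
fake_config_print() {
    case "$1" in
        broken) echo "err: Could not parse /path/to/config" ;;
        *)      echo "/var/lib/puppet/ssl" ;;
    esac
    return 0
}

# Naive use: set -e never fires because the status is 0, and an unquoted
# expansion splits the error text into separate words.
naive_token_count() {
    value=$(fake_config_print "$1")
    set -- $value    # deliberate word splitting, as an unquoted $value does
    echo "$#"
}

# Checked use: treat the captured text as untrusted and validate it before it
# reaches certificate or vhost generation. Prints the value or returns 1.
checked_path_setting() {
    value=$(fake_config_print "$1") || return 1
    case "$value" in
        "")                  return 1 ;;   # nothing printed
        *[!A-Za-z0-9._/-]*)  return 1 ;;   # spaces, colons, newlines: not a bare path
        *..*)                return 1 ;;   # no parent-directory components
        /*)                  printf '%s\n' "$value" ;;
        *)                   return 1 ;;   # path settings must be absolute
    esac
}

echo "naive: $(naive_token_count broken) words would be used as names"
if ! checked_path_setting broken >/dev/null; then
    echo "checked: value rejected, a set -e script should stop here"
fi
```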