puppetmaster-passenger postinst creates wrong certificate files and puppetmaster vhost if puppet config print has an error

Bug #950183 reported by Glenn Aaldering
This bug affects 1 person
Affects: puppet (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Marc Cluet

Bug Description

How to reproduce:

echo abc > /etc/puppet/puppet.conf

root@host:~# puppet config print
err: Could not parse /etc/puppet/puppet.conf: Could not match line abc at /etc/puppet/puppet.conf:abc

root@host:~# aptitude install puppetmaster-passenger
The following NEW packages will be installed:
  puppetmaster-common{a} puppetmaster-passenger
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/27.9 kB of archives. After unpacking 635 kB will be used.
Do you want to continue? [Y/n/?] y
Selecting previously unselected package puppetmaster-common.
(Reading database ... 25302 files and directories currently installed.)
Unpacking puppetmaster-common (from .../puppetmaster-common_2.7.11-1_all.deb) ...
Selecting previously unselected package puppetmaster-passenger.
Unpacking puppetmaster-passenger (from .../puppetmaster-passenger_2.7.11-1_all.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up puppetmaster-common (2.7.11-1) ...
 * Starting puppet queue [ OK ]
Setting up puppetmaster-passenger (2.7.11-1) ...
err: Could not parse /etc/puppet/puppet.conf: Could not match line abc at /etc/puppet/puppet.conf:abc
notice: err: has a waiting certificate request
notice: Signed certificate request for err:
notice: Removing file Puppet::SSL::CertificateRequest err: at '/etc/puppet/ssl/ca/requests/err:.pem'
notice: Removing file Puppet::SSL::CertificateRequest err: at '/etc/puppet/ssl/certificate_requests/err:.pem'
notice: could has a waiting certificate request
notice: Signed certificate request for could
notice: Removing file Puppet::SSL::CertificateRequest could at '/etc/puppet/ssl/ca/requests/could.pem'
notice: Removing file Puppet::SSL::CertificateRequest could at '/etc/puppet/ssl/certificate_requests/could.pem'
notice: not has a waiting certificate request
notice: Signed certificate request for not
notice: Removing file Puppet::SSL::CertificateRequest not at '/etc/puppet/ssl/ca/requests/not.pem'
notice: Removing file Puppet::SSL::CertificateRequest not at '/etc/puppet/ssl/certificate_requests/not.pem'
notice: parse has a waiting certificate request
notice: Signed certificate request for parse
notice: Removing file Puppet::SSL::CertificateRequest parse at '/etc/puppet/ssl/ca/requests/parse.pem'
notice: Removing file Puppet::SSL::CertificateRequest parse at '/etc/puppet/ssl/certificate_requests/parse.pem'
crit: directory traversal detected in Puppet::SSL::Certificate::File: "/etc/puppet/puppet.conf:"
err: Cached certificate for /etc/puppet/puppet.conf: failed: invalid key
crit: directory traversal detected in Puppet::SSL::Certificate::Ca: "/etc/puppet/puppet.conf:"
err: Could not call generate: invalid key
Module ssl already enabled
Enabling site puppetmaster.
To activate the new configuration, you need to run:
  service apache2 reload
Syntax error on line 18 of /etc/apache2/sites-enabled/puppetmaster:
SSLCertificateFile: file '/etc/puppet/ssl/certs/squigley.namespace.at.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!
invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing puppetmaster-passenger (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 puppetmaster-passenger
E: Sub-process /usr/bin/dpkg returned an error code (1)
A package failed to install. Trying to recover:
Setting up puppetmaster-passenger (2.7.11-1) ...
err: Could not parse /etc/puppet/puppet.conf: Could not match line abc at /etc/puppet/puppet.conf:abc
err: Could not call generate: A Certificate already exists for err:
Module ssl already enabled
Site puppetmaster already enabled
Syntax error on line 18 of /etc/apache2/sites-enabled/puppetmaster:
SSLCertificateFile: file '/etc/puppet/ssl/certs/squigley.namespace.at.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!
invoke-rc.d: initscript apache2, action "restart" failed.
dpkg: error processing puppetmaster-passenger (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 puppetmaster-passenger

Tags: patch


Adam Gandelman (gandelman-a) wrote :

Hey Glenn-- Thanks for reporting this and helping us make Ubuntu better!

I believe the issue here is that 'puppet config print' returns 0 on failure. The maintainer script is 'set -e', but in this case the errors are not caught. I'm wondering whether the script should be attempting to parse "err: " from calls to config print and fail early, or we should work on a patch to puppet to properly return non-zero on those errors.

Changed in puppet (Ubuntu):
status: New → Confirmed
Glenn Aaldering (glennaaldering) wrote :

Adam, I can confirm that it returns 0 on failure, which is really bad behaviour. It's really sad that such simple things can cause so much trouble.

For now the fastest fix is to see if err: is returned by puppet config print in the postinst before even doing anything and if so the postinst should exit the install, roll back any changes and give a message that puppet.conf should be fixed first before reinstalling.

Changed in puppet (Ubuntu):
status: Confirmed → Triaged
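
The fail-early check discussed in the two comments above, as an added example (it is not the package's postinst and not code from this report): a wrapper that accepts a config query's output as a certificate name only when the command succeeds and prints a single hostname-like token. `safe_certname` and the `fake_query_*` stubs are hypothetical names, and the stub outputs are constructed from the messages quoted in this report.

```shell
#!/bin/sh
# Added example; safe_certname and the fake_* stubs are hypothetical names.

# Constructed stand-ins for a config query tool, so this runs offline.
# Broken case: a parse error is printed but the exit status is still 0.
fake_query_broken() {
    echo "err: Could not parse /etc/puppet/puppet.conf: Could not match line abc"
    return 0
}
# Mixed case: a diagnostic line followed by a plausible value, exit 0.
fake_query_mixed() {
    echo "err: Could not parse /etc/puppet/puppet.conf" >&2
    echo "host.example.com"
}
fake_query_ok() { echo "host.example.com"; }
fake_query_fail() { echo "invalid parameter: abc"; return 1; }

# safe_certname CMD [ARGS...]
# Runs CMD and prints its output only if it is a single hostname-like token.
# stderr is merged on purpose: any diagnostic makes the result invalid, so a
# tool that exits 0 after an error still stops the script.
safe_certname() {
    out=$("$@" 2>&1) || { echo "config query failed: $out" >&2; return 1; }
    case $out in
        ''|.*|-*|*..*|*[!A-Za-z0-9.-]*)
            # Empty, or contains spaces, newlines, ':' or '/', or dot tricks.
            echo "refusing certname from output: $out" >&2
            return 1 ;;
    esac
    printf '%s\n' "$out"
}

# Demo: show which stub outputs would be accepted as a certificate name.
for q in fake_query_ok fake_query_broken fake_query_mixed fake_query_fail; do
    if name=$(safe_certname "$q" 2>/dev/null); then
        echo "$q: accepted '$name'"
    else
        echo "$q: rejected, abort before generating certificates"
    fi
done
```

Rejecting `/`, `:` and whitespace also keeps words from an error message, such as the `/etc/puppet/puppet.conf:` token in the log above, from ever reaching certificate generation as a name.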
Glenn Aaldering (glennaaldering) wrote :

Ok, I think the puppet config print variable should be changed to puppet --configprint variable:

# puppet config print abc; echo $?
err: Could not parse /etc/puppet/puppet.conf: Could not match line abc at /etc/puppet/puppet.conf:bla
invalid parameter: abc
0

# puppet --configprint abc; echo $?
invalid parameter: abc
1

# puppet config print certname; echo $?
err: Could not parse /etc/puppet/puppet.conf: Could not match line abc at /etc/puppet/puppet.conf:bla
host.example.com
0

# puppet --configprint certname; echo $?
host.example.com
0

Glenn Aaldering (glennaaldering) wrote :

Yeah, that does the trick. Replace "puppet config print" in the postinst with "puppet --configprint" and this bug can be resolved:

root@host:/etc# dpkg -i puppetmaster-passenger_2.7.11-1_all.deb
Selecting previously unselected package puppetmaster-passenger.
(Reading database ... 25803 files and directories currently installed.)
Unpacking puppetmaster-passenger (from puppetmaster-passenger_2.7.11-1_all.deb) ...
Setting up puppetmaster-passenger (2.7.11-1) ...
err: Could not parse /etc/puppet/puppet.conf: Could not match line bla at /etc/puppet/puppet.conf:bla
notice: Signed certificate request for ca
notice: Rebuilding inventory file
notice: host.example.com has a waiting certificate request
notice: Signed certificate request for host.example.com
notice: Removing file Puppet::SSL::CertificateRequest host.example.com at '/etc/puppet/ssl/ca/requests/host.example.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest host.example.com at '/etc/puppet/ssl/certificate_requests/host.example.com.pem'
Module ssl already enabled
Enabling site puppetmaster.
To activate the new configuration, you need to run:
  service apache2 reload
 * Restarting web server apache2 ... waiting

Maybe someone else knows why the error is still in the output though?

Marc Cluet (lynxman)
Changed in puppet (Ubuntu):
assignee: nobody → Marc Cluet (lynxman)
status: Triaged → Fix Committed
Marc Cluet (lynxman) wrote :

debdiff from 2.7.11-1 to 2.7.11-1ubuntu2

Marc Cluet (lynxman) wrote :

This is the proper one, apologies

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "puppet_2.7.11-1ubuntu2.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.11-1ubuntu1

---------------
puppet (2.7.11-1ubuntu1) precise; urgency=low

  [ Marc Cluet ]
  * debian/patches/puppet-12844: Cherry picked patch from upstream
    2.7.12 to revert new agent lockfile behaviour as it breaks upgrades
    from versions < 2.7.10. This feature has been pushed out to
    puppet 3.x by upstream.
  * debian/puppetmaster-passenger.postinst (LP: #948983)
    - Fixed rack directory location
    - Added proper enabling of apache2 headers mod
  * debian/puppetmaster-passenger.postinst (LP: #950183)
    - Make sure we error if puppet config print doesn't work

  [ James Page ]
  * debian/puppetmaster-passenger.postinst:
    - Ensure upgrades from <= 2.7.11-1 fixup passenger apache
      configuration.
 -- Marc Cluet <email address hidden> Fri, 16 Mar 2012 15:36:35 +0000

Changed in puppet (Ubuntu):
status: Fix Committed → Fix Released