Jira (PUP-10106) Since update to puppet 5.5.17 puppetdb forge module cannot connect to puppetdb


Tom Parker (JIRA)

Oct 19, 2019, 2:53:03 PM
to puppe...@googlegroups.com
Tom Parker created an issue
 
Puppet / Bug PUP-10106
Since update to puppet 5.5.17 puppetdb forge module cannot connect to puppetdb
Issue Type: Bug
Affects Versions: PUP 5.5.17
Assignee: Unassigned
Created: 2019/10/19 11:52 AM
Priority: Normal
Reporter: Tom Parker

Puppet Version: 5.5.17
Puppet Server Version: 5.3.10
OS Name/Version: CentOS 7

Since the update to puppet agent 5.5.17 the puppetdb forge module is using the configured proxy server and ignoring the no_proxy setting when trying to validate the connection to puppetdb.  This worked properly on 5.5.16. 

My environment proxy settings are:

http_proxy=http://ottinstall.ls.cbn:3128
ftp_proxy=http://ottinstall.ls.cbn:3128
https_proxy=http://ottinstall.ls.cbn:3128
no_proxy=ls.cbn, localhost, puppet, 127.0.0.1

My puppetdb server is: https://glycon.ls.cbn:8081

Desired Behavior: 

Respect the no_proxy value ls.cbn and not proxy connections to https://glycon.ls.cbn:8018

Actual Behavior:
opening connection to ottinstall.ls.cbn:3128...
opened
<- "CONNECT glycon.ls.cbn:8081 HTTP/1.1\r\nHost: glycon.ls.cbn:8081\r\n\r\n"
-> "HTTP/1.1 403 Forbidden\r\n"
-> "Server: squid/3.5.20\r\n"
-> "Mime-Version: 1.0\r\n"
-> "Date: Sat, 19 Oct 2019 18:46:40 GMT\r\n"
-> "Content-Type: text/html;charset=utf-8\r\n"
-> "Content-Length: 3448\r\n"
-> "X-Squid-Error: ERR_ACCESS_DENIED 0\r\n"
-> "Vary: Accept-Language\r\n"
-> "Content-Language: en\r\n"
-> "X-Cache: MISS from ottinstall.ls.cbn\r\n"
-> "X-Cache-Lookup: NONE from ottinstall.ls.cbn:80\r\n"
-> "Via: 1.1 ottinstall.ls.cbn (squid/3.5.20)\r\n"
-> "Connection: keep-alive\r\n"
-> "\r\n"
Conn close because of connect error 403 "Forbidden"
Notice: Unable to connect to puppetdb server (https://glycon.ls.cbn:8081): 403 "Forbidden"


Tom Parker (JIRA)

Oct 19, 2019, 4:43:02 PM
to puppe...@googlegroups.com
Tom Parker commented on Bug PUP-10106
 
Re: Since update to puppet 5.5.17 puppetdb forge module cannot connect to puppetdb

Further testing shows that the issue is in the handling of no_proxy for a domain match. 

NO_PROXY="ls.cbn, localhost, puppet, 127.0.0.1" fails.

NO_PROXY="glycon.ls.cbn, ls.cbn, localhost, puppet, 127.0.0.1" works.  

As far as I know this is incorrect behaviour as ls.cbn should match *.ls.cbn 

Rob Braden (JIRA)

Oct 21, 2019, 12:52:03 PM
to puppe...@googlegroups.com

Rob Braden (JIRA)

Oct 21, 2019, 12:52:04 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Oct 21, 2019, 7:49:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10106
 
Re: Since update to puppet 5.5.17 puppetdb forge module cannot connect to puppetdb

Thanks Tom Parker. This is indeed a behavior change from 5.5.16 as puppet and ruby interpret the no_proxy environment variable differently. Unfortunately there isn't a specification, which makes this more confusing.

In order to exclude hosts in a domain, I'd recommend prefixing the domain with a dot, as in no_proxy=.ls.cbn, localhost, puppet, 127.0.0.1. That syntax should work universally for puppet, curl and ruby 2.4.0 and up (https://github.com/ruby/ruby/commit/423d042371d0402071c309dc403ea2701600a98b).

Using the parent domain ls.cbn works for ruby, but not puppet. Other applications may have issues like https://github.com/httplib2/httplib2/pull/95

Using the wildcard *.ls.cbn works for puppet, but not ruby nor curl, so is not recommended.

I'm going to keep this issue open, as it looks like there are some unexpected differences between specifying no_proxy as a puppet setting vs environment variable:

RUBY to http://www.google.com
ENV['no_proxy']
*                => http://proxy.example.com
*.google.com     => http://proxy.example.com
.google.com      => direct
www.google.com   => direct
google.com       => direct
.com             => direct
 
PUPPET to http://www.google.com
ENV['no_proxy']
*                => proxy.example.com
*.google.com     => proxy.example.com
.google.com      => direct
www.google.com   => direct
google.com       => proxy.example.com
.com             => direct
 
PUPPET to http://www.google.com
Puppet[:no_proxy]
*                => direct
*.google.com     => direct
.google.com      => direct
www.google.com   => direct
google.com       => http://proxy.example.com
.com             => direct

Josh Cooper (JIRA)

Oct 21, 2019, 7:54:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-10106

Also looks like 6.9.0 behaves differently than earlier versions when setting no_proxy as an environment variable due to PUP-9990

PUPPET to http://www.google.com
ENV['no_proxy']
*                => direct
*.google.com     => direct
.google.com      => direct
www.google.com   => direct
google.com       => proxy.example.com
.com             => direct
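
Added example (not part of the thread, and not Puppet's or Ruby's own matching code): a small Ruby check that classifies how a no_proxy list covers a host, following the results reported in the two comments above. The function names are hypothetical, and ports, CIDR ranges and IP matching are deliberately ignored.

```ruby
# Added example: illustrative only, based on the behaviour tables in this thread.
# Exact host names and ".domain" entries were honoured by every client tested;
# bare parent domains and "*" wildcards were honoured by some and not others.

def split_no_proxy(value)
  value.to_s.split(',').map { |e| e.strip.downcase }.reject(&:empty?)
end

# Returns :portable, :implementation_dependent, or nil when the entry
# does not apply to the host at all.
def entry_coverage(entry, host)
  host = host.downcase
  if entry == '*'
    :implementation_dependent
  elsif entry.start_with?('*.')
    host.end_with?(entry[1..-1]) ? :implementation_dependent : nil
  elsif entry.start_with?('.')
    host.end_with?(entry) ? :portable : nil
  elsif entry == host
    :portable
  elsif host.end_with?(".#{entry}")
    :implementation_dependent # bare parent domain, e.g. "ls.cbn"
  end
end

def no_proxy_report(no_proxy, host)
  hits = split_no_proxy(no_proxy).map { |e| [e, entry_coverage(e, host)] }
                                 .reject { |_, c| c.nil? }
  verdict = if hits.any? { |_, c| c == :portable } then :portable
            elsif hits.empty? then :not_covered
            else :implementation_dependent
            end
  { verdict: verdict, entries: hits.to_h }
end

if __FILE__ == $PROGRAM_NAME
  host = 'glycon.ls.cbn' # PuppetDB host from the report
  [
    'ls.cbn, localhost, puppet, 127.0.0.1',                # value that failed
    'glycon.ls.cbn, ls.cbn, localhost, puppet, 127.0.0.1', # reporter's workaround
    '.ls.cbn, localhost, puppet, 127.0.0.1',               # leading-dot form
    '*.ls.cbn'                                             # wildcard form
  ].each do |value|
    r = no_proxy_report(value, host)
    puts format('%-55s %-26s %p', value, r[:verdict], r[:entries])
  end
end
```

A verdict of implementation_dependent means the bypass relies on an entry form that at least one of the clients in the tables above sent through the proxy.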

Tom Parker (JIRA)

Oct 23, 2019, 11:30:04 AM
to puppe...@googlegroups.com
Tom Parker commented on Bug PUP-10106

Thanks Josh Cooper

I will have to do some experiments to see how other applications on my system behave with .ls.cbn vs ls.cbn including python and older versions of ruby.   For everything so far with the exception of puppet/ruby the ls.cbn has always matched.

I appreciate you keeping this ticket open.  The behaviour is indeed odd between ENV[no_proxy] and puppet.conf no_proxy although the .domain seems to be pretty consistent across the various environments and applications.
