| To repro delete everything from the production environment:
# rm -rf /etc/puppetlabs/code/environments/production/
|
Create a new environment and install puppetlabs-concat into it:
# mkdir -p /etc/puppetlabs/code/environments/customer1/{manifests,files} |
# puppet module install puppetlabs-concat -v 7.1.1 --environment customer1 |
# cat <<END > /etc/puppetlabs/code/environments/customer1/manifests/site.pp |
include df_modsec |
END |
# cat <<END > /etc/puppetlabs/code/environments/customer1/modules/df_modsec/manifests/init.pp |
class df_modsec { |
$file = '/tmp/file' |
|
concat { $file: |
ensure => 'present', |
} -> concat::fragment { 'main': |
target => $file, |
source => 'puppet:///modules/df_modsec/modsecurity_main.conf', |
} |
} |
END |
# cat <<END > /etc/puppetlabs/code/environments/customer1/modules/df_modsec/files/modsecurity_main.conf |
# this is a comment |
END |
# chown -R puppet:puppet /etc/puppetlabs/code/environments
|
Configure the server to assign the environment:
# puppet config set node_terminus exec --section server |
# puppet config set external_nodes /etc/puppetlabs/puppet/enc.sh --section server |
# cat <<EOF > /etc/puppetlabs/puppet/enc.sh |
#!/bin/sh |
|
cat <<END |
--- |
environment: customer1 |
END |
EOF |
# chmod a+x /etc/puppetlabs/puppet/enc.sh |
# chown puppet:puppet /etc/puppetlabs/puppet/enc.sh |
# systemctl restart puppetserver
|
Delete the last run summary and run the agent once:
# rm -f /opt/puppetlabs/puppet/public/last_run_summary.yaml |
# puppet agent -t |
Info: Using environment 'production' |
... |
Notice: Local environment: 'production' doesn't match server specified environment 'customer1', restarting agent run with environment 'customer1' |
... |
# cat /tmp/file |
# this is a comment
|
Note the mismatched last environments:
# cat /opt/puppetlabs/puppet/public/last_run_summary.yaml |
--- |
version: |
config: 1632772088 |
puppet: 7.10.0 |
application: |
run_mode: agent |
initial_environment: production |
converged_environment: customer1
|
Run the agent a second time and it will fail:
# puppet agent -t |
... |
Error: /Stage[main]/Df_modsec/Concat[/tmp/file]/Concat_file[/tmp/file]: Failed to generate additional resources using 'eval_generate': Could not retrieve source(s) puppet:///modules/df_modsec/modsecurity_main.conf
|
This is because the concat module doesn't specify an environment when making the metadata request: https://github.com/puppetlabs/puppetlabs-concat/blob/7c356efc62b092b71eb40f63d9a7c362b825210f/lib/puppet/type/concat_file.rb#L305 so the indirector will fallback to the environment stored in the context https://github.com/puppetlabs/puppet/blob/3828aabe8d32368faa5cdc1a428189d0cb117e52/lib/puppet/indirector/request.rb#L33 But the agent doesn't push a new environment when it detects the mismatch: https://github.com/puppetlabs/puppet/blob/3828aabe8d32368faa5cdc1a428189d0cb117e52/lib/puppet/configurer.rb#L394 It needs to push a new environment and loaders like we do in https://github.com/puppetlabs/puppet/blob/3828aabe8d32368faa5cdc1a428189d0cb117e52/lib/puppet/configurer.rb#L449-L456 |
