Jira (PUP-11788) certname with .pp in the middle doesn't pick up its own manifest

Jordi Garcia (Jira)

Mar 24, 2023, 8:30:01 AM
to puppe...@googlegroups.com
Jordi Garcia updated an issue
 
Puppet / Bug PUP-11788
certname with .pp in the middle doesn't pick up its own manifest
Change By: Jordi Garcia
Zendesk Ticket Count: 1
Zendesk Ticket IDs: 51436
This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8)

Charmaine Pritchett (Jira)

Mar 24, 2023, 8:30:02 AM
to puppe...@googlegroups.com
Jordi Garcia created an issue
Issue Type: Bug
Assignee: Unassigned
Created: 2023/03/24 5:29 AM
Priority: Normal
Reporter: Jordi Garcia

Customer upgraded from 2019.8.9 to 2021.7.0 but the below behaviour is reproducible in 2021.7.2

If the certname of the machine has a .pp in the middle of the certname (e.g. pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal), the agent is not able to find the manifest pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal.pp. However, if the certname gets updated so there is no .pp in the middle of the certname (e.g. pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal) then the agent is able to find pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal.pp. I am able to replicate customer behaviour in the lab. Also, using a classification group from the console was able to get around the manifest issue (e.g. worked without issues).

* Please see Zendesk Support tab for further comments and attachments.

Jordi Garcia (Jira)

Mar 24, 2023, 8:34:02 AM
to puppe...@googlegroups.com
Jordi Garcia updated an issue
Change By: Jordi Garcia
Customer upgraded from 2019.8.9 to 2021.7.0 but the below behaviour is reproducible in 2021.7.2

If the certname of the machine has a .pp in the middle of the certname (e.g. pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal), the agent is not able to find the manifest pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal.pp. However, if the certname gets updated so there is no .pp in the middle of the certname (e.g. pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal) then the agent is able to find pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal.pp. I am able to replicate customer behaviour in the lab. Also

As a possible work around
, using the customer could use a classification group from the console was able to get around make their classification instead of the manifest issue (e.g. worked without issues) as that option works

~* Please see Zendesk Support tab for further comments and attachments.~

Jordi Garcia (Jira)

Mar 24, 2023, 8:55:02 AM
to puppe...@googlegroups.com
Jordi Garcia commented on Bug PUP-11788
 
Re: certname with .pp in the middle doesn't pick up its own manifest

One can reproduce the issue by using a PE 2021.7.2 with a node's certname like `pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal` and a couple of manifests like the below under the manifest folder of your control repo:

pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal.pp

```puppet
node "pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal"{
  class { "exec_class":
  }
}
```

and

pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal.pp

```puppet
node "pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal"{
  class { "exec_class":
  }
}
```

exec_class is a simple manifest with a notify:

```puppet
class exec_class {

  notify { "This is a xnix box: ${facts['operatingsystem']} , ${facts['operatingsystemmajrelease']}":}

}
```

Whenever the certname is `pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal.pp` the `exec_class` is not getting applied hence the notify is not executed during `pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal.pp`'s agent run. However, if the certname gets updated to `pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal.pp`, the `exec_class` is getting applied hence the notify is executed during `pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal.pp`'s agent run.

The following is the procedure used to change certname of the agent node:

1. `vi /etc/puppetlabs/puppet/puppet.conf` => to update certname value
2. `rm -fR /etc/puppetlabs/puppet/ssl` => to clear all certs from the agent
3. `puppet agent -t` => to generate a new cert with the new certname


Jordi Garcia (Jira)

Mar 24, 2023, 9:04:01 AM
to puppe...@googlegroups.com
Jordi Garcia commented on Bug PUP-11788

 

`pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal`'s agent run

```
[root@pe-node-a8cfec-1 ~]# puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
this is goodd
Jordi is testing code deployment
Info: Caching catalog for pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal
Info: Applying configuration version '1679659583'
Notice: This is a xnix box: CentOS , 7
Notice: /Stage[main]/Exec_class/Notify[This is a xnix box: CentOS , 7]/message: defined 'message' as 'This is a xnix box: CentOS , 7'
Notice: Applied catalog in 0.07 seconds
```

`pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal`'s agent runs

```
[root@pe-node-a8cfec-1 ~]# puppet agent -t
Info: Creating a new RSA SSL key for pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal
Info: Certificate Request fingerprint (SHA256): 18:32:6C:7F:7E:02:79:93:50:E2:F9:8A:6A:E1:20:82:AC:21:49:C9:49:EB:11:5E:5E:9D:E0:FC:AF:9B:44:3D
Info: Certificate for pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal).
Exiting now because the waitforcert setting is set to 0.
[root@pe-node-a8cfec-1 ~]# puppet agent -t
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal
Info: Certificate Request fingerprint (SHA256): 18:32:6C:7F:7E:02:79:93:50:E2:F9:8A:6A:E1:20:82:AC:21:49:C9:49:EB:11:5E:5E:9D:E0:FC:AF:9B:44:3D
Info: Downloaded certificate for pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal from https://puppet.pe-compiler-lb-a8cfec.il4.us-west1.lb.customer-support-scratchpad.internal:8140/puppet-ca/v1
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
this is goodd
Jordi is testing code deployment
Info: Caching catalog for pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal
Info: Applying configuration version '1679659583'
Notice: Applied catalog in 0.33 seconds
```

Jordi Garcia (Jira)

Mar 24, 2023, 9:07:02 AM
to puppe...@googlegroups.com
Jordi Garcia updated an issue
Change By: Jordi Garcia
Customer upgraded from 2019.8.9 to 2021.7.0 but the below behaviour is reproducible in 2021.7.2

If the certname of the machine has a .pp in the middle of the certname (e.g. pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal), the agent is not able to find the manifest pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal.pp. However, if the certname gets updated so there is no .pp in the middle of the certname (e.g. pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal) then the agent is able to find pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal.pp.

As a possible workaround, the customer could use a classification group from the console to make their classification instead of the manifest approach for the affected nodes as that option works.

~* Please see Zendesk Support tab for further comments and attachments.~

Josh Cooper (Jira)

Mar 24, 2023, 1:06:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11788
 
Re: certname with .pp in the middle doesn't pick up its own manifest

Reminds me of this other issue when using regexp with node names in site.pp: PUP-11515

Josh Cooper (Jira)

Jun 1, 2023, 12:40:01 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Phoenix 2023-06-21

Tony Vu (Jira)

Jun 7, 2023, 1:16:02 PM
to puppe...@googlegroups.com
Tony Vu updated an issue
Change By: Tony Vu
Sprint: Phoenix 2023-06-07 , Phoenix 2023-06-21

Liam Sexton (Jira)

Jun 8, 2023, 10:16:02 AM
to puppe...@googlegroups.com
Liam Sexton commented on Bug PUP-11788
 
Re: certname with .pp in the middle doesn't pick up its own manifest

Hi team,

Have a meeting with the customer who originally encountered this issue tomorrow - what's the status?

Thanks,
Liam

Michael Hashizume (Jira)

Jun 8, 2023, 6:40:02 PM
to puppe...@googlegroups.com

We did some looking into this and it appears that this is an upstream bug with JRuby.

Puppet looks for manifests by globbing the manifest directories it knows about, using a pattern that includes wildcards for both the directories and filenames: https://github.com/puppetlabs/puppet/blob/094227ef1e145913b35ac092084d5eb0ad8e5c72/lib/puppet/node/environment.rb#L595

This works fine with MRI, which you can see if you run those problematic manifests locally with puppet apply. However, the same code running in JRuby (as it does with puppetserver) produces the behavior you've reported.

I've filed a bug upstream with JRuby: https://github.com/jruby/jruby/issues/7836

It sounds like the customer has a workaround for the time being while we wait for JRuby to fix this bug.
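
The comparison below is an added example, not Puppet's code and not part of the comment above: it runs a wildcard glob and a plain directory walk over the same manifest directory and lists any `.pp` files the glob fails to return, so the same script can be run under MRI and under JRuby. The pattern `**/*.pp` and all function names are assumptions for illustration; the sample tree is constructed from the two manifest names in the report.

```ruby
require 'tmpdir'
require 'find'

# Assumed pattern: the comment only says the glob uses wildcards for both
# directories and filenames; '**/*.pp' illustrates that shape.
GLOB_PATTERN = '**/*.pp'

# Manifests returned by the wildcard glob.
def globbed_manifests(dir)
  Dir.glob(File.join(dir, GLOB_PATTERN)).sort
end

# Manifests found by walking the tree and comparing the suffix only,
# with no glob matching on the file name.
def walked_manifests(dir)
  found = []
  Find.find(dir) { |path| found << path if File.file?(path) && path.end_with?('.pp') }
  found.sort
end

# Manifests that exist on disk but that the glob did not return.
# A non-empty result means some node definitions are silently skipped.
def missed_manifests(dir)
  walked_manifests(dir) - globbed_manifests(dir)
end

# Constructed sample tree using the two manifest names from the report.
def build_sample_tree(dir)
  names = [
    'pe-node-a8cfec-1.pp.us-west1-b.c.customer-support-scratchpad.internal.pp',
    'pe-node-a8cfec-1.ipp.us-west1-b.c.customer-support-scratchpad.internal.pp'
  ]
  names.each { |name| File.write(File.join(dir, name), "# constructed sample\n") }
  names
end

# Build the sample tree in a temp directory and report what the glob missed.
def sample_check
  Dir.mktmpdir('manifests') do |dir|
    build_sample_tree(dir)
    { runtime: RUBY_ENGINE, missed: missed_manifests(dir).map { |p| File.basename(p) } }
  end
end

puts sample_check.inspect if $PROGRAM_NAME == __FILE__
```

Pointing `missed_manifests` at a real manifest directory on the server's runtime shows which nodes would compile a catalog without their own manifest.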

 

Josh Cooper (Jira)

Jun 13, 2023, 12:07:04 PM
to puppe...@googlegroups.com
Josh Cooper assigned an issue to Tony Vu
 
Change By: Josh Cooper
Assignee: Michael Hashizume Tony Vu