Thanks for calling that out, Simon. It should be in the release notes but that was done because the code that matches the nodename segments also allows matching on several facts (hostname, domain, fqdn) as well as certname.
Originally, this was an intentional design decision by Puppet (12+ years ago) that a node could contribute to its own classification and that the flexibility outweighed any security concerns (once a node's cert was compromised the entire estate was effectively compromised as any node could find out anything about any other node - including the master).
However, that was before the Puppet 4 language extensions, a reliable external node classifier, or various fact improvements (or having to be audited by large customer security teams). Since then we've generally built Puppet features towards the idea that a compromised agent cert only compromises that agent's info.
We looked into "fixing" the domain segment matching so that it only used the node's certname, but there were internal concerns that there could be accidental leakage with "my-lovely-node.west.domain.com" retrieving "my-lovely-node.east.domain.com"'s classification. Consequently, we've deprecated both the strict_hostname_checking and node_name settings with the intention of removing them in Puppet 7 (no ETA).
We believe the use cases served by those features are now available in the Puppet language, e.g.:
node /my-lovely-node.*/ { ... }
We've left the setting in for now though so users can time their upgrades to newer syntax appropriately.
HTH,
Justin
PS. h/t to @Abaddon for his work with us on this issue
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/01b325c5-c9de-4fc4-97ed-b408b00d9cd9%40googlegroups.com.
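An added illustration of the classification approach Justin points to (matching on the certificate-bound certname rather than on agent-reported hostname/domain/fqdn facts). This is not code from the post or from Puppet itself; the node names and profile classes are hypothetical.

```puppet
# Added example, not from the original post. Node names and profile classes
# are hypothetical. Once node_name / strict_hostname_checking are gone, node
# definitions match the certname in the agent's certificate, so classification
# is tied to an identity the master actually authenticated.

# Anchor the pattern: an unanchored /my-lovely-node.*/ also matches any
# certname that merely contains that string somewhere.
node /^my-lovely-node\.west\.domain\.com$/ {
  include profile::web_west
}

# Inside classes, key decisions on $trusted rather than $facts.
# $facts['fqdn'], ['hostname'] and ['domain'] are reported by the agent and a
# compromised agent can report anything; $trusted['certname'] comes from the
# certificate the master verified during the TLS handshake.
class profile::base {
  # Weak: classification keyed on agent-controlled data.
  # if $facts['domain'] == 'east.domain.com' { include profile::east_secrets }

  # Stronger: keyed on the authenticated identity, again anchored.
  if $trusted['certname'] =~ /^[a-z0-9-]+\.east\.domain\.com$/ {
    include profile::east_secrets
  }
}
```

With this pattern a node whose cert is compromised can still read its own catalog, but it cannot obtain another node's classification by changing the facts it reports.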