Skip to content

(PUP-2958) Protect the SSL state machine with an ssl lockfile#7530

Merged
kris-bosland merged 5 commits intopuppetlabs:masterfrom
joshcooper:rerevert-ssl-lock
May 31, 2019
Merged

(PUP-2958) Protect the SSL state machine with an ssl lockfile#7530
kris-bosland merged 5 commits intopuppetlabs:masterfrom
joshcooper:rerevert-ssl-lock

Conversation

@joshcooper
Copy link
Contributor

@joshcooper joshcooper commented May 21, 2019
edited
Loading

Commit 926e0e6 locked the agent lockfile before running the SSL state machine, but had to be reverted in 3e82d0f due to puppet infrastructure locking the agent lock and running puppet ssl bootstrap.

These commits introduce a new ssl lockfile so that the ssl and catalog application lock files have different scopes.

joshcooper added 4 commits May 17, 2019 14:49
@joshcooper
(PUP-2958) Avoid any_instance
54529d2 
Pass cert and ssl providers to the state machine so that we can allow/expect on
those instances rather than relying on any_instance, which is more brittle.
@joshcooper
(PUP-2958) Break from state machine loop
a4c838a 
Use break instead of return to avoid non-local return.
@joshcooper
(maint) Include path in timeout message
b56bcdb 
Previously the Timeout::Error referred to a non-existent `@path` instance
variable. Refer to the `path` argument instead and update the spec test to
match.
@joshcooper
(PUP-2958) Add debugging message for file locking
28d0adb 
Puppet will poll for the lockfile, up to the maximum `timeout` which defaults to
5 minutes. Add debugging messages so it's clear what's going on when running
with `puppet agent -td`.
@joshcooper joshcooper requested a review from a team May 21, 2019 01:17
@puppetcla
Copy link

puppetcla commented May 21, 2019

CLA signed by all contributors.

@joshcooper
Copy link
Contributor Author

joshcooper commented May 21, 2019

jenkins please test this on windows2016-64a with servertests

jtappa
jtappa reviewed May 21, 2019
View reviewed changes
lib/puppet/ssl/state_machine.rb Outdated
#
# @private
class Puppet::SSL::StateMachine
LOCKFILE_TIMEOUT_SECS = 5
Copy link
Contributor

@jtappa jtappa May 21, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this long enough? Can it be user configurable?

Copy link
Contributor Author

@joshcooper joshcooper May 21, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I debated making it configurable. One thing is right now there isn't any feedback if the agent is stuck polling for the lock, unless you're running with debug. I imagine that could cause some confusion. Thinking about making the retry message a warning instead:

Warning: Failed to lock '/Users/josh/.puppetlabs/etc/puppet/ssl/ssl.lock' retrying in 1.94 milliseconds

Thoiughts? Then I could increase the default timeout and make it configurable.

Copy link
Contributor

@kris-bosland kris-bosland May 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the retry message.

Copy link
Contributor Author

@joshcooper joshcooper May 29, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made it configurable. I didn't make the message a warning, because I'm concerned it could cause transient failures in CI, due to tests matching puppet agent output, especially in PE.

jtappa
jtappa reviewed May 21, 2019
View reviewed changes
jtappa
jtappa reviewed May 21, 2019
View reviewed changes
kris-bosland
kris-bosland suggested changes May 23, 2019
View reviewed changes
lib/puppet/ssl/state_machine.rb Outdated
#
# @private
class Puppet::SSL::StateMachine
LOCKFILE_TIMEOUT_SECS = 5
Copy link
Contributor

@kris-bosland kris-bosland May 23, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the retry message.

@joshcooper joshcooper force-pushed the rerevert-ssl-lock branch from d8c09d9 to 48c64d3 Compare May 29, 2019 20:14
@jtappa
Copy link
Contributor

jtappa commented May 29, 2019

At least one of the AppVeyor failures looks legit

jtappa
jtappa reviewed May 29, 2019
View reviewed changes
@joshcooper joshcooper force-pushed the rerevert-ssl-lock branch from 48c64d3 to cea456d Compare May 30, 2019 18:05
@joshcooper
(PUP-2958) Lock ssl lockfile before running state machine
be4abce 
Adds a new `Puppet[:ssl_lockfile]` setting of type `:string`. We don't use
`:file`, because we don't want puppet to create it when applying settings
catalogs.

Protect the ssl state machine with the ssl lockfile.
@joshcooper joshcooper force-pushed the rerevert-ssl-lock branch from cea456d to be4abce Compare May 30, 2019 23:43
@joshcooper
Copy link
Contributor Author

joshcooper commented May 30, 2019
edited
Loading

I reworked this to not use File#flock as that led to many platform specific issues with POSIX file locking and Windows. For now, we create an ssl specific lockfile (using the same locking mechanism as is used for the catalog application lockfile). If we fail to acquire the lock, then we fail and don't retry. We have a separate epic to improve agent locking, so I think it's best to solve the "stale lock recovery" issue in that epic.

@joshcooper joshcooper requested a review from kris-bosland May 31, 2019 04:12
@kris-bosland kris-bosland merged commit e8a59b3 into puppetlabs:master May 31, 2019
@joshcooper joshcooper deleted the rerevert-ssl-lock branch May 31, 2019 23:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@jtappa jtappa jtappa approved these changes

@kris-bosland kris-bosland kris-bosland approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@joshcooper @puppetcla @jtappa @kris-bosland