(PUP-2958) Reclaim stale ssl lockfiles #7555

Merged
kris-bosland merged 1 commit into puppetlabs:master from joshcooper:pidlock_ftw
Jun 5, 2019

@joshcooper
Contributor

Previously, puppet's ssl state machine would fail to run if the ssl lockfile
existed, no matter what its contents were. Change the state machine to use
`Puppet::Util::Pidlock` instead, which is capable of detecting if the pid refers
to an already running puppet instance.

@joshcooper joshcooper requested a review from a team June 5, 2019 18:28
@joshcooper
Contributor Author

Acquires empty lockfile:

[root@rllkgfa3qeth9t6 ~]# touch /etc/puppetlabs/puppet/ssl/ssl.lock
[root@rllkgfa3qeth9t6 ~]# puppet agent -t --certname something
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for something
Info: Certificate Request fingerprint (SHA256): CC:DE:BF:B5:AA:52:EE:6B:9A:58:BE:AE:D5:9E:C2:E5:B5:6F:21:4F:BB:C4:C7:9F:A2:E8:95:8C:35:0C:A3:BC
Info: Certificate for something has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (something). Exiting now because the waitforcert setting is set to 0.

Acquires lockfile containing non-puppet pids:

[root@rllkgfa3qeth9t6 ~]# ps -p 1
  PID TTY          TIME CMD
    1 ?        00:00:01 systemd
[root@rllkgfa3qeth9t6 ~]# echo 1 > /etc/puppetlabs/puppet/ssl/ssl.lock
[root@rllkgfa3qeth9t6 ~]# puppet agent -t --certname something
Info: Creating a new RSA SSL key for something
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for something
Info: Certificate Request fingerprint (SHA256): CC:DE:BF:B5:AA:52:EE:6B:9A:58:BE:AE:D5:9E:C2:E5:B5:6F:21:4F:BB:C4:C7:9F:A2:E8:95:8C:35:0C:A3:BC
Info: Certificate for something has not been signed yet
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (something). Exiting now because the waitforcert setting is set to 0.

Fails to acquire when pid references background puppet process:

[root@rllkgfa3qeth9t6 ~]# systemctl start puppet
[root@rllkgfa3qeth9t6 ~]# pgrep puppet
26036
[root@rllkgfa3qeth9t6 ~]# echo 26036 > /etc/puppetlabs/puppet/ssl/ssl.lock
[root@rllkgfa3qeth9t6 ~]# puppet agent -t --certname something
Error: Could not run: Another puppet instance is already running; exiting

@kris-bosland kris-bosland merged commit b03cd0e into puppetlabs:master Jun 5, 2019
@joshcooper joshcooper deleted the pidlock_ftw branch April 15, 2021 03:36
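
The three manual checks in the comment above (empty lockfile, pid of a non-puppet process, pid of a running puppet process) reduce to one decision over untrusted lockfile content. The Ruby below is an added example, not the code merged in this pull request and not the implementation of `Puppet::Util::Pidlock`; the class `StaleAwareLock`, the `name_of` hook, the constructed process table and the assumption that the owner's command name contains "puppet" are all hypothetical.

```ruby
require 'tmpdir'
# Added illustration, not Puppet::Util::Pidlock. All names here are hypothetical.
class StaleAwareLock
  class AlreadyRunning < StandardError; end
  # Default lookup: command name for a pid, or nil if no such process (POSIX ps).
  PS_LOOKUP = lambda do |pid|
    out = IO.popen(['ps', '-p', pid.to_s, '-o', 'comm='], err: File::NULL, &:read).strip
    out.empty? ? nil : out
  end

  def initialize(path, name_of: PS_LOOKUP, expected: 'puppet')
    @path, @name_of, @expected = path, name_of, expected
  end

  # Returns :empty or :stale when the lock was taken over; raises if it is held.
  def acquire(my_pid = Process.pid)
    File.open(@path, File::RDWR | File::CREAT, 0o600) do |f|
      f.flock(File::LOCK_EX) # serialise check-then-write between racing claimants
      state = classify(f.read)
      raise AlreadyRunning, 'Another instance is already running' if state == :held
      f.rewind
      f.truncate(0)
      f.write(my_pid.to_s)
      state
    end
  end

  private
  # Lockfile content is untrusted input: accept only a bare decimal pid.
  def classify(content)
    text = content.strip
    return :empty if text.empty?
    return :stale unless text.match?(/\A\d+\z/)
    name = @name_of.call(text.to_i)
    name&.include?(@expected) ? :held : :stale # assumption: owner's command name contains "puppet"
  end
end

# Constructed process table mirroring the three manual checks in the comment above.
CONSTRUCTED_PROCS = { 1 => 'systemd', 26036 => 'puppet' }.freeze
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'ssl.lock')
    lock = StaleAwareLock.new(path, name_of: CONSTRUCTED_PROCS.method(:[]))
    ['', "1\n", "26036\n"].map do |content|
      File.write(path, content)
      lock.acquire(4242) rescue :refused
    end
  end
end
```

A pid that the OS has recycled to an unrelated process with a matching name still reads as held, so the name check narrows false refusals but does not eliminate them.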