Warning after upgrading to v3.1.0

[vchepkov]

After upgrading to v3.1.0, puppet started issuing warning each run

Warning: Facter: Operation not permitted @ io_fread - /sys/module/kdb_main/parameters/enable_nmi
Warning: Facter: Permission denied @ rb_sysopen - /sys/module/md_mod/parameters/new_array
Warning: Facter: Permission denied @ rb_sysopen - /sys/module/ipmi_si/parameters/hotmod

Puppet 6.25.1
Checked on CentOS 7, RHEL 8 and Fedora 35

[vchepkov]

@jcpunk , @bastelfreak , v3.1.1 reduced warning count, but didn't eliminate them

Observe this on RHEL8

Warning: Facter: Operation not permitted @ io_fread - /sys/module/kdb/parameters/enable_nmi

This on CentOS 7

Warning: Facter: Operation not permitted @ io_fread - /sys/module/kdb_main/parameters/enable_nmi

[smoeding]

I can confirm this issue. It happens because the file looks readable when in fact it isn't:

# ls -l /sys/module/kdb/parameters/enable_nmi
-rw-------. 1 root root 4096 Feb 7 14:09 /sys/module/kdb/parameters/enable_nmi

# cat /sys/module/kdb/parameters/enable_nmi
cat: /sys/module/kdb/parameters/enable_nmi: Operation not permitted

[kenyon]

We tried to fix this in #78, but I didn't test the final update. :( Edit: Turns out that I wouldn't have seen the kdb warning on the systems I was testing on anyway. I do see it on Ubuntu 18.04 VMs with v3.1.1 though.

[tenajsystems]

I can confirm this issue as well on Ubuntu 20.04 after moving to 3.1.1. Any thoughts on when a fix will be available for this issue?

[jcpunk]

Does the patch from #81 fix this for you?

[vchepkov]

May I suggest to make this fact possible to blacklist?

 facter --list-block-groups
AZ
  - az_metadata
EC2
  - ec2_metadata
  - ec2_userdata
file system
  - mountpoints
  - filesystems
  - partitions
hypervisors
  - hypervisors

[hggh]

@vchepkov you can block any fact by its name:
File: /etc/puppetlabs/facter/facter.conf

facts : {
  blocklist: [
 "kmods",

  ]
}

[vchepkov]

That doesn't help, unfortunately,

# cat /etc/puppetlabs/facter/facter.conf 
facts : {
  blocklist: [
    "kmods",
  ]
}
# puppet agent -t --environment kmod 
Info: Using environment 'kmod'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Notice: /File[/opt/puppetlabs/puppet/cache/lib/facter/kmod.rb]/ensure: defined content as '{md5}f8de287fe030a71616b4e0d9fb4238a0'
Info: Retrieving locales
Info: Loading facts
Warning: Facter: Operation not permitted @ io_fread - /sys/module/kdb_main/parameters/enable_nmi

I was under impression only limited set of facts can be blocklisted:

# facter --list-block-groups
AZ
  - az_metadata
EC2
  - ec2_metadata
  - ec2_userdata
file system
  - mountpoints
  - filesystems
  - partitions
hypervisors
  - hypervisors

[hggh]

Version 7.x is able to block facts by name, perhaps your Puppet/Facter version is too old.

[vchepkov]

It's actually 'current' with PE LTS, which is 6.26.0

[tenajsystems]

Does the patch from #81 fix this for you?

How would I test the referenced patch? I am not sure which release branch you branched off to create that patch.

[jcpunk]

That patch should be based off of 3.1.1. You can manually perform the changes listed on your environment to test it, copy the whole file out of my fork, or apply the diff directly to your tree. The process varies a bit depending on how you're managing your environments.

I'll confess I'm hopeful it will be merged soon. @bastelfreak is there anything else you need on that PR?

[aclarkee]

Worth noting that #81 doesn't fix this, just hides the error.

imo the fact should still be adjusted to cater to this. Maybe a blacklist of parameters exposed via hiera? Just hiding the errors is pointless.. If this module is attempting to read kernel parameters that aren't designed to be read, then it shouldn't be doing that.

[vchepkov]

I agree, this fact is intrusive and should be refactored using lsmod command

[arnonerba]

It would be really great to have this fixed. It's been a constant annoyance on our RHEL 8 and Ubuntu 20.04 machines.

[bastelfreak]

@arnonerba can you provide a PR with a proper fix?

[arnonerba]

Here is my suggestion: #88

[smoeding]

As far as I understand the internals a blacklist would have to be implemented in the ruby code of the facter code.
I'm afraid nobody is willing to keep up with updating this module and providing new releases when just another exception is found.

[bastelfreak]

I don't think we need to work with a filter list. Can you please test #81 ? That works at least in my environment.

[arnonerba]

I like this new version of #81 much better and can confirm it gets rid of the error on RHEL 8 and Ubuntu 20.04. Thanks!