Comments (14)
Update: with puppetserver version 6.2.0-1stretch, there were only Vault::ConnectionPool::PoolShuttingDownError errors (about 100 errors per day)
However, with puppetserver version 6.15.1-1stretch (I tested both old single-threaded and new multithreaded JRuby mode), there are many different errors, here are stats for one day:
root@puppet:~# zcat /var/log/puppetlabs/puppetserver/puppetserver-2021-03-25.0.log.gz /var/log/puppetlabs/puppetserver/puppetserver-2021-03-25.1.log.gz | grep 'Skipping backend' | grep -o '\[hiera-vault\].*' | awk -F ' on node' '{print $1}' | awk -F ' \\(file:' '{print $1}' | sort | uniq -c | sort -n
3 [hiera-vault] Skipping backend. Configuration error: Socket closed
3 [hiera-vault] Skipping backend. Configuration error: undefined method `request' for nil:NilClass
3 [hiera-vault] Skipping backend. Configuration error: undefined method `ssl_version=' for nil:NilClass
12 [hiera-vault] Skipping backend. Configuration error: The Vault server at `https://127.0.0.1:8200' is not currently
81 [hiera-vault] Skipping backend. Configuration error: Vault::ConnectionPool::PoolShuttingDownError
2700 [hiera-vault] Skipping backend. Configuration error: undefined method `configure' for nil:NilClass
3087 [hiera-vault] Skipping backend. Configuration error: no cipher match
Some of the "no cipher match" errors may be accounted for by changes in default ciphers in puppetserver, but surely not all of them.
Also, https://127.0.0.1:8200 is NOT the address of my Vault server.
from petems-hiera_vault.
@tiandrey Can you change your module to use this branch fix to see if it resolves your problem: #65
from petems-hiera_vault.
I've just cut and pushed a release for 2.0.0, hopefully this should fix it 👍🏻
from petems-hiera_vault.
Can't check it right now, but mutex should fix the problem. I'll comment as soon as I'm able to test it.
from petems-hiera_vault.
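The nil:NilClass errors reported above are the kind a client object shared across request threads can produce when one thread clears it while another is mid-call, which is what the mutex mentioned in this comment guards against. The sketch below is an added example, not code from hiera_vault or the vault gem; FakeClient, Backend, reset and race are hypothetical names, and the reset from a second thread is an assumed trigger.

```ruby
# Added illustration; FakeClient and Backend are hypothetical, not hiera_vault or vault gem code.
class FakeClient
  def read(path)
    "secret-for-#{path}"
  end
end

# A backend that keeps one lazily built client shared by all request threads.
class Backend
  def initialize(lock = nil)
    @lock = lock      # nil reproduces the unsynchronized behaviour
    @client = nil
  end

  def lookup(path, pause = nil)
    guard do
      @client ||= FakeClient.new
      pause.call if pause   # test hook: hold the thread between setup and use
      @client.read(path)
    end
  end

  def reset
    guard { @client = nil } # assumed trigger: teardown running on another thread
  end

  private
  def guard(&blk)
    @lock ? @lock.synchronize(&blk) : blk.call
  end
end

# Force the interleaving: thread A pauses mid-lookup while thread B resets.
def race(backend)
  entered, go = Queue.new, Queue.new
  a = Thread.new do
    backend.lookup("kv/db", -> { entered << 1; go.pop })
  rescue NoMethodError => e
    "error: #{e.message}"
  end
  entered.pop
  b = Thread.new { backend.reset }
  b.join(0.2)   # returns at once if unlocked; times out while A holds the lock
  go << 1
  b.join
  a.value
end

puts race(Backend.new)             # unsynchronized: NoMethodError on nil
puts race(Backend.new(Mutex.new))  # synchronized: the lookup completes
```

With the lock, the reset waits until the in-flight lookup has finished, so the lookup never sees a nil client.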
I've tried v2.0.0 - received lots of errors like
2021-08-16T19:26:57.548+03:00 ERROR [qtp1752447289-227] [puppetserver] Puppet [hiera-vault] Skipping backend. Configuration error: no cipher match
2021-08-16T19:26:57.548+03:00 ERROR [qtp1752447289-227] [puppetserver] Puppet [hiera-vault] Skipping backend. Configuration error: no cipher match on node example-hostname
2021-08-16T19:26:57.549+03:00 ERROR [qtp1752447289-227] [puppetserver] Puppet Server Error: [hiera-vault] Skipping backend. Configuration error: no cipher match on node example-hostname
/etc/puppetlabs/code/environments/production/modules/hiera_vault/lib/puppet/functions/hiera_vault.rb:138:in `block in vault_get'
org/jruby/ext/thread/Mutex.java:164:in `synchronize'
/etc/puppetlabs/code/environments/production/modules/hiera_vault/lib/puppet/functions/hiera_vault.rb:112:in `vault_get'
/etc/puppetlabs/code/environments/production/modules/hiera_vault/lib/puppet/functions/hiera_vault.rb:89:in `lookup_key'
from petems-hiera_vault.
What version of Vault and Puppet are you running?
Looks like this: hashicorp/vault-ruby#179
from petems-hiera_vault.
vault (0.16.0)
ii puppet-agent 6.23.0-1stretch amd64 The Puppet Agent package contains all of the elements needed to run puppet, including ruby, facter, and hiera.
ii puppetserver 6.15.3-1stretch all Puppet Labs puppetserver
This is still a heisenbug: most of the requests are completed successfully, but many still have this error.
from petems-hiera_vault.
Which version of Vault itself do you have installed? (The app itself, not the gem)
from petems-hiera_vault.
Are you using the same Puppet version across your estate?
from petems-hiera_vault.
Also, could you do puppetserver gem list for me?
from petems-hiera_vault.
> Which version of Vault itself do you have installed?
Don't know, don't think it matters - most requests succeed, so the problem is not caused by cryptography issues per se.
> Are you using the same Puppet version across your estate?
From 6 to 7. Again, it doesn't matter - the same node can have an error on one run and success on the next.
Gems
# puppetserver gem list
2021-08-16 21:09:46,583 INFO [p.s.j.jruby-puppet-core] Disabling i18n for puppet because using multithreaded jruby
*** LOCAL GEMS ***
aws-eventstream (1.1.1)
aws-sigv4 (1.2.3)
cmath (default: 1.0.0)
concurrent-ruby (1.1.5)
csv (default: 1.0.0)
debouncer (0.2.2)
deep_merge (1.0.1)
fast_gettext (1.1.2)
fileutils (default: 1.1.0)
gettext (3.2.2)
hiera-eyaml (3.2.1)
highline (2.0.3)
hocon (1.3.1)
ipaddr (default: 1.2.0)
jar-dependencies (default: 0.4.0)
jruby-openssl (default: 0.10.5 java)
jruby-readline (default: 1.3.7 java)
json (default: 2.2.0 java)
locale (2.1.3, 2.1.2)
multi_json (1.14.1)
optimist (3.0.1)
psych (default: 3.2.0 java)
puppet-resource_api (1.8.14)
puppetserver-ca (1.9.4)
rake-ant (default: 1.0.4)
rdoc (default: 6.1.2)
scanf (default: 1.0.0)
semantic_puppet (1.0.4, 1.0.2)
text (1.3.1)
vault (0.15.0)
webrick (default: 1.6.1)
and bonus
# /opt/puppetlabs/puppet/bin/gem list
*** LOCAL GEMS ***
aws-eventstream (1.1.1)
aws-sigv4 (1.2.3)
bigdecimal (default: 1.3.4)
cmath (default: 1.0.0)
colored2 (3.1.2)
concurrent-ruby (1.1.8)
cri (2.15.11)
csv (default: 1.0.0)
date (default: 1.0.0)
debouncer (0.2.2)
deep_merge (1.0.1)
did_you_mean (1.2.0)
etc (default: 1.0.0)
facter (3.14.18)
facter-ng (4.2.1)
faraday (0.17.4)
faraday_middleware (0.14.0)
fast_gettext (1.1.2)
fcntl (default: 1.0.0)
ffi (1.13.1)
fiddle (default: 1.0.0)
fileutils (default: 1.0.2)
gettext (3.2.2)
gettext-setup (0.34)
hiera (3.7.0)
hiera-eyaml (3.2.1)
highline (2.0.3)
hocon (1.3.1)
httpclient (2.8.3)
io-console (default: 0.4.6)
ipaddr (default: 1.2.0)
json (default: 2.1.0)
locale (2.1.3)
log4r (1.1.10)
minitar (0.9)
minitest (5.10.3)
multi_json (1.14.1)
multipart-post (2.1.1)
net-ssh (4.2.0)
net-telnet (0.1.1)
openssl (default: 2.1.2)
optimist (3.0.1)
power_assert (1.1.1)
psych (default: 3.0.2)
puppet (6.23.0)
puppet-resource_api (1.8.14)
puppet_forge (2.3.4)
puppetserver-ca (1.9.4)
r10k (3.8.0)
rake (12.3.3)
rdoc (default: 6.0.1.1)
scanf (default: 1.0.0)
sdbm (default: 1.0.0)
semantic_puppet (1.0.4)
stringio (default: 0.0.1)
strscan (default: 1.0.0)
sys-filesystem (1.3.2)
test-unit (3.2.7)
text (1.3.1)
thor (1.1.0)
thread (0.2.2)
vault (0.16.0)
webrick (default: 1.4.2.1)
xmlrpc (0.3.0)
zlib (default: 1.0.0)
from petems-hiera_vault.
I was interested in the Vault version because there might be a specific change they've made on their side I'm not aware of (as right now the repo only tests against 1.0, 1.1, 1.2 and 1.3...)
I'm seeing if I can set up a test environment with different versions of Vault and different JRuby versions to see what cipher issues there are.
We've just merged a new feature that adds caching so that might help with some of the load issues, can you test that out?
from petems-hiera_vault.