On Sun, Mar 1, 2020 at 4:38 PM Simon Tideswell <stidesw...@gmail.com> wrote:
> Hello
>
> In case someone else gets tripped up by this, when upgrading from 6.8.0-1
> to 6.9.0-1 on Ubuntu 18 (and possibly other platforms) the sense of
> strict_hostname_checking changes. Previously it appears it was set to
> false by default.
>
> This means that a node manifest like ...
>
>     node 'my-lovely-node' {
>       stuff
>     }
>
> ... will work. But with the upgrade it changes to true, meaning the
> above will not work (and chaos ensues).
>
> After the change, if you don't set strict_hostname_checking to false in
> puppet.conf for the Puppet master, you will need this ...
>
>     node 'my-lovely-node.mydomain.com' {
>       stuff
>     }
>
> Not a biggy, but I wasted half an hour or so one Saturday morning because
> of this. Hopefully if someone reads this before upgrading they can save a
> similar minor irritation.

Thanks for calling that out, Simon. It should be in the release notes, but that was done because the code that matches the nodename segments also allows matching on several facts (hostname, domain, fqdn) as well as certname. Originally, this was an intentional design decision by Puppet (12+ years ago) that a node could contribute to its own classification and that the flexibility outweighed any security concerns (once a node's cert was compromised the entire estate was effectively compromised, as any node could find out anything about any other node, including the master). However, that was before the Puppet 4 language extensions, a reliable external node classifier, or various fact improvements (or having to be audited by large customer security teams). Since then we've generally built Puppet features towards the idea that a compromised agent cert only compromises that agent's info.
We looked into "fixing" the domain segment matching so that it only used the node's certname, but there were internal concerns that there could be accidental leakage with "my-lovely-node.west.domain.com" retrieving "my-lovely-node.east.domain.com"'s classification. Consequently, we've deprecated both the strict_hostname_checking and node_name settings with the intention of removing them in Puppet 7 (no ETA). We believe the use cases served by those features are now available in the Puppet language, e.g.:

    node /my-lovely-node.*/ { ... }

We've left the setting in for now, though, so users can time their upgrades to newer syntax appropriately.

HTH,
Justin

PS. h/t to @Abaddon for his work with us on this issue

> Simon
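A simplified model of the name matching Justin describes above, added here as an illustration and not Puppet's own lookup code: it collapses the node_name and strict_hostname_checking behaviour into one flag and uses constructed certnames, facts and node definitions, so the exact candidate-name order is an assumption. It shows why a short literal name matches both the west and east hosts in permissive mode, why an agent-supplied fact can influence the match, and how a regex on the certname under strict mode keeps the two apart.

```python
import re

# Constructed, simplified model of the legacy node-name matching; NOT
# Puppet's own code. A node definition is a literal name or a compiled
# regex; regexes are only ever matched against the certname.

def candidate_names(certname, facts, strict):
    """Names a request may match. In strict mode only the certname counts;
    in the permissive legacy mode the shorter segments of the certname and
    the agent-supplied fqdn/hostname facts are tried as well."""
    if strict:
        return [certname]
    names = [certname]
    parts = certname.split(".")
    for i in range(len(parts) - 1, 0, -1):   # a.b.c -> a.b -> a
        names.append(".".join(parts[:i]))
    for key in ("fqdn", "hostname"):         # facts are agent-controlled
        value = facts.get(key)
        if value and value not in names:
            names.append(value)
    return names

def classify(node_defs, certname, facts, strict):
    """Classification of the first matching definition, or None."""
    for name in candidate_names(certname, facts, strict):  # most specific first
        for pattern, classification in node_defs:
            if isinstance(pattern, str) and pattern == name:
                return classification
    for pattern, classification in node_defs:
        if isinstance(pattern, re.Pattern) and pattern.search(certname):
            return classification
    return None

# Legacy manifest with a short literal name, and the regex form Justin suggests.
LEGACY = [("my-lovely-node", "west-app")]
REGEX = [(re.compile(r"^my-lovely-node\.west\."), "west-app"),
         (re.compile(r"^my-lovely-node\.east\."), "east-app")]

def demo():
    west = "my-lovely-node.west.domain.com"
    east = "my-lovely-node.east.domain.com"
    return {
        "legacy_permissive_west": classify(LEGACY, west, {}, strict=False),
        "legacy_permissive_east": classify(LEGACY, east, {}, strict=False),  # leakage
        "legacy_strict_west": classify(LEGACY, west, {}, strict=True),       # no match
        "fact_influence": classify(LEGACY, "other.east.domain.com",
                                   {"hostname": "my-lovely-node"}, strict=False),
        "regex_strict_east": classify(REGEX, east, {}, strict=True),
    }
```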