Issue #2899 has been updated by Josh Endries.
I'm seeing this on another host which is looking at files that are in an ignore
line in the manifest. I have this in my fedora definition:
    file {
      "/usr/local/fedora":
        group => $group,
        owner => $owner,
        # checksum => md5,
        ignore => [".svn", "client", "data", "server"],
        # notify => Service[fedora],
        # purge => true,
        recurse => true,
        recurselimit => 10,
        require => Youser["fedora"],
        source => [
          "puppet:///modules/fedora/local/${version}/usr/local/fedora",
          "puppet:///modules/fedora/fedora/${version}/usr/local/fedora",
        ],
        sourceselect => all,
    }
And can often see this in lsof -p <pid>:
    puppetd 24239 root 6r REG 253,0 21603329 3368564 /usr/local/fedora/data/datastreams/2009/...
Which theoretically (AFAIK) it shouldn't be looking at.
----------------------------------------
Bug #2899: puppetd checks client files recursively even if they aren't specified
http://projects.reductivelabs.com/issues/2899
Author: Josh Endries
Status: Investigating
Priority: Normal
Assigned to: Markus Roberts
Category: fileserving
Target version:
Affected version: 0.25.1
Keywords:
Branch:
We stumbled upon a puppetd using 100% CPU and 12 GB of RAM a few days ago. We
have a DB app in /usr/local/fedora and a dev was doing work on migrating to a
new version and had many files in /usr/local/fedora/migration. We copy
/usr/local/fedora recursively from puppetmaster, so it (something) does descend
into the folder, but /usr/local/fedora/migration is not part of those files.
Nevertheless, the client's puppetd seemed to descend into it, probably doing
checksums or something, and ran for possibly days eating up more and more RAM
and constant high CPU. We worked around it by shutting puppetd down until the
migration is finished.
This may be worked around by using an ignore statement, I haven't tested that
since this situation is temporary, but that requires you know where the files
will be placed beforehand. This seems to suggest a DoS could be done against
Puppet or the system pretty easily by putting a directory somewhere with tons
of files in it, if Puppet copies the parent recursively. It also generally
seems like a bad design, the client reading things in that the server doesn't
need a check for, but maybe isn't easy to fix.
Anyway, I think it should be discussed or at least brought to attention. :)
I may be able to set up a test environment if necessary.
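
Added example, not part of the original report and not Puppet's own code: a Ruby check that counts how many entries a recursive walk under a managed directory would touch per top-level child, honouring the `ignore` list and `recurselimit` from the manifest above, so an oversized unmanaged subtree is visible before an agent run. The names `walk_cost` and `heavy_subtrees`, the threshold and the sample tree are hypothetical, and matching `ignore` patterns as shell globs against each basename is an assumption.

```ruby
require "find"
require "fileutils"
require "tmpdir"

# Count the entries a recursive walk of +root+ would touch, grouped by
# top-level child. Assumption: ignore patterns are shell globs matched
# against each entry's basename, and an ignored directory is pruned whole.
def walk_cost(root, ignore: [], recurselimit: nil)
  root = File.expand_path(root)
  counts = Hash.new(0)
  Find.find(root) do |path|
    next if path == root
    parts = path.delete_prefix(root + File::SEPARATOR).split(File::SEPARATOR)
    Find.prune if ignore.any? { |pat| File.fnmatch?(pat, parts.last, File::FNM_DOTMATCH) }
    counts[parts.first] += 1
    # Entries at the depth limit are counted but not descended into.
    Find.prune if recurselimit && parts.length >= recurselimit
  end
  counts
end

# Top-level children whose walk cost exceeds +threshold+, largest first.
def heavy_subtrees(root, threshold:, **opts)
  walk_cost(root, **opts).select { |_, n| n > threshold }.sort_by { |_, n| -n }
end

# Constructed sample tree: a small managed directory, an ignored data
# directory, and an unmanaged "migration" directory holding many files.
def build_sample_tree(dir)
  { "config" => 2, "data/datastreams/2009" => 50, "migration/batch/a" => 300 }.each do |sub, n|
    FileUtils.mkdir_p(File.join(dir, sub))
    n.times { |i| FileUtils.touch(File.join(dir, sub, "f#{i}")) }
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_tree(dir)
    ignore = [".svn", "client", "data", "server"] # ignore list from the manifest above
    heavy_subtrees(dir, threshold: 100, ignore: ignore, recurselimit: 10)
      .each { |name, n| puts "#{name}: #{n} entries would be walked" }
  end
end
```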