Issue #3909 has been updated by Steven Seed.

I'm not sure if this comment belongs here or if I should open a new issue, but 
we recently ran into a problem when implementing the dhcp domain-search option 
on our dhcp server. The more recent dhclients (4.1.x) on Linux and I believe 
BSD will now include requests for domain-search which results in search 
value(s) in /etc/resolv.conf that have trailing periods (.). 

Facter does not strip these trailing periods from the domain and fqdn values 
returned. The result is the puppet client in a client/server environment will 
suddenly think its name has changed and request a new certificate (one 
that has a trailing dot). The puppetmaster will then refuse to authenticate the 
host because it doesn't think the name matches the certificate issued by the 
puppet ca.

I've made a very simple patch that fixes the problem in the facter domain.rb 
file. I'm attaching the patch. The option mentioned by the original poster to 
strip the trailing dot should work as well and may be a better solution.

--- /usr/lib/ruby/site_ruby/1.8/facter/domain.rb        2011-10-16 
10:36:29.000000000 -0700
+++ /usr/lib/ruby/site_ruby/1.8/facter/domain.rb.new    2012-02-02 
16:40:03.890869844 -0800
@@ -36,9 +36,9 @@ Facter.add(:domain) do
       search = nil
       File.open("/etc/resolv.conf") { |file|
         file.each { |line|
-          if line =~ /^\s*domain\s+(\S+)/
+          if line =~ /^\s*domain\s+(\S+)\.+/
             domain = $1
-          elsif line =~ /^\s*search\s+(\S+)/
+          elsif line =~ /^\s*search\s+(\S+)\.+/
             search = $1
           end
         }
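
Review bot: In both changed patterns (the domain line and the search line) the trailing \.+ is mandatory and the pattern is not anchored at the end of the value, so entries that have no trailing dot stop parsing correctly. With "search example.com" the regex backtracks until \.+ can match the inner dot and $1 becomes "example"; with a single-label value such as "domain localdomain" the line no longer matches at all. Suggest keeping the original (\S+) patterns and stripping the dots from the capture instead, e.g. domain = $1.sub(/\.+$/, '') and the same for search, which is the approach the original report mentions.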

 
----------------------------------------
Bug #3909: Facter does not behave properly with non-existent top-level domains.
https://projects.puppetlabs.com/issues/3909

Author: Joe McDonagh
Status: Accepted
Priority: Normal
Assignee: 
Category: library
Target version: 1.6.x
Keywords: 
Branch: 
Affected Facter version: 


On behalf of a puppet-users poster who did not want to create an additional 
login to file a bug:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

I was stumbling over the fact that I use a (not existing) toplevel
domain in my environment. So I set up the dnsdomainname to print out the
correct domain (without fullstop ('.')). Additionally I limited the search
path in resolv.conf to end with a '.'.

That seems to tangle facter. As I read the code it needs a '.' anywhere
in domainname to work and the fallback to parse /etc/resolv.conf cannot
handle trailing '.'. The last is easy to handle by $1.sub(/\.$/, '') but
the first I do not know how to handle correctly for every case (At least
on debian there seems to be '(none)' if it is not defined correctly.)

Could that go into upstream code respective how to fix the first case
proper?

Regards
   Klaus Ethgen
- -- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <[email protected]>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
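
The trailing-dot handling discussed in this thread, as an added Ruby example that is not Facter's code or part of the original messages. It compares what the pre-patch and patched `search` patterns capture with stripping the dots after the match, and checks the result against a certificate name; helper names, the domain-over-search precedence and all sample values are assumptions constructed for illustration.

```ruby
# Added example (not Facter's code). Helper names and sample lines are constructed.

ORIGINAL = /^\s*search\s+(\S+)/     # pattern before the patch in this thread
PATCHED  = /^\s*search\s+(\S+)\.+/  # pattern proposed by the patch

# First capture group of +regex+ on +line+, or nil when the line does not match.
def captured(regex, line)
  line[regex, 1]
end

# Strip trailing dots from a name read from resolv.conf. Returns nil for an
# empty value or the "(none)" placeholder mentioned in the report.
def normalize_dns_name(name)
  cleaned = name.to_s.strip.sub(/\.+\z/, '')
  cleaned.empty? || cleaned == '(none)' ? nil : cleaned
end

# resolv.conf fallback: the "domain" entry wins, else the first "search" entry
# (this precedence is an assumption of the example).
def domain_from_resolv_conf(text)
  domain = search = nil
  text.each_line do |line|
    if (m = line.match(/^\s*domain\s+(\S+)/))
      domain = normalize_dns_name(m[1])
    elsif (m = line.match(/^\s*search\s+(\S+)/))
      search = normalize_dns_name(m[1])
    end
  end
  domain || search
end

# True when hostname + parsed domain equals the name on the issued certificate.
def certname_matches?(hostname, resolv_text, issued_certname)
  [hostname, domain_from_resolv_conf(resolv_text)].compact.join('.') == issued_certname
end

if __FILE__ == $PROGRAM_NAME
  ['search example.com.', 'search example.com', 'search localdomain'].each do |line|
    puts format('%-22s original=%-14p patched=%-14p normalized=%p', line,
                captured(ORIGINAL, line), captured(PATCHED, line),
                normalize_dns_name(captured(ORIGINAL, line)))
  end
end
```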
