Issue #23074 has been updated by Melissa Stone.

Status changed from Merged - Pending Release to Closed

Released in Puppet 3.4.0-rc1

----------------------------------------
Bug #23074: cert inventory has race condition
https://projects.puppetlabs.com/issues/23074#change-100461

* Author: Henrik Lindberg
* Status: Closed
* Priority: Normal
* Assignee: Henrik Lindberg
* Category: security
* Target version: 3.4.0
* Affected Puppet version:
* Keywords: cert inventory signing autosigning
* Branch: https://github.com/puppetlabs/puppet/pull/2032
----------------------------------------

Certs are kept in an inventory called inventory.txt, and this file is rebuilt when cert signing detects that it is missing. The rebuild consists of reading all existing certs and adding them to inventory.txt. This takes place without any locking, which can result in both duplicated and missing entries. (To make matters worse, there were also race conditions in the logic that obtains serial numbers.)

The inventory.txt is only used for informational purposes; the main use case is being able to find information about a revoked and removed certificate. Some third-party systems use inventory.txt as a point of integration, making it difficult to remove it completely. The best solution would otherwise be to remove it entirely and instead keep a directory of revoked/deleted certs; an inventory is then simply a listing of the existing and revoked certs that can be obtained directly from the filesystem.

We should change how inventory.txt is created by treating additions to it as simple append logging. If the file does not exist, it is created and the entry is added. If the file is corrupted, becomes large, or the user wants to prune it, this should be handled by a separate subcommand to puppet cert called reinventory. This command can be executed on a non-active master to reconstruct the list from the set of known certificates.
To perform pruning, the user can make a copy and then perform a reinventory; the diff between the two can be archived (if a long-term track record is wanted).

Thus this issue is about:

* Add a puppet cert reinventory command
* Modify logging to inventory.txt to not perform automatic reinventory
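The design above has three parts: append-only logging of new entries, an explicit reinventory that rebuilds the file from the certs on disk, and a copy/reinventory/diff workflow for pruning. The Ruby below is an added illustration of that design written for this page; it is not Puppet's code and not the content of pull request 2032. The inventory line layout (hex serial, not-before, not-after, subject) is an assumption modelled on inventory.txt; the cert directory layout, the function names and the self-signed sample certs are all constructed for the example.

```ruby
require 'openssl'
require 'tmpdir'
require 'fileutils'

# One inventory line: hex serial, validity window, subject.
# Layout is an assumption modelled on Puppet's inventory.txt, not copied from it.
def inventory_entry(cert)
  fmt = '%Y-%m-%dT%H:%M:%SUTC'
  format('0x%04x %s %s %s', cert.serial.to_i,
         cert.not_before.utc.strftime(fmt),
         cert.not_after.utc.strftime(fmt),
         cert.subject.to_s)
end

# Append-only logging: open in append mode under an exclusive lock so two
# concurrent signers cannot interleave or duplicate entries. A missing file is
# simply created; no attempt is made to rebuild it from the cert directory.
def append_inventory(path, cert)
  File.open(path, File::WRONLY | File::APPEND | File::CREAT, 0644) do |f|
    f.flock(File::LOCK_EX)
    f.puts inventory_entry(cert)
    f.flush
    f.flock(File::LOCK_UN)
  end
end

# Reinventory: rebuild the listing from the certificates on disk, ordered by
# serial. Write to a temp file and rename so readers never see a partial file.
def reinventory(path, cert_dir)
  certs = Dir.glob(File.join(cert_dir, '*.pem')).sort.map do |p|
    OpenSSL::X509::Certificate.new(File.read(p))
  end
  certs.sort_by! { |c| c.serial.to_i }
  tmp = "#{path}.tmp#{Process.pid}"
  File.open(tmp, 'w', 0644) { |f| certs.each { |c| f.puts inventory_entry(c) } }
  File.rename(tmp, path)
  certs.size
end

# Pruning as the issue describes it: keep a copy, reinventory, diff the two.
# Returns the entries that are no longer backed by a cert file (revoked/removed).
def prune_inventory(path, cert_dir, archive_path)
  FileUtils.cp(path, archive_path)
  before = File.readlines(archive_path, chomp: true)
  reinventory(path, cert_dir)
  after = File.readlines(path, chomp: true)
  before - after
end

# Constructed sample data: self-signed certs generated locally for the example.
def make_cert(serial, cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2013, 10, 1)
  cert.not_after = Time.utc(2018, 10, 1)
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Sign three certs via append logging, remove one from disk, then prune.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  Dir.mktmpdir do |dir|
    cert_dir = File.join(dir, 'signed')
    FileUtils.mkdir_p(cert_dir)
    inv = File.join(dir, 'inventory.txt')
    (1..3).map { |i| make_cert(i, "node#{i}.example", key) }.each do |c|
      File.write(File.join(cert_dir, "#{c.subject.to_a[0][1]}.pem"), c.to_pem)
      append_inventory(inv, c)
    end
    # A revoked and removed cert: its inventory line stays (informational),
    # but the cert file is gone, so reinventory drops it.
    File.delete(File.join(cert_dir, 'node2.example.pem'))
    removed = prune_inventory(inv, cert_dir, File.join(dir, 'inventory.old'))
    { lines: File.readlines(inv).size, removed: removed.map { |l| l.split[0] } }
  end
end
```

The lock in append_inventory is what closes the race the issue describes: concurrent signers serialise on the file instead of each reading the cert directory and rewriting the whole inventory. Note that flock is advisory and unreliable on some network filesystems, which is one more reason reinventory is meant to run on a non-active master, where nothing else is appending.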