Bug 895639: Support 10.9 Talos with PuppetAgain
Status: RESOLVED FIXED (Closed; opened 12 years ago, closed 11 years ago)
Categories: Infrastructure & Operations :: RelOps: Puppet, task
Tracking: Not tracked
People: Reporter: dustin, Assigned: coop
Attachments (1 file): patch, 17.10 KB; armenzg: review+, dustin: checked-in+
Similar to bug 891880 but with the shiny new OS X Mavericky.
Comment 1 • 12 years ago (Reporter)
OS X 10.9 ships with Ruby-2.0, which isn't a problem for puppet, but the PL packages install in the ruby-1.8 site libs, so they don't work. `gem install puppet` works, though!
-> http://projects.puppetlabs.com/issues/21868
user handling doesn't work:
Error: incompatible character encodings: ASCII-8BIT and US-ASCII
Error: /Stage[users]/Users::Root::Account/Darwinuser[root]/password: change from [old password hash redacted] to [new password hash redacted] failed: incompatible character encodings: ASCII-8BIT and US-ASCII
-> http://projects.puppetlabs.com/issues/22107
And that pretty much makes everything else fail, so I'll work on that.
Comment 2 • 11 years ago (Reporter)
I also ran into issues with binary file contents:
http://projects.puppetlabs.com/issues/22129
and, it seems, the certificate validation does not allow alternative DNS names:
t-mavericks-r5-001:~ root# FACTER_PUPPETIZING=true /usr/bin/puppet agent --test --server="${PUPPET_SERVER:-puppet}" --pluginsync --ssldir=/var/lib/puppet/ssl
Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: (null)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=CA on releng-puppet2.srv.releng.scl3.mozilla.com
Validity
Not Before: May 2 20:17:00 2013 GMT
Not After : May 1 20:17:00 2018 GMT
Subject: CN=releng-puppet2.srv.releng.scl3.mozilla.com, OU=PuppetMasters
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
DirName:/CN=PuppetAgain Base CA/emailAddress=release@mozilla.com/OU=Release Engineering/O=Mozilla, Inc.
serial:0B
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:puppet, DNS:releng-puppet2.srv.releng.scl3.mozilla.com
Signature Algorithm: sha1WithRSAEncryption
Yet it works fine with openssl s_client:
t-mavericks-r5-001:~ root# openssl s_client -verify 2 -connect puppet:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem
verify depth is 2
CONNECTED(00000003)
depth=2 /CN=PuppetAgain Base CA/emailAddress=release@mozilla.com/OU=Release Engineering/O=Mozilla, Inc.
verify return:1
depth=1 /CN=CA on releng-puppet2.srv.releng.scl3.mozilla.com
verify return:1
depth=0 /CN=releng-puppet2.srv.releng.scl3.mozilla.com/OU=PuppetMasters
verify return:1
---
Certificate chain
0 s:/CN=releng-puppet2.srv.releng.scl3.mozilla.com/OU=PuppetMasters
i:/CN=CA on releng-puppet2.srv.releng.scl3.mozilla.com
1 s:/CN=CA on releng-puppet2.srv.releng.scl3.mozilla.com
i:/CN=PuppetAgain Base CA/emailAddress=release@mozilla.com/OU=Release Engineering/O=Mozilla, Inc.
---
Server certificate
subject=/CN=releng-puppet2.srv.releng.scl3.mozilla.com/OU=PuppetMasters
issuer=/CN=CA on releng-puppet2.srv.releng.scl3.mozilla.com
---
Acceptable client certificate CA names
/CN=CA on releng-puppet2.build.scl1.mozilla.com
/CN=CA on releng-puppet1.srv.releng.use1.mozilla.com
/CN=CA on releng-puppet1.srv.releng.usw2.mozilla.com
/CN=CA on releng-puppet2.srv.releng.scl3.mozilla.com
/CN=CA on releng-puppet2.srv.releng.use1.mozilla.com
/CN=CA on releng-puppet2.srv.releng.usw2.mozilla.com
/CN=CA on releng-puppet3.srv.releng.use1.mozilla.com
/CN=CA on releng-puppet3.srv.releng.usw2.mozilla.com
/CN=PuppetAgain Base CA/emailAddress=release@mozilla.com/OU=Release Engineering/O=Mozilla, Inc.
/CN=CA on releng-puppet1.build.mtv1.mozilla.com/emailAddress=release@mozilla.com/O=Mozilla, Inc./OU=Release Engineering
/CN=CA on releng-puppet1.build.scl1.mozilla.com/emailAddress=release@mozilla.com/O=Mozilla, Inc./OU=Release Engineering
/CN=CA on releng-puppet1.srv.releng.scl3.mozilla.com/emailAddress=release@mozilla.com/O=Mozilla, Inc./OU=Release Engineering
/CN=CA on releng-puppet2.build.mtv1.mozilla.com
---
SSL handshake has read 3754 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: B192EA04B36065A7A775ECB42F4B8014C02DE5896A18F4828BE735379B3C1A25
Session-ID-ctx:
Master-Key: CF87FBEB047E195161B7382B469DDAEE40BF658173E91B54497F88E3020D897950DAFF96F4FF564EC5C00A0E82AA0215
Key-Arg : None
Start Time: 1376595484
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Comment 4 • 11 years ago (Reporter)
All of the packages other than puppet are built. What remains:
- SSL issues (comment 2)
- figure out why kernel_task is always running (probably an OS bug)
- Build puppet packages + submit changes upstream
- Puppetize support in DS
Group: infra → mozilla-corporation-confidential
Comment 5 • 11 years ago (Reporter)
The socket on which #connect fails is
#<OpenSSL::SSL::SSLSocket:0x007fb0bbf02378
@io=#<TCPSocket:fd 7>,
@context=#<OpenSSL::SSL::SSLContext:0x007fb0bbf03318
@cert=#<OpenSSL::X509::Certificate
subject=#<OpenSSL::X509::Name:0x007fb0bbf02120>,
issuer=#<OpenSSL::X509::Name:0x007fb0bbf020a8>,
serial=#<OpenSSL::BN:0x007fb0bbf02030>,
not_before=2013-08-16 16:38:26 UTC,
not_after=2018-08-15 16:38:26 UTC>,
@key=#<OpenSSL::PKey::RSA:0x007fb0bbee3360>,
@client_ca=nil,
@ca_file="/var/lib/puppet/ssl/certs/ca.pem",
@ca_path=nil,
@timeout=nil,
@verify_mode=1,
@verify_depth=nil,
@renegotiation_cb=nil,
@verify_callback=#<Puppet::SSL::Validator:0x007fb0bbef8378
@peer_certs=[],
@verify_errors=[],
@ssl_configuration=#<Puppet::SSL::Configuration:0x007fb0bbef84e0
@localcacert="/var/lib/puppet/ssl/certs/ca.pem",
@ca_chain_file=nil,
@ca_auth_file=nil>>,
@options=16779263,
@cert_store=#<OpenSSL::X509::Store:0x007fb0bbee2438
@verify_callback=nil,
@error=nil,
@error_string=nil,
@chain=nil,
@time=nil>,
@extra_chain_cert=nil,
@client_cert_cb=nil,
@tmp_dh_callback=nil,
@session_id_context=nil,
@session_get_cb=nil,
@session_new_cb=nil,
@session_remove_cb=nil,
@servername_cb=nil>,
@sync_close=true,
@hostname="puppet",
@eof=false,
@rbuffer="",
@sync=true>
Comment 6 • 11 years ago (Reporter)
With OpenSSL::debug = true, I get
Error: Failed to apply catalog: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:reason(1112)
Breaking that down:
Error code: 0x14077458
Error library: ssl
Error function: ssl23_get_server_hello
Error reason: 1112
In theory, SSL reason codes should be in openssl's crypto/err/openssl.ec. However, in 0.9.8y, which is the version Apple installs, there is no reason 1112, which is probably part of why it's not translated into a symbol in the error string.
OpenSSL-1.0.1e *does* have a reason 1112, so I'm assuming Apple has backported that to 0.9.8y. It's "SSL_R_TLSV1_UNRECOGNIZED_NAME". It looks like that corresponds to TLS error TLS1_AD_UNRECOGNIZED_NAME and SSL_AD_UNRECOGNIZED_NAME.
I'll go out on a limb and guess that comes from
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
which can return that error in two places: first, when it sees the server-name field in the TLS packet:
    if (type == TLSEXT_TYPE_server_name)
    {
        if (s->tlsext_hostname == NULL || size > 0)
        {
            *al = TLS1_AD_UNRECOGNIZED_NAME;
            return 0;
        }
        tlsext_servername = 1;
    }
which fails if the server hello contains a server_name extension but none was sent in the client hello, or if the server hello's server_name extension has nonzero length; and
    if (!s->hit && tlsext_servername == 1)
    {
        if (s->tlsext_hostname)
        {
            if (s->session->tlsext_hostname == NULL)
            {
                s->session->tlsext_hostname = BUF_strdup(s->tlsext_hostname);
                if (!s->session->tlsext_hostname)
                {
                    *al = SSL_AD_UNRECOGNIZED_NAME;
                    return 0;
                }
            }
            else
            {
                *al = SSL_AD_DECODE_ERROR;
                return 0;
            }
        }
    }
which essentially flags a failure of BUF_strdup as SSL_AD_UNRECOGNIZED_NAME (!?!).
I think we can discount the latter. The former is explained in RFC3546:
A server that receives a client hello containing the "server_name"
extension, MAY use the information contained in the extension to
guide its selection of an appropriate certificate to return to the
client, and/or other aspects of security policy. In this event, the
server SHALL include an extension of type "server_name" in the
(extended) server hello. The "extension_data" field of this
extension SHALL be empty.
If the server understood the client hello extension but does not
recognize the server name, it SHOULD send an "unrecognized_name"
alert (which MAY be fatal).
Failures in the first paragraph would be protocol errors, which would be odd between two OpenSSL instances. The second paragraph is more likely -- the error is actually coming from the server, which does not recognize the name 'puppet' as a hostname. A closer look at ssl23_get_server_hello shows this is possible:
    else if ((p[0] == SSL3_RT_ALERT) &&
             (p[1] == SSL3_VERSION_MAJOR) &&
             ((p[2] == SSL3_VERSION_MINOR) ||
              (p[2] == TLS1_VERSION_MINOR)) &&
             (p[3] == 0) &&
             (p[4] == 2))
    {
        void (*cb)(const SSL *ssl,int type,int val)=NULL;
        int j;
        /* An alert */
        if (s->info_callback != NULL)
            cb=s->info_callback;
        else if (s->ctx->info_callback != NULL)
            cb=s->ctx->info_callback;
        i=p[5];
        if (cb != NULL)
        {
            j=(i<<8)|p[6];
            cb(s,SSL_CB_READ_ALERT,j);
        }
        s->rwstate=SSL_NOTHING;
        SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
        goto err;
and in fact SSL_AD_REASON_OFFSET is 1000, while the RFC-defined code for unrecognized_name is 112.
Comment 7 • 11 years ago (Reporter)
from tshark:
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 100
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 96
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Aug 16, 2013 14:14:48.000000000 EDT
random_bytes: a87649a323a25cac7f290d1d61822ed961249c0061fb1282...
Session ID Length: 0
Cipher Suites Length: 36
Cipher Suites (18 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 19
Extension: server_name
Type: server_name (0x0000)
Length: 11
Server Name Indication extension
Server Name list length: 9
Server Name Type: host_name (0)
Server Name length: 6
Server Name: puppet
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Warning, Description: Unrecognized Name)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Warning (1)
Description: Unrecognized Name (112)
TLSv1 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 57
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 53
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Aug 16, 2013 14:14:48.000000000 EDT
random_bytes: a4e6dad41a7b6d933f50425c49ab111705d8323b2dc6623c...
Session ID Length: 0
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Compression Method: null (0)
Extensions Length: 13
Extension: server_name
Type: server_name (0x0000)
Length: 0
Extension: renegotiation_info
Type: renegotiation_info (0xff01)
Length: 1
Renegotiation Info extension
Renegotiation info extension length: 0
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
I should have started there!
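The decoding in comment 6 and the capture in comment 7, worked through in C as an added example (not part of the bug thread and not OpenSSL's code). The 7-byte record is constructed from the tshark dump, the error-code layout is the one used by OpenSSL 0.9.8/1.0.x, and the function names are made up for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Record and alert constants as used in the snippet quoted in comment 6. */
#define SSL3_RT_ALERT        21
#define SSL3_VERSION_MAJOR   3
#define SSL3_VERSION_MINOR   0
#define TLS1_VERSION_MINOR   1
#define SSL_AD_REASON_OFFSET 1000
/* Library and function numbers read off the page's code 0x14077458. */
#define ERR_LIB_SSL                  0x14
#define SSL_F_SSL23_GET_SERVER_HELLO 0x077

/* Constructed from the tshark dump in comment 7: the 7-byte alert record
 * (type 21, TLS 1.0, length 2, level 1 = warning, description 112). */
static const unsigned char alert_record[7] =
    { 0x15, 0x03, 0x01, 0x00, 0x02, 0x01, 0x70 };

/* OpenSSL 0.9.8/1.0.x layout: 8-bit lib, 12-bit func, 12-bit reason. */
unsigned long err_pack(unsigned lib, unsigned func, unsigned reason)
{
    return ((unsigned long)(lib & 0xff) << 24) |
           ((unsigned long)(func & 0xfff) << 12) |
           (unsigned long)(reason & 0xfff);
}
unsigned err_lib(unsigned long e)    { return (unsigned)((e >> 24) & 0xff); }
unsigned err_func(unsigned long e)   { return (unsigned)((e >> 12) & 0xfff); }
unsigned err_reason(unsigned long e) { return (unsigned)(e & 0xfff); }

/* Same test as the quoted branch of ssl23_get_server_hello. Returns the
 * packed error for an alert record, 0 otherwise. The level byte p[5] is
 * reported to the caller but, as in the quoted code, does not change the
 * outcome: a warning is turned into an error just like a fatal alert. */
unsigned long first_record_error(const unsigned char *p, size_t n,
                                 int *level, int *desc)
{
    if (n < 7)
        return 0;
    if (p[0] == SSL3_RT_ALERT && p[1] == SSL3_VERSION_MAJOR &&
        (p[2] == SSL3_VERSION_MINOR || p[2] == TLS1_VERSION_MINOR) &&
        p[3] == 0 && p[4] == 2) {
        *level = p[5];
        *desc = p[6];
        return err_pack(ERR_LIB_SSL, SSL_F_SSL23_GET_SERVER_HELLO,
                        SSL_AD_REASON_OFFSET + p[6]);
    }
    return 0;
}

int main(void)
{
    int level = 0, desc = 0;
    unsigned long e = first_record_error(alert_record, sizeof alert_record,
                                         &level, &desc);
    printf("error:%08lX lib=%u func=%u reason=%u\n",
           e, err_lib(e), err_func(e), err_reason(e));
    printf("alert level=%d (%s) description=%d\n",
           level, level == 2 ? "fatal" : "warning", desc);
    return 0;
}
```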
Comment 8 • 11 years ago (Reporter)
Mountain Lion does not send the server name extension, nor does Linux, in our current configuration. I need to figure out if this is related to different puppet versions (I'm running 3.2.4 on Mavericks from gem install) or different Ruby versions.
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 86
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 82
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Aug 16, 2013 15:18:28.000000000 EDT
random_bytes: 96bd7e2d86676ac8d5d672d017bfb3da71f5dc60490e3c27...
Session ID Length: 0
Cipher Suites Length: 36
Cipher Suites (18 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 2
Compression Methods (2 methods)
Compression Method: DEFLATE (1)
Compression Method: null (0)
Extensions Length: 4
Extension: SessionTicket TLS
Type: SessionTicket TLS (0x0023)
Length: 0
Data (0 bytes)
Comment 9 • 11 years ago (Reporter)
It's a ruby thing - puppet-3.2.4 on mtnlion works just fine.
Comment 10 • 11 years ago (Reporter)
I have three pull req's in for packaging support - http://projects.puppetlabs.com/issues/21868
These scripts were used to create the *-mavericks.dmg packages now in /data/repos/DMGs, which include the other two patches required by 10.9. I reimaged the host and installed those packages. Works like a charm. I'll put the patches up for review shortly.
Comment 11 • 11 years ago (Reporter)
Bug 895639: Add preliminary support for OS X 10.9
This requires that fixes for
* http://projects.puppetlabs.com/issues/21868
* http://projects.puppetlabs.com/issues/22107
* http://projects.puppetlabs.com/issues/22129
be in place.
Note that this uses the built-in user provider, rather than the custom
darwinuser provider. Other OS X versions will switch soon.
This is "preliminary" because we may need to adjust as we begin running
tests on these hosts.
---
I will also need to test that this does not have adverse consequences for other OS X versions before landing, but I'm not particularly worried.
Attachment #791538 - Flags: review?(armenzg)
Comment 12 • 11 years ago
Comment on attachment 791538 [details] [diff] [review]
bug895639.patch
Review of attachment 791538 [details] [diff] [review]:
-----------------------------------------------------------------
I can only review that it kind of makes sense to me. I have not done puppet reviews for a couple of years. Beware :)
::: modules/packages/manifests/mozilla/screenresolution16-dmg.sh
@@ +8,2 @@
>
> +git clone git://github.com/jhford/screenresolution.git
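Review bot: The added git clone line in screenresolution16-dmg.sh fetches the source over git://, which is neither encrypted nor authenticated, and the visible line names no tag or commit, so the DMG is built from whatever the remote or the network path serves at build time. Suggest cloning over https or ssh from a repository the team controls and checking out a fixed commit hash before building, so the package distributed through Puppet is reproducible and its source can be verified.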
Where should we move this repo to? I would prefer it not living on github. I've asked the same on #releng to see what the options are.
Attachment #791538 - Flags: review?(armenzg) → review+
Comment 13 • 11 years ago (Reporter)
I moved that to bug 906656 - good catch!
I'll test this out on other OS X versions and land it. Once that's done, are you ready to set up a few test machines and start greening up suites?
Updated • 11 years ago (Reporter)
Attachment #791538 - Flags: checked-in+
Updated • 11 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 14 • 11 years ago (Reporter)
Backed out due to bug 906782
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 15 • 11 years ago (Reporter)
Re-landed at Tue Aug 20 08:41:35 2013 -0700
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Comment 16 • 11 years ago
Coop: Anyone in particular we should work with to try to set up a few 10.9 hosts so you guys can start test integration?
Status: RESOLVED → REOPENED
Flags: needinfo?(coop)
Resolution: FIXED → ---
Comment 17 • 11 years ago (Assignee)
I will try to find an owner for this tomorrow.
Flags: needinfo?(coop)
Comment 18 • 11 years ago (Reporter)
coop, ping?
Comment 19 • 11 years ago (Assignee)
Sorry, I started working on integration patches for my dev-master01 but never commented to that effect.
Do you want me to grab this bug or file a new one for that work?
Comment 20 • 11 years ago (Reporter)
This one is fine.
Updated • 11 years ago (Reporter)
Assignee: dustin → coop
Comment 21 • 11 years ago (Assignee)
Dustin: I'm trying to hook t-mavericks-r5-001 up to my test master, but it's failing to puppetize. Nothing in /var/log/puppet/puppet.err. Running the command by hand yields the following:
[root@t-mavericks-r5-001.test.releng.scl3.mozilla.com puppet]# /usr/bin/puppet agent --detailed-exitcodes --onetime --no-daemonize --logdest=console --logdest=syslog --server releng-puppet2.build.scl1.mozilla.com
Error: Could not request certificate: Error 400 on SERVER: this master is not a CA
Exiting; failed to retrieve certificate and waitforcert is disabled
Thoughts?
Flags: needinfo?(dustin)
Updated • 11 years ago (Reporter)
Group: mozilla-corporation-confidential
Comment 23 • 11 years ago (Assignee)
I think our support here is solid enough that I can close this now. I'll continue the releng-specific work in bug 932431.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED