Bug #3909
Strip trailing dots from domain fact
| Status: | Closed | Start date: | 05/28/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | library | | |
| Target version: | 2.0.0 | | |
| Keywords: | | Affected Facter version: | |
| Branch: | https://github.com/puppetlabs/facter/pull/200 | | |
| Votes: | 1 | | |
Description
On behalf of a puppet-users poster who did not want to create an additional login to file a bug:
I was stumbling over the fact that I use a (not existing) toplevel domain in my environment. So I set up the dnsdomainname to print out the correct domain (without fullstop (‘.’)). Additionally, I limited the search path in resolv.conf to end with a ‘.’.
That seems to tangle facter. As I read the code, it needs a ‘.’ anywhere in domainname to work, and the fallback to parse /etc/resolv.conf cannot handle a trailing ‘.’. The latter is easy to handle by $1.sub(/.$/, '') but the first I do not know how to handle correctly for every case. (At least on Debian there seems to be ‘(none)’ if it is not defined correctly.)
Could that go into upstream code, or rather, how can the first case be fixed properly?
History
Updated by James Turnbull almost 2 years ago
- Category set to library
- Status changed from Unreviewed to Needs Decision
Updated by Luke Kanies almost 2 years ago
- Status changed from Needs Decision to Accepted
Updated by Ken Barber 6 months ago
- Target version set to 1.6.x
Updated by Steven Seed 4 months ago
I’m not sure if this comment belongs here or if I should open a new issue, but we recently ran into a problem when implementing the dhcp domain-search option on our dhcp server. The more recent dhclients (4.1.x) on Linux and I believe BSD will now include requests for domain-search which results in search value(s) in /etc/resolv.conf that have trailing periods (.).
Facter does not strip these trailing periods from the domain and fqdn values returned. The result is the puppet client in a client/server environment will suddenly think its name has changed and request a new certificate (one that has a trailing dot). The puppetmaster will then refuse to authenticate the host because it doesn’t think the name matches the certificate issued by the puppet ca.
I’ve made a very simple patch that fixes the problem in the facter domain.rb file. I’m attaching the patch. The option mentioned by the original poster to strip the trailing dot should work as well and may be a better solution.
--- /usr/lib/ruby/site_ruby/1.8/facter/domain.rb 2011-10-16 10:36:29.000000000 -0700
+++ /usr/lib/ruby/site_ruby/1.8/facter/domain.rb.new 2012-02-02 16:40:03.890869844 -0800
@@ -36,9 +36,9 @@ Facter.add(:domain) do
search = nil
File.open("/etc/resolv.conf") { |file|
file.each { |line|
- if line =~ /^\s*domain\s+(\S+)/
+ if line =~ /^\s*domain\s+(\S+)\.+/
domain = $1
- elsif line =~ /^\s*search\s+(\S+)/
+ elsif line =~ /^\s*search\s+(\S+)\.+/
search = $1
end
}
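Review bot: Both changed patterns, (\S+)\.+ on the domain line and on the search line, now require at least one literal dot after the capture, so entries without a trailing dot are mishandled. The greedy \S+ backtracks to the last dot in the name, which means "domain example.com" yields "example", and a value with no dot at all no longer matches and leaves the variable nil. Keep the original (\S+) capture and strip the trailing dot from $1 afterwards with an escaped dot anchored at the end of the string, so names without a trailing dot pass through unchanged.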
Updated by Daniel Pittman 4 months ago
- Description updated (diff)
Steven, we need you to sign a CLA before we can accept the code change; you can find the details in our contributing guide: https://github.com/puppetlabs/puppet/blob/master/CONTRIBUTING.md
You don’t have to do the other bits, but we do need the CLA part. :)
Updated by Steven Seed about 1 month ago
I haven’t been able to get the doc signed, however I would like to remove the patch I uploaded as it doesn’t work properly. The original poster’s suggestion is better, but you must escape the ‘.’ in the regular expression with a backslash… $1.sub(/\.$/, '')
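The three variants discussed in this thread, run side by side over constructed resolv.conf lines. This is an added example, not Facter's code and not part of any comment above; the method names and sample lines are assumptions made for illustration.

```ruby
# Constructed sample lines in resolv.conf syntax (not taken from a real host).
SAMPLE_LINES = [
  "domain example.com",
  "domain example.com.",
  "search lab.example.com. example.com.",
  "domain localdomain",
].freeze

# Pattern from the withdrawn patch: demands a literal dot after the capture.
PATCH_RE = /^\s*(?:domain|search)\s+(\S+)\.+/
# Pre-patch capture from the diff context, with both keywords merged into one pattern.
ORIG_RE = /^\s*(?:domain|search)\s+(\S+)/

# Variant 1: the withdrawn patch. Greedy \S+ backtracks to the last dot.
def via_patch(line)
  line =~ PATCH_RE ? $1 : nil
end

# Variant 2: unescaped dot. /.$/ matches ANY final character, not just '.'.
def via_unescaped_sub(line)
  line =~ ORIG_RE ? $1.sub(/.$/, '') : nil
end

# Variant 3: escaped dot. Only a literal trailing '.' is removed.
def via_escaped_sub(line)
  line =~ ORIG_RE ? $1.sub(/\.$/, '') : nil
end

# Returns one hash per input line so the three results can be compared.
def compare(lines)
  lines.map do |l|
    { line: l,
      patch: via_patch(l),
      unescaped: via_unescaped_sub(l),
      escaped: via_escaped_sub(l) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare(SAMPLE_LINES).each { |row| puts row.inspect }
end
```

Only the escaped variant returns the same domain for the dotted and undotted forms of a name, which is what keeps the derived fqdn matching the certificate the agent already holds.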
Updated by Hailee Kenney 12 days ago
- Assignee set to Hailee Kenney
Updated by Hailee Kenney 12 days ago
- Target version changed from 1.6.x to 2.0.0
Due to the fix in #7484, the probability of reaching this issue is extremely low. However, if we encounter a domain name with a trailing ‘.’, we will strip it off. Because behavior was undefined before, and now we’re explicitly removing the trailing dot, it’s a potentially breaking change for certificates in Puppet, so we will target master rather than 1.6.x.
Updated by Hailee Kenney 12 days ago
- Subject changed from Facter does not behave properly with non-existent top-level domains. to Strip trailing dots from domain fact
Updated by Hailee Kenney 12 days ago
- Status changed from Accepted to In Topic Branch Pending Review
- Branch set to https://github.com/puppetlabs/facter/pull/200
Updated by Daniel Pittman 8 days ago
From the pull request:
jeffmccune commented 19 hours ago:
If we strip trailing dots from the domain fact we no longer support fully qualified domains. I don’t think we want to force everyone to an unqualified domain.
As discussed in the ticket, this was rarely possible in any case. Now, rather than having undefined behaviour where some rare set of failures could potentially lead to a fully qualified search path in resolv.conf leading to this fact having a trailing dot, it is always one of the two possible forms.
The only alternative is that we always terminate the name with a ., marking it as fully qualified (and violating the expectations of most users) instead.
There really isn’t an “unqualified name” here either, by the way – this is defined as the DNS domain name of the machine; that isn’t a definition that admits “partial domain names”.
Updated by Daniel Pittman 6 days ago
- Status changed from In Topic Branch Pending Review to Merged - Pending Release
Updated by Matthaus Litteken 6 days ago
- Status changed from Merged - Pending Release to Closed
released in Facter 2.0.0rc1