puppetlabs / puppetlabs-sshkeys_core

Apache License 2.0
4 stars 32 forks source link

sshkeys removed in all puppet runs #87

Open amateo opened 4 months ago

amateo commented 4 months ago

I'm using now the old version 1.0.2 of the module. I am trying to update to latest 2.5.0, but when I used in Ubuntu 18.04 and Ubuntu 20.04 clients, I get messages like:

Notice: /Stage[main]/Ssh/Sshkey[piscis22.um.es_ed25519@]/ensure: removed (corrective)                                                                   
Notice: /Stage[main]/Ssh/Sshkey[sorex20.um.es_rsa@]/ensure: removed (corrective)                                                                        
Notice: /Stage[main]/Ssh/Sshkey[mustela33.um.es_rsa@]/ensure: removed (corrective)                                                                      
Notice: /Stage[main]/Ssh/Sshkey[fiber10.um.es_rsa@]/ensure: removed (corrective)                                                                        
...

for all the entries in /etc/ssh/ssh_known_host in all puppet runs (although entries are not currently removed and it shouldn't)

In newer versions of Ubuntu I don't have this problem

joshcooper commented 4 months ago

@amateo are the entries added back on each run too? Could you run the following, where certname is the fqdn for one of the hosts puppet is managing and whose known_host is flapping?

puppet query 'resources { type = "Sshkey" and certname = "<certname>" }' | jq '.[]'

We're tracking this internally as https://perforce.atlassian.net/browse/PA-5157

I believe the root cause is https://puppet.atlassian.net/browse/PUP-5302 The known hosts file is managed using a ParsedFile provider which relies on prefetch to load all of the entries at the start of the agent run. Due to the puppet bug, prefetch is not compatible with composite namevars. This module starting using composite namevars in 2.0 (see https://github.com/puppetlabs/puppetlabs-sshkeys_core/pull/27)