Affected Puppet, Ruby, OS and module versions/distributions
Puppet: 5.3.3
Ruby: bundled with puppet (ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux])
Distribution: Ubuntu 16.04
Module version: 0.6.1
How to reproduce (e.g Puppet code you use)
We just provide a wrong config, for example duplicate lines in an allow.
What are you seeing
When a wrong squid config is generated and deployed, puppet runs stop/start on squid.
This means no syntax check is made. What happens is that squid stops and can't start again.
What behaviour did you expect instead
Allow a syntax check/parse before squid stop, then return an error.
Output log
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: Computing checksum on file /etc/squid/squid.conf
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: (/Stage[main]/Squid::Config/Concat[/etc/squid/squid.conf]/File[/etc/squid/squid.conf]) Filebucketed /etc/squid/squid.conf to puppet with sum 9d58442d33b217aa95a150b7aeee9a12
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: (/Stage[main]/Squid::Config/Concat[/etc/squid/squid.conf]/File[/etc/squid/squid.conf]/content) content changed '{md5}9d58442d33b217aa95a150b7aeee9a12' to '{md5}dad5e225f455572c70ca7606afa20a5b'
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: (/Stage[main]/Squid::Config/Concat[/etc/squid/squid.conf]/File[/etc/squid/squid.conf]) The container Concat[/etc/squid/squid.conf] will propagate my refresh event
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: (/Stage[main]/Squid::Config/Concat[/etc/squid/squid.conf]/File[/etc/squid/squid.conf]) The container /etc/squid/squid.conf will propagate my refresh event
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: (/etc/squid/squid.conf) The container Concat[/etc/squid/squid.conf] will propagate my refresh event
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: (Concat[/etc/squid/squid.conf]) The container Class[Squid::Config] will propagate my refresh event
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: (Class[Squid::Service]) Scheduling refresh of Service[squid]
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: Executing: '/bin/systemctl is-active squid'
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: Executing: '/bin/systemctl is-enabled squid'
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: Executing: '/bin/systemctl is-active squid'
Dec 14 16:12:31 proxy2.abc.example.com puppet-agent[15922]: Executing: '/bin/systemctl restart squid'
Dec 14 16:12:31 proxy2.abc.example.com squid: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com
Dec 14 16:12:31 proxy2.abc.example.com squid[16690]: * Stopping Squid HTTP Proxy squid
Dec 14 16:12:33 proxy2.abc.example.com squid[16690]: * Waiting...
Dec 14 16:12:38 proxy2.abc.example.com squid[16690]: * ...
Dec 14 16:12:43 proxy2.abc.example.com squid[16690]: * ...
Dec 14 16:12:48 proxy2.abc.example.com squid[16690]: * ...
Dec 14 16:12:53 proxy2.abc.example.com squid[16690]: * ...
Dec 14 16:12:58 proxy2.abc.example.com squid[16690]: * ...
Dec 14 16:13:02 proxy2.abc.example.com squid[15827]: Squid Parent: (squid-3) process 15830 exited with status 0
Dec 14 16:13:03 proxy2.abc.example.com squid[16690]: * ...
Dec 14 16:13:05 proxy2.abc.example.com squid[15827]: Squid Parent: (squid-coord-4) process 15829 exited with status 0
Dec 14 16:13:05 proxy2.abc.example.com squid[15827]: Squid Parent: (squid-2) process 15831 exited with status 0
Dec 14 16:13:05 proxy2.abc.example.com squid[15827]: Squid Parent: (squid-1) process 15832 exited with status 0
Dec 14 16:13:08 proxy2.abc.example.com squid[16690]: * ...
Dec 14 16:13:08 proxy2.abc.example.com squid[16690]: ...done.
Dec 14 16:13:08 proxy2.abc.example.com squid[16690]: ...done.
Dec 14 16:13:08 proxy2.abc.example.com squid: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com
Dec 14 16:13:08 proxy2.abc.example.com squid: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com
Dec 14 16:13:08 proxy2.abc.example.com squid[16729]: * Starting Squid HTTP Proxy squid
Dec 14 16:13:08 proxy2.abc.example.com squid: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com
Dec 14 16:13:08 proxy2.abc.example.com squid: message repeated 3 times: [ Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com]
Dec 14 16:13:08 proxy2.abc.example.com squid[16729]: 2017/12/14 16:13:08| ERROR: '.download.maxmind.com' is a subdomain of '.maxmind.com'
Dec 14 16:13:08 proxy2.abc.example.com squid[16729]: 2017/12/14 16:13:08| ERROR: You need to remove '.download.maxmind.com' from the ACL named 'alloweddwhdomains'
Dec 14 16:13:08 proxy2.abc.example.com squid: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com
Dec 14 16:13:08 proxy2.abc.example.com squid[16729]: FATAL: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com
Dec 14 16:13:08 proxy2.abc.example.com squid[16729]: Squid Cache (Version 3.5.12): Terminated abnormally.
Any additional information you'd like to impart
Ubuntu uses generated systemd services from sysv. It does not use the restart function in the initscript but just uses stop/start. This means that the syntax check in the initscript is bypassed and the only thing that will happen is that it will be stopped and fail. But if reload is used, then systemd will use the reload function, which just sends a signal to squid to reload the config without a stop/start; there is a syntax check before this.
Will try to specify the restart option in the service and see if that works, but maybe this should be a feature in puppet itself. What is your opinion about this?
After further investigation I have found that the init script in Ubuntu has an incorrect test condition:
    reload|force-reload)
        res=`$DAEMON -k parse -f $CONFIG 2>&1 | grep -o "FATAL .*"`
Where the log output is in fact:
FATAL: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com
Since the colon is not accounted for in the regex, it will always allow a restart/reload and fail if the config has an error. This will need to be fixed upstream as well. Will check if there is a bug for this in Launchpad.
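The pattern mismatch described in the comment above, reproduced offline as an added example (not code from the init script or from the Puppet module). The function names and the `fake_parse_*` stand-ins for `squid -k parse` are hypothetical, the sample output is constructed from the log lines in this issue, and it is an assumption here that the real parser exits non-zero on a fatal config error.

```shell
#!/bin/sh
# Constructed sample: parser output assembled from the log lines in this issue.
SAMPLE_PARSE_OUTPUT="2017/12/14 16:13:08| ERROR: '.download.maxmind.com' is a subdomain of '.maxmind.com'
FATAL: Bungled /etc/squid/squid.conf line 543: acl alloweddwhdomains dstdomain .maxmind.com"

# Pattern quoted from the init script: expects "FATAL " followed by a space,
# so the real "FATAL: ..." line never matches and the result is always empty.
flawed_check() {
    printf '%s\n' "$1" | grep -o "FATAL .*"
}

# Corrected pattern: the colon is optional, so "FATAL: ..." and "FATAL ..." both match.
fixed_check() {
    printf '%s\n' "$1" | grep -E -o "FATAL:? .*"
}

# Gate to run before any stop/start: succeeds only if the parse command
# exits 0 (assumption: the parser signals fatal errors via exit status)
# AND its output carries no FATAL line.
# Usage: config_is_valid /usr/sbin/squid -k parse -f /etc/squid/squid.conf
config_is_valid() {
    out=$("$@" 2>&1) || return 1
    [ -z "$(fixed_check "$out")" ]
}

# Hypothetical stand-ins for the real parser so the example runs without squid.
fake_parse_bad() { printf '%s\n' "$SAMPLE_PARSE_OUTPUT"; return 1; }
fake_parse_ok()  { return 0; }
# A parser that prints FATAL but still exits 0: caught by the pattern check.
fake_parse_fatal_exit0() { printf '%s\n' "$SAMPLE_PARSE_OUTPUT"; return 0; }

if [ -z "$(flawed_check "$SAMPLE_PARSE_OUTPUT")" ]; then
    echo "flawed check: no error seen, reload would proceed"
fi
if config_is_valid fake_parse_bad; then
    echo "gate: reload allowed"
else
    echo "gate: reload refused, running squid left untouched"
fi
```
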