Puppet

Puppet Master 升級到 2.7.25-2 後收到 YAML 錯誤

  • September 3, 2014

我們的puppetmaster伺服器已升級到 RHEL6 ( puppet-2.7.25-2.el6.noarch) 上可用的最新版本。我們現在在主伺服器上收到如下錯誤:

Aug 26 11:36:59 master1 puppet-master[5555]: Could not intern from yaml: instance of IO needed

這在 RHEL4 上執行 0.25.6 的客戶端上:

Aug 26 11:36:59 foo1 Puppet (err): Could not retrieve catalog from remote server: Error 400 on SERVER: Could not intern from yaml: instance of IO needed

伺服器正在使用我不熟悉的 Apache 和乘客執行。有關如何解決此問題的任何想法?

更新

根據@FelixFrank,停止httpd服務後,執行以下命令:

$ sudo puppet master --no-daemonize --verbose --trace

在 puppet 客戶端嘗試檢索其目錄後,這為我提供了以下回溯:

err: /usr/lib/ruby/1.8/yaml.rb:176:in `load'
/usr/lib/ruby/1.8/yaml.rb:176:in `parse'
/usr/lib/ruby/site_ruby/1.8/puppet/vendor/safe_yaml/lib/safe_yaml.rb:201:in `safe_load'
/usr/lib/ruby/site_ruby/1.8/puppet/vendor/safe_yaml/lib/safe_yaml.rb:141:in `load'
/usr/lib/ruby/site_ruby/1.8/puppet/network/formats.rb:6:in `intern'
/usr/lib/ruby/site_ruby/1.8/puppet/network/format_handler.rb:12:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/network/format_handler.rb:12:in `protect'
/usr/lib/ruby/site_ruby/1.8/puppet/network/format_handler.rb:26:in `intern'
/usr/lib/ruby/site_ruby/1.8/puppet/network/format_handler.rb:108:in `convert_from'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:25:in `extract_facts_from_request'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/catalog/compiler.rb:38:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:195:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/handler.rb:111:in `do_find'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/handler.rb:68:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/handler.rb:68:in `process'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick/rest.rb:24:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:45:in `listen'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `call'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:42:in `listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:41:in `initialize'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:41:in `new'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:41:in `listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:38:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:38:in `listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:126:in `listen'
/usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:141:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:124:in `start'
/usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:202:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application/master.rb:146:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:416:in `hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:407:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:69:in `execute'
/usr/bin/puppet:4
err: Could not intern from yaml: instance of IO needed

關於下一步嘗試什麼的任何想法?

根據Puppet 更改日誌,2.7.22 包含對 YAML 處理方式的更改:

在 puppet 中發現了一個嚴重漏洞,其中 puppet master 可以通過 REST API 從不受信任的客戶端獲取 YAML。可以反序列化此 YAML 以構造包含任意程式碼的對象。

這是由於一個安全漏洞。為了暫時緩解這個問題,我從 PuppetLabs 的 repo 降級到早期版本,並puppet-server通過yum versionlock.

引用自:https://serverfault.com/questions/624159