Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1598331 - Puppet 3 on Ruby 1.8.7 (RHEL6) doesn't represent an array as ["1.0", "1.1"] but 1.01.1
Puppet 3 on Ruby 1.8.7 (RHEL6) doesn't represent an array as ["1.0", "1.1"] b...
Status: CLOSED WONTFIX
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer (Show other bugs)
6.2.15
x86_64 Linux
unspecified Severity urgent (vote)
: Unspecified
: Unused
Assigned To: satellite6-bugs
Katello QA List
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2018-07-05 03:09 EDT by Michal Dekan
Modified: 2018-07-05 11:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-07-05 10:46:49 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
foreman-debug from internal satellite 6.2.15 running on rhel 6.10 (551.37 KB, application/x-xz)
2018-07-05 03:09 EDT, Michal Dekan 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Michal Dekan 2018-07-05 03:09:16 EDT 
Created attachment 1456683 [details]
foreman-debug from internal satellite 6.2.15 running on rhel 6.10

Description of problem:

I've just applied  /etc/foreman-installer/custom-hiera.yaml settings from https://access.redhat.com/solutions/26833

=====
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.1']

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Install satellite 6.2.15
2. On rhel 6.10
3. Apply /etc/foreman-installer/custom-hiera.yaml 

==
# Foreman Proxy
foreman_proxy::tls_disabled_versions: ['1.1']

# Dynflow
foreman_proxy::plugin::dynflow::tls_disabled_versions: ['1.0', '1.1']

# Puppet 3
puppet::server::passenger::ssl_protocol: 'ALL -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2'

# Apache
apache::mod::ssl::ssl_protocol: ['ALL', '-SSLv3', '-TLSv1', '-TLSv1.1', '+TLSv1.2']

# Candlepin
candlepin::tls_versions: ['1.2']

# QPID Dispatch
foreman_proxy_content::qpid_router_ssl_protocols: ['TLSv1.2']
foreman_proxy_content::qpid_router_ssl_ciphers: 'ALL:!aNULL:+HIGH:-SSLv3:!IDEA-CBC-SHA'
==

Actual results:

installer fails to apply configuration, errors out

[root@satellite6 ~]# satellite-installer
Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core/launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError)
/Stage[main]/Foreman_proxy::Plugin::Dynflow/Service[smart_proxy_dynflow_core]/ensure: change from stopped to running failed: Could not start Service[smart_proxy_dynflow_core]: Execution of '/sbin/service smart_proxy_dynflow_core start' returned 1: Starting smart_proxy_dynflow_core: /opt/theforeman/tfm/root/usr/share/gems/gems/smart_proxy_dynflow_core-0.1.3.2/lib/smart_proxy_dynflow_core/launcher.rb:87:in `https_app': undefined method `each' for "1.01.1":String (NoMethodError)


Installing             Done                                               [100%] [.........................................................................................................................................................]

Expected results:

option tls_disabled_versions: ['1.1'] is applied in the config files same way like on RHEL7

Additional info:

 HOSTNAME: satellite6.rhel6.tlstest
       OS: redhat
  RELEASE: Red Hat Enterprise Linux Server release 6.10 (Santiago)
  FOREMAN: 1.11.0.89
     RUBY: ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]
   PUPPET: 3.8.6
  DENIALS: 0
Comment 2 Stephen Benjamin 2018-07-05 10:07:05 EDT 
Ruby 1.8.7 is rather unintelligent in how in converts a YAML array to strings:


irb(main):007:0> yaml['foreman_proxy::plugin::dynflow::tls_disabled_versions'].to_s
=> "1.01.1"


To fix this bug permanently we would need to change how the puppet module handles the dynflow template to look like foreman proxy:

https://github.com/theforeman/puppet-foreman_proxy/blob/master/templates/settings.yml.erb#L46-L53


** WORKAROUND **

For Dynflow you can use this as a workaround for now:

  foreman_proxy::plugin::dynflow::tls_disabled_versions: ["['1.0', '1.1']"]
Comment 3 Rich Jerrido 2018-07-05 10:46:35 EDT 
Given the fact that 

- 6.2 is not the latest release of Satellite at this time, so short of extremely high severity bugs we are not adding new capabilities there. 
- this issue specifically affects _only_ RHEL6
- There is a sufficient workaround in comment #2
- The customer can (and should) upgrade to RHEL 6.3

Closing this BZ as WONTFIX. Please create a KCS article with the above workaround.
Comment 4 Stephen Benjamin 2018-07-05 10:50:43 EDT 
The other issue is that Ruby 1.8.7 doesn't include the masks for disabling TLS v1.1. These are defined in the OpenSSL header files, and pulled in by the ruby library.

See: https://github.com/ruby/ruby/blob/ruby_1_8_7/ext/openssl/ossl_ssl.c#L1474-L1476

We would need to monkey patch Ruby.  Users should move to RHEL 7 at the least, and ideally Satellite 6.3 as soon as possible.
Comment 5 Stephen Benjamin 2018-07-05 10:50:45 EDT 
The other issue is that Ruby 1.8.7 doesn't include the masks for disabling TLS v1.1. These are defined in the OpenSSL header files, and pulled in by the ruby library.

See: https://github.com/ruby/ruby/blob/ruby_1_8_7/ext/openssl/ossl_ssl.c#L1474-L1476

We would need to monkey patch Ruby.  Users should move to RHEL 7 at the least, and ideally Satellite 6.3 as soon as possible.
Comment 7 Michal Dekan 2018-07-05 11:22:44 EDT 
(In reply to Rich Jerrido from comment #3)
> Given the fact that 
> 
> - 6.2 is not the latest release of Satellite at this time, so short of
> extremely high severity bugs we are not adding new capabilities there. 
> - this issue specifically affects _only_ RHEL6
> - There is a sufficient workaround in comment #2
> - The customer can (and should) upgrade to RHEL 6.3
> 
> Closing this BZ as WONTFIX. Please create a KCS article with the above
> workaround.

Updated current https://access.redhat.com/solutions/26833 with this workaround for Satellite 6.2.15 running on RHEL6.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.