Bug #12155
Closed
Detection of minicurl and https is done in conflicting ways
Description
The system policies select http as protocol for AIX, and select minicurl if curl is not available.
minicurl is deployed without TLS support.
This means that on a system without curl, and not running AIX, rudder automatically selects to use minicurl, but via https, which rudder's minicurl does not support.
This means the system policies are not consistent in themselves.
Please ensure the conditions match up.
Please also verify if it was a conscious decision to miss TLS support in minicurl (for maintenance cost reasons, for example) or if "it's just not there because it's not there".
If it's intentionally missing, there should be no code path where rudder selects it for a https transfer.
EDIT (FAR): the point of that ticket is to make sure that minicurl is never selected in combination with HTTPS. Other evolutions (like supporting curl+wget) will be done in other tickets.
Updated by Florian Heigl almost 7 years ago
The thing missing is: LWP::Protocol::https
So, please find out why we don't have that in rudder's perl.
Updated by François ARMAND almost 7 years ago
- Target version set to 4.1.11
- User visibility changed from Infrequent - complex configurations | third party integrations to Operational - other Techniques | Technique editor | Rudder settings
- Priority changed from 41 to 52
Thanks for reporting. I'm setting it to "operational", as it is not infrequent (as soon as you use AIX, it breaks).
Florian, would you mind getting more information on your Rudder agent version on AIX?
I believe we corrected something on it recently, perhaps Nicolas/Benoit/Alexis would have an insight?
Updated by Florian Heigl almost 7 years ago
Hi,
I'm hitting this during porting to new OS (Linux, Linaro) /HW (Embedded) combinations, simply by the fact that curl isn't installed.
It would be AIX related if the code were working the same way in both places ;-)
That's what the report is about, not the issue at hand.
Updated by Florian Heigl almost 7 years ago
I just don't wanna have to fight against the system policies just because they're contradicting themselves. Once the intent is clear I can contribute something to work with that. As long as there's 3 undefined things (why this, why that) I can't get started.
Updated by François ARMAND almost 7 years ago
Thanks, I understand better (and was corrected by Alexis on the fact that it actually works on AIX).
It was a decision to not support HTTPS in minicurl (because it should have been here just as a workaround, not as a full-blown solution, and most of the pain comes with supporting the "S" part of HTTPS).
So you are right, in NO case should we select minicurl when https is configured.
For the long-view part, we think more and more that minicurl was a bad idea. Most people can't afford HTTP-not-S, and we should not encourage them to do so (without knowing even less). Moreover, we are not really sure that the delta between having to maintain a HTTPS version of minicurl (and its dependencies) compared to just having a dependency on curl (even compiling curl if needed) is worth the time. So we are certainly removing minicurl in a future version.
In your use case, is it by will that curl is not installed on the embedded devices? Would you be OK with just HTTP-not-S on them?
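The mismatch discussed so far in this ticket, as an added shell illustration (not Rudder's policy code; the function names are hypothetical): the first selector picks protocol and tool from unrelated conditions, the second lets minicurl's lack of TLS constrain the result. Failing outright when https is needed and curl is absent is an assumption of this sketch; the ticket only requires that the pair never be selected.

```shell
#!/bin/sh
# Added illustration; all names here are hypothetical, not Rudder's own.

# Conflicting form described in the ticket: protocol depends on the OS,
# tool depends on curl's presence, so "minicurl https" can come out.
select_conflicting() {  # $1 = os (aix|linux|...), $2 = curl present (yes|no)
    if [ "$1" = "aix" ]; then proto=http; else proto=https; fi
    if [ "$2" = "yes" ]; then tool=curl; else tool=minicurl; fi
    echo "$tool $proto"
}

# Consistent form: minicurl has no TLS support, so it is only ever
# paired with http. A host that needs https but has no curl gets an
# explicit failure instead of an unusable pair or a silent downgrade.
select_consistent() {   # same arguments
    if [ "$1" = "aix" ]; then proto=http; else proto=https; fi
    if [ "$2" = "yes" ]; then
        echo "curl $proto"
    elif [ "$proto" = "http" ]; then
        echo "minicurl http"
    else
        echo "error: https required but only minicurl (no TLS) is available" >&2
        return 1
    fi
}

# Exhaustive check over a constructed input space: returns 0 only if the
# given selector never yields "minicurl https".
never_minicurl_https() {  # $1 = selector function name
    for os in aix linux freebsd; do
        for has_curl in yes no; do
            out=$("$1" "$os" "$has_curl" 2>/dev/null) || continue
            if [ "$out" = "minicurl https" ]; then
                return 1
            fi
        done
    done
    return 0
}
```
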
Updated by Florian Heigl almost 7 years ago
Thanks for the clarification, this helps a lot.
For my own case, I've asked if they can include curl in the OS and in parallel I was checking how much pain I'll have doing the same things using wget.
If I can make it work I'll send policy patches to support both.
I am not too happy to ask them to add curl when wget is already there, OTOH it is probably not that much work and only like a few KB extra weight.
More a political issue I'd say.
Updated by François ARMAND almost 7 years ago
Supporting "curl | wget" could be an option - a better one than maintaining minicurl. Alexis and Benoit would be more insightful here, but the first is giving a course next week and the other is a young father out of office right now...
Updated by Florian Heigl almost 7 years ago
Yeah I also think this is the way that helps Rudder the most, but a hard curl dependency could get the same result.
If I manage to provide some wget support, I'll make noise.
I would really appreciate if the detection (https/minicurl/aix) could be streamlined though.
Thinking of other cases like FreeBSD where I'm sure I'll also run into it, whenever I start on that again.
Updated by François ARMAND almost 7 years ago
- Description updated (diff)
- Effort required set to Very Small
- Priority changed from 52 to 80
I'm updating the ticket to clarify that this ticket is only to take care of the bad selection of minicurl+https in initial promises (and so it should be a small correction).
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.1.11 to 4.1.12
Updated by Benoît PECCATTE over 6 years ago
- Assignee set to Benoît PECCATTE
- Priority changed from 80 to 79
Updated by Vincent MEMBRÉ over 6 years ago
- Target version changed from 4.1.12 to 4.1.13
- Priority changed from 79 to 78
Updated by Benoît PECCATTE over 6 years ago
- Target version changed from 4.1.13 to 411
Updated by Benoît PECCATTE over 6 years ago
- Target version changed from 411 to 4.1.13
Updated by Benoît PECCATTE over 6 years ago
- Status changed from New to In progress
- Priority changed from 78 to 77
Updated by Benoît PECCATTE over 6 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1317
Updated by Rudder Quality Assistant over 6 years ago
- Assignee changed from Alexis Mousset to Benoît PECCATTE
Updated by Benoît PECCATTE over 6 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-techniques|85fa50a9299f4b581d73892378f63522a01229c9.
Updated by Vincent MEMBRÉ over 6 years ago
- Status changed from Pending release to Released
- Priority changed from 77 to 76