Detection of minicurl and https is done in conflicting ways
The system policies select http as protocol for AIX, and select minicurl if curl is not available.
minicurl is deployed without TLS support.
This means that on a system without curl, and not running AIX, rudder automatically selects to use minicurl, but via https, which rudder's minicurl does not support.
This means the system policies are not consistent in themselves.
Please ensure the conditions match up.
Please also verify if it was a conscious decision to miss TLS support in minicurl (for maintenance cost reasons, for example) or if "it's just not there because it's not there".
If it's intentionally missing, there should be no code path where rudder selects it for a https transfer.
EDIT (FAR): the point of that ticket is to make sure that minicurl is never selected in combination with HTTPS. Other evolutions (like supporting curl+wget) will be done in other tickets.
#2 Updated by François ARMAND 9 months ago
- Target version set to 4.1.11
- User visibility changed from Infrequent - complex configurations | third party integrations to Operational - other Techniques | Technique editor | Rudder settings
- Priority changed from 41 to 52
Thanks for reporting. I'm setting it to "operational", as it is not infrequent (as soon as you use AIX, it breaks).
Florian, would you mind getting more information on your Rudder agent version on AIX?
I believe we corrected something on it recently, perhaps Nicolas/Benoit/Alexis would have an insight?
#4 Updated by Florian Heigl 9 months ago
I'm hitting this during porting to new OS (Linux, Linaro) /HW (Embedded) combinations, simply by the fact that curl isn't installed.
It would be AIX related if the code were working the same way in both places ;-)
That's what the report is about, not the issue at hand.
#6 Updated by François ARMAND 9 months ago
Thanks, I understand better (and was corrected by Alexis on the fact that it actually works on AIX).
It was a decision to not support HTTPS in minicurl (because it should have been here just as a workaround, not as a full-blown solution, and most of the pain comes with supporting the "S" part of HTTPS).
So you are right, in NO case should we select minicurl when https is configured.
For the long-view part, we think more and more that minicurl was a bad idea. Most people can't afford HTTP-not-S, and we should not encourage them to do so (without knowing even less). Moreover, we are not really sure that the delta between having to maintain an HTTPS version of minicurl (and its dependencies) compared to just having a dependency on curl (even compiling curl if needed) is worth the time. So we are certainly removing minicurl in a future version.
In your use case, is it by will that curl is not installed on the embedded devices? Would you be OK with just HTTP-not-S on them?
#7 Updated by Florian Heigl 9 months ago
Thanks for the clarification, this helps a lot.
For my own case, I've asked if they can include curl in the OS and in parallel I was checking how much pain I'll have doing the same things using wget.
If I can make it work I'll send policy patches to support both.
I am not too happy to ask them to add curl when wget is already there, OTOH it is probably not that much work and only like a few KB extra weight.
More a political issue I'd say.
#9 Updated by Florian Heigl 9 months ago
Yeah I also think this is the way that helps Rudder the most, but a hard curl dependency could get the same result.
If I manage to provide some wget support, I'll make noise.
I would really appreciate if the detection (https/minicurl/aix) could be streamlined though.
Thinking of other cases like FreeBSD where I'm sure I'll also run into it, whenever I start on that again.
#10 Updated by François ARMAND 9 months ago
- Description updated (diff)
- Effort required set to Very Small
- Priority changed from 52 to 80
I'm updating the ticket to specify that this ticket is only to take care of the bad selection of minicurl+https in initial promises (and so it should be a small correction).
#18 Updated by Benoît PECCATTE 6 months ago
- Status changed from In progress to Pending technical review
- Assignee changed from Benoît PECCATTE to Alexis MOUSSET
- Pull Request set to https://github.com/Normation/rudder-techniques/pull/1317
#20 Updated by Benoît PECCATTE 6 months ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-techniques|85fa50a9299f4b581d73892378f63522a01229c9.
#21 Updated by Vincent MEMBRÉ 5 months ago
- Status changed from Pending release to Released
- Priority changed from 77 to 76
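The rule this ticket settles on (minicurl is never paired with HTTPS) can be expressed as one decision that looks at the configured protocol and the available clients together. The following is an added sketch in POSIX shell, not Rudder's policy code: `select_transfer` and its arguments are hypothetical names, and refusing instead of falling back to plain HTTP is an assumption of this example.

```shell
#!/bin/sh
# Added illustration, not Rudder's policy code; all names are hypothetical.
#
# select_transfer PROTOCOL HAVE_CURL HAVE_MINICURL
#   PROTOCOL : "http" or "https" (the protocol the policies configured)
#   HAVE_*   : "yes" or "no"
# Prints "<client> <protocol>" and returns 0 for a supported pair.
# Returns 1 with a reason on stderr otherwise. It never downgrades
# https to http, and never returns minicurl for https.
select_transfer() {
    proto=$1 have_curl=$2 have_minicurl=$3
    case $proto in
        http|https) ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    # curl handles both protocols, so it is always preferred.
    if [ "$have_curl" = yes ]; then
        echo "curl $proto"
        return 0
    fi
    # minicurl has no TLS support: acceptable for plain http only.
    if [ "$have_minicurl" = yes ] && [ "$proto" = http ]; then
        echo "minicurl http"
        return 0
    fi
    if [ "$proto" = https ]; then
        echo "https configured but curl is missing; refusing minicurl" >&2
    else
        echo "no download client available" >&2
    fi
    return 1
}

# Print the full decision table (constructed inputs, no system probing).
for proto in http https; do
    for curl in yes no; do
        for mini in yes no; do
            if out=$(select_transfer "$proto" "$curl" "$mini" 2>/dev/null); then
                echo "$proto curl=$curl minicurl=$mini -> $out"
            else
                echo "$proto curl=$curl minicurl=$mini -> REFUSED"
            fi
        done
    done
done
```

On a real host the two availability flags would come from a probe such as `command -v curl`; the case reported here (https, no curl, minicurl present) ends in a refusal with a clear message instead of a failed transfer.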