Bug #12155

Detection of minicurl and https is done in conflicting ways

Added by Florian Heigl 10 months ago. Updated 5 months ago.

Status: Released
Priority: N/A
Category: System techniques
Target version:
Severity: Major - prevents use of part of Rudder | no simple workaround
User visibility: Operational - other Techniques | Technique editor | Rudder settings
Effort required: Very Small
Priority: 76

Description

The system policies select http as protocol for AIX, and select minicurl if curl is not available.
minicurl is deployed without TLS support.

This means that on a system without curl, and not running AIX, rudder automatically selects to use minicurl, but via https, which rudder's minicurl does not support.

This means the system policies are not consistent in themselves.

Please ensure the conditions match up.
Please also verify if it was a conscious decision to miss TLS support in minicurl (for maintenance cost reasons, for example) or if "it's just not there because it's not there".

If it's intentionally missing, there should be no code path where rudder selects it for a https transfer.

EDIT (FAR): the point of that ticket is to make sure that minicurl is never selected in combination with HTTPS. Other evolution (like supporting curl+wget) will be done in other tickets.
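
The inconsistency reported above, reproduced as a small decision table. This is an added example, not Rudder's policy code: the function names, the OS strings and the fail-closed behaviour of `pick_tool_fixed` are assumptions, since the ticket only requires that minicurl is never paired with HTTPS.

```shell
#!/bin/sh
# Added illustration; OS and tool names are modelled as plain strings.

# Protocol choice as described in the ticket: http on AIX, https elsewhere.
pick_protocol() {  # $1 = os
    case "$1" in
        aix) echo http ;;
        *)   echo https ;;
    esac
}

# Tool choice as described in the ticket: curl if present, else minicurl.
# It never looks at the protocol, which is where the two rules diverge.
pick_tool_old() {  # $1 = has_curl (yes|no)
    if [ "$1" = yes ]; then echo curl; else echo minicurl; fi
}

# Assumed corrected choice: minicurl only for plain http, otherwise fail
# closed instead of attempting an https transfer without TLS support.
pick_tool_fixed() {  # $1 = has_curl, $2 = protocol
    if [ "$1" = yes ]; then echo curl
    elif [ "$2" = http ]; then echo minicurl
    else echo none; return 1
    fi
}

# Walk every (os, curl) combination and list those that end up as
# minicurl + https under the chosen selector ($1 = old|fixed).
conflicts() {
    for os in aix linux; do
        for has_curl in yes no; do
            proto=$(pick_protocol "$os")
            if [ "$1" = old ]; then
                tool=$(pick_tool_old "$has_curl")
            else
                tool=$(pick_tool_fixed "$has_curl" "$proto") || true
            fi
            if [ "$tool" = minicurl ] && [ "$proto" = https ]; then
                echo "$os/curl=$has_curl"
            fi
        done
    done
}

echo "old:   $(conflicts old)"
echo "fixed: $(conflicts fixed)"
```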


Subtasks

Bug #12951: Inventory is not sent if curl is not present - Released - François ARMAND

Associated revisions

Revision 85fa50a9 (diff)
Added by Benoît PECCATTE 6 months ago

Fixes #12155: Detection of minicurl and https is done in conflicting ways

History

#1 Updated by Florian Heigl 9 months ago

The thing missing is: LWP::Protocol::https
So, please find out why we don't have that in rudder's perl.

#2 Updated by François ARMAND 9 months ago

  • Target version set to 4.1.11
  • User visibility changed from Infrequent - complex configurations | third party integrations to Operational - other Techniques | Technique editor | Rudder settings
  • Priority changed from 41 to 52

Thanks for reporting. I'm setting it to "operational", as it is not infrequent (as soon as you use AIX, it breaks).

Florian, would you mind getting more information on your Rudder agent version on AIX?

I believe we corrected something on it recently, perhaps Nicolas/Benoit/Alexis would have an insight?

#4 Updated by Florian Heigl 9 months ago

Hi,

I'm hitting this during porting to new OS (Linux, Linaro) /HW (Embedded) combinations, simply by the fact that curl isn't installed.

It would be AIX related if the code were working the same way in both places ;-)
That's what the report is about, not the issue at hand.

#5 Updated by Florian Heigl 9 months ago

I just don't wanna have to fight against the system policies just because they're contradicting themselves. Once the intent is clear I can contribute something to work with that. As long as there's 3 undefined things (why this, why that) I can't get started.

#6 Updated by François ARMAND 9 months ago

Thanks, I understand better (and was corrected by Alexis on the fact that it actually works on AIX).

It was a decision to not support HTTPS in minicurl (because it should have been here just as a workaround, not as a full-blown solution, and most of the pain comes with supporting the "S" part of HTTPS).

So you are right, in NO case should we select minicurl when https is configured.

For the long-view part, we think more and more that minicurl was a bad idea. Most people can't afford HTTP-not-S, and we should not encourage them to do so (without knowing even less). Moreover, we are not really sure that the delta between having to maintain an HTTPS version of minicurl (and its dependencies) compared to just having a dependency on curl (even compiling curl if needed) is worth the time. So we are certainly removing minicurl in a future version.

In your use case, is it by will that curl is not installed on the embedded devices? Would you be OK with just HTTP-not-S on them?

#7 Updated by Florian Heigl 9 months ago

Thanks for the clarification, this helps a lot.

For my own case, I've asked if they can include curl in the OS and in parallel I was checking how much pain I'll have doing the same things using wget.
If I can make it work I'll send policy patches to support both.
I am not too happy to ask them to add curl when wget is already there, OTOH it is probably not that much work and only like a few KB extra weight.
More a political issue I'd say.

#8 Updated by François ARMAND 9 months ago

Supporting "curl | wget" could be an option - a better one than maintaining minicurl. Alexis and Benoit would be more insightful here, but the first is giving a course next week and the other is a young father out of office right now...

#9 Updated by Florian Heigl 9 months ago

Yeah I also think this is the way that helps Rudder the most, but a hard curl dependency could get the same result.
If I manage to provide some wget support, I'll make noise.

I would really appreciate if the detection (https/minicurl/aix) could be streamlined though.
Thinking of other cases like FreeBSD where I'm sure I'll also run into it, whenever I start on that again.

#10 Updated by François ARMAND 9 months ago

  • Description updated (diff)
  • Effort required set to Very Small
  • Priority changed from 52 to 80

I'm updating the ticket to clarify that this ticket is only to take care of the bad selection of minicurl+https in initial promises (and so it should be a small correction).

#11 Updated by Vincent MEMBRÉ 8 months ago

  • Target version changed from 4.1.11 to 4.1.12

#12 Updated by Benoît PECCATTE 8 months ago

  • Assignee set to Benoît PECCATTE
  • Priority changed from 80 to 79

#13 Updated by Vincent MEMBRÉ 7 months ago

  • Target version changed from 4.1.12 to 4.1.13
  • Priority changed from 79 to 78

#14 Updated by Benoît PECCATTE 7 months ago

  • Target version changed from 4.1.13 to 411

#15 Updated by Benoît PECCATTE 7 months ago

  • Target version changed from 411 to 4.1.13

#16 Updated by Benoît PECCATTE 6 months ago

  • Description updated (diff)

#17 Updated by Benoît PECCATTE 6 months ago

  • Status changed from New to In progress
  • Priority changed from 78 to 77

#18 Updated by Benoît PECCATTE 6 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Benoît PECCATTE to Alexis MOUSSET
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/1317

#19 Updated by Normation Quality Assistant 6 months ago

  • Assignee changed from Alexis MOUSSET to Benoît PECCATTE

#20 Updated by Benoît PECCATTE 6 months ago

  • Status changed from Pending technical review to Pending release

#21 Updated by Vincent MEMBRÉ 5 months ago

  • Status changed from Pending release to Released
  • Priority changed from 77 to 76

This bug has been fixed in Rudder 4.1.13, 4.2.7 and 4.3.3 which were released today.
