ipa facts generate warning #296

Open
teluq-pbrideau opened this issue Jul 9, 2024 · 4 comments · May be fixed by #299

Comments

teluq-pbrideau commented Jul 9, 2024

I get the warning Facter: Execution of '/bin/klist -s' returned 1,

vagrant@host:~$ sudo -i
root@host:~# puppet agent -t
Info: Using environment 'dev'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Warning: Facter: Execution of '/bin/klist -s' returned 1: 
Notice: Requesting catalog from host.vagrant.example.com:8140 (10.0.0.10)
Notice: Catalog compiled by host.vagrant.example.com[...]

Would it be safe for me to add a kinit -k in my /root/.bash_profile to fix this? Never mind, the fact does not get populated when run via a service… How can I make this fact work?

root@host:~# puppet facts ipa
Warning: Facter: Execution of '/bin/klist -s' returned 1: 
{
  "ipa": ""
}
root@host:~# kinit -k
root@host:~# puppet facts ipa
{
  "ipa": {
    "basedn": "dc=vagrant,dc=example,dc=com",
    "connected": true,
    "domain": "vagrant.example.com",
    "realm": "VAGRANT.EXAMPLE.COM",
    "server": "host.vagrant.example.com",
    "tls_ca_cert": "/etc/ipa/ca.crt"
  }
}
@op-ct op-ct added this to Org Triage Jul 9, 2024
@silug silug moved this from New to Todo in Org Triage Jul 15, 2024
@nick-markowski
Member

The issue is that klist -s is evaluated with :failonfail defaulting to true, which ceases execution of the fact.

We should update the fact to:
klist_retval = Puppet::Util::Execution.execute("#{klist} -s", options = {:failonfail => false} )


teluq-pbrideau commented Dec 13, 2024

Thanks @nick-markowski, at least it won’t throw an error.

But even then, the fact will only be defined when it is run from a terminal with a Kerberos token pre-configured.
For example, this fact will never be defined when run from systemd. Therefore, it cannot be used at all in a manifest.

Is this really the use-case for this fact? Could there be a way for me to use this fact in a manifest if puppet is run via systemd?
edit: I’m dumb, didn’t read the code first

@nick-markowski
Member

@teluq-pbrideau I'm not sure I totally understand the issue. This fact is supplemental; the use-case for the fact is to scrape a pre-existing ipa connection for connection information, for use in services such as sssd, ssh, or custom manifests. With the fix I described in place, the fact should attempt to generate a Kerberos ticket if the cache is empty or expired. Running facter -p ipa or starting puppet from systemd should result in the ipa fact getting populated.
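The control flow described in the comment above, as an added example that is not part of the thread and not the simplib fact's own code: a non-zero exit from `klist -s` is treated as "no valid ticket" rather than as a failure, and `kinit -k` is tried next. It uses Ruby's `Open3` in place of `Puppet::Util::Execution` so it runs without Puppet; `exit_status`, `ensure_ticket` and `scripted_runner` are hypothetical names, and the scripted exit codes are constructed.

```ruby
require 'open3'

# Run argv without a shell and return the exit status instead of raising
# on a non-zero exit (the behaviour :failonfail => false asks Puppet for).
def exit_status(*argv)
  _output, status = Open3.capture2e(*argv)
  status.exitstatus
rescue SystemCallError
  127 # binary missing or not executable
end

# Returns :cached      when `klist -s` exits 0 (a valid ticket is cached),
#         :acquired    when the cache was empty or expired and `kinit -k`
#                      obtained a ticket from the host keytab,
#         :unavailable otherwise (no keytab, KDC unreachable, tools missing).
# `runner` is injectable so the logic can be exercised without Kerberos.
def ensure_ticket(klist: '/bin/klist', kinit: '/bin/kinit',
                  runner: method(:exit_status))
  # Exit 1 here is an expected state, not an error worth aborting on.
  return :cached if runner.call(klist, '-s').zero?
  return :unavailable unless runner.call(kinit, '-k').zero?

  # Re-check so callers only trust a ticket that klist can actually see.
  runner.call(klist, '-s').zero? ? :acquired : :unavailable
end

# Constructed stand-in for the Kerberos tools: replays scripted exit codes
# in order and records each command line it was asked to run.
def scripted_runner(codes, calls = [])
  lambda do |*argv|
    calls << argv.join(' ')
    codes.shift
  end
end

# Constructed scenario matching the issue: klist fails, kinit -k succeeds.
puts ensure_ticket(runner: scripted_runner([1, 0, 0]))
```

A caller would skip the connection lookup and leave the fact empty, without a warning, when the result is `:unavailable`.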

silug added a commit to silug/pupmod-simp-simplib that referenced this issue Dec 13, 2024
@silug silug linked a pull request Dec 13, 2024 that will close this issue
@teluq-pbrideau
Author

@nick-markowski Oh, sorry, you are 100% right. I assumed stuff and didn’t read the code. Thanks for the fix.
