Pull #19 causes Artifactory to restart every puppet run and restarting outside of puppet causes other issues

[mojibake-umd]

In 2.1.0 Puppet creates the etc/.secrets/.temp.db.properties file. Which triggers Artifactory service refresh, which Artifactory reads then deletes...next puppet run, etc/.secrets/.temp.db.properties files does not exist so puppet creates it and refreshes service causing restart.

Additionally if service is stopped and started by human etc/.secrets/.temp.db.properties does not exist, so etc/db.properties file is created if it does not exist and is configured to use Derby database.

Using 2.0.14 version of config.pp, can set db parameters and puppet will create etc/db.properties, then can unset parameters leaving db.properties unmanaged, and Artifactory can reset encrypted password as it pleases.

Artifactory Version: 6.10.3

[mojibake-umd]

To get around this issue in our wrapper module have the following.

file { '/opt/jfrog/artifactory/tomcat/lib/ojdbc8.jar':
    source => 'puppet:///modules/artifactory_umd/ojdbc8.jar',
    mode   => '0775',
    owner  => 'root',
  }

  $_dbpropchanges = {
    'type'     => 'oracle',
    'url'      => $db_url,
    'driver'   => 'oracle.jdbc.OracleDriver',
    'username' => $db_username,
    'password' => $db_password,
  }
  $dbpropchanges = $_dbpropchanges.reduce([]) | $memo, $value | {
    $memo + "set \"${value[0]}\" \"${value[1]}\""
  }
  augeas { 'db.properties':
    context => '/files/var/opt/jfrog/artifactory/etc/db.properties',
    incl    => '/var/opt/jfrog/artifactory/etc/db.properties',
    lens    => 'Properties.lns',
    changes => $dbpropchanges,
    onlyif  => 'match /files/var/opt/jfrog/artifactory/etc/db.properties/password size == 0',
    require => [Class['::artifactory_umd::install'],File['/opt/jfrog/artifactory/tomcat/lib/ojdbc8.jar']],
    notify  => Class['::artifactory::service'],
  }

Will see if I can work up a pull request so it would be useful for others, however this is the minimum to achieve what we needed with clean puppet runs after initial setup.

[cabrinha]

@mojibake-umd this should no longer be an issue as of Artifactory 6.6+

https://www.jfrog.com/confluence/display/RTF/Configuring+Security#ConfiguringSecurity-HardeningSecurityforSecrets

[mojibake-umd]

@cabrinha Thank you I read that page early.
However it does not resolve the issue with the puppet module, which is restarting Artifactory every puppet run because the temp file is recreated because Artifactory deleted after being restarted from last puppet run which triggers Artifactory to restart, repeating the cycle each puppet run (Every 30mins for us).

[cabrinha]

The creation of this file has no notify parameter assigned to it: https://github.com/autostructure/artifactory/blob/master/manifests/config.pp#L25

If puppet puts that file down, Artifactory should not be refreshed because of it. If the content changes, if the file exists or not, the Artifactory service should not be restarting.

Can you share the output of a puppet run that restarts the service?

[NicoVanWouwen]

Indeed there is no notify parameter assigned to the file but in the init.pp there is a notifying relation between the config and the service, so every change in the config results in a service restart.

[mojibake-umd]

I created #26 which does not fix this issue, but is related in that it does not use the temp file is use_temp_db_secrets is set to false.

[dploeger]

I fixed this in our fork by creating an external fact once the file has been written and checking that fact before creating the file again.

I haven't created a PR for this repository yet, because we have some other fixes in there and are currently waiting for puppetlabs/jdk to release a new version.

But maybe you find the patch useful.

[fraenki]

The module was (more or less officially) moved to https://github.com/fervidus/artifactory. That version contains fixes for all known issues and is also available on the Puppet Forge: https://forge.puppet.com/fervid/artifactory

[dploeger]

Oh, that is certainly not clear. Could you please add that info to this repo and their forge entries or is the original maintainer not available anymore?

[fraenki]

Could you please add that info to this repo and their forge entries or is the original maintainer not available anymore?

Unfortunately, I can't, because I'm not the owner of this or the other repo.
ping @bryanjbelanger

[bryanjbelanger]

I will deprecate this tonight. Sorry for the confusion everyone.

[dploeger]

@bryanjbelanger ping. 😃