Puppet

Tracked this issue down to being caused by an older version of Ruby, specifically 1.8.1-7, which ships with RHEL4. The issue occurs in webrick/httprequest.rb where it fails to properly parse a double ampersand in a URL, such as the one generated by using a recursive file/directory and not setting some of the parameters, such as recurselimit. Here is an example of the url generated by the pluginsync option:

production/file_metadatas/plugins?recurse=true&&ignore=---+%0A++-+.svn%0A++-+CVS%0A++-+.git&links=manage

The double ampersand causes this error:

2010-09-08 14:56:01 ERROR 400: private method `gsub' called for nil:NilClass.

The —trace for this shows that it is an issue in ruby:

/usr/lib/ruby/1.8/webrick/httprequest.rb:342:in `parse_query'
/usr/lib/ruby/1.8/webrick/httprequest.rb:122:in `query'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick/rest.rb:16:in `params'
/usr/lib/site_ruby/1.8/puppet/network/http/handler.rb:64:in `process'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick/rest.rb:23:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:92:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:54:in `run'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:45:in `listen'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:42:in `call'
/usr/lib/ruby/1.8/webrick/server.rb:151:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:145:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:145:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:89:in `each'
/usr/lib/ruby/1.8/webrick/server.rb:89:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:79:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:79:in `start'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:42:in `listen'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:41:in `initialize'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:41:in `new'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:41:in `listen'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:38:in `synchronize'
/usr/lib/site_ruby/1.8/puppet/network/http/webrick.rb:38:in `listen'
/usr/lib/site_ruby/1.8/puppet/network/server.rb:131:in `listen'
/usr/lib/site_ruby/1.8/puppet/network/server.rb:146:in `start'
/usr/lib/site_ruby/1.8/puppet/daemon.rb:128:in `start'
/usr/lib/site_ruby/1.8/puppet/application/puppetmasterd.rb:122:in `main'
/usr/lib/site_ruby/1.8/puppet/application/puppetmasterd.rb:80:in `main'
/usr/lib/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/site_ruby/1.8/puppet/application.rb:217:in `exit_on_fail'
/usr/lib/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
err: private method `gsub' called for nil:NilClass

Testing with wget shows that if you remove the double ampersand, everything works fine (error caused by not using a proper SSL cert for the client, ignore it):

# wget -O- --no-check-certificate 'https://myserver:8140/production/file_metadatas/plugins?recurse=true&ignore=---+%0A++-+.svn%0A++-+CVS%0A++-+.git&links=manage'

2010-09-08 14:57:04 ERROR 403: Forbidden request: myserver(myip) access to /file_metadata/plugins [search] at line 93

Since older versions of ruby are supposed to be supported, this is a definite bug that should be addressed by sanitizing the URL that is sent to the puppetmaster. For normal recursive directories, this bug can be avoided by setting all parameters to sane values, since it is blank/nil values that are causing the problematic url. This mitigation is not available for things like pluginsync however, so it should be fixed in puppetd.

I’ve tested this bug on RHEL4 using puppetmaster 0.25.4-1 and 0.25.5-1. The issue goes away in RHEL5, however I only have systems that are running ruby 1.8.5-5, so I do not know exactly when this issue was corrected on that side.