[Bug 224623] sysutils/puppet4: Ruby 2.3.6 Update breaks puppetmaster rc.d script

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Dec 27 23:28:38 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224623

            Bug ID: 224623
           Summary: sysutils/puppet4: Ruby 2.3.6 Update breaks
                    puppetmaster rc.d script
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: puppet at FreeBSD.org
          Reporter: rainbow at purlinux.org
             Flags: maintainer-feedback?(puppet at FreeBSD.org)

Due to this code ( https://bugs.ruby-lang.org/issues/14005 ) added to the Ruby
2.3.6 release and beyond, Webrick, the default HTTP daemon for Ruby processes,
cannot create OpenSSL connections using 1.0.2k-freebsd in Base.

While a separate issue is being looked into with Ruby upstream and hopefully
resolved, this is an opportunity for us to move towards our port being in
compliance with Puppet best practices.

The sysutils/puppet4 port currently relies on the system installation of Ruby,
which isn't a problem. However, we currently ship a "puppetmaster" rc.d script
with puppet4 that launches a webrick process instead of pointing folks to the
appropriate way to manage a puppetserver in production.

As is shown here ( 
https://puppet.com/docs/puppet/4.10/services_master_webrick.html#important-deprecation-warning
https://docs.puppet.com/puppet/4.1/deprecated_servers.html
), this method of running a puppet server is being deprecated upstream and soon
will no longer be functional even on the versions of Ruby puppet explicitly
tests with.

The way upstream suggests to work with puppet is via puppetserver: 
( https://docs.puppet.com/puppetserver/2.1/services_master_puppetserver.html )

While causing sysutils/puppet4 to rely on puppetserver is not ideal (though
that should be the default with sysutils/puppet5), it would be beneficial to
users of Puppet4 on FreeBSD to receive a message after installing the port or
package that provided some of the links above, and informed them that Puppet
Server was the way forward. In future releases, it may make sense to remove the
puppetmaster rc.d script entirely, but due to the upcoming (in the next few
years) deprecation of Puppet4 entirely, it may not make sense entirely to do
so, even with the script being broken after the current Ruby update.

With that being said, as it stands currently, puppetmaster is broken, and I
feel we should evaluate the benefits of including a message like the one
suggested above to inform users, as all current guides for deploying Puppet on
FreeBSD suggest the use of the puppetmaster rc.d script instead of installing
sysutils/puppetserver (which acts as a drop-in replacement for puppetmaster).


-----
Logs associated with the aforementioned failure
in: /var/log/puppet/masterhttp.log
--
[2017-12-25 21:30:26] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client hello B: unexpected record
        /usr/local/lib/ruby/site_ruby/2.3/puppet/network/http/webrick.rb:32:in `accept'
        /usr/local/lib/ruby/site_ruby/2.3/puppet/network/http/webrick.rb:32:in `block (2 levels) in listen'
        /usr/local/lib/ruby/2.3/webrick/server.rb:314:in `block in start_thread'

-----
System Information:
FreeBSD 11.1-RELEASE-p1 x64

puppet4-4.10.8
Name           : puppet4
Version        : 4.10.8
Installed on   : Mon Dec 25 21:06:47 2017 PST
Origin         : sysutils/puppet4

ruby-2.3.6,1
Name           : ruby
Version        : 2.3.6,1
Installed on   : Tue Dec 26 21:40:43 2017 PST
Origin         : lang/ruby23
