openvpn facts not generated on server #352

Closed
jameskirsop opened this issue Sep 20, 2019 · 11 comments · Fixed by #424

Comments

@jameskirsop
Contributor

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

openvpn::server { 'nms':
	local => '',
	country => 'AU',
	province => 'NSW',
	city => 'Sydney',
	organization => 'xyx.com.au',
	email => '[email protected]',
	proto => 'udp',
	tls_server => true,
	topology => 'subnet',
	server => '169.254.0.0 255.255.255.0',
	crl_auto_renew => true,
	key_cn => 'openvpn.xyx.com.au',
	key_ou => 'DevOps',
	keepalive => '30 240',
	management => true,
	group => 'openvpn',
}

What are you seeing

Running $ facter openvpn returns no results

What behaviour did you expect instead

A number of openvpn facts to be returned

Output log

Any additional information you'd like to impart

I discovered this issue well after adding the group => 'openvpn' option to the server. I'm not sure if this is related, but I've now tried to deploy a new openvpn client node and discovered that no resources are being exported via https://github.com/voxpupuli/puppet-openvpn/blob/master/manifests/deploy/export.pp

This led me to investigate what facts were on the openvpn server node, and I discovered there were none.

Client configuration export was previously working, and the only changes I made from when I last successfully deployed a node to now (I think) was adding the management and group options.

Removing the group option doesn't seem to have remedied the issue (it has restored permissions to default of nobody), so I'm a bit confused.

Either way, I don't think it's ideal that this change broke the facts.

@Dan33l
Member

Dan33l commented Sep 20, 2019

I have not tested yet, but the patch added can easily break the custom fact because the code does not expect to be in this situation.

@jameskirsop
Contributor Author

@Dan33l I've been running with a patch to make this module work in CentOS for a year now with no trouble, and only recently did I try and make changes to the user/group configuration and notice that configurations weren't deploying - so I'm not convinced that the patch caused this issue.

Seems like we'll need to do some testing when we get a moment!!

@Dan33l
Member

Dan33l commented Sep 24, 2019

I confirm something is broken, at least with Puppet 5.5.16. On ubuntu1804 SUTs launched during acceptance, I confirm I am getting all custom facts empty.

root@vpnserver:/# facter -p --debug easyrsa        
2019-09-24 20:31:44.380701 INFO  puppetlabs.facter - executed with command line: --debug easyrsa.
2019-09-24 20:31:44.384523 INFO  leatherman.ruby:138 - ruby loaded from "/opt/puppetlabs/puppet/lib/libruby.so.2.4.5".
2019-09-24 20:31:44.387326 DEBUG leatherman.dynamic_library:77 - symbol rb_data_object_alloc not found in library /opt/puppetlabs/puppet/lib/libruby.so.2.4.5, trying alias rb_data_object_wrap.
2019-09-24 20:31:44.444258 INFO  leatherman.ruby:187 - using ruby version 2.4.5
2019-09-24 20:31:44.446750 INFO  puppetlabs.facter - requested queries: easyrsa.
2019-09-24 20:31:44.446812 DEBUG puppetlabs.facter - fact "facterversion" has resolved to "3.11.9".
2019-09-24 20:31:44.447142 DEBUG puppetlabs.facter - fact "aio_agent_version" has resolved to "5.5.16".
2019-09-24 20:31:44.447489 DEBUG leatherman.file_util:65 - Error reading file: No such file or directory
2019-09-24 20:31:44.448670 DEBUG puppetlabs.facter - loading all custom facts.
2019-09-24 20:31:44.448764 DEBUG puppetlabs.facter - loading custom fact directories from config file
2019-09-24 20:31:44.448847 DEBUG puppetlabs.facter - searching "/opt/puppetlabs/facter/facts.d" for external facts.
2019-09-24 20:31:44.449005 DEBUG puppetlabs.facter - skipping external facts for "/etc/facter/facts.d": No such file or directory
2019-09-24 20:31:44.449617 DEBUG puppetlabs.facter - skipping external facts for "/etc/puppetlabs/facter/facts.d": No such file or directory
2019-09-24 20:31:44.449671 DEBUG puppetlabs.facter - no external facts were found.
2019-09-24 20:31:44.449779 DEBUG puppetlabs.facter - fact "easyrsa" does not exist.

root@vpnserver:/# facter -p --debug openvpn
2019-09-24 20:32:43.043320 INFO  puppetlabs.facter - executed with command line: --debug openvpn.
2019-09-24 20:32:43.048132 INFO  leatherman.ruby:138 - ruby loaded from "/opt/puppetlabs/puppet/lib/libruby.so.2.4.5".
2019-09-24 20:32:43.050665 DEBUG leatherman.dynamic_library:77 - symbol rb_data_object_alloc not found in library /opt/puppetlabs/puppet/lib/libruby.so.2.4.5, trying alias rb_data_object_wrap.
2019-09-24 20:32:43.106646 INFO  leatherman.ruby:187 - using ruby version 2.4.5
2019-09-24 20:32:43.109422 INFO  puppetlabs.facter - requested queries: openvpn.
2019-09-24 20:32:43.109484 DEBUG puppetlabs.facter - fact "facterversion" has resolved to "3.11.9".
2019-09-24 20:32:43.109520 DEBUG puppetlabs.facter - fact "aio_agent_version" has resolved to "5.5.16".
2019-09-24 20:32:43.110135 DEBUG leatherman.file_util:65 - Error reading file: No such file or directory
2019-09-24 20:32:43.110657 DEBUG puppetlabs.facter - loading all custom facts.
2019-09-24 20:32:43.111394 DEBUG puppetlabs.facter - loading custom fact directories from config file
2019-09-24 20:32:43.111523 DEBUG puppetlabs.facter - searching "/opt/puppetlabs/facter/facts.d" for external facts.
2019-09-24 20:32:43.111615 DEBUG puppetlabs.facter - skipping external facts for "/etc/facter/facts.d": No such file or directory
2019-09-24 20:32:43.111964 DEBUG puppetlabs.facter - skipping external facts for "/etc/puppetlabs/facter/facts.d": No such file or directory
2019-09-24 20:32:43.111996 DEBUG puppetlabs.facter - no external facts were found.
2019-09-24 20:32:43.112078 DEBUG puppetlabs.facter - fact "openvpn" does not exist.

root@vpnserver:/# puppet --version
5.5.16

@Dan33l Dan33l added the bug Something isn't working label Sep 24, 2019
@Dan33l
Member

Dan33l commented Sep 24, 2019

It looks like something changed and the method used to get the fact is deprecated.

root@vpnserver:/etc/puppetlabs/code/modules/openvpn/lib/facter# puppet facts

[..8x..]

openvpn
    "openvpn": {
      "test_openvpn_server": {
        "vpnclienta": {
          "conf": "client\ndev tun\nproto tcp\nremote 172.17.0.4 1194\ncomp-lzo\nresolv-retry infinite\nauth-retry none\nnobind\npersist-key\npersist-tun\ncipher AES-256-CBC\ntls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA\nmute-replay-warnings\nns-cert-type server\nverb 3\nmute 20\n\n# Additional custom options\n\nca keys/vpnclienta/ca.crt\ncert keys/vpnclienta/vpnclienta.crt\nkey keys/vpnclienta/vpnclienta.key\n",
          "ca": "-----BEGIN CERTIFICATE-----\nMIIEMTCCAxmgAwIBAgIUC4lk7aeQw77JbMwFiwB8t/DcIZIwDQYJKoZIhvcNAQEL\nBQAwZjELMAkGA1UEBhMCQ08xCzAJBgNVBAgTAlNUMQ8wDQYDVQQHEwZBIGNpdHkx\nDDAKBgNVBAoTA0ZPTzEPMA0GA1UEAxMGRk9PIENBMRowGAYJKoZIhvcNAQkBFgti\nYXJAZm9vLm9yZzAeFw0xOTA5MjQyMDQyMDdaFw0yOTA5MjEyMDQyMDdaMGYxCzAJ\nBgNVBAYTAkNPMQswCQYDVQQIEwJTVDEPMA0GA1UEBxMGQSBjaXR5MQwwCgYDVQQK\nEwNGT08xDzANBgNVBAMTBkZPTyBDQTEaMBgGCSqGSIb3DQEJARYLYmFyQGZvby5v\ncmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkDbR7/2Ikoyy0JAYI\n7juJAzehoi7BJYLKeUgAg03eQaC4MjUQNuR/MDub4v/2YBPM9cHprAiOXJBXzru2\nrj588RswOA6LrrUa4yDMk9cDR8nvRtq9EGZi2VYdLqIHvbey6s8h4JdJkkEqDRBX\nQpT/Xx9SzPyfKBHFucz0O82tcOLQwT1BFRuhRvuFBl8gh79aCNCoUpwFexob4jHZ\nEY3xcZ0xasj62fxdpBTPT9wW6tnX9kwtm5VyLDdVSWghkjNGp3Y8l5sXSmxrrjxe\ncrX7IYxQCTHZ6gbb3gKTMiPsPhPSuhpBxCWxumnabNBPlEjCmQmo+/LqltWqlkSX\nMcVRAgMBAAGjgdYwgdMwHQYDVR0OBBYEFDaonXokO9vlaynEVotWW36522+hMIGj\nBgNVHSMEgZswgZiAFDaonXokO9vlaynEVotWW36522+hoWqkaDBmMQswCQYDVQQG\nEwJDTzELMAkGA1UECBMCU1QxDzANBgNVBAcTBkEgY2l0eTEMMAoGA1UEChMDRk9P\nMQ8wDQYDVQQDEwZGT08gQ0ExGjAYBgkqhkiG9w0BCQEWC2JhckBmb28ub3JnghQL\niWTtp5DDvslszAWLAHy38NwhkjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA\nA4IBAQC0obGYuYJF4Dt82X6NPCjtYW+LkX8s2kQDnFKMIIUi2IzRT55ynW4Pqn83\noAAeal5BK3hZQDY72XB8Lyp193ETxHYeI7kNlWneILTX0DYmEPzZ7/V17lcrL0cx\niIWwymDhx2gvDjBOSlCrSCkk+SRvA/oTrjAzq24NEU3k3D9EDHVXgj7cmOLQ7gNP\nrkWDsMWZBOFpBfK1BcvYssK15LHyZuNTQ9G3KJrpoAwVmolukBQwHXYkU3ss+Xs2\nxKPrLyK1HIyGybFFo0sDdVqIJmtgU6GjyJTjefQPmC6bBFkfjyt35MlSkMDl/5h3\ney/K+hdSqnKcYZ3xBX+IUyk5/n/D\n-----END CERTIFICATE-----\n",

[..8x..]

@Dan33l
Member

Dan33l commented Sep 24, 2019

@jameskirsop can you test the puppet facts command and confirm you get a value for the fact?

@jameskirsop
Contributor Author

jameskirsop commented Oct 1, 2019

@Dan33l, when I run puppet facts on the VPN client I recently built I get:

    "openvpn": {
    },

On the OpenVPN server I see similar results to yours above:

   "openvpn": {
      "vpnserver": {
        "vpnclient.local": {
          "conf": "client\ndev tun\nproto udp\nremote vpnserver 1194\ncomp-lzo\nresolv-retry infinite\nauth-retry none\nnobind\npersist-key\npersist-tun\ncipher AES-256-CBC\ntls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256\nmute-replay-warnings\nns-cert-type server\nverb 3\nmute 20\n\n# Additional custom options\n\nca keys/vpnclient.local/ca.crt\ncert keys/vpnclient.local/vpnclient.local.crt\nkey keys/vpnclient.local/vpnclient.local.key\n",
          "ca": "-----BEGIN CERTIFICATE-----\nMIIE0TCCA7mgAwIBAgIJAPp54vHmhTu3MA0GCSqGSIb3DQEBDQUAMIGcMQswCQYD\nVQQGEwJBVTEMMAoGA1UECAwDTlNXMQ8wDQYDVQQHDAZTeWRuZXkxFjAUBgNVBAoM\nDWRhcmFjby5jb20uYXUxDzANBgNVBAsMBkRldk9wczEaMBgGA1UEAwwRbm1zLmRh\ncmFjby5jb20uYXUxKTAnBgkqhkiG9w0BCQEWGnNlcnZlcmFsZXJ0c0BkYXJhY28u\nY29tLmF1MB4XDTE5MDUxNzAzMDc0MVoXDTI5MDUxNDAzMDc0MVowgZwxCzAJBgNV\nBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEWMBQGA1UECgwN\nZGFyYWNvLmNvbS5hdTEPMA0GA1UECwwGRGV2T3BzMRowGAYDVQQDDBFubXMuZGFy\nYWNvLmNvbS5hdTEpMCcGCSqGSIb3DQEJARYac2VydmVyYWxlcnRzQGRhcmFjby5j\nb20uYXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEbzg6t/jCeCFl\nUJRsEaDBdMbWcLgtfOB13dWO/3zKb618V2v/uakrBP4ziZAdV7xkEdM0YULdjG8e\n3IyIb8aU+J+zfu+j2kYYYNmq9eiK7H0qoy72uQjjf5D6cqanQqD1M5xrVAxSs0H2\n6KsVpwmu8qKuqrmKb3RxNueKArXyBvIUJNG3rKSQFqWrzYGe/Y6Nx7dydPY//Bp5\nvGJOtcc9VHGvDVZklFWtBIyn71cvIgqy2W+laONwqtn7ZLLtkqKKmSHVxO0sfJGP\nXG3SSv2amAm3JZ3A1vdGTy3/GejkrvSH5KEpwF9fd/MrNV964pA7aAUGjOIbHIEU\nFdbKtgdLAgMBAAGjggESMIIBDjAdBgNVHQ4EFgQUYLFk67QeXYzknSz9K/7oBwum\n9A4wgdEGA1UdIwSByTCBxoAUYLFk67QeXYzknSz9K/7oBwum9A6hgaKkgZ8wgZwx\nCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxDzANBgNVBAcMBlN5ZG5leTEWMBQG\nA1UECgwNZGFyYWNvLmNvbS5hdTEPMA0GA1UECwwGRGV2T3BzMRowGAYDVQQDDBFu\nbXMuZGFyYWNvLmNvbS5hdTEpMCcGCSqGSIb3DQEJARYac2VydmVyYWxlcnRzQGRh\ncmFjby5jb20uYXWCCQD6eeLx5oU7tzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIB\nBjANBgkqhkiG9w0BAQ0FAAOCAQEARIgSeEL3z9ZPRgdxS/H+pe6BazzTPckgqD+1\nJbnFpXx6DFKnhE5vMt7REeB21A036fO9LkdKPkzwbxNHkpRKRUUsD6EtWt/GjSht\nRSlNMAjPlVJYEm2tuv4H+Qyo108+jmuw2EHjYO3xmrU9Cx104Md9QRjjC438Hawj\nmYBWcfBZJIepGZf65+GVa3o4CzHMAc9q+0rOXhkG9I6Veguq1+j/ybId37t5R7FQ\n3KxFeMEZOtWaYhqqEhZ/Vfk0NGInRV5wywJRhnxXffKuXWuE9gNzLYI3wimBgm02\nam7g3ql+Dl8PMOAoCyhgxj2WvTJlC5gWp/43e/cWnRtscuLw3Q==\n-----END CERTIFICATE-----\n",
          "crt": "............",
          "key": "............"
        },

@Dan33l
Member

Dan33l commented Oct 1, 2019

The code of the fact openvpn does not expect to produce something on the client:
https://github.com/voxpupuli/puppet-openvpn/blob/master/lib/facter/openvpn.rb#L33

@jameskirsop
Contributor Author

Yeah, right.

So I guess the real question then is, why aren't exported resources being detected!!

@jameskirsop
Contributor Author

FWIW, 10 months later I've rebased my patch on master and I'm now seeing facts generated on the server.

However, my issue where clients aren't downloading their configuration remains.

@tomashejatko

Hi, it seems that the problem is on this line:

if fact("openvpn.${server}.${name}") {

When you replace

if fact("openvpn.${server}.${name}") {

with:

if $facts['openvpn'][$server][$name] {

It will work with Puppet6 on Ubuntu 18.04. I am going to fork this repo and will see if other problems pop up. If somebody is interested, you can try to merge this in the meantime. Thanks
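
Added example, not part of the thread or of the module's code: one way the two lookup forms above can differ. A dotted fact path splits on every dot, so a client name such as vpnclient.local (as in the fact output earlier in this issue) is read as two path segments, while bracket indexing uses the whole name as one key. The resolver `dotted_lookup` is a simplified, hypothetical stand-in rather than stdlib's `fact()` implementation, and the sample hash is constructed.

```ruby
# Constructed sample mirroring the fact layout shown in the thread
# (server name -> client name -> exported files); values are placeholders.
FACTS = {
  'openvpn' => {
    'vpnserver' => {
      'vpnclient.local' => { 'conf' => 'client', 'ca' => 'PLACEHOLDER' },
      'vpnclienta'      => { 'conf' => 'client', 'ca' => 'PLACEHOLDER' }
    }
  }
}.freeze

# Simplified dotted-path resolver (hypothetical helper): splits the path on
# dots, but keeps a double-quoted segment together as a single key.
def dotted_lookup(facts, path)
  segments = path.scan(/"([^"]*)"|([^."]+)/).map { |quoted, bare| quoted || bare }
  segments.reduce(facts) do |node, key|
    # Stop as soon as a segment is missing instead of raising on nil.
    return nil unless node.is_a?(Hash) && node.key?(key)
    node[key]
  end
end

# Bracket-style lookup: every key is used verbatim, dots included.
def bracket_lookup(facts, *keys)
  facts.dig(*keys)
end

# Build a dotted path that is safe for keys containing dots.
def quoted_path(*keys)
  keys.map { |k| k.include?('.') ? %("#{k}") : k }.join('.')
end

if __FILE__ == $PROGRAM_NAME
  server = 'vpnserver'
  %w[vpnclienta vpnclient.local].each do |name|
    naive  = dotted_lookup(FACTS, "openvpn.#{server}.#{name}")
    quoted = dotted_lookup(FACTS, quoted_path('openvpn', server, name))
    direct = bracket_lookup(FACTS, 'openvpn', server, name)
    puts format('%-16s naive=%-5s quoted=%-5s bracket=%-5s',
                name, !naive.nil?, !quoted.nil?, !direct.nil?)
  end
end
```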

@jameskirsop
Contributor Author

jameskirsop commented Mar 4, 2022

Deployed a new VPN server today on RHEL 8 using the latest release with no patches.

No facts are generated on the server - $ facter openvpn returns an empty result.

Update
I've discovered two issues with the current release when deploying on RHEL 8:

  1. The fact creation for the OpenVPN facts based on the case here:
    when 'RedHat'
    '/etc/openvpn'

    Doesn't work because of the addition of server to the path here:
    openvpn::server_directory: '/etc/openvpn/server'

    If I manually edit the Ruby facts template to append server to the path on Line 9, the fact creation works as expected.
  2. Once that edit has been in place, implementing the syntax change above by @tomashejatko then results in correct resolution of the fact and exports the file resources correctly.

From my reading of the latest code on master it seems like the first issue above will be resolved because we're moving to using Deferred to create resources (indeed, openvpn.rb no longer is present on master) and the second issue will go away because the conditional statement has been removed.

We'll need to have a fix for #421 before I'd be happy to consider this issue able to be closed.

@root-expert root-expert removed the bug Something isn't working label Mar 24, 2022