From e478a5d75effa39867c3633b027974beaed99aee Mon Sep 17 00:00:00 2001 From: Jo Vandeginste Date: Fri, 26 Nov 2021 10:51:36 +0100 Subject: [PATCH 1/2] Use a netcat with IPv6 support Traditional `netcat` has no support for IPv6. Support is implemented in `netcat-openbsd`, which should also be backward compatible. Signed-off-by: Jo Vandeginste --- docker/puppetdb/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/puppetdb/Dockerfile b/docker/puppetdb/Dockerfile index 2b992fe9db..3342e03afb 100644 --- a/docker/puppetdb/Dockerfile +++ b/docker/puppetdb/Dockerfile @@ -69,7 +69,7 @@ COPY docker/puppetdb/docker-entrypoint.d /docker-entrypoint.d # hadolint ignore=DL3009 RUN apt-get update && \ - apt-get install --no-install-recommends -y ca-certificates curl dnsutils netcat && \ + apt-get install --no-install-recommends -y ca-certificates curl dnsutils netcat-openbsd && \ chmod +x /ssl.sh /wtfc.sh /docker-entrypoint.sh /healthcheck.sh /docker-entrypoint.d/*.sh && \ dpkg -i dumb-init_"$DUMB_INIT_VERSION"_amd64.deb From 42021d3cddebdc6db3b67d712fe3dab142b3fc86 Mon Sep 17 00:00:00 2001 From: Jo Vandeginste Date: Fri, 26 Nov 2021 11:04:34 +0100 Subject: [PATCH 2/2] Support IPv6 by default in Jetty The equivalent "all" interface to `0.0.0.0` for IPv6 is `::`; this _includes_ IPv4's `0.0.0.0`. In other words, this should be fully backward compatible. Signed-off-by: Jo Vandeginste --- docker/puppetdb/conf.d/jetty.ini | 6 +++--- documentation/configure.markdown | 6 +++--- documentation/load_testing_tool.markdown | 2 +- resources/ext/cli/ssl-setup.erb | 4 ++-- resources/ext/config/conf.d/jetty.ini | 2 +- resources/puppetlabs/puppetdb/benchmark/config.ini | 2 +- test-resources/integration-puppetdb.conf | 4 ++-- test-resources/puppetserver/puppetserver.conf | 4 ++-- test/puppetlabs/puppetdb/cli/services_test.clj | 2 +- 9 files changed, 16 insertions(+), 16 deletions(-) 
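Review bot: The `nc` invocations in `/wtfc.sh` and `/healthcheck.sh` (the scripts made executable on the line after the changed one) are not visible here, and `netcat-openbsd` rejects or reinterprets several netcat-traditional options (`-e`/`-c`, the `-q` timeout semantics), so the "backward compatible" claim in the message should be verified against those scripts before merging. It is also worth confirming that the health/wait probe actually exercises IPv6 (`nc -6` or a `::1` target) rather than only the package having IPv6 capability, since the second patch makes `::` the default bind address. The `apt-get install` line remains unpinned (hadolint DL3008), which this hunk inherits rather than introduces.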
diff --git a/docker/puppetdb/conf.d/jetty.ini b/docker/puppetdb/conf.d/jetty.ini index d30cfd0ecb..82b9fcb1a4 100644 --- a/docker/puppetdb/conf.d/jetty.ini +++ b/docker/puppetdb/conf.d/jetty.ini @@ -2,7 +2,7 @@ # IP address or hostname to listen for clear-text HTTP. To avoid resolution # issues, IP addresses are recommended over hostnames. # Default is `localhost`. -host = 0.0.0.0 +host = :: # Port to listen on for clear-text HTTP. port = 8080 @@ -13,8 +13,8 @@ port = 8080 # IP address to listen on for HTTPS connections. Hostnames can also be used # but are not recommended to avoid DNS resolution issues. To listen on all -# interfaces, use `0.0.0.0`. -# ssl-host = 0.0.0.0 +# interfaces, use `::`. +# ssl-host = :: # The port to listen on for HTTPS connections # ssl-port = 8081 diff --git a/documentation/configure.markdown b/documentation/configure.markdown index aa6d73e8ab..e7c8fcb557 100644 --- a/documentation/configure.markdown +++ b/documentation/configure.markdown @@ -623,7 +623,7 @@ The `[jetty]` section configures HTTP for PuppetDB. Sets the IP interface to listen on for **unencrypted** HTTP traffic. If not supplied, we bind to `localhost`, which will reject connections from anywhere but the PuppetDB server itself. To listen on -all available interfaces, use `0.0.0.0`. +all available interfaces, use `::`. To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname. @@ -654,7 +654,7 @@ can be made at one time. Defaults to 50. Sets which IP interface to listen on for **encrypted** HTTPS traffic. If not supplied, we bind to `localhost`. To listen on all available -interfaces, use `0.0.0.0`. +interfaces, use `::`. To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname 
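Review bot: `host = ::` only also accepts IPv4 clients when the socket is dual-stack, which depends on the host's `net.ipv6.bindv6only` / `IPV6_V6ONLY` setting and on the JVM not running with `-Djava.net.preferIPv4Stack=true`; on a container or host with IPv6 disabled the bind fails outright, whereas `0.0.0.0` always worked, so "fully backward compatible" in the message is conditional. Binding the IPv6 wildcard also exposes the unauthenticated clear-text port 8080 on every IPv6 address of the host, which IPv4-only firewall rules (iptables without an ip6tables counterpart) will not cover. I would add a comment above the setting: `# :: is dual-stack (IPv4 + IPv6) on most Linux hosts; use 0.0.0.0 if IPv6 is disabled, and mirror any IPv4 firewall rules for IPv6.`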
@@ -821,7 +821,7 @@ Specifies the host or IP address for the REPL service to listen on. By default this is `127.0.0.1` only. As this is an insecure channel this is the only recommended setting for production environments. -If you wish to listen on all interfaces, you can specify `0.0.0.0`, for example, although this is generally not recommended for production. +If you wish to listen on all interfaces, you can specify `::`, for example, although this is generally not recommended for production. ## `[developer]` settings diff --git a/documentation/load_testing_tool.markdown b/documentation/load_testing_tool.markdown index b7da114eee..6b03fe48e5 100644 --- a/documentation/load_testing_tool.markdown +++ b/documentation/load_testing_tool.markdown @@ -67,7 +67,7 @@ below. * On the primary server, modify `/etc/puppetlabs/puppetdb/conf.d/jetty.ini`. In the `[jetty]` section, set either: - * `host=0.0.0.0 # http access from all agents` + * `host=:: # http access from all agents` * `host= # access from specific agent` * Install java on the agent diff --git a/resources/ext/cli/ssl-setup.erb b/resources/ext/cli/ssl-setup.erb index 2877a8b742..fc5e57ee21 100644 --- a/resources/ext/cli/ssl-setup.erb +++ b/resources/ext/cli/ssl-setup.erb @@ -349,7 +349,7 @@ chown -R "$user:$group" "$ssl_dir" if [ -f "$jettyfile" ] ; then # Check settings are correct and fix or warn settings=( - "ssl-host:0.0.0.0" + "ssl-host:::" "ssl-port:8081" "ssl-key:${private_file}" "ssl-cert:${public_file}" @@ -423,7 +423,7 @@ then echo " [jetty]" echo " #host = localhost" echo " port = 8080" - echo " ssl-host = 0.0.0.0" + echo " ssl-host = ::" echo " ssl-port = 8081" echo " ssl-key = ${private_file}" echo " ssl-cert = ${public_file}" diff --git a/resources/ext/config/conf.d/jetty.ini b/resources/ext/config/conf.d/jetty.ini index 46e893415e..d080c19121 100644 --- a/resources/ext/config/conf.d/jetty.ini +++ b/resources/ext/config/conf.d/jetty.ini 
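Review bot: The new `"ssl-host:::"` entry in the `settings` array is ambiguous for whatever splits these `key:value` strings: a `${s%%:*}`/`${s#*:}` split yields `ssl-host` / `::`, but `cut -d: -f2` or an `IFS=:` read yields an empty value, in which case the check would either never match or rewrite `ssl-host` to an empty string. The parsing code is outside this hunk (the `if [ -f "$jettyfile" ]` block continues past it), so confirm it splits on the first colon only, or use a separator that cannot occur in a value, e.g. `"ssl-host=::"`. The generated config echoed in the second hunk should also carry the same caveat as the documentation: `::` widens the HTTPS listener to all IPv6 addresses and fails to bind on IPv6-disabled hosts.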
@@ -13,7 +13,7 @@ port = 8080 # IP address to listen on for HTTPS connections. Hostnames can also be used # but are not recommended to avoid DNS resolution issues. To listen on all -# interfaces, use `0.0.0.0`. +# interfaces, use `::`. # ssl-host = # The port to listen on for HTTPS connections diff --git a/resources/puppetlabs/puppetdb/benchmark/config.ini b/resources/puppetlabs/puppetdb/benchmark/config.ini index 376ad7d063..ebf5e7deb5 100644 --- a/resources/puppetlabs/puppetdb/benchmark/config.ini +++ b/resources/puppetlabs/puppetdb/benchmark/config.ini @@ -2,5 +2,5 @@ logging-config = resources/logback.xml [jetty] -host = 0.0.0.0 +host = :: port = 8080 diff --git a/test-resources/integration-puppetdb.conf b/test-resources/integration-puppetdb.conf index 9f9dc2f055..33c60c7707 100644 --- a/test-resources/integration-puppetdb.conf +++ b/test-resources/integration-puppetdb.conf @@ -19,10 +19,10 @@ nrepl: { } jetty: { - host: 0.0.0.0 + host: :: port: 0 - ssl-host: 0.0.0.0 + ssl-host: :: ssl-port: 0 # filled out by the test harness # Original settings diff --git a/test-resources/puppetserver/puppetserver.conf b/test-resources/puppetserver/puppetserver.conf index 817d45e35b..001ea6ab8b 100644 --- a/test-resources/puppetserver/puppetserver.conf +++ b/test-resources/puppetserver/puppetserver.conf @@ -12,9 +12,9 @@ webserver: { access-log-config: ./dev/request-logging-dev.xml client-auth: want # ssl-host controls what networks the server will accept connections from. - # The default value below is '0.0.0.0', so will accept connections from + # The default value below is '::', so will accept connections from # any client. For better security, you might wish to set this to 'localhost'. - ssl-host: 0.0.0.0 + ssl-host: :: #ssl-host: localhost ssl-port: 8140 } diff --git a/test/puppetlabs/puppetdb/cli/services_test.clj b/test/puppetlabs/puppetdb/cli/services_test.clj index 938880087e..9c74e16c17 100644 --- a/test/puppetlabs/puppetdb/cli/services_test.clj 
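Review bot: The fixtures in `test-resources/integration-puppetdb.conf` and `test-resources/puppetserver/puppetserver.conf` now bind Jetty to `::`, which Java cannot bind when the kernel has IPv6 disabled (common in CI containers, and always under `-Djava.net.preferIPv4Stack=true`), whereas `0.0.0.0` bound everywhere; unless the test environment is known to have IPv6, these tests will fail with a bind error rather than exercise IPv6. Since the harness fills in ephemeral ports and nothing needs a remotely reachable listener, `localhost` is the safer fixture value, as the `puppetserver.conf` comment itself recommends. The rewritten comment `# The default value below is '::', so will accept connections from any client` also overstates the case: on a non-dual-stack host `::` does not accept IPv4 clients.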
+++ b/test/puppetlabs/puppetdb/cli/services_test.clj @@ -214,7 +214,7 @@ (assoc :database *db*) (assoc :jetty (merge cert-config {:ssl-port 0 - :ssl-host "0.0.0.0" + :ssl-host "::" :ssl-protocols "TLSv1,TLSv1.1,TLSv1.2"})) (assoc-in [:puppetdb :certificate-allowlist] (str allowlist-file))) (fn []