Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to pass custom environment variables to command in custom provider #9493

Closed
ekohl opened this issue Sep 30, 2024 · 1 comment
Closed

Unable to pass custom environment variables to command in custom provider #9493

ekohl opened this issue Sep 30, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@ekohl
Copy link
Contributor

ekohl commented Sep 30, 2024

Describe the Bug

In puppet-openssl we want to avoid passing variables on the command line because they'll be visible in the process list (like ps). OpenSSL provides a way to pass them as environment variables, but the API doesn't appear to allow this.

Expected Behavior

This is a very reduced version of x509_request:

Puppet::Type.type(:x509_request).provide(:openssl) do
  commands openssl: 'openssl'

  def create
    env = {}
    # actual options trimmed for brevity
    options = ['req']

    if resource[:password]
      options += ['-passin', 'env:CERTIFICATE_PASSIN']
      env['CERTIFICATE_PASSIN'] = resource[:password]
    end

    # This doesn't work as expected
    openssl options, { custom_environment: env }
  end
end

I'm not sure which API I'd actually expect. I copied custom_environment from Puppet::Util::Execution.execute, but I'd also be happy with a real keyword argument.

Steps to Reproduce

  1. Apply the code
  2. Note that the custom environment is actually passed as a command line option instead of an environment variable.

Environment

  • Puppet 8.9.0
  • Observed in my dev env, but also with acceptance tests on various distros using the AIO packages

Additional Context

I think the problem comes from this piece of code:

puppet/lib/puppet/provider/command.rb

Lines 21 to 26 in d0ec909

# @param args [Array<String>] Any command line arguments to pass to the executable
# @return The output from the command
def execute(*args)
resolved_executable = @resolver.which(@executable) or raise Puppet::MissingCommand, _("Command %{name} is missing") % { name: @name }
@executor.execute([resolved_executable] + args, @options)
end

It doesn't have any arguments to pass on. While there is a way to set a custom environment during initialization, that wouldn't work for things that are set via parameters (like in our case the instance's CSR password).

For now I'm working around it using execute:

execute([command('openssl')] + options, { failonfail: true, combine: true, custom_environment: env })
@ekohl ekohl added the bug Something isn't working label Sep 30, 2024
@ekohl ekohl mentioned this issue Oct 1, 2024
Merged
@joshcooper
Copy link
Contributor

Thanks for the detailed report @ekohl The commands metaprogramming has many shortcomings, as none of the execution options can be passed, such as sensitive: true Since there is a reasonable workaround of using the execute method, I'm going to close this as won't fix.

@joshcooper joshcooper closed this as not planned Won't fix, can't repro, duplicate, stale Oct 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ekohl @joshcooper