Installing Gems on Windows With Puppet

In this post, we take a look at how to make changes to the Ruby runtime that ships with the Puppet Windows installer. Read on to find out more.


If you need to access or make changes to the Ruby runtime that ships with the Puppet Windows Installer Package (known as the MSI) to install Ruby gems, there are a couple of common ways:

  • Interactively, via the Start Command Prompt with Puppet shortcut and the gem install command. This tends to be used for testing, given changes impact only the current system.
  • By using the package type with the gem provider in a Puppet manifest, which may impact many systems: package { 'retries': provider => 'gem' }

This can be necessary to enable Puppet modules to function when those modules depend on code from a Ruby gem that is included with the puppet-agent MSI. This most commonly happens with the AWS, Azure, or vSphere modules.

You may have noticed that installing gems on Windows has been failing since October 6, 2016, when the RubyGems website upgraded its SSL certificate to a more secure format. The failures occur because the Root CA for the new certificate comes from a new issuer. Agents prior to puppet-agent 1.6.0 could be experiencing errors like this:

Error: Execution of 'C:/Program Files/Puppet Labs/Puppet/sys/ruby/bin/gem.bat install --no-rdoc --no-ri retries' returned 2: ERROR:  Could not find a valid gem 'retries' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
Error: /Stage[main]/Main/Package[retries]/ensure: change from absent to present failed: Execution of 'C:/Program Files/Puppet Labs/Puppet/sys/ruby/bin/gem.bat install --no-rdoc --no-ri retries' returned 2: ERROR:  Could not find a valid gem 'retries' (>= 0), here is why:
          Unable to download data from https://rubygems.org/ - SSL_connect returned=1 errno=0 state=error: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)

In the puppet-agent MSI prior to 1.6.0, the RubyGems included with the Puppet Ruby distribution uses a default configuration that trusts only six Root CAs. Unfortunately, the new CA, GlobalSign, is not among them. In puppet-agent 1.6.0 and newer, Puppet began shipping a CA bundle that includes the 150-plus trusted Root CAs derived from the actively maintained Mozilla list, and ensures that the OpenSSL that Ruby relies on is configured to use this bundle. Since the new issuing Root CA from GlobalSign has always been included in that bundle, 1.6.0+ agents are not impacted.

Fortunately, Puppet itself can be used to add the GlobalSign Root CA to the appropriate directory on older versions of Puppet using the following manifest:

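# Everything in the ruby fact's sitedir up to and including "/lib/ruby/"
$ruby_dir = regsubst($::ruby['sitedir'],'^(.*/lib/ruby/).*$','\1')
# The last path component of sitedir (the Ruby version directory)
$ruby_ver = regsubst($::ruby['sitedir'],'^.*/(.*)$','\1')
# Location of the Root CA file inside the RubyGems ssl_certs directory
$cert_path = "${ruby_dir}${ruby_ver}/rubygems/ssl_certs/GlobalSign_Root_CA-2.11.4.0.0.0.0.1.21.75.90.195.148.pem"

# Write the GlobalSign Root CA in PEM form to that location
file { $cert_path: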
  content => @(EOPEM)
    # alias="GlobalSign Root CA"
    # trust=CKA_TRUST_CODE_SIGNING CKA_TRUST_EMAIL_PROTECTION CKA_TRUST_SERVER_AUTH
    # distrust=
    # openssl-trust=codeSigning emailProtection serverAuth
    -----BEGIN CERTIFICATE-----
    MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
    A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
    b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
    MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
    YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
    aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
    jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
    xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
    1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
    snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
    U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
    9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
    BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
    AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
    yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
    38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
    AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
    DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
    HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
    -----END CERTIFICATE-----
    | EOPEM
}

# Make sure the certificate is in place before any gem package is installed
File[$cert_path] -> Package<| provider == gem |>

Note that for compatibility reasons, this manifest requires at least Puppet 3.5 (released in April 2014) to run. Upon removal or upgrade of the Puppet MSI, this file will remain in place.
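
The failure and the fix can be reproduced offline. The following Ruby sketch is an added example, not code from the original article, Puppet, or RubyGems: it models a trust store built only from the PEM files in one directory, as the article describes for rubygems/ssl_certs, and verifies a certificate before and after the issuing root is dropped in. The CA, the leaf certificate, the host name, and the file name are all constructed for the demonstration.

```ruby
require 'openssl'
require 'tmpdir'

# Build a short-lived certificate. Constructed test data, not a real CA.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  # Self-signed certs here act as roots; issued ones are end-entity certs.
  ca = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', ca, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Trust exactly the *.pem files in +dir+ and nothing else (no system store).
def verify_against_dir(dir, cert)
  store = OpenSSL::X509::Store.new
  Dir.glob(File.join(dir, '*.pem')).sort.each { |pem| store.add_file(pem) }
  [store.verify(cert), store.error_string]
end

# Returns the verification result before and after the root PEM is installed.
def demo
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('Constructed Root CA', root_key, 1)
  leaf = make_cert('gems.example.test', OpenSSL::PKey::RSA.new(2048), 2,
                   issuer: root, issuer_key: root_key)
  Dir.mktmpdir do |dir|
    before = verify_against_dir(dir, leaf)
    File.write(File.join(dir, 'Constructed_Root_CA.pem'), root.to_pem)
    [before, verify_against_dir(dir, leaf)]
  end
end

before, after = demo
puts "root absent:  verified=#{before[0]} (#{before[1]})"
puts "root present: verified=#{after[0]} (#{after[1]})"
```

The same pattern explains why the manifest orders the file resource before every gem package: until the root PEM exists in the directory, verification of the server's chain cannot succeed.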


Published at DZone with permission of Ethan Brown. See the original article here.
