Support IPv6 by default in Jetty
The equivalent "all" interface to `0.0.0.0` for IPv6 is `::`; this
_includes_ IPv4's `0.0.0.0`. In other words, this should be fully
backward compatible.

Signed-off-by: Jo Vandeginste <Jo.Vandeginste@kuleuven.be>
jovandeginste committed Nov 26, 2021
1 parent e478a5d commit 79ec355
Showing 10 changed files with 20 additions and 20 deletions.
6 changes: 3 additions & 3 deletions docker/puppetdb/conf.d/jetty.ini
Expand Up @@ -2,7 +2,7 @@
# IP address or hostname to listen for clear-text HTTP. To avoid resolution
# issues, IP addresses are recommended over hostnames.
# Default is `localhost`.
host = 0.0.0.0
host = ::

# Port to listen on for clear-text HTTP.
port = 8080
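Review bot: `host = ::` on the clear-text listener makes startup depend on the container having an IPv6 stack; on a host or container where IPv6 is disabled, a bind to `::` can fail where `0.0.0.0` succeeded, which the commit message's "fully backward compatible" does not cover. Either keep `0.0.0.0` in the Docker image or document the IPv6 requirement next to this setting. This is also the unencrypted port 8080, so packet-filter rules written only for IPv4 no longer cover every path to it.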
Expand All @@ -13,8 +13,8 @@ port = 8080

# IP address to listen on for HTTPS connections. Hostnames can also be used
# but are not recommended to avoid DNS resolution issues. To listen on all
# interfaces, use `0.0.0.0`.
# ssl-host = 0.0.0.0
# interfaces, use `::`.
# ssl-host = ::

# The port to listen on for HTTPS connections
# ssl-port = 8081
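Review bot: the rewritten comment above `# ssl-host = ::` now names `::` as the only way to listen on all interfaces and drops `0.0.0.0` entirely. Suggest documenting both values: `::` for IPv6 plus IPv4 on dual-stack hosts, and `0.0.0.0` for IPv4 only, so operators on IPv4-only systems still have a documented option. The same wording is repeated in resources/ext/config/conf.d/jetty.ini and documentation/configure.markdown.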
6 changes: 3 additions & 3 deletions documentation/configure.markdown
Expand Up @@ -623,7 +623,7 @@ The `[jetty]` section configures HTTP for PuppetDB.
Sets the IP interface to listen on for **unencrypted** HTTP
traffic. If not supplied, we bind to `localhost`, which will reject
connections from anywhere but the PuppetDB server itself. To listen on
all available interfaces, use `0.0.0.0`.
all available interfaces, use `::`.

To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname.

Expand Down Expand Up @@ -654,7 +654,7 @@ can be made at one time. Defaults to 50.

Sets which IP interface to listen on for **encrypted** HTTPS traffic. If
not supplied, we bind to `localhost`. To listen on all available
interfaces, use `0.0.0.0`.
interfaces, use `::`.

To avoid DNS resolution confusion, if you wish to set this to something other than `localhost`, we reccomend using an IP address instead of a hostname

Expand Down Expand Up @@ -821,7 +821,7 @@ Specifies the host or IP address for the REPL service to listen on. By
default this is `127.0.0.1` only. As this is an insecure channel this
is the only recommended setting for production environments.

If you wish to listen on all interfaces, you can specify `0.0.0.0`, for example, although this is generally not recommended for production.
If you wish to listen on all interfaces, you can specify `::`, for example, although this is generally not recommended for production.

## `[developer]` settings

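Review bot: the last changed line recommends `::` for the REPL host, but the commit is titled for Jetty and nothing in this diff shows that the REPL listener accepts an IPv6 wildcard. The paragraph above it still gives the default as `127.0.0.1` and calls the channel insecure, so please confirm the REPL binds `::` correctly before documenting it, and consider stating that the wildcard exposes the REPL on IPv6 addresses as well as IPv4.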
2 changes: 1 addition & 1 deletion documentation/load_testing_tool.markdown
Expand Up @@ -67,7 +67,7 @@ below.

* On the primary server, modify `/etc/puppetlabs/puppetdb/conf.d/jetty.ini`.
In the `[jetty]` section, set either:
* `host=0.0.0.0 # http access from all agents`
* `host=:: # http access from all agents`
* `host=<agent ip address> # access from specific agent`

* Install java on the agent
8 changes: 4 additions & 4 deletions documentation/release_notes_older.markdown
Expand Up @@ -1541,7 +1541,7 @@ For PostgreSQL consumers this means the extra `data` key needs to be traversed t

* Retire `facts.strip_internal` (terminus). ([PDB-971](https://tickets.puppetlabs.com/browse/PDB-971))

This patch adds a `maybe_strip_internal` method to Puppet::Node::Facts::Puppetdb
This patch adds a `maybe_strip_internal` method to Puppet0.0.0.0Node::Facts::Puppetdb
that will call `Facts#strip_internal` if the method exists, but Facts#values if
not. This will allow our terminus to remain backward compatible when Puppet
retires the `strip_internal` method and the `timestamp` fact.
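Review bot: the changed line turns `Puppet::Node::Facts::Puppetdb` into `Puppet0.0.0.0Node::Facts::Puppetdb`, which corrupts a Ruby class name; this looks like a search-and-replace run in the wrong direction over this file. All four changed lines in release_notes_older.markdown carry the same damage (`Puppet0.0.0.0Node`, `Puppet0.0.0.0Util`, `Puppet0.0.0.0Resource`), and none of them concerns a listen address. Please drop this file from the commit.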
Expand Down Expand Up @@ -3075,7 +3075,7 @@ Notable improvements and fixes:
The PuppetDB API specifies that it is JSON, so we should parse it as
that and not as PSON.

Some Puppet classes (Puppet::Node and Puppet::Node::Facts) don't
Some Puppet classes (Puppet0.0.0.0Node and Puppet::Node::Facts) don't
support JSON serialization, so continue to use PSON serialization
for them. In Puppet 3.4.0+ they have methods to do seralization in
other formats than PSON though, so when support for older versions
Expand All @@ -3085,7 +3085,7 @@ Notable improvements and fixes:

This patch adds some select profiling blocks to the PuppetDB terminus code.

The profiler is provided by puppet core from Puppet::Util::Puppetdb#profile,
The profiler is provided by puppet core from Puppet0.0.0.0Util::Puppetdb#profile,
which has recently become public for our use. We provide here in our own utils
library our own wrapper implementation that can be mixed in.

Expand Down Expand Up @@ -3688,7 +3688,7 @@ Notable features and improvements:
cache terminus, intercepting the first save request and storing the values
in PuppetDB.

* Avoid Array#find in Puppet::Resource::Catalog::Puppetdb#find_resource (Aman Gupta)
* Avoid Array#find in Puppet0.0.0.0Resource::Catalog::Puppetdb#find_resource (Aman Gupta)

This patch provides performance improvements in the terminus, during the
synthesize_edges stage. For example, in cases with 10,000 resource (with
4 changes: 2 additions & 2 deletions resources/ext/cli/ssl-setup.erb
Expand Up @@ -349,7 +349,7 @@ chown -R "$user:$group" "$ssl_dir"
if [ -f "$jettyfile" ] ; then
# Check settings are correct and fix or warn
settings=(
"ssl-host:0.0.0.0"
"ssl-host:::"
"ssl-port:8081"
"ssl-key:${private_file}"
"ssl-cert:${public_file}"
Expand Down Expand Up @@ -423,7 +423,7 @@ then
echo " [jetty]"
echo " #host = localhost"
echo " port = 8080"
echo " ssl-host = 0.0.0.0"
echo " ssl-host = ::"
echo " ssl-port = 8081"
echo " ssl-key = ${private_file}"
echo " ssl-cert = ${public_file}"
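Review bot: in the `settings` array changed earlier in this file, the new entry `"ssl-host:::"` packs a value made of colons into a `key:value` string whose separator is also a colon. The code that splits these entries is outside both hunks; please confirm it splits on the first colon only, otherwise the value read back for `ssl-host` will be empty or truncated and the "fix or warn" step will act on the wrong setting. With the expected value now `::`, that check presumably also flags existing installs that still have `ssl-host = 0.0.0.0`, which deserves a mention in the release notes.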
2 changes: 1 addition & 1 deletion resources/ext/config/conf.d/jetty.ini
Expand Up @@ -13,7 +13,7 @@ port = 8080

# IP address to listen on for HTTPS connections. Hostnames can also be used
# but are not recommended to avoid DNS resolution issues. To listen on all
# interfaces, use `0.0.0.0`.
# interfaces, use `::`.
# ssl-host = <host>

# The port to listen on for HTTPS connections
2 changes: 1 addition & 1 deletion resources/puppetlabs/puppetdb/benchmark/config.ini
Expand Up @@ -2,5 +2,5 @@
logging-config = resources/logback.xml

[jetty]
host = 0.0.0.0
host = ::
port = 8080
4 changes: 2 additions & 2 deletions test-resources/integration-puppetdb.conf
Expand Up @@ -19,10 +19,10 @@ nrepl: {
}

jetty: {
host: 0.0.0.0
host: ::
port: 0

ssl-host: 0.0.0.0
ssl-host: ::
ssl-port: 0 # filled out by the test harness

# Original settings
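Review bot: `host: ::` and `ssl-host: ::` are written unquoted in a file that uses `:` as its key/value separator. Unquoted HOCON strings may not contain `:`, so if this file is parsed as HOCON these values need quotes, `host: "::"`, as the Clojure test in this commit already does with `:ssl-host "::"`. The same unquoted form appears in test-resources/puppetserver/puppetserver.conf.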
4 changes: 2 additions & 2 deletions test-resources/puppetserver/puppetserver.conf
Expand Up @@ -12,9 +12,9 @@ webserver: {
access-log-config: ./dev/request-logging-dev.xml
client-auth: want
# ssl-host controls what networks the server will accept connections from.
# The default value below is '0.0.0.0', so will accept connections from
# The default value below is '::', so will accept connections from
# any client. For better security, you might wish to set this to 'localhost'.
ssl-host: 0.0.0.0
ssl-host: ::
#ssl-host: localhost
ssl-port: 8140
}
2 changes: 1 addition & 1 deletion test/puppetlabs/puppetdb/cli/services_test.clj
Expand Up @@ -214,7 +214,7 @@
(assoc :database *db*)
(assoc :jetty (merge cert-config
{:ssl-port 0
:ssl-host "0.0.0.0"
:ssl-host "::"
:ssl-protocols "TLSv1,TLSv1.1,TLSv1.2"}))
(assoc-in [:puppetdb :certificate-allowlist] (str allowlist-file)))
(fn []
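Review bot: the test config only swaps the literal to `:ssl-host "::"`; nothing in the ten changed files checks that an IPv4 client can still connect to a listener bound to `::`, which is the compatibility claim this commit rests on. Suggest a test that starts Jetty on `::` and connects over both `127.0.0.1` and `::1`. As written, the suite also needs IPv6 on the build host in order to bind at all.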

0 comments on commit 79ec355
