|
| 1 | +--- |
| 2 | +title: "Subsystems: Agent/server HTTPS communications" |
| 3 | +layout: default |
| 4 | +--- |
| 5 | + |
| 6 | +[http_api]: http_api/http_api_index.html |
| 7 | +[authconf]: config_file_auth.html |
| 8 | +[facts]: lang_variables.html#facts-and-built-in-variables |
| 9 | +[catalog]: lang_summary.html#compilation-and-catalogs |
| 10 | +[file]: type.html#file |
| 11 | +[static]: indirection.html#catalog |
| 12 | +[keepalive_setting]: configuration.html#httpkeepalivetimeout |
| 13 | + |
| 14 | +OpenVox agent and OpenVox Server communicate via mutually authenticated HTTPS using client |
| 15 | +certificates. |
| 16 | + |
| 17 | +The available HTTPS endpoints are detailed in the [HTTP API reference][http_api]. Access to each |
| 18 | +endpoint is controlled by [auth.conf][authconf] settings. |
| 19 | + |
| 20 | +## Persistent HTTP and HTTPS connections and Keep-Alive |
| 21 | + |
| 22 | +When acting as an HTTPS client, OpenVox reuses connections by sending `Connection: Keep-Alive` |
| 23 | +in HTTP requests. This reduces transport layer security (TLS) overhead, improving performance |
| 24 | +for runs with dozens of HTTPS requests. |
| 25 | + |
| 26 | +You can configure the Keep-Alive duration using the [`http_keepalive_timeout` |
| 27 | +setting][keepalive_setting], but it must be shorter than the maximum keepalive allowed by the |
| 28 | +OpenVox Server web server. |
| 29 | + |
| 30 | +OpenVox caches HTTP connections and verified HTTPS connections. If you specify a custom HTTP |
| 31 | +connection class, OpenVox does not cache the connection. |
| 32 | + |
| 33 | +OpenVox always requests that a connection be kept open, but the server can choose to close the |
| 34 | +connection by sending `Connection: close` in the HTTP response. If that occurs, OpenVox does not |
| 35 | +cache the connection and starts a new connection for its next request. |
| 36 | + |
| 37 | +## Diagram |
| 38 | + |
| 39 | +This sequence diagram illustrates the HTTPS requests an OpenVox agent makes to the OpenVox Server |
| 40 | +during a single agent run. See the sections below for a detailed description of each step. |
| 41 | + |
| 42 | +```mermaid |
| 43 | +sequenceDiagram |
| 44 | + participant A as OpenVox Agent |
| 45 | + participant S as OpenVox Server |
| 46 | +
|
| 47 | + Note over A: 1. Check for keys and certificates |
| 48 | +
|
| 49 | + A->>S: GET /puppet/v3/node/NAME |
| 50 | + S-->>A: 2. Node object (environment) |
| 51 | +
|
| 52 | + A->>S: GET /puppet/v3/file_metadatas/plugins |
| 53 | + S-->>A: 3. Plugin metadata |
| 54 | + A->>S: GET /puppet/v3/file_content/plugins/FILE |
| 55 | + S-->>A: Plugin files |
| 56 | +
|
| 57 | + A->>S: POST /puppet/v3/catalog/NAME (facts as JSON) |
| 58 | + S-->>A: 4. Compiled catalog |
| 59 | +
|
| 60 | + A->>S: GET /puppet/v3/file_metadata/PATH |
| 61 | + S-->>A: 5. File metadata |
| 62 | + A->>S: GET /puppet/v3/file_content/PATH |
| 63 | + S-->>A: File content |
| 64 | +
|
| 65 | + A->>S: PUT /puppet/v3/report/NAME |
| 66 | + Note over S: 6. Report stored |
| 67 | +``` |
| 68 | + |
| 69 | +## The process of Agent-side checks and HTTPS requests during a single agent run |
| 70 | + |
| 71 | +1. **Check for keys and certificates:** |
| 72 | + |
| 73 | + a. The agent downloads the CA (Certification Authority) bundle. |
| 74 | + |
| 75 | + b. If certificate revocation is enabled, the agent loads or downloads the Certificate |
| 76 | + Revocation List (CRL) bundle using the previous CA bundle to verify the connection. |
| 77 | + |
| 78 | + c. The agent loads or generates a private key. If the agent needs a certificate, it generates |
| 79 | + a Certificate Signing Request (CSR), including any `dns_alt_names` and `csr_attributes`, |
| 80 | + and submits the request using `PUT /puppet-ca/v1/certificate_request/:certname`. |
| 81 | + |
| 82 | + d. The agent attempts to download the signed certificate using |
| 83 | + `GET /puppet-ca/v1/certificate/:certname`. |
| 84 | + |
| 85 | + * If there is a conflict that must be resolved on the OpenVox Server, such as cleaning the |
| 86 | + old CSR or certificate, the agent sleeps for `waitforcert` seconds, or exits with `1` if |
| 87 | + waiting is not allowed, such as when running `puppet agent -t`. |
| 88 | + |
| 89 | + > **Tip:** This can happen if the agent's SSL directory is deleted, as the OpenVox Server |
| 90 | + > still has the valid, unrevoked certificate. |
| 91 | +
|
| 92 | + * If the downloaded certificate fails verification — for example, if it does not match its |
| 93 | + private key — OpenVox discards the certificate. The agent sleeps for `waitforcert` |
| 94 | + seconds, or exits with `1` if waiting is not allowed, such as when running |
| 95 | + `puppet agent -t`. |
| 96 | + |
| 97 | +2. **Request a node object and switch environments:** |
| 98 | + |
| 99 | + Do a GET request to `/puppet/v3/node/<NAME>`. |
| 100 | + |
| 101 | + * If the request is successful, read the environment from the node object. If the node object |
| 102 | + has an environment, use that environment instead of the one in the agent's config file in all |
| 103 | + subsequent requests during this run. |
| 104 | + * If the request is unsuccessful, or if the node object had no environment set, use the |
| 105 | + environment from the agent's config file. |
| 106 | + |
| 107 | +3. **If `pluginsync` is enabled on the agent, fetch plugins** from a file server mountpoint that |
| 108 | + scans the `lib` directory of every module: |
| 109 | + |
| 110 | + * Do a GET request to `/puppet/v3/file_metadatas/plugins` with `recurse=true` and |
| 111 | + `links=manage`. |
| 112 | + * Check whether any of the discovered plugins need to be downloaded. If so, do a GET request |
| 113 | + to `/puppet/v3/file_content/plugins/<FILE>` for each one. |
| 114 | + |
| 115 | +4. **Request catalog while submitting facts:** |
| 116 | + |
| 117 | + Do a POST request to `/puppet/v3/catalog/<NAME>`, where the post data is all of the node's |
| 118 | + [facts][] encoded as JSON. Receive a compiled [catalog][] in return. |
| 119 | + |
| 120 | + > **Note:** Submitting facts isn't logically bound to requesting a catalog. For more |
| 121 | + > information about facts, see [Language: Facts and built-in variables][facts]. |
| 122 | +
|
| 123 | +5. **Make file source requests while applying the catalog:** |
| 124 | + |
| 125 | + [File][] resources can specify file contents as either a `content` or `source` attribute. |
| 126 | + Content attributes go into the catalog, and the agent needs no additional data. Source |
| 127 | + attributes put only references into the catalog and might require additional HTTPS requests. |
| 128 | + |
| 129 | + * If you are using the normal compiler, then for each file source, the agent makes a GET |
| 130 | + request to `/puppet/v3/file_metadata/<SOMETHING>` and compares the metadata to the state |
| 131 | + of the file on disk. |
| 132 | + * If it is in sync, it continues on to the next file source. |
| 133 | + * If it is out of sync, it does a GET request to `/puppet/v3/file_content/<SOMETHING>` for |
| 134 | + the content. |
| 135 | + * If you are using the [static compiler][static], all file metadata is embedded in the |
| 136 | + catalog. For each file source, the agent compares the embedded metadata to the state of the |
| 137 | + file on disk. |
| 138 | + * If it is in sync, it continues on to the next file source. |
| 139 | + * If it is out of sync, it does a GET request to |
| 140 | + `/puppet/v3/file_bucket_file/md5/<CHECKSUM>` for the current content. |
| 141 | + |
| 142 | + The static compiler is cheaper in terms of network traffic, but potentially more expensive |
| 143 | + during catalog compilation. Large amounts of files, especially recursive directories, amplify |
| 144 | + the effect in both directions. |
| 145 | + |
| 146 | +6. **Submit report:** |
| 147 | + |
| 148 | + If `report` is enabled on the agent, do a PUT request to `/puppet/v3/report/<NAME>`. The |
| 149 | + content of the PUT should be a Puppet report object in YAML format. |
0 commit comments