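After upgrading to CentOS 6.5, the system had been running normally. Today, after trying to automatically deploy a new Bootnode, I found that running puppet agent produced this error: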
Error: Could not retrieve catalog from remote server: Error on SERVER: Failed to submit 'replace facts' command for bootnode.ustack.in to PuppetDB at bootnode.ustack.in:: SSL_connect returned= errno= state=SSLv3 read server key exchange B: EC lib
The PuppetDB log shows:
-- ::, WARN [qtp1031698099-] [io.nio] javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
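First, to rule out the software versions I am using:
Puppet version: 3.3.2
PuppetDB version: 1.5.0
The error comes from the puppet master failing when it performs the replace facts operation against PuppetDB. Drawing on past experience, I went through the system and ruled out certificate problems and PuppetDB configuration problems. I then googled my way to the puppet users mailing list.
There I found the following key information: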
If you're running jdk 6u26 or older you're probably hitting these bugs.
I had this same error with the OpenDJ LDAP server a few years back and
upgrading the JDK fixed it.
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6932403
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7025227

We're touching that code right now, as we're actually in the process of deprecating use of JDK 1.6 with PuppetDB.
I checked the Java JDK version on the system, and sure enough it was 1.6.
[root@master ~]# yum list |grep jdk
java-1.6.-openjdk.x86_64 :1.6.0.0-1.65.1.11..el6_4 @sunfire
java-1.6.-openjdk.x86_64 :1.6.0.0-1.66.1.13..el6 base
java-1.6.-openjdk-demo.x86_64 :1.6.0.0-1.66.1.13..el6 base
java-1.6.-openjdk-devel.x86_64 :1.6.0.0-1.66.1.13..el6 base
java-1.6.-openjdk-javadoc.x86_64 :1.6.0.0-1.66.1.13..el6 base
java-1.6.-openjdk-src.x86_64 :1.6.0.0-1.66.1.13..el6 base
java-1.7.-openjdk.x86_64 :1.7.0.45-2.4.3.3.el6 base
java-1.7.-openjdk-demo.x86_64 :1.7.0.45-2.4.3.3.el6 base
java-1.7.-openjdk-devel.x86_64 :1.7.0.45-2.4.3.3.el6 base
java-1.7.-openjdk-javadoc.noarch :1.7.0.45-2.4.3.3.el6 base
java-1.7.-openjdk-src.x86_64 :1.7.0.45-2.4.3.3.el6 base
After upgrading it to 1.7.0 and restarting puppetdb, everything returned to normal.
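
A pre-flight check for the condition described above, as an added example that is not part of the original post: it parses the first line of `java -version` output and reports whether the JVM is older than 1.7, so a node can be flagged before PuppetDB starts failing TLS handshakes. The function names and the sample version lines are constructed for illustration, and it assumes PuppetDB runs with the `java` found on PATH.

```shell
#!/bin/sh
# Added example: decide whether the JVM should be upgraded before PuppetDB runs.
# All function names here are hypothetical helpers, not part of Puppet/PuppetDB.

# Read `java -version` output on stdin and print the quoted version string.
# Matches both 'java version "..."' and 'openjdk version "..."'.
java_version_string() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Map a version string to its major release: 1.6.0_24 -> 6, 1.7.0_45 -> 7, 11.0.2 -> 11.
java_major() {
    case "$1" in
        1.*) echo "$1" | cut -d. -f2 ;;
        *)   echo "$1" | cut -d. -f1 | sed 's/[^0-9].*//' ;;
    esac
}

# Exit status: 0 = older than 1.7 (upgrade needed), 1 = 1.7 or newer,
# 2 = version could not be parsed (treat as "unknown", not as "fine").
puppetdb_jvm_needs_upgrade() {
    ver=$(java_version_string)
    [ -n "$ver" ] || return 2
    major=$(java_major "$ver")
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 7 ]
}

# Constructed sample first lines of `java -version` output (not captured from a real host).
SAMPLE_JDK6='java version "1.6.0_24"'
SAMPLE_JDK7='java version "1.7.0_45"'

for sample in "$SAMPLE_JDK6" "$SAMPLE_JDK7"; do
    if printf '%s\n' "$sample" | puppetdb_jvm_needs_upgrade; then
        echo "UPGRADE: $sample"
    else
        echo "OK:      $sample"
    fi
done

# Live use (java prints its version on stderr):
#   java -version 2>&1 | puppetdb_jvm_needs_upgrade && echo "upgrade the JDK, then restart puppetdb"
```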