Skip to content

Fix: Unordered IIS Site Binding Comparison to Prevent Unnecessary Resource Updates #407

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix: Unordered IIS Site Binding Comparison to Prevent Unnecessary Resource Updates #407

wants to merge 3 commits into from

Conversation

DarkArc-Github
Copy link

@DarkArc-Github DarkArc-Github commented Jun 3, 2025
edited
Loading

Fix IIS Site Binding Comparison to Prevent Unnecessary Resource Updates

Summary

This pull request modifies the insync? method in the bindings property of the iis_site resource type to use a set-based comparison instead of an order-dependent array comparison. This change prevents Puppet from detecting false differences and unnecessarily reapplying bindings when the only difference is the order in which IIS returns the bindings.

The specific change:

  • Modified the insync? method in Puppet/iis/lib/puppet/type/iis_site.rb to convert binding arrays to sets before comparison, making the comparison order-independent

Additional Context

  • Root cause and the steps to reproduce:

    • Root cause: The current implementation compares bindings as ordered arrays, but the order of bindings returned by IIS can vary between runs, especially for bindings with the same binding information but different protocols (such as net.msmq and msmq.formatname).
    • To reproduce: Create an IIS site with multiple binding types, including at least one pair of non-HTTP bindings with the same binding information (e.g., net.msmq and msmq.formatname both using the same hostname). Run Puppet multiple times and observe that it detects changes and reapplies the bindings on every run.

  • Thought process behind the implementation:

    • I considered several approaches to fix this issue:
      1. Modifying the sort_bindings method to ensure a stable sort
      2. Creating a custom provider that overrides the binding comparison
      3. Using a set-based comparison in the insync? method
    • I chose the set-based approach because:
      • It's the simplest and most direct solution
      • It aligns with how IIS actually works (binding order doesn't affect functionality)
      • It's the least invasive change with the lowest risk of unintended side effects
      • It's more robust against variations in how IIS or PowerShell returns bindings

Related Issues

This PR addresses an issue where IIS sites with multiple binding types would be unnecessarily updated on every Puppet run, causing potential service disruptions and increased Puppet run times.

Checklist

  • 🟢 Spec tests: Tested locally unit test log
  • 🟢 Acceptance tests: NA as it already tests for idempotency.
  • 🟢 Manually verified: Tested on a Windows Server with IIS and confirmed that after this change, Puppet correctly recognizes when bindings are in sync, even if their order varies

@DarkArc-Github DarkArc-Github requested a review from a team as a code owner June 3, 2025 19:57
@CLAassistant
Copy link

CLAassistant commented Jun 3, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@DarkArc-Github DarkArc-Github marked this pull request as draft June 3, 2025 20:22
@DarkArc-Github DarkArc-Github marked this pull request as ready for review June 4, 2025 01:26
@DarkArc-Github
Copy link
Author

@span786 Can you please review this?

do you want me to add changelog and metadata updates as well to this PR ?

@DarkArc-Github DarkArc-Github marked this pull request as draft June 4, 2025 17:56
@DarkArc-Github DarkArc-Github force-pushed the fix_binding_reapply branch 4 times, most recently from 9556945 to 97e3699 Compare June 4, 2025 19:33
@DarkArc-Github DarkArc-Github marked this pull request as ready for review June 4, 2025 19:34
@span786
Copy link
Contributor

span786 commented Jun 5, 2025

@DarkArc-Github

Could you please add the tests?
Also, I noticed some rubocop violations—please address those as well.

@DarkArc-Github DarkArc-Github marked this pull request as draft June 5, 2025 13:43
@DarkArc-Github
Copy link
Author

@DarkArc-Github

Could you please add the tests? Also, I noticed some rubocop violations—please address those as well.

Thanks for the reply, I don't see the spec jobs running when I push, so I can't find those issues when I make changes, I saw that job only when you commented so can you point me in the right direction please how can I get those jobs running spec tests for my push ?

@span786
Copy link
Contributor

span786 commented Jun 5, 2025

@DarkArc-Github
Could you please add the tests? Also, I noticed some rubocop violations—please address those as well.

Thanks for the reply, I don't see the spec jobs running when I push, so I can't find those issues when I make changes, I saw that job only when you commented so can you point me in the right direction please how can I get those jobs running spec tests for my push ?

You can check the test steps, and follow the same while running tests in your local

@DarkArc-Github
Copy link
Author

DarkArc-Github commented Jun 6, 2025
edited
Loading

@span786 Added unit test and removed the unused and unreferenced bindings class and tested locally (attached the spec run log here for your reference).
Added details to reference markdown as well for easy lookup.

  • Unit Spec test passes locally. spec_test.log
  • Tested locally by applying on test node.

@DarkArc-Github
Fix idempotency issues with non-HTTP IIS site bindings
5d5c8a5 
Sites using non-HTTP protocols (net.pipe, net.tcp, net.msmq,
msmq.formatname) were reapplied on every Puppet run due to unreliable
sorting and hash order sensitivity in binding comparison.

Replace custom sorting with set-based comparison to ensure identical
bindings are recognized regardless of array order or hash property order.

Resolves: Continuous configuration drift for non-HTTP protocol bindings
@DarkArc-Github
Test: Add unit tests for order-independent binding comparison
a2355c4 
Add comprehensive unit tests to validate the new set-based binding
comparison logic in iis_site type. Tests verify that:

- Bindings with identical content but different order are in sync
- Bindings with different content are correctly detected as out of sync
- Bindings with different counts are properly identified as out of sync

These tests ensure the order-independent comparison works correctly
and prevent regression to order-sensitive behavior.
@DarkArc-Github
docs(bindings): add non-HTTP protocol format specification
68edd94 
- Document hostname-only format for net.pipe, net.msmq, msmq.formatname
- Document port:hostname format for net.tcp
- Add comprehensive multi-protocol example
- Clarify SSL parameter restrictions for HTTPS only
@DarkArc-Github DarkArc-Github marked this pull request as ready for review June 6, 2025 18:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@DarkArc-Github @CLAassistant @span786