|
* Package for Dyson
* Added SMF services
* Use dh-smf on illumos, dh-systemd on linux
|
Upstream version 3.7.2
# gpg: Signature made Fri 24 Oct 2014 01:27:51 PM CEST
# gpg: using DSA key 0x40E354D9FA26E2EE
# gpg: Good signature from "Stig Sandbeck Mathisen <ssm@fnord.no>" [ultimate]
# gpg: aka "Stig Sandbeck Mathisen <ssm@debian.org>" [ultimate]
# gpg: aka "Stig Sandbeck Mathisen <stigsm@gmail.com>" [ultimate]
# gpg: aka "Stig Sandbeck Mathisen <ssm@linpro.no>" [ultimate]
# gpg: aka "Stig Sandbeck Mathisen <ssm@online.no>" [ultimate]
# gpg: aka "Stig Sandbeck Mathisen <ssm@redpill-linpro.com>" [ultimate]
|
(PUP-3467) Reject SSLv3
|
|
Previously, when puppet initiated SSL connections, e.g. puppet agent,
puppet module, etc, it could downgrade to SSLv3.
This commit ensures puppet will not downgrade to SSLv3 by setting the
`OpenSSL::SSL::OP_NO_SSLv3` bit. However, unlike SSLv2, we cannot remove
SSLv3 ciphersuites, since they are the same ones used in TLSv1. From the
openssl ciphers man page, "The TLSv1.0 ciphers are flagged with SSLv3".
[1] https://www.openssl.org/docs/ssl/SSL_CIPHER_get_name.html
|
|
Previously, puppet's webrick server did not specify which ciphersuites
it would accept. Depending on the ruby and openssl, the default set of
ciphersuites is:
    $ ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]'
    ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Note that "ALL:!ADH" does not exclude AECDH, and the default param
string includes "LOW", e.g. DES-CBC-SHA.
This commit updates the webrick ciphersuites to match the value used
in passenger in commit 204b2974b. The resulting ciphersuites are:
[["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256],
["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 256],
["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 128],
["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 128],
["DHE-RSA-CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256],
["DHE-RSA-CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128],
["CAMELLIA256-SHA", "TLSv1/SSLv3", 256, 256],
["AES256-SHA", "TLSv1/SSLv3", 256, 256],
["CAMELLIA128-SHA", "TLSv1/SSLv3", 128, 128],
["AES128-SHA", "TLSv1/SSLv3", 128, 128]]
|
|
Webrick will now reject SSLv3 connections. If an SSL client tries to
connect with SSLv3, webrick+openssl will issue an sslv3 alert
handshake failure.
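
Added example, not part of the commits above or of Puppet's code: a Ruby sketch of the two checks these three messages describe, setting `OP_NO_SSLv3` on a context and auditing a cipher table in the `[name, protocol, bits, alg_bits]` shape shown above for anonymous (ADH/AECDH) and low-strength suites. The helper names, the 128-bit floor and the sample rows are assumptions constructed for illustration.

```ruby
require 'openssl'

# Name prefixes OpenSSL uses for unauthenticated (anonymous) key exchange.
# "!ADH" in a cipher string removes only the first family.
ANON_PREFIXES = %w[ADH- AECDH-].freeze
MIN_BITS = 128 # assumed policy floor for this example

# rows: array shaped like OpenSSL::SSL::SSLContext#ciphers output,
# i.e. [name, protocol, bits, alg_bits] per suite.
def audit_ciphers(rows)
  findings = { anonymous: [], low_strength: [] }
  rows.each do |name, _proto, bits, _alg_bits|
    findings[:anonymous] << name if name.start_with?(*ANON_PREFIXES)
    findings[:low_strength] << name if bits < MIN_BITS
  end
  findings
end

# Build a context that cannot negotiate SSLv2 or SSLv3, keeping whatever
# option bits the runtime already set.
def no_sslv3_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = ctx.options.to_i |
                OpenSSL::SSL::OP_NO_SSLv2 |
                OpenSSL::SSL::OP_NO_SSLv3
  ctx
end

# True when the OP_NO_SSLv3 bit is set on the context.
def sslv3_disabled?(ctx)
  (ctx.options.to_i & OpenSSL::SSL::OP_NO_SSLv3) != 0
end

# Constructed sample rows (not captured from a real host): one anonymous
# ECDH suite, one LOW suite, and two suites from the hardened list above.
CONSTRUCTED_ROWS = [
  ['AECDH-AES256-SHA',   'TLSv1/SSLv3', 256, 256],
  ['DES-CBC-SHA',        'TLSv1/SSLv3', 56,  56],
  ['DHE-RSA-AES256-SHA', 'TLSv1/SSLv3', 256, 256],
  ['AES128-SHA',         'TLSv1/SSLv3', 128, 128]
].freeze

report = audit_ciphers(CONSTRUCTED_ROWS)
puts "anonymous:      #{report[:anonymous].join(', ')}"
puts "low strength:   #{report[:low_strength].join(', ')}"
puts "SSLv3 disabled: #{sslv3_disabled?(no_sslv3_context)}"
```

To audit a live configuration, pass `ctx.ciphers` from the context under review to `audit_ciphers` instead of the constructed rows.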
|
|
zaphod42/issue/stable/pup-3201-incorrect-string-for-undef
(PUP-3201) Stop using :undef for parameters in 4x
|
|
The :undef symbol was still leaking all over the place internally. This
caused type inference to sometimes end up with Runtime[ruby, Symbol]. By
using nil instead of :undef, everything can be much more
straightforward. Once the code removal for puppet 4 comes into play even
more oddities around how resource parameters are handled can be
performed.
|
|
The lookup function only works when the future parser is in effect. This
changes the spec tests to turn on the future parser.
|
|
* issue/stable/pup-3277-envdir-perms:
(PUP-3277) Ensure agents re-enabled after disable agent test
(PUP-3277) Use owner from puppet settings rather than beaker defaults
|
|
Add a step in the agent_disable_lockfile step to ensure that agents are
re-enabled. This should insulate subsequent tests from a failure partway
through agent_disable_lockfile leaving disabled agents in its wake.
|
|
The beaker host['user'] default setting is root, but the actual user
setting from puppet defaults is likely to be puppet or pe-puppet. By
using the puppet settings, we are more likely to stay in sync with how
the files are being set by packaging or managed by puppet or supporting
puppetlabs modules. This should cut down on spurious changes to
environment owner/modes that were cropping up in some pe test runs.
|
|
(PUP-3401) Fix type calculations of "all Patterns"
|
|
hkenney/issue/stable/pup-3334_fix_environment_conf_not_changing_issue
(PUP-3334) Fix issue around settings not updating with environment.conf
|
|
In order to ensure that we don't encounter this issue again, add
a test case to environments_spec to ensure that the cache is being
properly cleared.
Additionally, fix a small bug in environment's list method where
a string should have been converted to a symbol.
|
|
Prior to this commit, environment settings were not being updated
when environment.conf was changed, even if environment timeout had
expired. This was because they were being cached in places in
Puppet.settings that were not being cleared.
Now, all the cached data for a particular environment is cleared
when the environment timeout expires.
|
|
ffrank/ticket/3.7.x/PUP-3357-purge-unnamed-ssh-keys
(PUP-3357) purge unnamed ssh keys
|
|
Add an integration test with an ssh keyfile in which two keys have no name
and make sure that both are successfully purged.
|
|
Just makes sure that the user type and ssh_authorized_keys provider
generate pseudo-names for keys following the same pattern.
|
|
Generated resources from the user type share an empty resource name
if more than one unmanaged key has no comment in the authorized_keys
file (the comment is used for the namevar). This leads to duplicate
declaration errors when the user tries to purge those keys through
the user { purge_ssh_keys } parameter.
Make the provider use an internal pseudo-name in such cases. Generated
resources get the same respective pseudo-name for successful purging.
It is composed of the file name and a numeric index.
|
|
The type calculator did not correctly compute assignability for
a non parameterized Pattern. Such a Pattern is equal to "any string",
and is thus assignable from any other Pattern, Enum or String.
This was missing in the calculator and this resulted in Pattern neither
being equal to, less than, or greater than parameterized patterns.
|
|
The test failed on windows nodes because the acceptance test wasn't
using the `puppet` method from beaker. The test failed on future parser
due to the bare file mode, in 4.0 only string modes will be allowed.
This commit fixes up those issues, and removes the
`acceptable_exit_codes => [0]` since that is the default behavior.
|
|
(PUP-3201) Treat :undef as PNilType
|
|
* issue/stable/pup-3244-acceptance-enc-needs-hashbang:
(PUP-3244) Add a hashbang line to the acceptance test enc
(maint) Fix typo in test name
|
|
(PUP-3345) Fix memory leak (and add some tooling to find leaks)
|
|
The previous attempt to skip catalog_memory on < 2.1.0 caused the `rake
benchmark:all:run` task to abort because of a failed command. By
changing the exit to 0, rake is allowed to continue.
|
|
Ruby's Kernel.exec has different behavior on different platforms when
handling a script without a hashbang line. On rhel6, for instance:
    [root@a3m9lej0pifviyl ~]# cat /root/test
    echo 'foo'
    [root@a3m9lej0pifviyl ~]# /root/test arg
    foo
    [root@a3m9lej0pifviyl ~]# irb
    irb(main):001:0> exec('/root/test', 'arg')
    Errno::ENOEXEC: Exec format error - /root/test
    from (irb):1:in `exec'
    from (irb):1
    from :0
This seems to depend on how the underlying platform's exec functions
handle this case. Rewriting the enc as a ruby file with a hashbang line
sidesteps this issue and allows the test to run. Also dropped the
environment.conf usage since it seemed superfluous.
|
|
zaphod42/maint/stable/agent-errors-on-invalid-env-in-cached-catalog
(maint) Always use a remote env in the configurer
|
|
Before this commit the configurer would track the appropriate
environment to request from the master in the `@environment` variable.
This contained simply the name of the remote environment. The value was
passed through to various indirection requests as the `:environment`
parameter. However, as part of PUP-3244, something changed that caused
the configurer to begin failing when
* The requested environment did not exist remotely
* There was a cached catalog locally
* The cached catalog referenced an environment that did not exist
  locally
This situation caused the indirector requests to contain an environment
name that the Puppet::Indirector::Request code would then try to expand
into a full environment instance by calling
`Puppet.lookup(:environments).get!(env)`. However, since the environment
didn't exist locally the `get!` method raised an error.
This commit changes it so that the configurer always converts the
`@environment`, which is always the environment from the server for the
current run, to `Puppet::Node::Environment.remote`. This stops
`Puppet::Indirector::Request` from trying to load the environment
locally.
I don't know how this ever worked...
|
|
This makes the catalog_memory benchmark print a message about
2.1.0 being required and then exit with -1 unless the ruby version
is >= 2.1.0.
|
|
zaphod42/issue/stable/pup-3244-error-when-agent-uses-missing-env
(PUP-3244) Allow autoload to handle missing environment
|
|
The test of behavior when a module directory is specified as part of an
environment but is missing on disk was hidden inside another test. This
splits it out and calls out that the behavior is that the directory is
simply ignored.
|
|
A memory leak was introduced by caching all resource types that do
not handle deprecations (all types but one). This caused the problem
because the cache was held as a class instance variable and was never
evacuated.
This changes the Puppet::Resource class to not cache non-deprecation
resources.
|
|
This adds a command that processes the dumped heap information
produced by "catalog_memory" benchmark (or other similar heap-dumps).
The result is a .dot file that can be rendered.
This tool is useful when tracking a memory leak.
|
|
This adds a benchmark "catalog_memory" that is running an empty catalog
(one call to log). A baseline sample of memory is taken at first run,
and at last. A diff of bound objects is produced. Two heap dumps in json
formats "diff.json", and "heap.json" are produced. The diff contains the
dump of each bound object, and the heap a dump of all objects.
The benchmark also prints basic information about memory.
|
|
When a previous commit changed from get() to get!() the agent stopped
being able to use an environment that is available on the master, but
not available locally. I had misread the code and missed a trailing
`&&`. This caused me to think that the environment lookup in this case
was required, where in fact it is still optional.
This changes the structure of the code to make it much clearer that the
environment is optional, changes from get!() to get(), and adds some
tests around these code paths.
|
|
(PUP-3244) ENC ignores missing directory environments
|
|
(PUP-3244) ENC directory environments - Remove unnecessary Cached.get!
|
|
This removes a function that was provided by the super class.
|
|
Before this commit the Puppet::Environments::Cached#get! was not needed
as it was defined in a parent class. Puppet::Environments::Combined#get!
now calls get! in environment objects instead of assuming how get!
should work.
This commit also refactors areas in the code where
Puppet::Environments::EnvironmentNotFound was raised after calling get
in favor of the new get! method.
|
|
This removes a function that was provided by the super class.
|
|
For PUP-2857 :undef was changed from being a PNilType to a PRuntimeType.
This stopped the undef literal in the language from being able to be
assigned to Optional parameters. However, this only happened when the
undef was the default expression for the parameter.
|