Age | Commit message | Author | Files | Lines |
|
|
|
Update puppet_for_the_win dependency so dev builds use facter 2.2.0
|
|
(PUP-3227) Address man page ownership conflicts
|
|
This moves the sha1 to include the recent changes to the MSI that add more
clarification on FQDN of Puppet master.
|
|
Include win32-service 0.8.6 when building MSIs.
|
|
This upgrades the win32-service gem to at least 0.8.6 to take advantage
of the fixes to the service gem. This change includes only the fixes that
we have already applied patches to in puppet-win32-ruby.
|
|
|
|
Prior to this commit, upgrading from puppet=2.7.23-1~deb7u3 and
puppetmaster=2.7.23-1~deb7u3 to puppet=3.7.0.29-1puppetlabs1 and
puppetmaster=3.7.0.29-1puppetlabs1 fails. I believe this problem is due
to how Debian chose to package puppet-common, which owns
`/usr/share/man/man8/puppet-master.8.gz`.
This commit adds in a `Conflicts:` to the puppetmaster and
puppetmaster-common packages to make sure that we can successfully
upgrade from these older package versions. However, if a user has
puppetmaster and puppet older than 3.3.0 installed on a machine, and
only upgrades puppetmaster, this will uninstall the puppet package from
the system.
|
|
|
|
* upstream/master: (767 commits)
(maint) Namespace constant declaration in specs to prevent warnings
(maint) Expect test to fail on windows ruby 2.0 x86
(PUP-3069) Fix path expansion for environment.conf test on Win
(PUP-2349) Add windows specific expectation for deprecation_warning
(PUP-2349) Add windows specific expectation for deprecation_warning
(PUP-3069) Clear configuration_file for tests
(PUP-3069) Test both future and current parser with default_manifest
(PUP-3069) Update default_manifest setting descriptions
(PUP-3069) Change restrict_environment_manifest name
(PUP-3163) Create and manage the mode of $reportsdir
(maint) Clear record of configured deprecated settings
(PUP-3069) Add an integration spec for default_manifest
(PUP-3069) Halt compile if environment has manifest conflict
(PUP-3069) Add spec test for new default options
(PUP-3069) Add default manifest settings
PUP-3155 Improve spec tests around the PE puppet version
(PUP-3153) Guard against nil when closing Uniquefiles
(PUP-2984) Remove old installation directory when going from x64 to x86
(PUP-1884) Migrate MSI deps into puppet repo
(PUP-3154) Create and manage the mode of $statedir on redhat
...
|
|
For redhat and debian, we create and manage a $statedir with ownership
set to puppet:puppet. Unfortunately, we also create a $reportsdir that is
owned by root. This means that other applications, even those in the
puppet group, could not write to this directory. This commit adds the
$reportsdir to both debian and redhat packaging to ensure it is created
with the correct permissions (just as the $statedir is), to ensure a
more consistent experience for users of our packages.
|
|
Update dependency on puppet_for_the_win:
https://github.com/puppetlabs/puppet_for_the_win/commit/c61dda253b09bd855488f7b6dd7332fdf84d3039
|
|
(PUP-1884) Migrate MSI deps into puppet repo
|
|
We have this problem where it is very difficult to know what exactly is
getting into the Puppet MSI when we build it. Previously, all that
information was stored in the Jenkins job used to build the MSI. This
proved difficult because there is no real way to audit changes made to
Jenkins jobs, why those changes were made, or who made them. This commit
moves that information into the Puppet Repo itself. This will help us
make sure the correct version of each project is getting into the MSI,
and allow us to build the MSI with the current checkout of the Puppet
Repo. However, this means we have to make sure we do not forget to
update the versions of the dependencies getting pulled into the MSI when
a new release happens.
|
|
In debian, we create and manage the $statedir in the postinst of the
puppet-common package. In redhat, $statedir would be created on
service start, and owned by root. This means that other applications,
even those in the puppet group, could not write to this directory. This
commit adds $statedir to the directories created in the redhat package
and sets the user and group ownership to puppet:puppet. This will ensure
a more consistent experience for users of our packages.
|
|
haus/ticket/master/pup-3035-add-var-run-puppet-to-debian-packaging
(PUP-3035) Add /var/run/puppet to debian packaging
|
|
In 6a94700, the rgen 0.7.0 library was added to the vendor directory in puppet,
and as such is no longer an external dependency. This commit removes the rgen
package as a dependency of the puppet rpm and deb packages, so that it is not
installed in addition to the vendored rgen (or worse even installed at a
conflicting version).
Signed-off-by: Moses Mendoza <moses@puppetlabs.com>
|
|
* upstream/pr/2995:
(doc) Add Puppet Specific Documentation
(PUP-2914) Remove rgen 0.7.0 dependency
(PUP-2914) Add rgen 0.7.0 to vendored libraries
|
|
This commit does some simple refactoring in the puppet-common.postinst
to avoid some unneeded repetition.
|
|
Previously /var/run/puppet was created only during service start on
debian for both puppet and puppetmaster services. However, as it is used
in both of those services, it makes sense to have it owned and created
by one of the puppet packages. puppet-common is a dependency of both the
puppet and puppetmaster packages, so this commit adds /var/run/puppet to
the puppet-common.dirs file so it will be created in that package. This
also brings parity between redhat and debian packages in this respect,
as redhat puppet packages create the /var/run/puppet directory already.
This also adds a dpkg-statoverride call to manage permissions for the
/var/run/puppet directory.
|
|
Iristyle/ticket/master/PUP-2987-windows-service-hangs
(PUP-2987) Windows service hangs
|
|
The library rgen was an unnecessary dependency since it was
vendored. This commit removes unnecessary dependency.
|
|
Previously, the x86 version of the puppet gem depended on win32-eventlog
~> 0.5.3 which is not ffi compatible. This was caused when eventlog
changes were reverted in 35b1abc1, and then reimplemented in
537b0572, but the corresponding eventlog dependency was not bumped.
This commit bumps the dependency to use ~> 0.6.1 for x86. The x64
version already correctly depends on ~> 0.6.1.
|
|
- Move runinterval parsing and execution of the puppet agent to a new
thread that maintains a busyloop until either:
- the service is no longer running
- an exception has occurred with parsing the runinterval
- Rather than performing a wakeup against the main thread, simply kill
this new thread on service_stop
- Main service code will wait until the busyloop thread dies, then will
exit
- Note that this change is ultimately not responsible for the service
hangs experienced in the service. Additional changes have been made
to the win32-service gem to ensure events being waited on with
WaitForSingleObject are always signaled properly, even in failure
cases. Please see merged PR for more info:
https://github.com/djberg96/win32-service/pull/21
https://github.com/puppetlabs/puppet-win32-ruby/pull/51
|
|
This commit removes Saucy from the build_defaults. It went EOL on July
17, 2014
|
|
- Refactor parsing code to a separate method to cleanup run loop
|
|
|
|
* pr/2859:
(PUP-1471) Remove warning message about pausing Windows agent service
|
|
Puppet agent on windows now uses a win32-service gem which is 0.8.4 or
greater[1,2]. The warning message and inline comments are no longer
required now that the upstream bug was fixed[3].
[1] https://github.com/puppetlabs/puppet/commit/5a5e685bf835fb459d036d31f0078668f5802331
[2] https://github.com/puppetlabs/puppet/commit/784c3d17c4d3e666701559c529e46465e5dc417e
[3] https://github.com/djberg96/win32-service/commit/38eba9f1edee41c9fb1d89fc3dea11da0768baf9
|
|
Iristyle/ticket/master/PUP-2521-remove-windows-pr-gem
(PUP-2521) Remove windows-pr gem
|
|
* ticket/master/PUP-2881-update-win32-taskscheduler: (27 commits)
(doc) task_scheduler failure on enabled/index in manifest
(PUP-2881) Use COM UseInstance Helper for cleanup
(PUP-2881) Don't Release TaskScheduler in save
(PUP-2881) Refactor Task cleanup
(PUP-2881) Use COM interface pointer helper
(PUP-2881) Remove taskscheduler VERSION
(PUP-2881) Taskscheduler COM initialization
(PUP-2881) Remove taskscheduler S_OK constant
(PUP-2881) Remove msvcrt/buffer from taskscheduler
(PUP-2881) Refactor ITaskTrigger for FFI / COM
(PUP-2881) Refactor IPersistFile for FFI / COM
(PUP-2881) Remove CoTaskMemFree in windows/com.rb
(PUP-2881) Refactor ITask for FFI / COM
(PUP-2881) Setup Taskscheduler HRESULT constants
(PUP-2881) Refactor IEnumWorkItems for FFI / COM
(PUP-2881) Refactor ITaskScheduler for FFI / COM
(PUP-2881) Fix Unknownr UseInstance helper
(PUP-2881) Use Windows::Error for COM call fails
(PUP-2881) Add Windows COM code from Unknownr
(PUP-2881) Move COM FFI to file windows/com.rb
...
|
|
* ticket/master/PUP2889-eventlog:
(PUP-2889) Remove dependency on win32-eventlog constants
|
|
- Remove win32-taskscheduler from gemspec through project_data.yaml
- Update require statements where appropriate
- All specs verified
|
|
adrienthebo/issue/master/pup-2177-update-apache-ciphersuite
(PUP-2177) Change Crypto Spec in accordance to bettercrypto.org
|
|
Previously, we were referencing win32-eventlog constants. However, version
0.6.0 introduced a backwards incompatible change by renaming the event
type constants[1]. As a result, we can't simply upgrade to the latest ffi
gem.
This commit defines the constants in puppet, and removes our dependence on
the gem. It also adds eventlog specs, in particular to ensure that
Puppet.features.eventlog? is always true on windows.
[1] https://github.com/djberg96/win32-eventlog/commit/99aeb4d854306a6db699550884f189cbd3c8928a
|
|
We provide an Apache vhost configuration for users that want to run a
Puppet master using Apache and Passenger. The configuration was added in
d85d73c (five years ago, roughly) and set the SSLProtocol and
SSLCipherSuite directives using the assumptions about cryptography at
the time. As part of PUP-2582 commit 05af20b70 updated the SSL cipher
suite and protocol settings to remove some of the most vulnerable
ciphers, but still contained some relaxed settings to ensure
compatibility with as many platforms as possible.
-- Summary
This commit updates the SSLProtocol and SSLCipherSuite directives to
ensure we only use secure ciphers while continuing to function on all
supported platforms. The most notable difference is that this change
switches the cipher selection from a blacklist where all ciphers are
added and then selectively removed, to a whitelist where only known safe
ciphers are allowed. The cipher suite has been selected using the
guidelines laid out by the Applied Crypto Hardening paper[0].
-- Overall cipher selection
This cipher suite was chosen by selecting for the following criteria:
* TLS 1.0, 1.1, 1.2
* Perfect forward secrecy/ephemeral Diffie Hellman where possible
* Preferring strong MACs (SHA-2) where possible
* GCM as the authenticated encryption scheme where possible
* Always falling back to reasonably acceptable schemes for maximum
platform compatibility
The resulting cipher suite has the following implications:
TLSv1.2 is preferred over TLSv1.0, but it still provides reasonable
ciphers with TLSv1.0.
-- Key exchange
Ephemeral Diffie Hellman and Ephemeral Elliptic Curve Diffie Hellman are
used for key exchange. EDH is preferred over EECDH due to ongoing
concerns with potential weaknesses in elliptic curve cryptography, but
EECDH is still included due to the performance benefits of EECDH over
EDH.[1] Non-ephemeral Diffie Hellman is not used to ensure perfect
forward secrecy. If EDH or EECDH are not available, key exchange will be
done using RSA for compatibility with legacy SSL libraries.
-- Authentication
RSA is used for authentication as it works in most of today's setups and
modern implementations are resistant to attack for the foreseeable future.
-- Encryption
AES256 and CAMELLIA256 count as very strong ciphers at the moment, but
if these algorithms are not available then AES128 or CAMELLIA128 will be
used as fallbacks since they are still reasonably strong. CAMELLIA is
preferred over AES due to the decision by NSS to prefer CAMELLIA, with
the following rationale:
National ciphers such as Camellia are listed before international ciphers
such as AES and RC4 to allow servers that prefer Camellia to be able to
negotiate Camellia without having to disable AES and RC4, which are needed
for interoperability with clients that don't yet implement Camellia.[2]
-- Message Authentication (MAC)
Message authentication prefers AEAD with GCM, and then falls back to
SHA256. If ECDHE is used SHA384 will be used when available. If no
better option is available SHA1 will be used.
-- Fallback
When no better cipher is available, CAMELLIA128-SHA and then AES128-SHA
(with RSA for authentication) will be used, for cases such as OpenSSL
0.9.8 which does not provide support for ECC and TLSv1.1 or above.
-- Blacklisted algorithms
On top of the algorithms blacklisted in 05af20b7, ECDSA has been
disabled due to outstanding concerns about weaknesses to cache timing
attacks.[3]
[0] "Applied Crypto Hardening": https://bettercrypto.org/static/applied-crypto-hardening.pdf
[1] "A Note on Elliptic Curve Cryptography" "Applied Crypto Hardening section 3.7"
[2] "Document the policy for the order of cipher suites in SSL_ImplementedCiphers.": https://bugzilla.mozilla.org/show_bug.cgi?id=430875
[3] "How to design an elliptic-curve signature system" http://blog.cr.yp.to/20140323-ecdsa.html
Thanks to Aaron Zauner <azet@azet.org> and bettercrypto.org for
generating and submitting the updated cipher suite.
Commit message amended by Adrien Thebo <adrien@puppetlabs.com>
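As an added illustration (not part of the commit or the Puppet repository), the whitelist criteria in the commit message above can be written as a check over OpenSSL-style suite names from before TLS 1.3. The sample list and the names `check` and `audit` are constructed for this example.

```python
import re

# Whitelist derived from the criteria in the commit message above.
KEY_EXCHANGE = {"DHE": "EDH", "EDH": "EDH", "ECDHE": "EECDH"}  # ephemeral only
ENCRYPTION = {"AES128", "AES256", "CAMELLIA128", "CAMELLIA256"}
MACS = {"SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384"}

# [KX-AUTH-]CIPHER[-GCM]-HASH, e.g. DHE-RSA-AES256-GCM-SHA384 or AES128-SHA
NAME = re.compile(
    r"^(?:(?P<kx>[A-Z]+)-(?P<auth>RSA|ECDSA|DSS)-)?"
    r"(?P<enc>[A-Z0-9-]+?)(?P<gcm>-GCM)?-(?P<mac>SHA\d*|MD5)$"
)

def check(name):
    """Return (allowed, detail) for one OpenSSL-style suite name."""
    m = NAME.match(name)
    if not m:
        return False, "unrecognised name"
    # Names without a prefix (AES128-SHA) use RSA key exchange and auth.
    kx = KEY_EXCHANGE.get(m["kx"]) if m["kx"] else "RSA"
    if kx is None:
        return False, f"key exchange {m['kx']} is not whitelisted (not ephemeral)"
    auth = m["auth"] or "RSA"
    if auth != "RSA":
        return False, f"{auth} authentication is disabled"
    if m["enc"] not in ENCRYPTION:
        return False, f"cipher {m['enc']} is not on the whitelist"
    mac = "AEAD-GCM" if m["gcm"] else MACS.get(m["mac"])
    if mac is None:
        return False, f"MAC {m['mac']} is not on the whitelist"
    pfs = "forward secrecy" if kx != "RSA" else "RSA fallback, no forward secrecy"
    return True, f"{kx}/{auth}/{m['enc']}/{mac}: {pfs}"

def audit(names):
    """Split a configured cipher list into allowed names and rejection reasons."""
    allowed, rejected = [], {}
    for name in names:
        ok, detail = check(name)
        if ok:
            allowed.append(name)
        else:
            rejected[name] = detail
    return allowed, rejected

# Constructed sample list, not the cipher string from the commit.
SAMPLE = ("DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-GCM-SHA384:"
          "ECDHE-ECDSA-AES256-GCM-SHA384:DH-RSA-AES256-SHA:RC4-SHA:"
          "CAMELLIA128-SHA:AES128-SHA")

if __name__ == "__main__":
    for suite in SAMPLE.split(":"):
        print(suite, check(suite))
```

Because the check is an allow-list, a suite name it has never seen is rejected by default, which is the property the commit gains by moving away from the blacklist form.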
|
|
This reverts commit cffa48679b20362b3a50403a7460c1400524d790.
We need to revert win32-eventlog updates for now since it now has
dependencies on a library that doesn't exist in Windows 2003.
|
|
- Windows::Error no longer exists and the ERROR_FILE_NOT_FOUND
constant is part of the Puppet codebase now.
- Catch appropriate error in package specs
- Remove windows-pr, win32-api and windows-api from gemspec
|
|
* pr/2830:
(PUP-392) Upgrade win32-dir to 0.4.9
(PUP-392) Upgrade win32-process
(PUP-392) update win32-eventlog
|
|
This upgrades win32-dir from 0.4.3 to 0.4.9 (for both platforms).
|
|
Previously we were requiring an exact version match for the win32-service
gem. However, the ffi version of the gem has a regression and we expect a
new version of the gem to be released soon.
This commit relaxes the dependency so that we don't have to revisit this
issue in the near future.
|
|
Currently, upgrades from 2.7.26 to 3.6.2 break because of a file
conflict. It seems that as of Puppet 3.3.0, the manpages changed from
being owned by the puppet package, to being owned by the puppet-common
package. This change was initially done to allow upgrades from Debian
packages to ours. However, changing which package owns a given file
makes upgrades difficult. This commit adds in conflicts to allow smooth
upgrades from puppet packages prior to the manpage change to the current
version.
|
|
- This upgrades the win32-process gem from 0.6.5 to 0.7.4.
- Win32::Process will not return a custom error anymore, just SystemCallError.
Since this can be used for many things, limit down SystemCallError to be
rescued only if we are on Windows.
|
|
This brings eventlog up to the latest gem and fixes the constants it uses.
|
|
This upgrades win32-service from 0.7.2 (native compiled gem) to
0.8.4 (FFI-ed gem), which is a step in getting puppet to run on x64
ruby.
|
|
- Ensure that Bundler loads proper gemset whether on x86 or x64, based
on what is defined in project_data.yaml
- Note that latest FFI compatible gems have been added to x64 out of
necessity, but the code fails tests, and is not yet compatible with
Ruby 2 changes / gem updates.
- Gem versions for Ruby 1.9.x were kept the same*, and will be upgraded
as part of verifying gem compatibility when updating 1.9.x branch
to use latest FFI compatible gems.
- * FFI required an update on Ruby 1.9.x to FFI 1.9.3 to satisfy Facter
2.1.0 which now requires FFI 1.9.3
|
|
- Update inline strings mentioning it as a dependency
|
|
- synchronize and handle appear to no longer be used
|
|
- Previously, Process constants were used in a few locations throughout
the code. Capture the needed PRIORITY_CLASS constants in our local
Windows Process class, and also define CREATE_NEW_CONSOLE. These
constants have moved in new versions of the win32-process gem.
- Note that ext/windows/service/daemon.rb doesn't load Puppet code.
The daemon only loads what it explicitly needs, so ensure the
CREATE_NEW_CONSOLE constant is defined there.
|
|
This commit removes quantal from all build defaults because it is end of
life. It removes the defaults from the build_defaults yaml.
|