(PUP-3191) Use FileSystem.readlink in unpacker
|
|
Prior to this commit we were using File.readlink, which does not work properly
on Windows platforms, to tell the user about symlinks found when unpacking.
This commit changes that behavior to instead use the Puppet::Filesystem.readlink
function, which should work on all platforms that support symlinks.
|
|
(PUP-894) Be more lenient about CRL not yet valid errors
|
|
jpartlow/issue/stable/pup-3162-whitelist-environment-interpolation
(PUP-3162) Issue/stable/pup 3162 whitelist environment interpolation
|
|
Commit c752a9ceea was supposed to rescue StandardErrors not
SystemCallErrors so that we do not break in the same way again
if the win32-service gem decides to raise a different exception.
This commit restores rescuing of StandardErrors.
|
|
(PUP-3222) Rescue StandardError instead of non-existent exception
|
|
Previously, the windows service provider rescued exceptions of type
Win32::Service::Error. However, FFI-based versions of win32-service (v0.8.x)
no longer raise that type of error. Instead they raise SystemCallError.
So previously, if puppet failed to manage a service, e.g. service didn't
exist, puppet would try to rescue the exception specifying a class that
was not defined:
    puppet resource service foo ensure=stopped
    Error: /Service[foo]: Could not evaluate: uninitialized constant Win32::Service::Error
This regression was introduced as part of PUP-1283 when we migrated from
win32-service version 0.7.x to 0.8.x.
This commit modifies the various provider methods to more broadly rescue
StandardErrors and updates the spec tests to handle the negative cases.
Paired-with: Ethan J Brown <ethan@puppetlabs.com>
|
|
Previously, the agent would reject an SSL connection if the CRL it
downloaded from the CA had a `last_update` time that was slightly in the
future. The agent reports this as "CRL is not yet valid." This issue can
happen when the CA's time is slightly ahead of the agent's time, the CRL
is recently updated, and the agent doesn't already have a cached version
of the CRL (due to PUP-2103).
The CRL not yet valid error sometimes happens during acceptance testing
when we delete the agent's ssl directory, revoke a cert on the master
(which updates the CRL's last_update field), and run the agent (which
downloads the latest CRL).
This commit modifies the verify callback to ignore CRL not yet valid
errors provided all of the following are true:
* current_crl is not nil
* current_crl.last_update is not nil
* current_crl.last_update is strictly less than 5 minutes from now
It also adds specs around unspecified behavior, e.g. ensure the verify
callback returns false when errors are detected.
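
The three conditions listed above, exercised against a real `OpenSSL::X509::Store`, as an added Ruby example; it is not Puppet's verify callback or code from this commit. The helper names, `SKEW`, and the certificates and CRL (generated in-process) are constructed for illustration.

```ruby
require 'openssl'

SKEW = 5 * 60 # tolerated clock skew in seconds (the 5 minutes from the commit)

# True only for a "CRL not yet valid" error whose CRL meets all three conditions.
def tolerable_crl_skew?(ctx, now = Time.now)
  return false unless ctx.error == OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
  crl = ctx.current_crl
  !crl.nil? && !crl.last_update.nil? && crl.last_update < now + SKEW
end

# Constructed test certificate: self-signed CA when issuer is nil, else a leaf.
def make_cert(cn, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  bc = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', bc, true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Verify a leaf while the CA's CRL has last_update = now + offset seconds.
def verify_with_crl(offset, lenient:)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed CA', ca_key)
  leaf = make_cert('constructed-agent', OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = ca.subject
  crl.last_update = Time.now + offset
  crl.next_update = Time.now + 86_400
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  # OpenSSL calls this for certs and for CRL errors; it must return true/false.
  store.verify_callback = proc do |ok, ctx|
    ok || (lenient && tolerable_crl_skew?(ctx))
  end
  store.verify(leaf)
end
```

A CRL dated two minutes ahead passes only with `lenient: true`; one dated ten minutes ahead is rejected either way, so the tolerance does not turn into a general bypass of CRL validity checks.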
|
|
Previous commit blacklisted a small set of settings from having
$environment interpolated. After some discussion, we decided to broaden
this to a whitelist, and the only setting we can currently think of
needing $environment interpolation when using directory environments is
config_version.
We also decided to not halt startup for default_manifest with
$environment in it, as these errors are difficult to read with the
current error reporting from a rack master. So the validation for
default_manifest is removed.
|
|
Prior to this commit we were trying to use Pathname.realpath to find where a
symlink points to. This throws a file not found when the symlink doesn't point
at anything valid in the filesystem.
This commit fixes that problem by only using File.readlink and not attempting
to find the symlinked file relative to the module unpacking directory.
|
|
* pr/3054:
    (maint) Cleanup test to be more readable
    (PUP-3174) Make settings catalog skip manifestdir if environmentpath
Closes GH-3054
|
|
Previously, we assumed that verify_callback was only called once for each
cert in the chain, with preverify_ok set to true or false depending on
whether the cert is verified.
However, openssl can invoke the verify_callback for a number of other
reasons, e.g. CRL not yet valid. In that case, the error is not with
the current_cert, but with the current_crl.
This commit moves the logic for appending the current_cert to the
@peer_certs array only in the case that preverify_ok is true. This does not
cause problems, because we only looked at @peer_certs array if every
cert in the chain was successfully verified.
This commit makes it easier to handle other types of verify errors.
|
|
Previously, our verify callback stated that it received an SSLContext
parameter, but that is not correct. While there are SSLContext classes
in ruby, the actual object passed is of type StoreContext.
    (rdb:1) store_context.class
    OpenSSL::X509::StoreContext
|
|
There are a few settings for which interpolation of $environment does
not make sense when using directory environments.
* default_manifest -> defines either the relative path to manifests
within a directory environment, or an absolute path to manifests to be
used by all directory environments. It is currently a configuration
error to set $environment within default_manifest.
* basemodulepath -> conceptually, this is intended for supplemental
modules required for all environments, and should not vary by
environment.
* environmentpath -> this is the base path defining what directory
environments can be found. Interpolating $environment within it makes no
sense.
Additionally, both environmentpath and basemodulepath are required by
the environment loaders during initialization. They will interpolate
relative to a specified environment if you interrogate config, but in a
running master instance, will have interpolated to the default
environment regardless of the current environment being processed for a
catalog, for instance.
A last case, irregardless of type of environment, is the pathological
case of attempting to interpolate $environment within environment.
This, unsurprisingly, causes a stack overflow.
This patch adjusts the Puppet::Settings interpolation code so that
$environment is not interpolated within any of these four settings when
using directory environments (so, when the environmentpath has been
set).* So assuming a confdir=/etc/puppet,
basemodulepath=$confdir/modules/$environment will be interpolated as
'/etc/puppet/modules/$environment' and a warning will be logged.
*Currently setting $environment in default_manifest will error out
when puppet loads as a setting validation error, and this behavior will
never be reached.
|
|
Override the Ruby 2.x default of setting accept-encoding to gzip when puppet http_compression is set to false.
|
|
The loaders previously assumed that any installation of puppet would be
under a directory called lib. This holds true when running puppet from
source (during development), or in some package cases, but is not
generally true. This simplifying assumption was made so that the loading
path for both puppet system extensions (built in functions) and module
extensions could be loaded in the same manner: find the root of the
extender and load code from `lib/puppet/...`.
This changes the loading to instead only assume that there is a `puppet`
directory and not the name of the parent. This, however, forces the
loader for modules to become specialized to only be able to find ruby
extensions, because they are in the 'lib' directory, which is how the
loader must now be configured.
|
|
|
|
The Resource handles square brackets in a resource title as
if it is a complete resource reference. This behavior is there
to support the component resource type, and whits. The implementation
however did not check if a regular type was also given.
This means that any resource with square brackets in its title either
leads to an error, or to the creation of an instance of different
type/title than what was intended.
This commit fixes this by only doing the munging of the title if the
type is nil, component or a whit.
|
|
This makes the settings catalog skip management of manifestdir if
environmentpath is set.
|
|
|
|
(docs) Revise and unify explanations of module/file references in functi...
|
|
(docs) Clarify note about ssh_authorized_keys in resources resource type
|
|
jpartlow/feature/master/pup-3069-add-defaultmanifest
Feature/master/pup 3069 add defaultmanifest
|
|
The new default_manifest integration spec is parsing actual
configuration files and uncovered that our Settings do not clear the
@configuration_file data when #unsafe_clear is called. This allows
parsed settings to leak across specs.
Specifically dropping the @configuration_file in the test helper
Settings#clear_everything_for_tests, resolves this, without changing the
behavior of the Settings#clear, and through it, the Puppet.clear
methods.
|
|
Better descriptions of default_manifest and
disable_per_environment_manifest courtesy of Nick Fagerlund.
|
|
hlindberg/PUP-3117_resource-expression-splat-rocket-alt
(PUP-3117) Complete the Resource Expression implementation
|
|
After discussion with Nick Fagerlund and Henrik Lindberg, changing
restrict_environment_manifest setting to
disable_per_environment_manifest to more clearly reflect what the
setting does.
|
|
We cache a list of deprecated settings that have been configured in the
initial parse_config, so that later initialization steps allow us to
read the :disable_warnings value, and then decide whether or not to
actually issue a particular warning.
But we weren't clearing this cache in the unsafe_clear call, which was
allowing this state to leak across specs. Once we added that cache
clear to unsafe_clear, we then had to reorder parse_config steps for
unsafe_clear, followed by record_deprecations_from_puppet_conf(data).
|
|
Henrik brought up that with the new restrict_environment_manifest
setting set true, authors of modules in a particular environment
may be surprised by a manifest they have specified in their
environment.conf not being pulled in, leading to bad behavior when a
catalog is executed. Although this is logged on the master, compilation
delivery and catalog execution is not prevented.
This commit will raise an exception on the master prior to catalog
compilation if it detects a conflict between manifest settings in the
requested environment.
|
|
Some Puppet installations do not use environment specific manifests
(particularly when an ENC is in use), however may still have global
setup required for all environments. For these installations it is
convenient to have a :default_manifest setting specified rather than
copying the manifest into every environment.
There are also installations which have a separation of roles between
users maintaining the puppet master, puppet.conf and enc, and users making
per environment module changes. In these cases some Puppet installations
prefer to restrict the use of per environment manifests.
These two use cases were handled by setting the global manifest to a
non-interpolated path while setting the global modulepath to a path
interpolated with $environment.
With these settings being deprecated, directory environment
installations did not provide a means of preserving this functionality.
This patch addresses this by providing two new settings:
* default_manifest - is now the fallback manifest path if none is
specified in a given environment's environment.conf. It defaults to the
environment root relative path './manifests' which is the same default
that was previously hardset in early version of directory environments.
* restrict_environment_manifest - if set to true, enforces that
environments cannot define their own manifest setting, and validates
that default_manifest is set to an absolute path.
It is an initialization error if default_manifest is set to a string
that has an '$environment' to be interpolated within it.
We also log an error if restrict_environment_manifest is true and the
loaded environment's environment.conf has a manifest setting that
differs from the default_manifest setting.
|
|
cprice404/bug/master/PUP-3153-guard-against-nil-when-closing-uniquefiles
(PUP-3153) Guard against nil when closing Uniquefiles
|
|
In a recent commit we introduced `Uniquefile` to use in place
of `Tempfile` for certain code paths. Because `Uniquefile` does
not automatically delete files for you, it is necessary to call
`close!` explicitly if you wish to make sure that they get
removed.
In the original commit I did this in a few places in an `ensure`
block. However, I did not guard against the possibility that
an error might occur when attempting to instantiate the `Uniquefile`
object (e.g., file permissions error), and thus the calls to `close!`
in the `ensure` blocks may result in a NilClass exception (and also
mask the real error).
This commit adds guards to ensure that we only try to call `close!`
if the `Uniquefile` object was actually instantiated.
|
|
|
|
There was a typo in the message that referenced a non existing variable.
This was undetected because there was no test to cover this.
When testing the expected behavior, it was found that the validation
was not correct as it allowed parameters to have hexadecimal names, but
not octal names. Now all numeric parameter names are disallowed (they
cannot be used or addressed anyway).
|
|
|
|
This completes the implementation of the Resource Expression.
* The LHS must now be a QualifiedName (i.e. file, notify), or
a QualifiedReference (i.e. File, Notify), or an access expression
with a left QualifiedReference (i.e. Resource[file]), or literal
'class'
* The result of the LHS must be a CatalogEntry type, and it may not
be detailed to title level.
* The * => syntax can be used to unfold a hash. It may be used
once per titled resource body. Attribute names must be unique across
the attributes set with name => expr, and those set with * => hash.
|
|
The initial commit for this ticket missed the case where
the mode value isn't explicitly specified but rather comes from
source permissions of a file resource, e.g. as happens during
pluginsync.
This change ensures that mode from a source permission is
converted to an octal string if it's a Numeric.
|
|
It's not that it's deprecated, it's that it never worked.
|
|
Now that this function works in a more useful way, we can advertise it a bit
more widely.
|
|
This fixes a problem in the grammar that made it impossible to have
more than one *=> per body.
This commit also adds a check for duplicate entries in the resulting
hash with the final set of parameter to value mapping.
|
|
|
|
Before this commit, pmtignore functionality worked, but only after
checking for symlinks, so it was impossible to ignore symlinks. This
commit allows symlinks to be ignored, too.
|
|
Docs: 3.7 deprecations and revisions
|
|
The _timestamp fact causes problems when turning on immutable facts
because it is an unsupported data type (Time) that should not leak into
the puppet language. (The system halts with an error if you try prior to
this fix.)
|
|
number
Also, link to the puppetlabs/acl module.
|
|
"URL-compliant" was an odd way to put this, so I revised the text to be less ambiguous.
|
|
|
|
|
|
Making the vendoring instructions more clear, detailing the PUPPET_README.md
suggestion.
|
|
|