bolt 2.11.0 → 2.15.0

data/lib/bolt/applicator.rb

@@ -14,14 +14,16 @@ require 'open3'
 
 module Bolt
   class Applicator
-    def initialize(inventory, executor, modulepath, plugin_dirs, pdb_client, hiera_config, max_compiles, apply_settings)
+    def initialize(inventory, executor, modulepath, plugin_dirs, project,
+                   pdb_client, hiera_config, max_compiles, apply_settings)
       # lazy-load expensive gem code
       require 'concurrent'
 
       @inventory = inventory
       @executor = executor
-      @modulepath = modulepath
+      @modulepath = modulepath || []
       @plugin_dirs = plugin_dirs
+      @project = project
       @pdb_client = pdb_client
       @hiera_config = hiera_config ? validate_hiera_config(hiera_config) : nil
       @apply_settings = apply_settings || {}
@@ -104,6 +106,16 @@ module Bolt
       out, err, stat = Open3.capture3('ruby', bolt_catalog_exe, 'compile', stdin_data: catalog_input.to_json)
       ENV['PATH'] = old_path
 
+      # If bolt_catalog does not return valid JSON, we should print stderr to
+      # see what happened
+      print_logs = stat.success?
+      result = begin
+                 JSON.parse(out)
+               rescue JSON::ParserError
+                 print_logs = true
+                 { 'message' => "Something's gone terribly wrong! STDERR is logged." }
+               end
+
       # Any messages logged by Puppet will be on stderr as JSON hashes, so we
       # parse those and store them here. Any message on stderr that is not
       # properly JSON formatted is assumed to be an error message.  If
@@ -117,17 +129,15 @@ module Bolt
         { 'level' => 'err', 'message' => line }
       end
 
-      result = JSON.parse(out)
-      if stat.success?
+      if print_logs
         logs.each do |log|
           bolt_level = Bolt::Util::PuppetLogLevel::MAPPING[log['level'].to_sym]
           message = log['message'].chomp
           @logger.send(bolt_level, "#{target.name}: #{message}")
         end
-        result
-      else
-        raise ApplyError.new(target.name, result['message'])
       end
+      raise ApplyError.new(target.name, result['message']) unless stat.success?
+      result
     end
 
     def validate_hiera_config(hiera_config)
@@ -144,6 +154,7 @@ module Bolt
 
     def apply(args, apply_body, scope)
       raise(ArgumentError, 'apply requires a TargetSpec') if args.empty?
+      raise(ArgumentError, 'apply requires at least one statement in the apply block') if apply_body.nil?
       type0 = Puppet.lookup(:pal_script_compiler).type('TargetSpec')
       Puppet::Pal.assert_type(type0, args[0], 'apply targets')
 
@@ -188,6 +199,7 @@ module Bolt
       scope = {
         code_ast: ast,
         modulepath: @modulepath,
+        project: @project.to_h,
         pdb_config: @pdb_client.config.to_hash,
         hiera_config: @hiera_config,
         plan_vars: plan_vars,

data/lib/bolt/apply_inventory.rb

@@ -70,6 +70,10 @@ module Bolt
       @targets[target.name].features
     end
 
+    def resource(target, type, title)
+      @targets[target.name].resource(type, title)
+    end
+
     def add_to_group(*_params)
       raise InvalidFunctionCall, 'add_to_group'
     end

data/lib/bolt/apply_target.rb

@@ -62,6 +62,10 @@ module Bolt
       @safe_name
     end
 
+    def resource(type, title)
+      resources[Bolt::ResourceInstance.format_reference(type, title)]
+    end
+
     def parse_uri(string)
       require 'addressable/uri'
       if string.nil?

data/lib/bolt/bolt_option_parser.rb

@@ -20,7 +20,7 @@ module Bolt
     def get_help_text(subcommand, action = nil)
       case subcommand
       when 'apply'
-        { flags: ACTION_OPTS + %w[noop execute compile-concurrency],
+        { flags: ACTION_OPTS + %w[noop execute compile-concurrency hiera-config],
           banner: APPLY_HELP }
       when 'command'
         case action
@@ -172,13 +172,14 @@ module Bolt
           apply
 
       USAGE
-          bolt apply <manifest.pp> [options]
+          bolt apply [manifest.pp] [options]
 
       DESCRIPTION
           Apply Puppet manifest code on the specified targets.
 
       EXAMPLES
-          bolt apply manifest.pp --targets target1,target2
+          bolt apply manifest.pp -t target
+          bolt apply -e "file { '/etc/puppetlabs': ensure => present }" -t target
     HELP
 
     COMMAND_HELP = <<~HELP

data/lib/bolt/catalog.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
+require 'bolt/apply_inventory'
 require 'bolt/apply_target'
 require 'bolt/config'
 require 'bolt/error'
 require 'bolt/inventory'
-require 'bolt/apply_inventory'
 require 'bolt/pal'
 require 'bolt/puppetdb'
 require 'bolt/util'
@@ -19,7 +19,7 @@ module Bolt
       @log_level = log_level
     end
 
-    def with_puppet_settings(hiera_config = {})
+    def with_puppet_settings(overrides = {})
       Dir.mktmpdir('bolt') do |dir|
         cli = []
         Puppet::Settings::REQUIRED_APP_SETTINGS.each do |setting|
@@ -31,7 +31,9 @@ module Bolt
         Puppet.settings.override_default(:vendormoduledir, '')
 
         Puppet.initialize_settings(cli)
-        Puppet.settings[:hiera_config] = hiera_config
+        overrides.each do |setting, value|
+          Puppet.settings[setting] = value
+        end
 
         # Use a special logdest that serializes all log messages and their level to stderr.
         Puppet::Util::Log.newdestination(:stderr)
@@ -54,80 +56,51 @@ module Bolt
     end
 
     def compile_catalog(request)
-      pal_main = request['code_ast'] || request['code_string']
-      target = request['target']
       pdb_client = Bolt::PuppetDB::Client.new(Bolt::PuppetDB::Config.new(request['pdb_config']))
-      options = request['puppet_config'] || {}
-      with_puppet_settings(request['hiera_config']) do
-        Puppet[:rich_data] = true
-        Puppet[:node_name_value] = target['name']
-        env_conf = { modulepath: request['modulepath'] || [],
-                     facts: target['facts'] || {} }
-        env_conf[:variables] = {}
+      project = request['project'] || {}
+      bolt_project = Struct.new(:name, :path).new(project['name'], project['path']) unless project.empty?
+      inv = Bolt::ApplyInventory.new(request['config'])
+      puppet_overrides = {
+        bolt_pdb_client: pdb_client,
+        bolt_inventory: inv,
+        bolt_project: bolt_project
+      }
+
+      # Facts will be set by the catalog compiler, so we need to ensure
+      # that any plan or target variables with the same name are not
+      # passed into the apply block to avoid a redefinition error.
+      # Filter out plan and target vars separately and raise a Puppet
+      # warning if there are any collisions for either. Puppet warning
+      # is the only way to log a message that will make it back to Bolt
+      # to be printed.
+      target = request['target']
+      plan_vars = shadow_vars('plan', request['plan_vars'], target['facts'])
+      target_vars = shadow_vars('target', target['variables'], target['facts'])
+      topscope_vars = target_vars.merge(plan_vars)
+      env_conf = { modulepath: request['modulepath'],
+                   facts: target['facts'],
+                   variables: topscope_vars }
+
+      puppet_settings = {
+        node_name_value: target['name'],
+        hiera_config: request['hiera_config']
+      }
+
+      with_puppet_settings(puppet_settings) do
         Puppet::Pal.in_tmp_environment('bolt_catalog', env_conf) do |pal|
-          inv = Bolt::ApplyInventory.new(request['config'])
-          Puppet.override(bolt_pdb_client: pdb_client,
-                          bolt_inventory: inv) do
+          Puppet.override(puppet_overrides) do
             Puppet.lookup(:pal_current_node).trusted_data = target['trusted']
             pal.with_catalog_compiler do |compiler|
-              # Deserializing needs to happen inside the catalog compiler so
-              # loaders are initialized for loading
-              plan_vars = Puppet::Pops::Serialization::FromDataConverter.convert(request['plan_vars'])
-
-              # Facts will be set by the catalog compiler, so we need to ensure
-              # that any plan or target variables with the same name are not
-              # passed into the apply block to avoid a redefinition error.
-              # Filter out plan and target vars separately and raise a Puppet
-              # warning if there are any collisions for either. Puppet warning
-              # is the only way to log a message that will make it back to Bolt
-              # to be printed.
-              pv_collisions, pv_filtered = plan_vars.partition do |k, _|
-                target['facts'].keys.include?(k)
-              end.map(&:to_h)
-              unless pv_collisions.empty?
-                print_pv = pv_collisions.keys.map { |k| "$#{k}" }.join(', ')
-                plural = pv_collisions.keys.length == 1 ? '' : 's'
-                Puppet.warning("Plan variable#{plural} #{print_pv} will be overridden by fact#{plural} " \
-                               "of the same name in the apply block")
-              end
-
-              tv_collisions, tv_filtered = target['variables'].partition do |k, _|
-                target['facts'].keys.include?(k)
-              end.map(&:to_h)
-              unless tv_collisions.empty?
-                print_tv = tv_collisions.keys.map { |k| "$#{k}" }.join(', ')
-                plural = tv_collisions.keys.length == 1 ? '' : 's'
-                Puppet.warning("Target variable#{plural} #{print_tv} " \
-                               "will be overridden by fact#{plural} of the same name in the apply block")
-              end
-
-              pal.send(:add_variables, compiler.send(:topscope), tv_filtered.merge(pv_filtered))
-
+              options = request['puppet_config'] || {}
               # Configure language strictness in the CatalogCompiler. We want Bolt to be able
               # to compile most Puppet 4+ manifests, so we default to allowing deprecated functions.
               Puppet[:strict] = options['strict'] || :warning
               Puppet[:strict_variables] = options['strict_variables'] || false
-              ast = Puppet::Pops::Serialization::FromDataConverter.convert(pal_main)
-              # This will be a Program when running via `bolt apply`, but will
-              # only be a subset of the AST when compiling an apply block in a
-              # plan. In that case, we need to discover the definitions (which
-              # would ordinarily be stored on the Program) and construct a Program object.
-              unless ast.is_a?(Puppet::Pops::Model::Program)
-                # Node definitions must be at the top level of the apply block.
-                # That means the apply body either a) consists of just a
-                # NodeDefinition, b) consists of a BlockExpression which may
-                # contain NodeDefinitions, or c) doesn't contain NodeDefinitions.
-                definitions = if ast.is_a?(Puppet::Pops::Model::BlockExpression)
-                                ast.statements.select { |st| st.is_a?(Puppet::Pops::Model::NodeDefinition) }
-                              elsif ast.is_a?(Puppet::Pops::Model::NodeDefinition)
-                                [ast]
-                              else
-                                []
-                              end
-                ast = Puppet::Pops::Model::Factory.PROGRAM(ast, definitions, ast.locator).model
-              end
+
+              pal_main = request['code_ast'] || request['code_string']
+              ast = build_program(pal_main)
               compiler.evaluate(ast)
-              compiler.instance_variable_get(:@internal_compiler).send(:evaluate_ast_node)
+              compiler.evaluate_ast_node
               compiler.compile_additions
               compiler.with_json_encoding(&:encode)
             end
@@ -135,5 +108,45 @@ module Bolt
         end
       end
     end
+
+    # Warn and remove variables that will be shadowed by facts of the same
+    # name, which are set in scope earlier.
+    def shadow_vars(type, vars, facts)
+      collisions, valid = vars.partition do |k, _|
+        facts.include?(k)
+      end
+      if collisions.any?
+        names = collisions.map { |k, _| "$#{k}" }.join(', ')
+        plural = collisions.length == 1 ? '' : 's'
+        Puppet.warning("#{type.capitalize} variable#{plural} #{names} will be overridden by fact#{plural} " \
+                       "of the same name in the apply block")
+      end
+      valid.to_h
+    end
+
+    def build_program(code)
+      ast = Puppet::Pops::Serialization::FromDataConverter.convert(code)
+
+      # This will be a Program when running via `bolt apply`, but will
+      # only be a subset of the AST when compiling an apply block in a
+      # plan. In that case, we need to discover the definitions (which
+      # would ordinarily be stored on the Program) and construct a Program object.
+      if ast.is_a?(Puppet::Pops::Model::Program)
+        ast
+      else
+        # Node definitions must be at the top level of the apply block.
+        # That means the apply body either a) consists of just a
+        # NodeDefinition, b) consists of a BlockExpression which may
+        # contain NodeDefinitions, or c) doesn't contain NodeDefinitions.
+        definitions = if ast.is_a?(Puppet::Pops::Model::BlockExpression)
+                        ast.statements.select { |st| st.is_a?(Puppet::Pops::Model::NodeDefinition) }
+                      elsif ast.is_a?(Puppet::Pops::Model::NodeDefinition)
+                        [ast]
+                      else
+                        []
+                      end
+        Puppet::Pops::Model::Factory.PROGRAM(ast, definitions, ast.locator).model
+      end
+    end
   end
 end

data/lib/bolt/cli.rb

@@ -115,7 +115,7 @@ module Bolt
                   Bolt::Config.from_file(options[:configfile], options)
                 else
                   project = if options[:boltdir]
-                              Bolt::Project.new(options[:boltdir])
+                              Bolt::Project.create_project(options[:boltdir])
                             else
                               Bolt::Project.find_boltdir(Dir.pwd)
                             end
@@ -392,7 +392,7 @@ module Bolt
         end
         code = apply_manifest(options[:code], options[:targets], options[:object], options[:noop])
       else
-        executor = Bolt::Executor.new(config.concurrency, analytics, options[:noop])
+        executor = Bolt::Executor.new(config.concurrency, analytics, options[:noop], config.modified_concurrency)
         targets = options[:targets]
 
         results = nil
@@ -512,7 +512,7 @@ module Bolt
                        params: plan_arguments }
       plan_context[:description] = options[:description] if options[:description]
 
-      executor = Bolt::Executor.new(config.concurrency, analytics, options[:noop])
+      executor = Bolt::Executor.new(config.concurrency, analytics, options[:noop], config.modified_concurrency)
       if options.fetch(:format, 'human') == 'human'
         executor.subscribe(outputter)
       else
@@ -537,7 +537,18 @@ module Bolt
       Puppet[:tasks] = false
       ast = pal.parse_manifest(code, filename)
 
-      executor = Bolt::Executor.new(config.concurrency, analytics, noop)
+      if defined?(ast.body) &&
+         (ast.body.is_a?(Puppet::Pops::Model::HostClassDefinition) ||
+         ast.body.is_a?(Puppet::Pops::Model::ResourceTypeDefinition))
+        message = "Manifest only contains definitions and will result in no changes on the targets. "\
+                  "Definitions must be declared for their resources to be applied. You can read more "\
+                  "about defining and declaring classes and types in the Puppet documentation at "\
+                  "https://puppet.com/docs/puppet/latest/lang_classes.html and "\
+                  "https://puppet.com/docs/puppet/latest/lang_defined_types.html"
+        @logger.warn(message)
+      end
+
+      executor = Bolt::Executor.new(config.concurrency, analytics, noop, config.modified_concurrency)
       executor.subscribe(outputter) if options.fetch(:format, 'human') == 'human'
       executor.subscribe(log_outputter)
       # apply logging looks like plan logging, so tell the outputter we're in a
@@ -760,7 +771,7 @@ module Bolt
     end
 
     def pal
-      project = config.project.load_as_module? ? config.project : nil
+      project = config.project.project_file? ? config.project : nil
       @pal ||= Bolt::PAL.new(config.modulepath,
                              config.hiera_config,
                              config.project.resource_types,

data/lib/bolt/config.rb

@@ -23,8 +23,13 @@ module Bolt
   end
 
   class Config
-    attr_reader :config_files, :warnings, :data, :transports, :project
+    attr_reader :config_files, :warnings, :data, :transports, :project, :modified_concurrency
 
+    BOLT_CONFIG_NAME = 'bolt.yaml'
+    BOLT_DEFAULTS_NAME = 'bolt-defaults.yaml'
+
+    # Transport config classes. Used to load default transport config which
+    # gets passed along to the inventory.
     TRANSPORT_CONFIG = {
       'ssh'    => Bolt::Config::Transport::SSH,
       'winrm'  => Bolt::Config::Transport::WinRM,
@@ -34,45 +39,84 @@ module Bolt
       'remote' => Bolt::Config::Transport::Remote
     }.freeze
 
-    # NOTE: All configuration options should have a corresponding schema property
-    #       in schemas/bolt-config.schema.json
-    OPTIONS = {
+    # Options that configure Bolt. These options are used in bolt.yaml and
+    # bolt-defaults.yaml.
+    BOLT_CONFIG = {
+      "color"               => "Whether to use colored output when printing messages to the console.",
+      "compile-concurrency" => "The maximum number of simultaneous manifest block compiles.",
+      "concurrency"         => "The number of threads to use when executing on remote targets.",
+      "format"              => "The format to use when printing results. Options are `human` and `json`.",
+      "plugin_hooks"        => "Which plugins a specific hook should use.",
+      "plugins"             => "A map of plugins and their configuration data.",
+      "puppetdb"            => "A map containing options for configuring the Bolt PuppetDB client.",
+      "puppetfile"          => "A map containing options for the `bolt puppetfile install` command.",
+      "save-rerun"          => "Whether to update `.rerun.json` in the Bolt project directory. If "\
+                               "your target names include passwords, set this value to `false` to avoid "\
+                               "writing passwords to disk."
+    }.freeze
+
+    # These options are only available to bolt-defaults.yaml.
+    DEFAULTS_CONFIG = {
+      "inventory-config" => "A map of default configuration options for the inventory. This includes options "\
+                            "for setting the default transport to use when connecting to targets, as well as "\
+                            "options for configuring the default behavior of each transport."
+    }.freeze
+
+    # Options that configure the inventory, specifically the default transport
+    # used by targets and the transports themselves. These options are used in
+    # bolt.yaml, inventory.yaml, and under the inventory-config key in
+    # bolt-defaults.yaml.
+    INVENTORY_CONFIG = {
+      "transport" => "The default transport to use when the transport for a target is not specified in the URI.",
+      "docker"    => "A map of configuration options for the docker transport.",
+      "local"     => "A map of configuration options for the local transport.",
+      "pcp"       => "A map of configuration options for the pcp transport.",
+      "remote"    => "A map of configuration options for the remote transport.",
+      "ssh"       => "A map of configuration options for the ssh transport.",
+      "winrm"     => "A map of configuration options for the winrm transport."
+    }.freeze
+
+    # Options that configure the project, such as paths to files used for a
+    # specific project. These settings are used in bolt.yaml and bolt-project.yaml.
+    PROJECT_CONFIG = {
       "apply_settings"           => "A map of Puppet settings to use when applying Puppet code",
-      "color"                    => "Whether to use colored output when printing messages to the console.",
-      "compile-concurrency"      => "The maximum number of simultaneous manifest block compiles.",
-      "concurrency"              => "The number of threads to use when executing on remote targets.",
-      "format"                   => "The format to use when printing results. Options are `human` and `json`.",
       "hiera-config"             => "The path to your Hiera config.",
       "inventoryfile"            => "The path to a structured data inventory file used to refer to groups of "\
                                     "targets on the command line and from plans.",
       "log"                      => "The configuration of the logfile output. Configuration can be set for "\
                                     "`console` and the path to a log file, such as `~/.puppetlabs/bolt/debug.log`.",
-      "modulepath"               => "The module path for loading tasks and plan code. This is either an array "\
-                                    "of directories or a string containing a list of directories separated by the "\
-                                    "OS-specific PATH separator.",
-      "plugin_hooks"             => "Which plugins a specific hook should use.",
-      "plugins"                  => "A map of plugins and their configuration data.",
-      "puppetdb"                 => "A map containing options for configuring the Bolt PuppetDB client.",
-      "puppetfile"               => "A map containing options for the `bolt puppetfile install` command.",
-      "save-rerun"               => "Whether to update `.rerun.json` in the Bolt project directory. If "\
-                                    "your target names include passwords, set this value to `false` to avoid "\
-                                    "writing passwords to disk.",
-      "transport"                => "The default transport to use when the transport for a target is not "\
-                                    "specified in the URL or inventory.",
+      "modulepath"               => "An array of directories that Bolt loads content (e.g. plans and tasks) from.",
       "trusted-external-command" => "The path to an executable on the Bolt controller that can produce "\
                                     "external trusted facts. **External trusted facts are experimental in both "\
                                     "Puppet and Bolt and this API may change or be removed.**"
     }.freeze
 
+    # A combined map of all configuration options that can be set in this class.
+    # Includes all options except 'inventory-config', which is munged when loading
+    # a bolt-defaults.yaml file.
+    OPTIONS = BOLT_CONFIG.merge(INVENTORY_CONFIG).merge(PROJECT_CONFIG).freeze
+
+    # Default values for select options. These do not set the default values in Bolt
+    # and are only used for documentation.
     DEFAULT_OPTIONS = {
-      "color" => true,
+      "color"               => true,
       "compile-concurrency" => "Number of cores",
-      "concurrency" => "100 or one-third of the ulimit, whichever is lower",
-      "format" => "human",
-      "hiera-config" => "Boltdir/hiera.yaml",
-      "inventoryfile" => "Boltdir/inventory.yaml",
-      "modulepath" => ["Boltdir/modules", "Boltdir/site-modules", "Boltdir/site"],
-      "save-rerun" => true
+      "concurrency"         => "100 or one-seventh of the ulimit, whichever is lower",
+      "format"              => "human",
+      "hiera-config"        => "Boltdir/hiera.yaml",
+      "inventoryfile"       => "Boltdir/inventory.yaml",
+      "modulepath"          => ["Boltdir/modules", "Boltdir/site-modules", "Boltdir/site"],
+      "save-rerun"          => true,
+      "transport"           => "ssh"
+    }.freeze
+
+    PUPPETDB_OPTIONS = {
+      "cacert"      => "The path to the ca certificate for PuppetDB.",
+      "cert"        => "The path to the client certificate file to use for authentication.",
+      "key"         => "The private key for the certificate.",
+      "server_urls" => "An array containing the PuppetDB host to connect to. Include the protocol `https` and "\
+                       "the port, which is usually `8081`. For example, `https://my-master.example.com:8081`.",
+      "token"       => "The path to the PE RBAC Token."
     }.freeze
 
     PUPPETFILE_OPTIONS = {
@@ -106,61 +150,154 @@ module Bolt
     DEFAULT_DEFAULT_CONCURRENCY = 100
 
     def self.default
-      new(Bolt::Project.new('.'), {})
+      new(Bolt::Project.create_project('.'), {})
     end
 
     def self.from_project(project, overrides = {})
-      data = {
-        filepath: project.config_file,
-        data: Bolt::Util.read_optional_yaml_hash(project.config_file, 'config')
-      }
+      conf = if project.project_file == project.config_file
+               project.data
+             else
+               Bolt::Util.read_optional_yaml_hash(project.config_file, 'config')
+             end
 
-      data = load_defaults.push(data).select { |config| config[:data]&.any? }
+      data = load_defaults(project).push(
+        filepath: project.config_file,
+        data: conf,
+        warnings: []
+      )
 
       new(project, data, overrides)
     end
 
     def self.from_file(configfile, overrides = {})
-      project = Bolt::Project.new(Pathname.new(configfile).expand_path.dirname)
+      project = Bolt::Project.create_project(Pathname.new(configfile).expand_path.dirname)
 
-      data = {
+      conf = if project.project_file == project.config_file
+               project.data
+             else
+               Bolt::Util.read_yaml_hash(configfile, 'config')
+             end
+
+      data = load_defaults(project).push(
         filepath: project.config_file,
-        data: Bolt::Util.read_yaml_hash(configfile, 'config')
-      }
-      data = load_defaults.push(data).select { |config| config[:data]&.any? }
+        data: conf,
+        warnings: []
+      )
 
       new(project, data, overrides)
     end
 
-    def self.load_defaults
+    def self.system_path
       # Lazy-load expensive gem code
       require 'win32/dir' if Bolt::Util.windows?
 
-      system_path = if Bolt::Util.windows?
-                      Pathname.new(File.join(Dir::COMMON_APPDATA, 'PuppetLabs', 'bolt', 'etc', 'bolt.yaml'))
-                    else
-                      Pathname.new(File.join('/etc', 'puppetlabs', 'bolt', 'bolt.yaml'))
-                    end
-      user_path = begin
-                    Pathname.new(File.expand_path(File.join('~', '.puppetlabs', 'etc', 'bolt', 'bolt.yaml')))
-                  rescue ArgumentError
-                    nil
-                  end
-
-      confs = [{ filepath: system_path, data: Bolt::Util.read_optional_yaml_hash(system_path, 'config') }]
-      confs << { filepath: user_path, data: Bolt::Util.read_optional_yaml_hash(user_path, 'config') } if user_path
+      if Bolt::Util.windows?
+        Pathname.new(File.join(Dir::COMMON_APPDATA, 'PuppetLabs', 'bolt', 'etc'))
+      else
+        Pathname.new(File.join('/etc', 'puppetlabs', 'bolt'))
+      end
+    end
+
+    def self.user_path
+      Pathname.new(File.expand_path(File.join('~', '.puppetlabs', 'etc', 'bolt')))
+    rescue StandardError
+      nil
+    end
+
+    # Loads a 'bolt-defaults.yaml' file, which contains default configuration that applies to all
+    # projects. This file does not allow project-specific configuration such as 'hiera-config' and
+    # 'inventoryfile', and nests all default inventory configuration under an 'inventory-config' key.
+    def self.load_bolt_defaults_yaml(dir)
+      filepath = dir + BOLT_DEFAULTS_NAME
+      data     = Bolt::Util.read_yaml_hash(filepath, 'config')
+      warnings = []
+
+      # Warn if 'bolt.yaml' detected in same directory.
+      if File.exist?(bolt_yaml = dir + BOLT_CONFIG_NAME)
+        warnings.push(
+          msg: "Detected multiple configuration files: ['#{bolt_yaml}', '#{filepath}']. '#{bolt_yaml}' "\
+               "will be ignored."
+        )
+      end
+
+      # Remove project-specific config such as hiera-config, etc.
+      project_config = data.slice(*PROJECT_CONFIG.keys)
+
+      if project_config.any?
+        data.reject! { |key, _| project_config.include?(key) }
+        warnings.push(
+          msg: "Unsupported project configuration detected in '#{filepath}': #{project_config.keys}. "\
+               "Project configuration should be set in 'bolt-project.yaml'."
+        )
+      end
+
+      # Remove top-level transport config such as transport, ssh, etc.
+      transport_config = data.slice(*INVENTORY_CONFIG.keys)
+
+      if transport_config.any?
+        data.reject! { |key, _| transport_config.include?(key) }
+        warnings.push(
+          msg: "Unsupported inventory configuration detected in '#{filepath}': #{transport_config.keys}. "\
+               "Transport configuration should be set under the 'inventory-config' option or "\
+               "in 'inventory.yaml'."
+        )
+      end
+
+      # Move data under transport-config to top-level so it can be easily merged with
+      # config from other sources.
+      if data.key?('inventory-config')
+        data = data.merge(data.delete('inventory-config'))
+      end
+
+      { filepath: filepath, data: data, warnings: warnings }
+    end
+
+    # Loads a 'bolt.yaml' file, the legacy configuration file. There's no special munging needed
+    # here since Bolt::Config will just ignore any invalid keys.
+    def self.load_bolt_yaml(dir)
+      filepath = dir + BOLT_CONFIG_NAME
+      data     = Bolt::Util.read_yaml_hash(filepath, 'config')
+      warnings = [msg: "Configuration file #{filepath} is deprecated and will be removed in a future version "\
+                        "of Bolt. Use '#{dir + BOLT_DEFAULTS_NAME}' instead."]
+
+      { filepath: filepath, data: data, warnings: warnings }
+    end
+
+    def self.load_defaults(project)
+      confs = []
+
+      # Load system-level config. Prefer a 'bolt-defaults.yaml' file, but fall back to the
+      # legacy 'bolt.yaml' file. If the project-level config file is also the system-level
+      # config file, don't load it a second time.
+      if File.exist?(system_path + BOLT_DEFAULTS_NAME)
+        confs << load_bolt_defaults_yaml(system_path)
+      elsif File.exist?(system_path + BOLT_CONFIG_NAME) &&
+            (system_path + BOLT_CONFIG_NAME) != project.config_file
+        confs << load_bolt_yaml(system_path)
+      end
+
+      # Load user-level config if there is a homedir. Prefer a 'bolt-defaults.yaml' file, but
+      # fall back to the legacy 'bolt.yaml' file.
+      if user_path
+        if File.exist?(user_path + BOLT_DEFAULTS_NAME)
+          confs << load_bolt_defaults_yaml(user_path)
+        elsif File.exist?(user_path + BOLT_CONFIG_NAME)
+          confs << load_bolt_yaml(user_path)
+        end
+      end
+
       confs
     end
 
     def initialize(project, config_data, overrides = {})
       unless config_data.is_a?(Array)
-        config_data = [{ filepath: project.config_file, data: config_data }]
+        config_data = [{ filepath: project.config_file, data: config_data, warnings: [] }]
       end
 
-      @logger = Logging.logger[self]
-      @warnings = []
-      @project = project
-      @transports = {}
+      @logger       = Logging.logger[self]
+      @project      = project
+      @warnings     = @project.warnings.dup
+      @transports   = {}
       @config_files = []
 
       default_data = {
@@ -178,24 +315,22 @@ module Bolt
         'transport'           => 'ssh'
       }
 
-      loaded_data = config_data.map do |config|
-        @config_files.push(config[:filepath])
-        config[:data]
+      loaded_data = config_data.each_with_object([]) do |data, acc|
+        @warnings.concat(data[:warnings]) if data[:warnings].any?
+
+        if data[:data].any?
+          @config_files.push(data[:filepath])
+          acc.push(data[:data])
+        end
       end
 
       override_data = normalize_overrides(overrides)
 
       # If we need to lower concurrency and concurrency is not configured
       ld_concurrency = loaded_data.map(&:keys).flatten.include?('concurrency')
-      if default_concurrency != DEFAULT_DEFAULT_CONCURRENCY &&
-         !ld_concurrency &&
-         !override_data.key?('concurrency')
-        concurrency_warning = { option: 'concurrency',
-                                msg: "Concurrency will default to #{default_concurrency} because ulimit "\
-                                "is low: #{Etc.sysconf(Etc::SC_OPEN_MAX)}. Set concurrency with "\
-                                "'--concurrency', or set your ulimit with 'ulimit -n <limit>'" }
-        @warnings << concurrency_warning
-      end
+      @modified_concurrency = default_concurrency != DEFAULT_DEFAULT_CONCURRENCY &&
+                              !ld_concurrency &&
+                              !override_data.key?('concurrency')
 
       @data = merge_config_layers(default_data, *loaded_data, override_data)
 
@@ -351,7 +486,7 @@ module Bolt
         raise Bolt::ValidationError, "Compilation is CPU-intensive, set concurrency less than #{compile_limit}"
       end
 
-      unless %w[human json].include? format
+      if (format == 'rainbow' && Bolt::Util.windows?) || !(%w[human json rainbow].include? format)
         raise Bolt::ValidationError, "Unsupported format: '#{format}'"
       end
 
@@ -473,12 +608,18 @@ module Bolt
       end.join
     end
 
+    # Etc::SC_OPEN_MAX is meaningless on windows, not defined in PE Jruby and not available
+    # on some platforms. This method holds the logic to decide whether or not to even consider it.
+    def sc_open_max_available?
+      !Bolt::Util.windows? && defined?(Etc::SC_OPEN_MAX) && Etc.sysconf(Etc::SC_OPEN_MAX)
+    end
+
     def default_concurrency
-      if Bolt::Util.windows? || Etc.sysconf(Etc::SC_OPEN_MAX) >= 300 || Etc.sysconf(Etc::SC_OPEN_MAX).nil?
-        DEFAULT_DEFAULT_CONCURRENCY
-      else
-        (Etc.sysconf(Etc::SC_OPEN_MAX) / 3).floor
-      end
+      @default_concurrency ||= if !sc_open_max_available? || Etc.sysconf(Etc::SC_OPEN_MAX) >= 300
+                                 DEFAULT_DEFAULT_CONCURRENCY
+                               else
+                                 Etc.sysconf(Etc::SC_OPEN_MAX) / 7
+                               end
     end
   end
 end