puppet 2.6.4 → 2.6.5

data/lib/puppet/transaction/resource_harness.rb

@@ -7,92 +7,138 @@ class Puppet::Transaction::ResourceHarness
   attr_reader :transaction
 
   def allow_changes?(resource)
-    return true unless resource.purging? and resource.deleting?
-    return true unless deps = relationship_graph.dependents(resource) and ! deps.empty? and deps.detect { |d| ! d.deleting? }
-
-    deplabel = deps.collect { |r| r.ref }.join(",")
-    plurality = deps.length > 1 ? "":"s"
-    resource.warning "#{deplabel} still depend#{plurality} on me -- not purging"
-    false
-  end
-
-  def apply_changes(status, changes)
-    changes.each do |change|
-      status << change.apply
-
-      cache(change.property.resource, change.property.name, change.is) if change.auditing?
+    if resource.purging? and resource.deleting? and deps = relationship_graph.dependents(resource) \
+            and ! deps.empty? and deps.detect { |d| ! d.deleting? }
+      deplabel = deps.collect { |r| r.ref }.join(",")
+      plurality = deps.length > 1 ? "":"s"
+      resource.warning "#{deplabel} still depend#{plurality} on me -- not purging"
+      false
+    else
+      true
     end
-    status.changed = true
   end
 
-  # Used mostly for scheduling at this point.
+  # Used mostly for scheduling and auditing at this point.
   def cached(resource, name)
     Puppet::Util::Storage.cache(resource)[name]
   end
 
-  # Used mostly for scheduling at this point.
+  # Used mostly for scheduling and auditing at this point.
   def cache(resource, name, value)
     Puppet::Util::Storage.cache(resource)[name] = value
   end
 
-  def changes_to_perform(status, resource)
+  def perform_changes(resource)
     current = resource.retrieve_resource
 
     cache resource, :checked, Time.now
 
     return [] if ! allow_changes?(resource)
 
-    audited = copy_audited_parameters(resource, current)
-
-    if param = resource.parameter(:ensure)
-      return [] if absent_and_not_being_created?(current, param)
-      return [Puppet::Transaction::Change.new(param, current[:ensure])] unless ensure_is_insync?(current, param)
-      return [] if ensure_should_be_absent?(current, param)
+    current_values = current.to_hash
+    historical_values = Puppet::Util::Storage.cache(resource).dup
+    desired_values = {}
+    resource.properties.each do |property|
+      desired_values[property.name] = property.should
     end
+    audited_params = (resource[:audit] || []).map { |p| p.to_sym }
+    synced_params = []
 
-    resource.properties.reject { |p| p.name == :ensure }.reject do |param|
-      param.should.nil?
-    end.reject do |param|
-      param_is_insync?(current, param)
-    end.collect do |param|
-      change = Puppet::Transaction::Change.new(param, current[param.name])
-      change.auditing = true if audited.include?(param.name)
-      change
+    # Record the current state in state.yml.
+    audited_params.each do |param|
+      cache(resource, param, current_values[param])
     end
-  end
 
-  def copy_audited_parameters(resource, current)
-    return [] unless audit = resource[:audit]
-    audit = Array(audit).collect { |p| p.to_sym }
-    audited = []
-    audit.find_all do |param|
-      next if resource[param]
+    # Update the machine state & create logs/events
+    events = []
+    ensure_param = resource.parameter(:ensure)
+    if desired_values[:ensure] && !ensure_param.safe_insync?(current_values[:ensure])
+      events << apply_parameter(ensure_param, current_values[:ensure], audited_params.include?(:ensure), historical_values[:ensure])
+      synced_params << :ensure
+    elsif current_values[:ensure] != :absent
+      work_order = resource.properties # Note: only the resource knows what order to apply changes in
+      work_order.each do |param|
+        if desired_values[param.name] && !param.safe_insync?(current_values[param.name])
+          events << apply_parameter(param, current_values[param.name], audited_params.include?(param.name), historical_values[param.name])
+          synced_params << param.name
+        end
+      end
+    end
 
-      if value = cached(resource, param)
-        resource[param] = value
-        audited << param
+    # Add more events to capture audit results
+    audited_params.each do |param_name|
+      if historical_values.include?(param_name)
+        if historical_values[param_name] != current_values[param_name] && !synced_params.include?(param_name)
+          event = create_change_event(resource.parameter(param_name), current_values[param_name], true, historical_values[param_name])
+          event.send_log
+          events << event
+        end
       else
-        resource.debug "Storing newly-audited value #{current[param]} for #{param}"
-        cache(resource, param, current[param])
+        resource.property(param_name).notice "audit change: newly-recorded value #{current_values[param_name]}"
+      end
+    end
+
+    events
+  end
+
+  def create_change_event(property, current_value, do_audit, historical_value)
+    event = property.event
+    event.previous_value = current_value
+    event.desired_value = property.should
+    event.historical_value = historical_value
+
+    if do_audit
+      event.audited = true
+      event.status = "audit"
+      if historical_value != current_value
+        event.message = "audit change: previously recorded value #{property.is_to_s(historical_value)} has been changed to #{property.is_to_s(current_value)}"
       end
     end
 
-    audited
+    event
+  end
+
+  def apply_parameter(property, current_value, do_audit, historical_value)
+    event = create_change_event(property, current_value, do_audit, historical_value)
+
+    if do_audit && historical_value && historical_value != current_value
+      brief_audit_message = " (previously recorded value was #{property.is_to_s(historical_value)})"
+    else
+      brief_audit_message = ""
+    end
+
+    if property.noop
+      event.message = "current_value #{property.is_to_s(current_value)}, should be #{property.should_to_s(property.should)} (noop)#{brief_audit_message}"
+      event.status = "noop"
+    else
+      property.sync
+      event.message = [ property.change_to_s(current_value, property.should), brief_audit_message ].join
+      event.status = "success"
+    end
+    event
+  rescue => detail
+    puts detail.backtrace if Puppet[:trace]
+    event.status = "failure"
+
+    event.message = "change from #{property.is_to_s(current_value)} to #{property.should_to_s(property.should)} failed: #{detail}"
+    event
+  ensure
+    event.send_log
   end
 
   def evaluate(resource)
     start = Time.now
     status = Puppet::Resource::Status.new(resource)
 
-    if changes = changes_to_perform(status, resource) and ! changes.empty?
-      status.out_of_sync = true
-      status.change_count = changes.length
-      apply_changes(status, changes)
-      if ! resource.noop?
-        cache(resource, :synced, Time.now)
-        resource.flush if resource.respond_to?(:flush)
-      end
+    perform_changes(resource).each do |event|
+      status << event
+    end
+
+    if status.changed? && ! resource.noop?
+      cache(resource, :synced, Time.now)
+      resource.flush if resource.respond_to?(:flush)
     end
+
     return status
   rescue => detail
     resource.fail "Could not create resource status: #{detail}" unless status
@@ -129,22 +175,4 @@ class Puppet::Transaction::ResourceHarness
     return nil unless name = resource[:schedule]
     resource.catalog.resource(:schedule, name) || resource.fail("Could not find schedule #{name}")
   end
-
-  private
-
-  def absent_and_not_being_created?(current, param)
-    current[:ensure] == :absent and param.should.nil?
-  end
-
-  def ensure_is_insync?(current, param)
-    param.insync?(current[:ensure])
-  end
-
-  def ensure_should_be_absent?(current, param)
-    param.should == :absent
-  end
-
-  def param_is_insync?(current, param)
-    param.insync?(current[param.name])
-  end
 end

data/lib/puppet/type.rb

@@ -446,7 +446,7 @@ class Type
   # Create a transaction event.  Called by Transaction or by
   # a property.
   def event(options = {})
-    Puppet::Transaction::Event.new({:resource => self, :file => file, :line => line, :tags => tags, :version => version}.merge(options))
+    Puppet::Transaction::Event.new({:resource => self, :file => file, :line => line, :tags => tags}.merge(options))
   end
 
   # Let the catalog determine whether a given cached value is
@@ -648,7 +648,7 @@ class Type
           "The is value is not in the is array for '#{property.name}'"
       end
       ensureis = is[property]
-      if property.insync?(ensureis) and property.should == :absent
+      if property.safe_insync?(ensureis) and property.should == :absent
         return true
       end
     end
@@ -660,7 +660,7 @@ class Type
       end
 
       propis = is[property]
-      unless property.insync?(propis)
+      unless property.safe_insync?(propis)
         property.debug("Not in sync: #{propis.inspect} vs #{property.should.inspect}")
         insync = false
       #else
@@ -957,12 +957,25 @@ class Type
   end
 
   newmetaparam(:audit) do
-    desc "Audit specified attributes of resources over time, and report if any have changed.
-      This attribute can be used to track changes to any resource over time, and can
-      provide an audit trail of every change that happens on any given machine.
-
-      Note that you cannot both audit and manage an attribute - managing it guarantees
-      the value, and any changes already get logged."
+    desc "Marks a subset of this resource's unmanaged attributes for auditing. Accepts an
+      attribute name or a list of attribute names.
+
+      Auditing a resource attribute has two effects: First, whenever a catalog
+      is applied with puppet apply or puppet agent, Puppet will check whether
+      that attribute of the resource has been modified, comparing its current
+      value to the previous run; any change will be logged alongside any actions
+      performed by Puppet while applying the catalog.
+
+      Secondly, marking a resource attribute for auditing will include that
+      attribute in inspection reports generated by puppet inspect; see the
+      puppet inspect documentation for more details.
+
+      Managed attributes for a resource can also be audited, but note that
+      changes made by Puppet will be logged as additional modifications. (I.e.
+      if a user manually edits a file whose contents are audited and managed,
+      puppet agent's next two runs will both log an audit notice: the first run
+      will log the user's edit and then revert the file to the desired state,
+      and the second run will log the edit made by Puppet.)"
 
     validate do |list|
       list = Array(list).collect {|p| p.to_sym}

data/lib/puppet/type/cron.rb

@@ -54,11 +54,7 @@ Puppet::Type.newtype(:cron) do
     # We have to override the parent method, because we consume the entire
     # "should" array
     def insync?(is)
-      if @should
-        self.is_to_s(is) == self.should_to_s
-      else
-        true
-      end
+      self.is_to_s(is) == self.should_to_s
     end
 
     # A method used to do parameter input handling.  Converts integers

data/lib/puppet/type/exec.rb

@@ -9,41 +9,11 @@ module Puppet
       commands is to use the checks like `creates` to avoid running the
       command unless some condition is met.
 
-      Note also that you can restrict an `exec` to only run when it receives
+      Note that you can restrict an `exec` to only run when it receives
       events by using the `refreshonly` parameter; this is a useful way to
       have your configuration respond to events with arbitrary commands.
 
-      It is worth noting that `exec` is special, in that it is not
-      currently considered an error to have multiple `exec` instances
-      with the same name.  This was done purely because it had to be this
-      way in order to get certain functionality, but it complicates things.
-      In particular, you will not be able to use `exec` instances that
-      share their commands with other instances as a dependency, since
-      Puppet has no way of knowing which instance you mean.
-
-      For example:
-
-          # defined in the production class
-          exec { \"make\":
-            cwd => \"/prod/build/dir\",
-            path => \"/usr/bin:/usr/sbin:/bin\"
-          }
-
-          . etc. .
-
-          # defined in the test class
-          exec { \"make\":
-            cwd => \"/test/build/dir\",
-            path => \"/usr/bin:/usr/sbin:/bin\"
-          }
-
-      Any other type would throw an error, complaining that you had
-      the same instance being managed in multiple places, but these are
-      obviously different images, so `exec` had to be treated specially.
-
-      It is recommended to avoid duplicate names whenever possible.
-
-      Note that if an `exec` receives an event from another resource,
+      Note also that if an `exec` receives an event from another resource,
       it will get executed again (or execute the command specified in `refresh`, if there is one).
 
       There is a strong tendency to use `exec` to do whatever work Puppet
@@ -335,7 +305,7 @@ module Puppet
             # Pull down the main aliases file
             file { \"/etc/aliases\":
               source => \"puppet://server/module/aliases\"
-            }  
+            }
 
             # Rebuild the database, but only when the file changes
             exec { newaliases:
@@ -664,7 +634,7 @@ module Puppet
     def validatecmd(cmd)
       exe = extractexe(cmd)
       # if we're not fully qualified, require a path
-      self.fail "'#{cmd}' is both unqualifed and specified no search path" if File.expand_path(exe) != exe and self[:path].nil?
+      self.fail "'#{cmd}' is not qualified and no path was specified. Please qualify the command or specify a path." if File.expand_path(exe) != exe and self[:path].nil?
     end
 
     def extractexe(cmd)

data/lib/puppet/type/file.rb

@@ -34,7 +34,7 @@ Puppet::Type.newtype(:file) do
 
     validate do |value|
       # accept various path syntaxes: lone slash, posix, win32, unc
-      unless (Puppet.features.posix? and (value =~ /^\/$/ or value =~ /^\/[^\/]/)) or (Puppet.features.microsoft_windows? and (value =~ /^.:\// or value =~ /^\/\/[^\/]+\/[^\/]+/))
+      unless (Puppet.features.posix? and value =~ /^\//) or (Puppet.features.microsoft_windows? and (value =~ /^.:\// or value =~ /^\/\/[^\/]+\/[^\/]+/))
         fail Puppet::Error, "File paths must be fully qualified, not '#{value}'"
       end
     end
@@ -271,17 +271,24 @@ Puppet::Type.newtype(:file) do
   end
 
   CREATORS = [:content, :source, :target]
+  SOURCE_ONLY_CHECKSUMS = [:none, :ctime, :mtime]
 
   validate do
-    count = 0
+    creator_count = 0
     CREATORS.each do |param|
-      count += 1 if self.should(param)
+      creator_count += 1 if self.should(param)
     end
-    count += 1 if @parameters.include?(:source)
-    self.fail "You cannot specify more than one of #{CREATORS.collect { |p| p.to_s}.join(", ")}" if count > 1
+    creator_count += 1 if @parameters.include?(:source)
+    self.fail "You cannot specify more than one of #{CREATORS.collect { |p| p.to_s}.join(", ")}" if creator_count > 1
 
     self.fail "You cannot specify a remote recursion without a source" if !self[:source] and self[:recurse] == :remote
 
+    self.fail "You cannot specify source when using checksum 'none'" if self[:checksum] == :none && !self[:source].nil?
+
+    SOURCE_ONLY_CHECKSUMS.each do |checksum_type|
+      self.fail "You cannot specify content when using checksum '#{checksum_type}'" if self[:checksum] == checksum_type && !self[:content].nil?
+    end
+
     self.warning "Possible error: recurselimit is set but not recurse, no recursion will happen" if !self[:recurse] and self[:recurselimit]
   end
 
@@ -290,25 +297,8 @@ Puppet::Type.newtype(:file) do
     super(path.gsub(/\/+/, '/').sub(/\/$/, ''))
   end
 
-  # List files, but only one level deep.
-  def self.instances(base = "/")
-    return [] unless FileTest.directory?(base)
-
-    files = []
-    Dir.entries(base).reject { |e|
-      e == "." or e == ".."
-    }.each do |name|
-      path = File.join(base, name)
-      if obj = self[path]
-        obj[:audit] = :all
-        files << obj
-      else
-        files << self.new(
-          :name => path, :audit => :all
-        )
-      end
-    end
-    files
+  def self.instances(base = '/')
+    return self.new(:name => base, :recurse => true, :recurselimit => 1, :audit => :all).recurse_local.values
   end
 
   @depthfirst = false
@@ -718,8 +708,9 @@ Puppet::Type.newtype(:file) do
 
     mode = self.should(:mode) # might be nil
     umask = mode ? 000 : 022
+    mode_int = mode ? mode.to_i(8) : nil
 
-    content_checksum = Puppet::Util.withumask(umask) { File.open(path, 'w', mode) { |f| write_content(f) } }
+    content_checksum = Puppet::Util.withumask(umask) { File.open(path, 'w', mode_int ) { |f| write_content(f) } }
 
     # And put our new file in place
     if use_temporary_file # This is only not true when our file is empty.
@@ -778,7 +769,7 @@ Puppet::Type.newtype(:file) do
       # Make sure we get a new stat objct
       expire
       currentvalue = thing.retrieve
-      thing.sync unless thing.insync?(currentvalue)
+      thing.sync unless thing.safe_insync?(currentvalue)
     end
   end
 end
@@ -796,3 +787,5 @@ require 'puppet/type/file/group'
 require 'puppet/type/file/mode'
 require 'puppet/type/file/type'
 require 'puppet/type/file/selcontext'  # SELinux file context
+require 'puppet/type/file/ctime'
+require 'puppet/type/file/mtime'

data/lib/puppet/type/file/checksum.rb

@@ -9,7 +9,7 @@ Puppet::Type.type(:file).newparam(:checksum) do
 
     The default checksum parameter, if checksums are enabled, is md5."
 
-  newvalues "md5", "md5lite", "timestamp", "mtime", "time", "none"
+  newvalues "md5", "md5lite", "mtime", "ctime", "none"
 
   defaultto :md5
 

data/lib/puppet/type/file/content.rb

@@ -96,7 +96,6 @@ module Puppet
       end
 
       return true if ! @resource.replace?
-      return true unless self.should
 
       result = super
 
@@ -168,6 +167,8 @@ module Puppet
     def each_chunk_from(source_or_content)
       if source_or_content.is_a?(String)
         yield source_or_content
+      elsif source_or_content.nil? && resource.parameter(:ensure) && [:present, :file].include?(resource.parameter(:ensure).value)
+        yield ''
       elsif source_or_content.nil?
         yield read_file_from_filebucket
       elsif self.class.standalone?