puppet 3.1.0.rc1 → 3.1.0.rc2

data/lib/puppet/ssl/certificate_authority.rb

@@ -1,6 +1,7 @@
 require 'monitor'
 require 'puppet/ssl/host'
 require 'puppet/ssl/certificate_request'
+require 'puppet/ssl/certificate_signer'
 require 'puppet/util'
 
 # The class that knows how to sign certificates.  It creates
@@ -277,7 +278,9 @@ class Puppet::SSL::CertificateAuthority
     cert = Puppet::SSL::Certificate.new(hostname)
     cert.content = Puppet::SSL::CertificateFactory.
       build(cert_type, csr, issuer, next_serial)
-    cert.content.sign(host.key.content, OpenSSL::Digest::SHA256.new)
+
+    signer = Puppet::SSL::CertificateSigner.new
+    signer.sign(cert.content, host.key.content)
 
     Puppet.notice "Signed certificate request for #{hostname}"
 

data/lib/puppet/ssl/certificate_request.rb

@@ -1,4 +1,5 @@
 require 'puppet/ssl/base'
+require 'puppet/ssl/certificate_signer'
 
 # Manage certificate requests.
 class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
@@ -59,7 +60,8 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
       csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", extReq))
     end
 
-    csr.sign(key, OpenSSL::Digest::SHA256.new)
+    signer = Puppet::SSL::CertificateSigner.new
+    signer.sign(csr, key)
 
     raise Puppet::Error, "CSR sign verification failed; you need to clean the certificate request for #{name} on the server" unless csr.verify(key.public_key)
 

data/lib/puppet/ssl/certificate_signer.rb

@@ -0,0 +1,22 @@
+# Take care of signing a certificate in a FIPS 140-2 compliant manner.
+#
+# @see http://projects.puppetlabs.com/issues/17295
+#
+# @api private
+class Puppet::SSL::CertificateSigner
+  def initialize
+    if OpenSSL::Digest.const_defined?('SHA256')
+      @digest = OpenSSL::Digest::SHA256
+    elsif OpenSSL::Digest.const_defined?('SHA1')
+      @digest = OpenSSL::Digest::SHA1
+    else
+      raise Puppet::Error,
+        "No FIPS 140-2 compliant digest algorithm in OpenSSL::Digest"
+    end
+    @digest
+  end
+
+  def sign(content, key)
+    content.sign(key, @digest.new)
+  end
+end

data/lib/puppet/type.rb

@@ -611,11 +611,11 @@ class Type
     @name_var_cache = (key_attributes.length == 1) && key_attributes.first
   end
 
-  # Gets the 'is' (current state) value of a parameter or property by name.
-  # To explicitly get the 'is' value use `o.is(:name)`, and to get the 'should' value
+  # Gets the 'should' (wanted state) value of a parameter or property by name.
+  # To explicitly get the 'is' (current state) value use `o.is(:name)`, and to explicitly get the 'should' value
   # use `o.should(:name)`
-  # @param name [String] the name of the attribute to obtain the 'is' value for.
-  # @return [Object] current value of the given attribute
+  # @param name [String] the name of the attribute to obtain the 'should' value for.
+  # @return [Object] 'should'/wanted value of the given attribute
   def [](name)
     name = name.intern
     fail("Invalid parameter #{name}(#{name.inspect})") unless self.class.validattr?(name)

data/lib/puppet/util/methodhelper.rb

@@ -1,7 +1,5 @@
 # Where we store helper methods related to, um, methods.
 module Puppet::Util::MethodHelper
-  extend self
-
   def requiredopts(*names)
     names.each do |name|
       devfail("#{name} is a required option for #{self.class}") if self.send(name).nil?
@@ -31,21 +29,4 @@ module Puppet::Util::MethodHelper
       hash
     end
   end
-
-  ##
-  # Helper to validate options. Example:
-  #
-  #   validate_options [:arguments, :inherits], options
-  #
-  # It expects list of valid options and a hash to validate as a last
-  # argument.
-  ##
-  def validate_options(allow, options = {})
-    options.each do |k, _|
-      unless Array(allow).include? k
-        raise ArgumentError, "unrecognized option #{k}"
-      end
-    end
-  end
-
 end

data/lib/puppet/util/rubygems.rb

@@ -39,7 +39,9 @@ module Puppet::Util::RubyGems
   # @api private
   class Gems18Source < Source
     def directories
-      Gem::Specification.latest_specs.collect do |spec|
+      # `require 'mygem'` will consider and potentally load
+      # prerelease gems, so we need to match that behavior.
+      Gem::Specification.latest_specs(true).collect do |spec|
         File.join(spec.full_gem_path, 'lib')
       end
     end

data/lib/puppet/util/selinux.rb

@@ -43,13 +43,8 @@ module Puppet::Util::SELinux
     # matching.  If not, we can pass a mode of 0.
     begin
       filestat = file_lstat(file)
-    rescue Errno::EACCES, Errno::ENOENT => detail
-      warning "Could not stat; #{detail}"
-    end
-
-    if filestat
       mode = filestat.mode
-    else
+    rescue Errno::EACCES, Errno::ENOENT
       mode = 0
     end
 

data/lib/puppet/version.rb

@@ -7,7 +7,7 @@
 
 
 module Puppet
-  PUPPETVERSION = '3.1.0-rc1'
+  PUPPETVERSION = '3.1.0-rc2'
 
   ##
   # version is a public API method intended to always provide a fast and

data/man/man5/puppet.conf.5

@@ -1,8 +1,8 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "PUPPETCONF" "5" "May 2012" "Puppet Labs, LLC" "Puppet manual"
-\fBThis page is autogenerated; any changes will get overwritten\fR \fI(last generated on Thu May 17 14:19:16 \-0700 2012)\fR
+.TH "PUPPETCONF" "5" "January 2013" "Puppet Labs, LLC" "Puppet manual"
+\fBThis page is autogenerated; any changes will get overwritten\fR \fI(last generated on Tue Jan 15 12:33:09 \-0800 2013)\fR
 .
 .SH "Configuration Settings"
 .
@@ -19,6 +19,9 @@ Settings can be interpolated as \fB$variables\fR in other settings; \fB$environm
 Multiple values should be specified as comma\-separated lists; multiple directories should be separated with the system path separator (usually a colon)\.
 .
 .IP "\(bu" 4
+Settings that represent time intervals should be specified in duration format: an integer immediately followed by one of the units \'y\' (years of 365 days), \'d\' (days), \'h\' (hours), \'m\' (minutes), or \'s\' (seconds)\. The unit cannot be combined with other units, and defaults to seconds when omitted\. Examples are \'3600\' which is equivalent to \'1h\' (one hour), and \'1825d\' which is equivalent to \'5y\' (5 years)\.
+.
+.IP "\(bu" 4
 Settings that take a single file or directory can optionally set the owner, group, and mode for their value: \fBrundir = $vardir/run { owner = puppet, group = puppet, mode = 644 }\fR
 .
 .IP "\(bu" 4
@@ -29,6 +32,14 @@ The Puppet executables will ignore any setting that isn\'t relevant to their fun
 .P
 See the configuration guide \fIhttp://docs\.puppetlabs\.com/guides/configuring\.html\fR for more details\.
 .
+.SS "agent_catalog_run_lockfile"
+A lock file to indicate that a puppet agent catalog run is currently in progress\. The file contains the pid of the process that holds the lock on the catalog run\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: $statedir/agent_catalog_run\.lock
+.
+.IP "" 0
+.
 .SS "agent_disabled_lockfile"
 A lock file to indicate that puppet agent runs have been administratively disabled\. File contains a JSON object with state information\.
 .
@@ -37,16 +48,16 @@ A lock file to indicate that puppet agent runs have been administratively disabl
 .
 .IP "" 0
 .
-.SS "agent_pidfile"
-A lock file to indicate that a puppet agent run is currently in progress\. File contains the pid of the running process\.
+.SS "allow_duplicate_certs"
+Whether to allow a new certificate request to overwrite an existing certificate\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: $statedir/agent\.pid
+\fIDefault\fR: false
 .
 .IP "" 0
 .
-.SS "allow_duplicate_certs"
-Whether to allow a new certificate request to overwrite an existing certificate\.
+.SS "allow_variables_with_dashes"
+Permit hyphens (\fB\-\fR) in variable names and issue deprecation warnings about them\. This setting \fBshould always be \fBfalse\fR;\fR setting it to \fBtrue\fR will cause subtle and wide\-ranging bugs\. It will be removed in a future version\. Hyphenated variables caused major problems in the language, but were allowed between Puppet 2\.7\.3 and 2\.7\.14\. If you used them during this window, we apologize for the inconvenience \-\-\- you can temporarily set this to \fBtrue\fR in order to upgrade, and can rename your variables at your leisure\. Please revert it to \fBfalse\fR after you have renamed all affected variables\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: false
@@ -70,21 +81,13 @@ During an inspect run, whether to archive files whose contents are audited to a
 .IP "" 0
 .
 .SS "async_storeconfigs"
-Whether to use a queueing system to provide asynchronous database integration\. Requires that \fBpuppet queue\fR be running and that \'PSON\' support for ruby be installed\.
+Whether to use a queueing system to provide asynchronous database integration\. Requires that \fBpuppet queue\fR be running\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: false
 .
 .IP "" 0
 .
-.SS "authconfig"
-The configuration file that defines the rights to the different namespaces and methods\. This can be used as a coarse\-grained authorization system for both \fBpuppet agent\fR and \fBpuppet master\fR\.
-.
-.IP "\(bu" 4
-\fIDefault\fR: $confdir/namespaceauth\.conf
-.
-.IP "" 0
-.
 .SS "autoflush"
 Whether log files should always flush to disk\.
 .
@@ -102,7 +105,12 @@ Whether to enable autosign\. Valid values are true (which autosigns any key requ
 .IP "" 0
 .
 .SS "bindaddress"
-The address a listening server should bind to\. WEBrick defaults to 0\.0\.0\.0\.
+The address a listening server should bind to\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: 0\.0\.0\.0
+.
+.IP "" 0
 .
 .SS "bucketdir"
 Where FileBucket files are stored\.
@@ -120,17 +128,6 @@ Whether the master should function as a certificate authority\.
 .
 .IP "" 0
 .
-.SS "ca_days"
-How long a certificate should be valid, in days\. This setting is deprecated; use \fBca_ttl\fR instead
-.
-.SS "ca_md"
-The type of hash used in certificates\.
-.
-.IP "\(bu" 4
-\fIDefault\fR: md5
-.
-.IP "" 0
-.
 .SS "ca_name"
 The name to use the Certificate Authority certificate\.
 .
@@ -156,7 +153,7 @@ The server to use for certificate authority requests\. It\'s a separate server b
 .IP "" 0
 .
 .SS "ca_ttl"
-The default TTL for new certificates; valid values must be an integer, optionally followed by one of the units \'y\' (years of 365 days), \'d\' (days), \'h\' (hours), or \'s\' (seconds)\. The unit defaults to seconds\. If this setting is set, ca_days is ignored\. Examples are \'3600\' (one hour) and \'1825d\', which is the same as \'5y\' (5 years)
+The default TTL for new certificates\. If this setting is set, ca_days is ignored\. Can be specified as a duration\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: 5y
@@ -218,6 +215,13 @@ The CA public key\.
 \fIDefault\fR: $cadir/ca_pub\.pem
 .
 .IP "" 0
+.
+.SS "catalog_cache_terminus"
+How to store cached catalogs\. Valid values are \'json\' and \'yaml\'\. The agent application defaults to \'json\'\.
+.
+.TP
+\fIDefault\fR:
+
 .
 .SS "catalog_format"
 (Deprecated for \'preferred_serialization_format\') What format to use to dump the catalog\. Only supports \'marshal\' and \'yaml\'\. Only matters on the client, since it asks the server for a specific format\.
@@ -249,6 +253,14 @@ The certificate directory\.
 .SS "certdnsnames"
 The \fBcertdnsnames\fR setting is no longer functional, after CVE\-2011\-3872\. We ignore the value completely\. For your own certificate request you can set \fBdns_alt_names\fR in the configuration and it will apply locally\. There is no configuration option to set DNS alt names, or any other \fBsubjectAltName\fR value, for another nodes certificate\. Alternately you can use the \fB\-\-dns_alt_names\fR command line option to set the labels added while generating your own CSR\.
 .
+.SS "certificate_expire_warning"
+The window of time leading up to a certificate\'s expiration that a notification will be logged\. This applies to CA, master, and agent certificates\. Can be specified as a duration\.
+.
+.IP "\(bu" 4
+\fIDefault\fR: 60d
+.
+.IP "" 0
+.
 .SS "certificate_revocation"
 Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) to all clients\. If enabled, CA chaining will almost definitely not work\.
 .
@@ -261,7 +273,7 @@ Whether certificate revocation should be supported by downloading a Certificate
 The name to use when handling certificates\. Defaults to the fully qualified domain name\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: wyclef\.puppetlabs\.lan
+\fIDefault\fR: sirrus\.puppetlabs\.lan
 .
 .IP "" 0
 .
@@ -339,10 +351,10 @@ How to determine the configuration version\. By default, it will be the time tha
 Print the value of a specific configuration setting\. If the name of a setting is provided for this, then the value is printed and puppet exits\. Comma\-separate multiple values\. For a list of all values, specify \'all\'\.
 .
 .SS "configtimeout"
-How long the client should wait for the configuration to be retrieved before considering it a failure\. This can help reduce flapping if too many clients contact the server at one time\.
+How long the client should wait for the configuration to be retrieved before considering it a failure\. This can help reduce flapping if too many clients contact the server at one time\. Can be specified as a duration\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: 120
+\fIDefault\fR: 2m
 .
 .IP "" 0
 .
@@ -494,16 +506,8 @@ Document all resources
 .
 .IP "" 0
 .
-.SS "downcasefacts"
-Whether facts should be made all lowercase when sent to the server\.
-.
-.IP "\(bu" 4
-\fIDefault\fR: false
-.
-.IP "" 0
-.
 .SS "dynamicfacts"
-Facts that are dynamic; these facts will be ignored when deciding whether changed facts should result in a recompile\. Multiple facts should be comma\-separated\.
+(Deprecated) Facts that are dynamic; these facts will be ignored when deciding whether changed facts should result in a recompile\. Multiple facts should be comma\-separated\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: memorysize,memoryfree,swapsize,swapfree
@@ -559,10 +563,10 @@ Where the fileserver configuration is stored\.
 .IP "" 0
 .
 .SS "filetimeout"
-The minimum time to wait (in seconds) between checking for updates in configuration files\. This timeout determines how quickly Puppet checks whether a file (such as manifests or templates) has changed on disk\.
+The minimum time to wait between checking for updates in configuration files\. This timeout determines how quickly Puppet checks whether a file (such as manifests or templates) has changed on disk\. Can be specified as a duration\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: 15
+\fIDefault\fR: 15s
 .
 .IP "" 0
 .
@@ -785,14 +789,6 @@ The LDAP attributes to use to define Puppet classes\. Values should be comma\-se
 .
 .IP "" 0
 .
-.SS "ldapnodes"
-Whether to search for node configurations in LDAP\. See http://projects\.puppetlabs\.com/projects/puppet/wiki/LDAP_Nodes for more information\.
-.
-.IP "\(bu" 4
-\fIDefault\fR: false
-.
-.IP "" 0
-.
 .SS "ldapparentattr"
 The attribute to use to define the parent node\.
 .
@@ -805,7 +801,7 @@ The attribute to use to define the parent node\.
 The password to use to connect to LDAP\.
 .
 .SS "ldapport"
-The LDAP port\. Only used if \fBldapnodes\fR is enabled\.
+The LDAP port\. Only used if \fBnode_terminus\fR is set to \fBldap\fR\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: 389
@@ -813,7 +809,7 @@ The LDAP port\. Only used if \fBldapnodes\fR is enabled\.
 .IP "" 0
 .
 .SS "ldapserver"
-The LDAP server\. Only used if \fBldapnodes\fR is enabled\.
+The LDAP server\. Only used if \fBnode_terminus\fR is set to \fBldap\fR\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: ldap
@@ -855,14 +851,6 @@ Whether TLS should be used when searching for nodes\. Defaults to false because
 .SS "ldapuser"
 The user to use to connect to LDAP\. Must be specified as a full DN\.
 .
-.SS "lexical"
-Whether to use lexical scoping (vs\. dynamic)\.
-.
-.IP "\(bu" 4
-\fIDefault\fR: false
-.
-.IP "" 0
-.
 .SS "libdir"
 An extra search path for Puppet\. This is only useful for those files that Puppet will load on demand, and is only guaranteed to work for those cases\. In fact, the autoload mechanism is responsible for making sure this directory is in Ruby\'s search path
 .
@@ -970,7 +958,7 @@ Whether to create the necessary user and group that puppet agent will run as\.
 The module repository
 .
 .IP "\(bu" 4
-\fIDefault\fR: http://forge\.puppetlabs\.com
+\fIDefault\fR: https://forge\.puppetlabs\.com
 .
 .IP "" 0
 .
@@ -996,6 +984,13 @@ The name of the application, if we are running as one\. The default is essential
 .TP
 \fIDefault\fR:
 
+.
+.SS "node_cache_terminus"
+How to store cached nodes\. Valid values are (none), \'json\', \'yaml\' or write only yaml (\'write_only_yaml\')\. The master application defaults to \'write_only_yaml\', all others to none\.
+.
+.TP
+\fIDefault\fR:
+
 .
 .SS "node_name"
 How the puppet master determines the client\'s identity and sets the \'hostname\', \'fqdn\' and \'domain\' facts for use in the manifest, in particular for determining which \'node\' statement applies to the client\. Possible values are \'cert\' (use the subject\'s CN in the client\'s certificate) and \'facter\' (use the hostname that the client reported in its facts)
@@ -1057,7 +1052,7 @@ The shell search path\. Defaults to whatever is inherited from the parent proces
 .IP "" 0
 .
 .SS "pidfile"
-The pid file
+The file containing the PID of a running process\. This file is intended to be used by service management frameworks and monitoring systems to determine if a puppet process is still in the process table\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: $rundir/${run_mode}\.pid
@@ -1218,7 +1213,7 @@ The directory in which to store reports received from the client\. Each client g
 The \'from\' email address for the reports\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: report@wyclef\.puppetlabs\.lan
+\fIDefault\fR: report@sirrus\.puppetlabs\.lan
 .
 .IP "" 0
 .
@@ -1230,14 +1225,6 @@ The list of reports to generate\. All reports are looked for in \fBpuppet/report
 .
 .IP "" 0
 .
-.SS "reportserver"
-(Deprecated for \'report_server\') The server to which to send transaction reports\.
-.
-.IP "\(bu" 4
-\fIDefault\fR: $server
-.
-.IP "" 0
-.
 .SS "reporturl"
 The URL used by the http reports processor to send reports
 .
@@ -1295,19 +1282,12 @@ The directory where RRD database files are stored\. Directories for each reporti
 .IP "" 0
 .
 .SS "rrdinterval"
-How often RRD should expect data\. This should match how often the hosts report back to the server\.
+How often RRD should expect data\. This should match how often the hosts report back to the server\. Can be specified as a duration\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: $runinterval
 .
 .IP "" 0
-.
-.SS "run_mode"
-The effective \'run mode\' of the application: master, agent, or user\.
-.
-.TP
-\fIDefault\fR:
-
 .
 .SS "rundir"
 Where Puppet PID files are kept\.
@@ -1317,10 +1297,10 @@ Where Puppet PID files are kept\.
 
 .
 .SS "runinterval"
-How often puppet agent applies the client configuration; in seconds\. Note that a runinterval of 0 means "run continuously" rather than "never run\." If you want puppet agent to never run, you should start it with the \fB\-\-no\-client\fR option\.
+How often puppet agent applies the client configuration; in seconds\. Note that a runinterval of 0 means "run continuously" rather than "never run\." If you want puppet agent to never run, you should start it with the \fB\-\-no\-client\fR option\. Can be specified as a duration\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: 1800
+\fIDefault\fR: 30m
 .
 .IP "" 0
 .
@@ -1356,14 +1336,6 @@ The directory in which serialized data is stored, usually in a subdirectory\.
 .
 .IP "" 0
 .
-.SS "servertype"
-The type of server to use\. Currently supported option is webrick\.
-.
-.IP "\(bu" 4
-\fIDefault\fR: webrick
-.
-.IP "" 0
-.
 .SS "show_diff"
 Whether to log and report a contextual diff when files are being replaced\. This causes partial file contents to pass through Puppet\'s normal logging and reporting system, so this setting should be used with caution if you are sending Puppet\'s reports to an insecure destination\. This feature currently requires the \fBdiff/lcs\fR Ruby library\.
 .
@@ -1397,7 +1369,7 @@ Whether to sleep for a pseudo\-random (but consistent) amount of time before a r
 .IP "" 0
 .
 .SS "splaylimit"
-The maximum time to delay before runs\. Defaults to being the same as the run interval\.
+The maximum time to delay before runs\. Defaults to being the same as the run interval\. Can be specified as a duration\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: $runinterval
@@ -1411,6 +1383,13 @@ The domain which will be queried to find the SRV records of servers to use\.
 \fIDefault\fR: puppetlabs\.lan
 .
 .IP "" 0
+.
+.SS "ssl_client_ca_auth"
+Certificate authorities who issue server certificates\. SSL servers will not be considered authentic unless they posses a certificate issued by an authority listed in this file\. If this setting has no value then the Puppet master\'s CA certificate (localcacert) will be used\.
+.
+.TP
+\fIDefault\fR:
+
 .
 .SS "ssl_client_header"
 The header containing an authenticated client\'s SSL DN\. This header must be set by the proxy to the authenticated client\'s SSL DN (e\.g\., \fB/CN=puppet\.puppetlabs\.com\fR)\.
@@ -1427,6 +1406,13 @@ The header containing the status message of the client verification\. This heade
 \fIDefault\fR: HTTP_X_CLIENT_VERIFY
 .
 .IP "" 0
+.
+.SS "ssl_server_ca_auth"
+Certificate authorities who issue client certificates\. SSL clients will not be considered authentic unless they posses a certificate issued by an authority listed in this file\. If this setting has no value then the Puppet master\'s CA certificate (localcacert) will be used\.
+.
+.TP
+\fIDefault\fR:
+
 .
 .SS "ssldir"
 Where SSL certificates are kept\.
@@ -1512,7 +1498,7 @@ Where Puppet looks for template files\. Can be a list of colon\-separated direct
 .IP "" 0
 .
 .SS "thin_storeconfigs"
-Boolean; whether storeconfigs store in the database only the facts and exported resources\. If true, then storeconfigs performance will be higher and still allow exported/collected resources, but other usage external to Puppet might not work
+Boolean; whether Puppet should store only facts and exported resources in the storeconfigs database\. This will improve the performance of exported resources with the older \fBactive_record\fR backend, but will disable external tools that search the storeconfigs database\. Thinning catalogs is generally unnecessary when using PuppetDB to store catalogs\.
 .
 .IP "\(bu" 4
 \fIDefault\fR: false
@@ -1568,10 +1554,10 @@ Where Puppet stores dynamic and growing data\. The default for this setting is c
 .IP "" 0
 .
 .SS "waitforcert"
-The time interval, specified in seconds, \'puppet agent\' should connect to the server and ask it to sign a certificate request\. This is useful for the initial setup of a puppet client\. You can turn off waiting for certificates by specifying a time of 0\.
+The time interval \'puppet agent\' should connect to the server and ask it to sign a certificate request\. This is useful for the initial setup of a puppet client\. You can turn off waiting for certificates by specifying a time of 0\. Can be specified as a duration\.
 .
 .IP "\(bu" 4
-\fIDefault\fR: 120
+\fIDefault\fR: 2m
 .
 .IP "" 0
 .
@@ -1592,4 +1578,4 @@ Boolean; whether to use the zlib library
 .IP "" 0
 .
 .P
-\fIThis page autogenerated on Thu May 17 14:19:16 \-0700 2012\fR
+\fIThis page autogenerated on Tue Jan 15 12:33:09 \-0800 2013\fR