puppet 3.3.2 → 3.4.0.rc1

data/lib/puppet/{provider/confine → confine}/true.rb

@@ -1,6 +1,6 @@
-require 'puppet/provider/confine'
+require 'puppet/confine'
 
-class Puppet::Provider::Confine::True < Puppet::Provider::Confine
+class Puppet::Confine::True < Puppet::Confine
   def self.summarize(confines)
     confines.inject(0) { |count, confine| count + confine.summary }
   end

data/lib/puppet/{provider/confine → confine}/variable.rb

@@ -1,10 +1,10 @@
-require 'puppet/provider/confine'
+require 'puppet/confine'
 
 # Require a specific value for a variable, either a Puppet setting
 # or a Facter value.  This class is a bit weird because the name
 # is set explicitly by the ConfineCollection class -- from this class,
 # it's not obvious how the name would ever get set.
-class Puppet::Provider::Confine::Variable < Puppet::Provider::Confine
+class Puppet::Confine::Variable < Puppet::Confine
   # Provide a hash summary of failing confines -- the key of the hash
   # is the name of the confine, and the value is the missing yet required values.
   # Only returns failed values, not all required values.

data/lib/puppet/{provider/confine_collection.rb → confine_collection.rb}

@@ -1,8 +1,8 @@
 # Manage a collection of confines, returning a boolean or
 # helpful information.
-require 'puppet/provider/confine'
+require 'puppet/confine'
 
-class Puppet::Provider::ConfineCollection
+class Puppet::ConfineCollection
   def confine(hash)
     if hash.include?(:for_binary)
       for_binary = true
@@ -11,11 +11,11 @@ class Puppet::Provider::ConfineCollection
       for_binary = false
     end
     hash.each do |test, values|
-      if klass = Puppet::Provider::Confine.test(test)
+      if klass = Puppet::Confine.test(test)
         @confines << klass.new(values)
         @confines[-1].for_binary = true if for_binary
       else
-        confine = Puppet::Provider::Confine.test(:variable).new(values)
+        confine = Puppet::Confine.test(:variable).new(values)
         confine.name = test
         @confines << confine
       end

data/lib/puppet/{provider/confiner.rb → confiner.rb}

@@ -1,10 +1,10 @@
-require 'puppet/provider/confine_collection'
+require 'puppet/confine_collection'
 
 # The Confiner module contains methods for managing a Provider's confinement (suitability under given
 # conditions). The intent is to include this module in an object where confinement management is wanted.
 # It lazily adds an instance variable `@confine_collection` to the object where it is included.
 #
-module Puppet::Provider::Confiner
+module Puppet::Confiner
   # Confines a provider to be suitable only under the given conditions.
   # The hash describes a confine using mapping from symbols to values or predicate code.
   #
@@ -26,11 +26,11 @@ module Puppet::Provider::Confiner
     confine_collection.confine(hash)
   end
 
-  # @return [Puppet::Provider::ConfineCollection] the collection of confines
+  # @return [Puppet::ConfineCollection] the collection of confines
   # @api private
   #
   def confine_collection
-    @confine_collection ||= Puppet::Provider::ConfineCollection.new(self.to_s)
+    @confine_collection ||= Puppet::ConfineCollection.new(self.to_s)
   end
 
   # Checks whether this implementation is suitable for the current platform (or returns a summary

data/lib/puppet/daemon.rb

@@ -149,16 +149,12 @@ class Puppet::Daemon
   # Create a pidfile for our daemon, so we can be stopped and others
   # don't try to start.
   def create_pidfile
-    Puppet::Util.synchronize_on(Puppet.run_mode.name,Sync::EX) do
-      raise "Could not create PID file: #{@pidfile.file_path}" unless @pidfile.lock
-    end
+    raise "Could not create PID file: #{@pidfile.file_path}" unless @pidfile.lock
   end
 
   # Remove the pid file for our daemon.
   def remove_pidfile
-    Puppet::Util.synchronize_on(Puppet.run_mode.name,Sync::EX) do
-      @pidfile.unlock
-    end
+    @pidfile.unlock
   end
 
   def run_event_loop

data/lib/puppet/data_binding.rb

@@ -2,39 +2,11 @@ require 'puppet/indirector'
 
 # A class for managing data lookups
 class Puppet::DataBinding
+  class LookupError < Puppet::Error; end
 
-  # Set up indirection, so that data can be looked for in the complier
+  # Set up indirection, so that data can be looked for in the compiler
   extend Puppet::Indirector
 
   indirects(:data_binding, :terminus_setting => :data_binding_terminus,
     :doc => "Where to find external data bindings.")
-
-  # A class that acts just enough like a Puppet::Parser::Scope to
-  # fool Hiera's puppet backend. This class doesn't actually do anything
-  # but it does allow people to use the puppet backend with the hiera
-  # data bindings withough causing problems.
-  class Variables
-    FAKE_RESOURCE = Struct.new(:name).new("fake").freeze
-    FAKE_CATALOG = Struct.new(:classes).new([].freeze).freeze
-
-    def initialize(variable_bindings)
-      @variable_bindings = variable_bindings
-    end
-
-    def [](name)
-      @variable_bindings[name]
-    end
-
-    def resource
-      FAKE_RESOURCE
-    end
-
-    def catalog
-      FAKE_CATALOG
-    end
-
-    def function_include(name)
-      # noop
-    end
-  end
 end

data/lib/puppet/defaults.rb

@@ -20,23 +20,27 @@ module Puppet
     :confdir  => {
         :default  => nil,
         :type     => :directory,
-        :desc     =>
-            "The main Puppet configuration directory.  The default for this setting is calculated based on the user.  If the process\n" +
-            "is running as root or the user that Puppet is supposed to run as, it defaults to a system directory, but if it's running as any other user,\n" +
-            "it defaults to being in the user's home directory.",
+        :desc     => "The main Puppet configuration directory.  The default for this setting
+          is calculated based on the user.  If the process is running as root or
+          the user that Puppet is supposed to run as, it defaults to a system
+          directory, but if it's running as any other user, it defaults to being
+          in the user's home directory.",
     },
     :vardir   => {
         :default  => nil,
         :type     => :directory,
-        :desc     => "Where Puppet stores dynamic and growing data.  The default for this setting is calculated specially, like `confdir`_.",
+        :owner    => "service",
+        :group    => "service",
+        :desc     => "Where Puppet stores dynamic and growing data.  The default for this
+          setting is calculated specially, like `confdir`_.",
     },
 
     ### NOTE: this setting is usually being set to a symbol value.  We don't officially have a
     ###     setting type for that yet, but we might want to consider creating one.
     :name     => {
         :default  => nil,
-        :desc     => "The name of the application, if we are running as one.  The\n" +
-            "default is essentially $0 without the path or `.rb`.",
+        :desc     => "The name of the application, if we are running as one.  The
+          default is essentially $0 without the path or `.rb`.",
     }
   )
 
@@ -52,6 +56,15 @@ module Puppet
   )
 
   define_settings(:main,
+    :priority => {
+      :default => nil,
+      :type    => :priority,
+      :desc    => "The scheduling priority of the process.  Valid values are 'high',
+        'normal', 'low', or 'idle', which are mapped to platform-specific
+        values.  The priority can also be specified as an integer value and
+        will be passed as is, e.g. -5.  Puppet must be running as a privileged
+        user in order to increase scheduling priority.",
+    },
     :trace => {
         :default  => false,
         :type     => :boolean,
@@ -70,9 +83,9 @@ module Puppet
     },
     :syslogfacility => {
         :default  => "daemon",
-        :desc     => "What syslog facility to use when logging to\n" +
-            "syslog.  Syslog has a fixed list of valid facilities, and you must\n" +
-            "choose one of those; you cannot just make one up."
+        :desc     => "What syslog facility to use when logging to syslog.
+          Syslog has a fixed list of valid facilities, and you must
+          choose one of those; you cannot just make one up."
     },
     :statedir => {
         :default  => "$vardir/state",
@@ -93,30 +106,33 @@ module Puppet
     :genconfig => {
         :default  => false,
         :type     => :boolean,
-        :desc     => "Whether to just print a configuration to stdout and exit.  Only makes\n" +
-            "sense when used interactively.  Takes into account arguments specified\n" +
-            "on the CLI.",
+        :desc     => "When true, causes Puppet applications to print an example config file
+          to stdout and exit. The example will include descriptions of each
+          setting, and the current (or default) value of each setting,
+          incorporating any settings overridden on the CLI (with the exception
+          of `genconfig` itself). This setting only makes sense when specified
+          on the command line as `--genconfig`.",
     },
     :genmanifest => {
         :default  => false,
         :type     => :boolean,
-        :desc     => "Whether to just print a manifest to stdout and exit.  Only makes\n" +
-            "sense when used interactively.  Takes into account arguments specified\n" +
-            "on the CLI.",
+        :desc     => "Whether to just print a manifest to stdout and exit.  Only makes
+          sense when specified on the command line as `--genmanifest`.  Takes into account arguments specified
+          on the CLI.",
     },
     :configprint => {
         :default  => "",
-        :desc     => "Print the value of a specific configuration setting.  If the name of a\n" +
-            "setting is provided for this, then the value is printed and puppet\n" +
-            "exits.  Comma-separate multiple values.  For a list of all values,\n" +
-            "specify 'all'.",
+        :desc     => "Print the value of a specific configuration setting.  If the name of a
+          setting is provided for this, then the value is printed and puppet
+          exits.  Comma-separate multiple values.  For a list of all values,
+          specify 'all'.",
     },
     :color => {
       :default => "ansi",
       :type    => :string,
-      :desc    => "Whether to use colors when logging to the console.  Valid values are\n" +
-          "`ansi` (equivalent to `true`), `html`, and `false`, which produces no color.\n" +
-          "Defaults to false on Windows, as its console does not support ansi colors.",
+      :desc    => "Whether to use colors when logging to the console.  Valid values are
+        `ansi` (equivalent to `true`), `html`, and `false`, which produces no color.
+        Defaults to false on Windows, as its console does not support ansi colors.",
     },
     :mkusers => {
         :default  => false,
@@ -131,14 +147,15 @@ module Puppet
     :onetime => {
         :default  => false,
         :type     => :boolean,
-        :desc     => "Run the configuration once, rather than as a long-running\n" +
-          "daemon. This is useful for interactively running puppetd.",
+        :desc     => "Perform one configuration run and exit, rather than spawning a long-running
+          daemon. This is useful for interactively running puppet agent, or
+          running puppet agent from cron.",
         :short    => 'o',
     },
     :path => {
         :default          => "none",
-        :desc             => "The shell search path.  Defaults to whatever is inherited\n" +
-            "from the parent process.",
+        :desc             => "The shell search path.  Defaults to whatever is inherited
+          from the parent process.",
         :call_hook => :on_define_and_write,
         :hook             => proc do |value|
           ENV["PATH"] = "" if ENV["PATH"].nil?
@@ -153,11 +170,11 @@ module Puppet
     :libdir => {
         :type           => :directory,
         :default        => "$vardir/lib",
-        :desc           => "An extra search path for Puppet.  This is only useful\n" +
-            "for those files that Puppet will load on demand, and is only\n" +
-            "guaranteed to work for those cases.  In fact, the autoload\n" +
-            "mechanism is responsible for making sure this directory\n" +
-            "is in Ruby's search path\n",
+        :desc           => "An extra search path for Puppet.  This is only useful
+          for those files that Puppet will load on demand, and is only
+          guaranteed to work for those cases.  In fact, the autoload
+          mechanism is responsible for making sure this directory
+          is in Ruby's search path\n",
       :call_hook => :on_initialize_and_write,
       :hook             => proc do |value|
         $LOAD_PATH.delete(@oldlibdir) if defined?(@oldlibdir) and $LOAD_PATH.include?(@oldlibdir)
@@ -168,41 +185,44 @@ module Puppet
     :ignoreimport => {
         :default  => false,
         :type     => :boolean,
-        :desc     => "If true, allows the parser to continue without requiring\n" +
-            "all files referenced with `import` statements to exist. This setting was primarily\n" +
-            "designed for use with commit hooks for parse-checking.",
+        :desc     => "If true, allows the parser to continue without requiring
+          all files referenced with `import` statements to exist. This setting was primarily
+          designed for use with commit hooks for parse-checking.",
     },
     :environment => {
         :default  => "production",
-        :desc     => "The environment Puppet is running in.  For clients\n" +
-            "(e.g., `puppet agent`) this determines the environment itself, which\n" +
-            "is used to find modules and much more.  For servers (i.e., `puppet master`)\n" +
-            "this provides the default environment for nodes we know nothing about."
+        :desc     => "The environment Puppet is running in.  For clients
+          (e.g., `puppet agent`) this determines the environment itself, which
+          is used to find modules and much more.  For servers (i.e., `puppet master`)
+          this provides the default environment for nodes we know nothing about."
     },
     :diff_args => {
         :default  => default_diffargs,
-        :desc     => "Which arguments to pass to the diff command when printing differences between\n" +
-            "files. The command to use can be chosen with the `diff` setting.",
+        :desc     => "Which arguments to pass to the diff command when printing differences between
+          files. The command to use can be chosen with the `diff` setting.",
     },
     :diff => {
       :default => (Puppet.features.microsoft_windows? ? "" : "diff"),
-      :desc    => "Which diff command to use when printing differences between files. This setting\n" +
-        "has no default value on Windows, as standard `diff` is not available, but Puppet can use many\n" +
-        "third-party diff tools.",
+      :desc    => "Which diff command to use when printing differences between files. This setting
+          has no default value on Windows, as standard `diff` is not available, but Puppet can use many
+          third-party diff tools.",
     },
     :show_diff => {
         :type     => :boolean,
         :default  => false,
-        :desc     => "Whether to log and report a contextual diff when files are being replaced.  This causes\n" +
-            "partial file contents to pass through Puppet's normal logging and reporting system, so this setting\n" +
-            "should be used with caution if you are sending Puppet's reports to an insecure destination.\n" +
-            "This feature currently requires the `diff/lcs` Ruby library.",
+        :desc     => "Whether to log and report a contextual diff when files are being replaced.
+          This causes partial file contents to pass through Puppet's normal
+          logging and reporting system, so this setting should be used with
+          caution if you are sending Puppet's reports to an insecure
+          destination. This feature currently requires the `diff/lcs` Ruby
+          library.",
     },
     :daemonize => {
         :type     => :boolean,
         :default  => (Puppet.features.microsoft_windows? ? false : true),
-        :desc     => "Whether to send the process into the background.  This defaults to true on POSIX systems,
-          and to false on Windows (where Puppet currently cannot daemonize).",
+        :desc     => "Whether to send the process into the background.  This defaults
+          to true on POSIX systems, and to false on Windows (where Puppet
+          currently cannot daemonize).",
         :short    => "D",
         :hook     => proc do |value|
           if value and Puppet.features.microsoft_windows?
@@ -212,10 +232,11 @@ module Puppet
     },
     :maximum_uid => {
         :default  => 4294967290,
-        :desc     => "The maximum allowed UID.  Some platforms use negative UIDs\n" +
-            "but then ship with tools that do not know how to handle signed ints, so the UIDs show up as\n" +
-            "huge numbers that can then not be fed back into the system.  This is a hackish way to fail in a\n" +
-            "slightly more useful way when that happens.",
+        :desc     => "The maximum allowed UID.  Some platforms use negative UIDs
+          but then ship with tools that do not know how to handle signed ints,
+          so the UIDs show up as huge numbers that can then not be fed back into
+          the system.  This is a hackish way to fail in a slightly more useful
+          way when that happens.",
     },
     :route_file => {
       :default    => "$confdir/routes.yaml",
@@ -385,14 +406,21 @@ module Puppet
     :freeze_main => {
         :default  => false,
         :type     => :boolean,
-        :desc     => "Freezes the 'main' class, disallowing any code to be added to it.  This\n" +
-            "essentially means that you can't have any code outside of a node, class, or definition other\n" +
-            "than in the site manifest.",
+        :desc     => "Freezes the 'main' class, disallowing any code to be added to it.  This
+          essentially means that you can't have any code outside of a node,
+          class, or definition other than in the site manifest.",
     },
     :stringify_facts => {
       :default => true,
       :type    => :boolean,
-      :desc    => "Flatten fact values to strings using #to_s. Means you can't have arrays or hashes as fact values.",
+      :desc    => "Flatten fact values to strings using #to_s. Means you can't have arrays or
+        hashes as fact values.",
+    },
+    :trusted_node_data => {
+      :default => false,
+      :type    => :boolean,
+      :desc    => "Stores trusted node data in a hash called $trusted.
+        When true also prevents $trusted from being overridden in any scope.",
     }
   )
   Puppet.define_settings(:module_tool,
@@ -470,6 +498,36 @@ This is unnecessary for agents, unless you intend to use them as a server for
 It is rarely necessary for servers; it is usually helpful only if you need to
 have a pool of multiple load balanced masters, or for the same master to
 respond on two physically separate networks under different names.
+EOT
+    },
+    :csr_attributes => {
+      :default => "$confdir/csr_attributes.yaml",
+      :type => :file,
+      :desc => <<EOT
+An optional file containing custom attributes to add to certificate signing
+requests (CSRs). You should ensure that this file does not exist on your CA
+puppet master; if it does, unwanted certificate extensions may leak into
+certificates created with the `puppet cert generate` command.
+
+If present, this file must be a YAML hash containing a `custom_attributes` key
+and/or an `extension_requests` key. The value of each key must be a hash, where
+each key is a valid OID and each value is an object that can be cast to a string.
+
+Custom attributes can be used by the CA when deciding whether to sign the
+certificate, but are then discarded. Attribute OIDs can be any OID value except
+the standard CSR attributes (i.e. attributes described in RFC 2985 section 5.4).
+This is useful for embedding a pre-shared key for autosigning policy executables
+(see the `autosign` setting), often by using the `1.2.840.113549.1.9.7`
+("challenge password") OID.
+
+Extension requests will be permanently embedded in the final certificate.
+Extension OIDs must be in the "ppRegCertExt" (`1.3.6.1.4.1.34380.1.1`) or
+"ppPrivCertExt" (`1.3.6.1.4.1.34380.1.2`) OID arcs. The ppRegCertExt arc is
+reserved for four of the most common pieces of data to embed: `pp_uuid` (`.1`),
+`pp_instance_id` (`.2`), `pp_image_name` (`.3`), and `pp_preshared_key` (`.4`)
+--- in the YAML file, these can be referred to by their short descriptive names
+instead of their full OID. The ppPrivCertExt arc is unregulated, and can be used
+for site-specific extensions.
 EOT
     },
     :certdir => {
@@ -558,19 +616,19 @@ EOT
       :type  => :file,
       :mode  => 0644,
       :owner => "service",
-      :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be \n" <<
-                "considered authentic unless they posses a certificate issued by an authority \n" <<
-                "listed in this file.  If this setting has no value then the Puppet master's CA \n" <<
-                "certificate (localcacert) will be used."
+      :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be
+        considered authentic unless they posses a certificate issued by an authority
+        listed in this file.  If this setting has no value then the Puppet master's CA
+        certificate (localcacert) will be used."
     },
     :ssl_server_ca_auth => {
       :type  => :file,
       :mode  => 0644,
       :owner => "service",
-      :desc  => "Certificate authorities who issue client certificates.  SSL clients will not be \n" <<
-                "considered authentic unless they posses a certificate issued by an authority \n" <<
-                "listed in this file.  If this setting has no value then the Puppet master's CA \n" <<
-                "certificate (localcacert) will be used."
+      :desc  => "Certificate authorities who issue client certificates.  SSL clients will not be
+        considered authentic unless they posses a certificate issued by an authority
+        listed in this file.  If this setting has no value then the Puppet master's CA
+        certificate (localcacert) will be used."
     },
     :hostcrl => {
       :default => "$ssldir/crl.pem",
@@ -583,8 +641,9 @@ EOT
     :certificate_revocation => {
         :default  => true,
         :type     => :boolean,
-        :desc     => "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL)
-            to all clients.  If enabled, CA chaining will almost definitely not work.",
+        :desc     => "Whether certificate revocation should be supported by downloading a
+          Certificate Revocation List (CRL)
+          to all clients.  If enabled, CA chaining will almost definitely not work.",
     },
     :certificate_expire_warning => {
       :default  => "60d",
@@ -682,11 +741,36 @@ EOT
     :autosign => {
       :default => "$confdir/autosign.conf",
       :type => :file,
-      :mode => 0644,
-      :desc => "Whether to enable autosign.  Valid values are true (which
-        autosigns any key request, and is a very bad idea), false (which
-        never autosigns any key request), and the path to a file, which
-        uses that configuration file to determine which keys to sign."},
+      :desc => "Whether (and how) to autosign certificate requests. This setting
+        is only relevant on a puppet master acting as a certificate authority (CA).
+
+        Valid values are true (autosigns all certificate requests; not recommended),
+        false (disables autosigning certificates), or the absolute path to a file.
+
+        The file specified in this setting may be either a **configuration file**
+        or a **custom policy executable.** Puppet will automatically determine
+        what it is: If the Puppet user (see the `user` setting) can execute the
+        file, it will be treated as a policy executable; otherwise, it will be
+        treated as a config file.
+
+        If a custom policy executable is configured, the CA puppet master will run it
+        every time it receives a CSR. The executable will be passed the subject CN of the
+        request _as a command line argument,_ and the contents of the CSR in PEM format
+        _on stdin._ It should exit with a status of 0 if the cert should be autosigned
+        and non-zero if the cert should not be autosigned.
+
+        If a certificate request is not autosigned, it will persist for review. An admin
+        user can use the `puppet cert sign` command to manually sign it, or can delete
+        the request.
+
+        For info on autosign configuration files, see
+        [the guide to Puppet's config files](http://docs.puppetlabs.com/guides/configuring.html).",
+      :hook => proc do |value|
+        unless [false, 'false', true, 'true'].include?(value) or Puppet::Util.absolute_path?(value)
+          raise ArgumentError, "The autosign parameter must be 'true'/'false' or an absolute path"
+        end
+      end
+    },
     :allow_duplicate_certs => {
       :default    => false,
       :type       => :boolean,
@@ -733,10 +817,10 @@ EOT
       :pidfile => {
           :type => :file,
           :default  => "$rundir/${run_mode}.pid",
-          :desc     => "The file containing the PID of a running process.  " <<
-                       "This file is intended to be used by service management " <<
-                       "frameworks and monitoring systems to determine if a " <<
-                       "puppet process is still in the process table.",
+          :desc     => "The file containing the PID of a running process.
+            This file is intended to be used by service management frameworks
+            and monitoring systems to determine if a puppet process is still in
+            the process table.",
       },
       :bindaddress => {
         :default    => "0.0.0.0",
@@ -825,8 +909,9 @@ EOT
     :modulepath => {
       :default => "$confdir/modules#{File::PATH_SEPARATOR}/usr/share/puppet/modules",
       :type => :path,
-      :desc => "The search path for modules, as a list of directories separated by the system path separator character. " +
-          "(The POSIX path separator is ':', and the Windows path separator is ';'.)",
+      :desc => "The search path for modules, as a list of directories separated by the system
+        path separator character. (The POSIX path separator is ':', and the
+        Windows path separator is ';'.)",
     },
     :ssl_client_header => {
       :default    => "HTTP_X_CLIENT_DN",
@@ -1025,6 +1110,12 @@ EOT
     :desc         => "Boolean; whether puppet agent should ignore schedules.  This is useful
       for initial puppet agent runs.",
     },
+    :default_schedules => {
+      :default    => true,
+      :type       => :boolean,
+      :desc       => "Boolean; whether to generate the default schedule resources. Setting this to
+      false is useful for keeping external report processors clean of skipped schedule resources.",
+    },
     :puppetport => {
       :default    => 8139,
       :desc       => "Which port puppet agent listens on.",
@@ -1114,49 +1205,50 @@ EOT
     :agent_catalog_run_lockfile => {
       :default    => "$statedir/agent_catalog_run.lock",
       :type       => :string, # (#2888) Ensure this file is not added to the settings catalog.
-      :desc       => "A lock file to indicate that a puppet agent catalog run is currently in progress.  " +
-                     "The file contains the pid of the process that holds the lock on the catalog run.",
+      :desc       => "A lock file to indicate that a puppet agent catalog run is currently in progress.
+        The file contains the pid of the process that holds the lock on the catalog run.",
     },
     :agent_disabled_lockfile => {
         :default    => "$statedir/agent_disabled.lock",
-        :type         => :file,
-        :desc       => "A lock file to indicate that puppet agent runs have been administratively disabled.  File contains a JSON object with state information.",
+        :type       => :file,
+        :desc       => "A lock file to indicate that puppet agent runs have been administratively
+          disabled.  File contains a JSON object with state information.",
     },
     :usecacheonfailure => {
       :default    => true,
       :type       => :boolean,
       :desc       => "Whether to use the cached configuration when the remote
-      configuration will not compile.  This option is useful for testing
-      new configurations, where you want to fix the broken configuration
-      rather than reverting to a known-good one.",
+        configuration will not compile.  This option is useful for testing
+        new configurations, where you want to fix the broken configuration
+        rather than reverting to a known-good one.",
     },
     :use_cached_catalog => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Whether to only use the cached catalog rather than compiling a new catalog
-      on every run.  Puppet can be run with this enabled by default and then selectively
-      disabled when a recompile is desired.",
+        on every run.  Puppet can be run with this enabled by default and then selectively
+        disabled when a recompile is desired.",
     },
     :ignoremissingtypes => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Skip searching for classes and definitions that were missing during a
-      prior compilation. The list of missing objects is maintained per-environment and
-      persists until the environment is cleared or the master is restarted.",
+        prior compilation. The list of missing objects is maintained per-environment and
+        persists until the environment is cleared or the master is restarted.",
     },
     :ignorecache => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Ignore cache and always recompile the configuration.  This is
-      useful for testing new configurations, where the local cache may in
-      fact be stale even if the timestamps are up to date - if the facts
-      change or if the server changes.",
+        useful for testing new configurations, where the local cache may in
+        fact be stale even if the timestamps are up to date - if the facts
+        change or if the server changes.",
     },
     :dynamicfacts => {
       :default    => "memorysize,memoryfree,swapsize,swapfree",
       :desc       => "(Deprecated) Facts that are dynamic; these facts will be ignored when deciding whether
-      changed facts should result in a recompile.  Multiple facts should be
-      comma-separated.",
+        changed facts should result in a recompile.  Multiple facts should be
+        comma-separated.",
       :hook => proc { |value|
         if value
           Puppet.deprecation_warning "The dynamicfacts setting is deprecated and will be ignored."
@@ -1167,13 +1259,13 @@ EOT
       :default    => "$runinterval",
       :type       => :duration,
       :desc       => "The maximum time to delay before runs.  Defaults to being the same as the
-      run interval. #{AS_DURATION}",
+        run interval. #{AS_DURATION}",
     },
     :splay => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Whether to sleep for a pseudo-random (but consistent) amount of time before
-      a run.",
+        a run.",
     },
     :clientbucketdir => {
       :default  => "$vardir/clientbucket",
@@ -1185,8 +1277,8 @@ EOT
       :default  => "2m",
       :type     => :duration,
       :desc     => "How long the client should wait for the configuration to be retrieved
-      before considering it a failure.  This can help reduce flapping if too
-      many clients contact the server at one time. #{AS_DURATION}",
+        before considering it a failure.  This can help reduce flapping if too
+        many clients contact the server at one time. #{AS_DURATION}",
     },
     :report_server => {
       :default  => "$server",
@@ -1225,8 +1317,8 @@ EOT
       :default  => false,
       :type     => :boolean,
       :desc     => "Whether to create dot graph files for the different
-      configuration graphs.  These dot files can be interpreted by tools
-      like OmniGraffle or dot (which is part of ImageMagick).",
+        configuration graphs.  These dot files can be interpreted by tools
+        like OmniGraffle or dot (which is part of ImageMagick).",
     },
     :graphdir => {
       :default    => "$statedir/graphs",
@@ -1237,11 +1329,12 @@ EOT
       :default    => false,
       :type       => :boolean,
       :desc       => "Allow http compression in REST communication with the master.
-      This setting might improve performance for agent -> master communications over slow WANs.
-      Your puppet master needs to support compression (usually by activating some settings in a reverse-proxy
-      in front of the puppet master, which rules out webrick).
-      It is harmless to activate this settings if your master doesn't support
-      compression, but if it supports it, this setting might reduce performance on high-speed LANs.",
+        This setting might improve performance for agent -> master
+        communications over slow WANs. Your puppet master needs to support
+        compression (usually by activating some settings in a reverse-proxy in
+        front of the puppet master, which rules out webrick). It is harmless to
+        activate this settings if your master doesn't support compression, but
+        if it supports it, this setting might reduce performance on high-speed LANs.",
     },
     :waitforcert => {
       :default  => "2m",
@@ -1310,6 +1403,15 @@ EOT
       is used for retrieval, so anything that is a valid file source can
       be used here.",
     },
+    :pluginfactdest => {
+      :type     => :directory,
+      :default  => "$vardir/facts.d",
+      :desc     => "Where Puppet should store external facts that are being handled by pluginsync",
+    },
+    :pluginfactsource => {
+      :default  => "puppet://$server/pluginfacts",
+      :desc     => "Where to retrieve external facts for pluginsync",
+    },
     :pluginsync => {
       :default    => true,
       :type       => :boolean,
@@ -1330,7 +1432,8 @@ EOT
       :type     => :path,
       :default  => "$vardir/lib/facter#{File::PATH_SEPARATOR}$vardir/facts",
       :desc     => "Where Puppet should look for facts.  Multiple directories should
-        be separated by the system path separator character. (The POSIX path separator is ':', and the Windows path separator is ';'.)",
+        be separated by the system path separator character. (The POSIX path
+        separator is ':', and the Windows path separator is ';'.)",
 
       :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter.
       :hook => proc { |value| Facter.search(value) if Facter.respond_to?(:search) }}
@@ -1400,27 +1503,27 @@ EOT
     :dbport => {
       :default  => "",
       :desc     => "The database password for caching. Only
-      used when networked databases are used. #{STORECONFIGS_ONLY}",
+        used when networked databases are used. #{STORECONFIGS_ONLY}",
     },
     :dbuser => {
       :default  => "puppet",
       :desc     => "The database user for caching. Only
-      used when networked databases are used. #{STORECONFIGS_ONLY}",
+        used when networked databases are used. #{STORECONFIGS_ONLY}",
     },
     :dbpassword => {
       :default  => "puppet",
       :desc     => "The database password for caching. Only
-      used when networked databases are used. #{STORECONFIGS_ONLY}",
+        used when networked databases are used. #{STORECONFIGS_ONLY}",
     },
     :dbconnections => {
       :default  => '',
       :desc     => "The number of database connections for networked
-      databases.  Will be ignored unless the value is a positive integer. #{STORECONFIGS_ONLY}",
+        databases.  Will be ignored unless the value is a positive integer. #{STORECONFIGS_ONLY}",
     },
     :dbsocket => {
       :default  => "",
       :desc     => "The database socket location. Only used when networked
-      databases are used.  Will be ignored if the value is an empty string. #{STORECONFIGS_ONLY}",
+        databases are used.  Will be ignored if the value is an empty string. #{STORECONFIGS_ONLY}",
     },
     :railslog => {
       :default  => "$logdir/rails.log",
@@ -1434,8 +1537,8 @@ EOT
     :rails_loglevel => {
         :default  => "info",
         :desc     => "The log level for Rails connections.  The value must be
-            a valid log level within Rails.  Production environments normally use `info`
-            and other environments normally use `debug`. #{STORECONFIGS_ONLY}",
+          a valid log level within Rails.  Production environments normally use `info`
+          and other environments normally use `debug`. #{STORECONFIGS_ONLY}",
     }
   )
 
@@ -1445,7 +1548,7 @@ EOT
     :couchdb_url => {
         :default  => "http://127.0.0.1:5984/puppet",
         :desc     => "The url where the puppet couchdb database will be created.
-        Only used when `facts_terminus` is set to `couch`.",
+          Only used when `facts_terminus` is set to `couch`.",
     }
   )
 
@@ -1454,15 +1557,15 @@ EOT
     :tags => {
       :default    => "",
       :desc       => "Tags to use to find resources.  If this is set, then
-      only resources tagged with the specified tags will be applied.
-      Values must be comma-separated.",
+        only resources tagged with the specified tags will be applied.
+        Values must be comma-separated.",
     },
     :evaltrace => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Whether each resource should log when it is
-      being evaluated.  This allows you to interactively see exactly
-      what is being done.",
+        being evaluated.  This allows you to interactively see exactly
+        what is being done.",
     },
     :summarize => {
         :default  => false,
@@ -1476,13 +1579,13 @@ EOT
     :external_nodes => {
         :default  => "none",
         :desc     => "An external command that can produce node information.  The command's output
-            must be a YAML dump of a hash, and that hash must have a `classes` key and/or
-            a `parameters` key, where `classes` is an array or hash and
-            `parameters` is a hash.  For unknown nodes, the command should
-            exit with a non-zero exit code.
+          must be a YAML dump of a hash, and that hash must have a `classes` key and/or
+          a `parameters` key, where `classes` is an array or hash and
+          `parameters` is a hash.  For unknown nodes, the command should
+          exit with a non-zero exit code.
 
-            This command makes it straightforward to store your node mapping
-            information in other data sources like databases.",
+          This command makes it straightforward to store your node mapping
+          information in other data sources like databases.",
     }
     )
 
@@ -1492,15 +1595,15 @@ EOT
       :default  => false,
       :type   => :boolean,
       :desc   => "Whether SSL should be used when searching for nodes.
-      Defaults to false because SSL usually requires certificates
-      to be set up on the client side.",
+        Defaults to false because SSL usually requires certificates
+        to be set up on the client side.",
     },
     :ldaptls => {
       :default  => false,
       :type     => :boolean,
       :desc     => "Whether TLS should be used when searching for nodes.
-      Defaults to false because TLS usually requires certificates
-      to be set up on the client side.",
+        Defaults to false because TLS usually requires certificates
+        to be set up on the client side.",
     },
     :ldapserver => {
       :default  => "ldap",
@@ -1518,20 +1621,20 @@ EOT
     :ldapclassattrs => {
       :default  => "puppetclass",
       :desc     => "The LDAP attributes to use to define Puppet classes.  Values
-      should be comma-separated.",
+        should be comma-separated.",
     },
     :ldapstackedattrs => {
       :default  => "puppetvar",
       :desc     => "The LDAP attributes that should be stacked to arrays by adding
-      the values in all hierarchy elements of the tree.  Values
-      should be comma-separated.",
+        the values in all hierarchy elements of the tree.  Values
+        should be comma-separated.",
     },
     :ldapattrs => {
       :default  => "all",
       :desc     => "The LDAP attributes to include when querying LDAP for nodes.  All
-      returned attributes are set as variables in the top-level scope.
-      Multiple values should be comma-separated.  The value 'all' returns
-      all attributes.",
+        returned attributes are set as variables in the top-level scope.
+        Multiple values should be comma-separated.  The value 'all' returns
+        all attributes.",
     },
     :ldapparentattr => {
       :default  => "parentnode",
@@ -1540,7 +1643,7 @@ EOT
     :ldapuser => {
       :default  => "",
       :desc     => "The user to use to connect to LDAP.  Must be specified as a
-      full DN.",
+        full DN.",
     },
     :ldappassword => {
       :default  => "",
@@ -1549,9 +1652,9 @@ EOT
     :ldapbase => {
         :default  => "",
         :desc     => "The search base for LDAP searches.  It's impossible to provide
-            a meaningful default here, although the LDAP libraries might
-            have one already set.  Generally, it should be the 'ou=Hosts'
-            branch under your main directory.",
+          a meaningful default here, although the LDAP libraries might
+          have one already set.  Generally, it should be the 'ou=Hosts'
+          branch under your main directory.",
     }
   )
 
@@ -1560,13 +1663,13 @@ EOT
       :default  => false,
       :type     => :boolean,
       :desc     => "Whether to store each client's configuration, including catalogs, facts,
-and related data.  This also enables the import and export of resources in
-the Puppet language - a mechanism for exchange resources between nodes.
+        and related data.  This also enables the import and export of resources in
+        the Puppet language - a mechanism for exchange resources between nodes.
 
-By default this uses ActiveRecord and an SQL database to store and query
-the data; this, in turn, will depend on Rails being available.
+        By default this uses ActiveRecord and an SQL database to store and query
+        the data; this, in turn, will depend on Rails being available.
 
-You can adjust the backend using the storeconfigs_backend setting.",
+        You can adjust the backend using the storeconfigs_backend setting.",
       # Call our hook with the default value, so we always get the libdir set.
       :call_hook => :on_initialize_and_write,
       :hook => proc do |value|
@@ -1587,8 +1690,8 @@ You can adjust the backend using the storeconfigs_backend setting.",
       :type => :terminus,
       :default => "active_record",
       :desc => "Configure the backend terminus used for StoreConfigs.
-By default, this uses the ActiveRecord store, which directly talks to the
-database from within the Puppet Master process."
+        By default, this uses the ActiveRecord store, which directly talks to the
+        database from within the Puppet Master process."
     }
   )
 
@@ -1597,57 +1700,63 @@ database from within the Puppet Master process."
         :default  => "$vardir/templates",
         :type     => :directory,
         :desc     => "Where Puppet looks for template files.  Can be a list of colon-separated
-      directories.",
+          directories.",
     },
 
     :allow_variables_with_dashes => {
       :default => false,
       :desc    => <<-'EOT'
-Permit hyphens (`-`) in variable names and issue deprecation warnings about
-them. This setting **should always be `false`;** setting it to `true`
-will cause subtle and wide-ranging bugs. It will be removed in a future version.
-
-Hyphenated variables caused major problems in the language, but were allowed
-between Puppet 2.7.3 and 2.7.14. If you used them during this window, we
-apologize for the inconvenience --- you can temporarily set this to `true`
-in order to upgrade, and can rename your variables at your leisure. Please
-revert it to `false` after you have renamed all affected variables.
-EOT
+        Permit hyphens (`-`) in variable names and issue deprecation warnings about
+        them. This setting **should always be `false`;** setting it to `true`
+        will cause subtle and wide-ranging bugs. It will be removed in a future version.
+
+        Hyphenated variables caused major problems in the language, but were allowed
+        between Puppet 2.7.3 and 2.7.14. If you used them during this window, we
+        apologize for the inconvenience --- you can temporarily set this to `true`
+        in order to upgrade, and can rename your variables at your leisure. Please
+        revert it to `false` after you have renamed all affected variables.
+      EOT
     },
     :parser => {
       :default => "current",
       :desc => <<-'EOT'
-Selects the parser to use for parsing puppet manifests (in puppet DSL language/'.pp' files).
-Available choices are 'current' (the default), and 'future'.
+        Selects the parser to use for parsing puppet manifests (in puppet DSL
+        language/'.pp' files). Available choices are `current` (the default),
+        and `future`.
 
-The 'curent' parser means that the released version of the parser should be used.
+        The `curent` parser means that the released version of the parser should
+        be used.
 
-The 'future' parser is a "time travel to the future" allowing early exposure to new language features.
-What these fatures are will vary from release to release and they may be invididually configurable.
+        The `future` parser is a "time travel to the future" allowing early
+        exposure to new language features. What these fatures are will vary from
+        release to release and they may be invididually configurable.
 
-Available Since Puppet 3.2.
-EOT
+        Available Since Puppet 3.2.
+      EOT
     },
    :max_errors => {
      :default => 10,
      :desc => <<-'EOT'
-Sets the max number of logged/displayed parser validation errors in case multiple errors have been detected.
-A value of 0 is the same as value 1. The count is per manifest.
-EOT
+       Sets the max number of logged/displayed parser validation errors in case
+       multiple errors have been detected. A value of 0 is the same as value 1.
+       The count is per manifest.
+     EOT
    },
    :max_warnings => {
      :default => 10,
      :desc => <<-'EOT'
-Sets the max number of logged/displayed parser validation warnings in case multiple errors have been detected.
-A value of 0 is the same as value 1. The count is per manifest.
-EOT
+       Sets the max number of logged/displayed parser validation warnings in
+       case multiple errors have been detected. A value of 0 is the same as
+       value 1. The count is per manifest.
+     EOT
      },
   :max_deprecations => {
     :default => 10,
     :desc => <<-'EOT'
-Sets the max number of logged/displayed parser validation deprecation warnings in case multiple errors have been detected.
-A value of 0 is the same as value 1. The count is per manifest.
-EOT
+      Sets the max number of logged/displayed parser validation deprecation
+      warnings in case multiple errors have been detected. A value of 0 is the
+      same as value 1. The count is per manifest.
+    EOT
     }
 
   )
@@ -1656,7 +1765,7 @@ EOT
         :default  => false,
         :type     => :boolean,
         :desc     => "Whether to document all resources when using `puppet doc` to
-        generate manifest documentation.",
+          generate manifest documentation.",
     }
   )
 end