puppet 6.11.1-x86-mingw32 → 6.16.0-x86-mingw32

data/lib/puppet/configurer/plugin_handler.rb

@@ -29,8 +29,17 @@ class Puppet::Configurer::PluginHandler
     result += plugin_fact_downloader.evaluate
     result += plugin_downloader.evaluate
 
+    # until file metadata/content are using the rest client, we need to check
+    # both :server_agent_version and the session to see if the server supports
+    # the "locales" mount
     server_agent_version = Puppet.lookup(:server_agent_version) { "0.0" }
-    if Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
+    locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
+    unless locales
+      session = Puppet.lookup(:http_session)
+      locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
+    end
+
+    if locales
       locales_downloader = Puppet::Configurer::Downloader.new(
         "locales",
         Puppet[:localedest],

data/lib/puppet/context/trusted_information.rb

@@ -29,11 +29,6 @@ class Puppet::Context::TrustedInformation
   # @return [String]
   attr_reader :hostname
 
-  # Additional external facts loaded through `trusted_external_command`.
-  #
-  # @return [Hash]
-  attr_reader :external
-
   def initialize(authenticated, certname, extensions, external = {})
     @authenticated = authenticated.freeze
     @certname = certname.freeze
@@ -46,11 +41,11 @@ class Puppet::Context::TrustedInformation
     end
     @hostname = hostname.freeze
     @domain = domain.freeze
-    @external = external.freeze
+    @external = external.is_a?(Proc) ? external : external.freeze
   end
 
   def self.remote(authenticated, node_name, certificate)
-    external = retrieve_trusted_external(node_name)
+    external = proc { retrieve_trusted_external(node_name) }
 
     if authenticated
       extensions = {}
@@ -70,8 +65,19 @@ class Puppet::Context::TrustedInformation
   def self.local(node)
     # Always trust local data by picking up the available parameters.
     client_cert = node ? node.parameters['clientcert'] : nil
+    external = proc { retrieve_trusted_external(client_cert) }
+
+    new('local', client_cert, {}, external)
+  end
 
-    new('local', client_cert, {}, retrieve_trusted_external(client_cert))
+  # Additional external facts loaded through `trusted_external_command`.
+  #
+  # @return [Hash]
+  def external
+    if @external.is_a?(Proc)
+      @external = @external.call.freeze
+    end
+    @external
   end
 
   def self.retrieve_trusted_external(certname)

data/lib/puppet/daemon.rb

@@ -1,19 +1,15 @@
 require 'puppet/application'
 require 'puppet/scheduler'
 
-# Run periodic actions and a network server in a daemonized process.
+# Run periodic actions in a daemonized process.
 #
-# A Daemon has 3 parts:
+# A Daemon has 2 parts:
 #   * config reparse
-#   * (optional) an agent that responds to #run
-#   * (optional) a server that response to #stop, #start, and #wait_for_shutdown
+#   * an agent that responds to #run
 #
-# The config reparse will occur periodically based on Settings. The server will
-# be started and is expected to manage its own run loop (and so not block the
-# start call). The server will, however, still be waited for by using the
-# #wait_for_shutdown method. The agent is run periodically and a time interval
-# based on Settings. The config reparse will update this time interval when
-# needed.
+# The config reparse will occur periodically based on Settings. The agent
+# is run periodically and a time interval based on Settings. The config
+# reparse will update this time interval when needed.
 #
 # The Daemon is also responsible for signal handling, starting, stopping,
 # running the agent on demand, and reloading the entire process. It ensures
@@ -23,12 +19,14 @@ require 'puppet/scheduler'
 class Puppet::Daemon
   SIGNAL_CHECK_INTERVAL = 5
 
-  attr_accessor :agent, :server, :argv
-  attr_reader :signals
+  attr_accessor :argv
+  attr_reader :signals, :agent
 
-  def initialize(pidfile, scheduler = Puppet::Scheduler::Scheduler.new())
+  def initialize(agent, pidfile, scheduler = Puppet::Scheduler::Scheduler.new())
+    raise Puppet::DevError, _("Daemons must have an agent") unless agent
     @scheduler = scheduler
     @pidfile = pidfile
+    @agent = agent
     @signals = []
   end
 
@@ -88,7 +86,6 @@ class Puppet::Daemon
   end
 
   def reload
-    return unless agent
     agent.run({:splay => false})
   rescue Puppet::LockError
     Puppet.notice "Not triggering already-running agent"
@@ -96,7 +93,7 @@ class Puppet::Daemon
 
   def restart
     Puppet::Application.restart!
-    reexec unless agent and agent.running?
+    reexec
   end
 
   def reopen_logs
@@ -129,8 +126,6 @@ class Puppet::Daemon
   def stop(args = {:exit => true})
     Puppet::Application.stop!
 
-    server.stop if server
-
     remove_pidfile
 
     Puppet::Util::Log.close_all
@@ -140,16 +135,7 @@ class Puppet::Daemon
 
   def start
     create_pidfile
-
-    raise Puppet::DevError, _("Daemons must have an agent, server, or both") unless agent or server
-
-    # Start the listening server, if required.
-    server.start if server
-
-    # Finally, loop forever running events - or, at least, until we exit.
     run_event_loop
-
-    server.wait_for_shutdown if server
   end
 
   private
@@ -165,6 +151,7 @@ class Puppet::Daemon
     @pidfile.unlock
   end
 
+  # Loop forever running events - or, at least, until we exit.
   def run_event_loop
     agent_run = Puppet::Scheduler.create_job(Puppet[:runinterval], Puppet[:splay], Puppet[:splaylimit]) do
       # Splay for the daemon is handled in the scheduler
@@ -189,7 +176,6 @@ class Puppet::Daemon
     end
 
     reparse_run.disable if Puppet[:filetimeout] == 0
-    agent_run.disable unless agent
 
     @scheduler.run_loop([reparse_run, agent_run, signal_loop])
   end

data/lib/puppet/defaults.rb

@@ -35,7 +35,7 @@ module Puppet
   def self.default_basemodulepath
     if Puppet::Util::Platform.windows?
       path = ['$codedir/modules']
-      installdir = Facter.value(:env_windows_installdir)
+      installdir = ENV["FACTER_env_windows_installdir"]
       if installdir
         path << "#{installdir}/puppet/modules"
       end
@@ -47,7 +47,7 @@ module Puppet
 
   def self.default_vendormoduledir
     if Puppet::Util::Platform.windows?
-      installdir = Facter.value(:env_windows_installdir)
+      installdir = ENV["FACTER_env_windows_installdir"]
       if installdir
         "#{installdir}\\puppet\\vendor_modules"
       else
@@ -65,7 +65,33 @@ module Puppet
 
   AS_DURATION = %q{This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).}
 
-  define_settings(:main,
+  # @api public
+  # @param args [Puppet::Settings] the settings object to define default settings for
+  # @return void
+  def self.initialize_default_settings!(settings)
+    settings.define_settings(:main,
+      :facterng => {
+        :default => false,
+        :type    => :boolean,
+        :desc    => 'Whether to enable a pre-Facter 4.0 release of Facter (distributed as
+          the "facter-ng" gem). This is not necessary if Facter 3.x or later is installed.
+          This setting is still experimental.',
+        :hook    => proc do |value|
+          if value
+            begin
+              original_facter = Object.const_get(:Facter)
+              Object.send(:remove_const, :Facter)
+
+              require 'facter-ng'
+              # It is required to re-setup logger for facter-ng
+              Puppet::Util::Logging.setup_facter_logging!
+            rescue LoadError
+              Object.const_set(:Facter, original_facter)
+              raise ArgumentError, 'facter-ng could not be loaded'
+            end
+          end
+        end
+    },
     :confdir  => {
         :default  => nil,
         :type     => :directory,
@@ -102,7 +128,7 @@ module Puppet
     }
   )
 
-  define_settings(:main,
+  settings.define_settings(:main,
     :logdir => {
         :default  => nil,
         :type     => :directory,
@@ -149,11 +175,24 @@ module Puppet
         valid   = %w[deprecations undefined_variables undefined_resources]
         invalid = values - (values & valid)
         if not invalid.empty?
-          raise ArgumentError, _("Cannot disable unrecognized warning types %{invalid}.") % { invalid: invalid.inspect } +
-              ' ' + _("Valid values are %{values}.") % { values: valid.inspect}
+          raise ArgumentError, _("Cannot disable unrecognized warning types '%{invalid}'.") % { invalid: invalid.join(',') } +
+              ' ' + _("Valid values are '%{values}'.") % { values: valid.join(', ') }
         end
       end
     },
+    :merge_dependency_warnings => {
+      :default => false,
+      :type    => :boolean,
+      :desc    => "Whether to merge class-level dependency failure warnings.
+
+        When a class has a failed dependency, every resource in the class
+        generates a notice level message about the dependency failure,
+        and a warning level message about skipping the resource.
+
+        If true, all messages caused by a class dependency failure are merged
+        into one message associated with the class.
+        ",
+    },
     :strict => {
       :default    => :warning,
       :type       => :symbolic_enum,
@@ -193,7 +232,7 @@ module Puppet
     }
   )
 
-  define_settings(:main,
+  settings.define_settings(:main,
     :priority => {
       :default => nil,
       :type    => :priority,
@@ -206,12 +245,19 @@ module Puppet
     :trace => {
         :default  => false,
         :type     => :boolean,
-        :desc     => "Whether to print stack traces on some errors",
+        :desc     => "Whether to print stack traces on some errors. Will print
+          internal Ruby stack trace interleaved with Puppet function frames.",
         :hook     => proc do |value|
           # Enable or disable Facter's trace option too
           Facter.trace(value) if Facter.respond_to? :trace
         end
     },
+    :puppet_trace => {
+        :default  => false,
+        :type     => :boolean,
+        :desc     => "Whether to print the Puppet stack trace on some errors.
+          This is a noop if `trace` is also set.",
+    },
     :profile => {
         :default  => false,
         :type     => :boolean,
@@ -224,6 +270,13 @@ module Puppet
         major releases of Puppet. Should be used with caution, as in development
         features are experimental and can have unexpected effects."
     },
+    :versioned_environment_dirs => {
+      :default => false,
+      :type => :boolean,
+      :desc => "Whether or not to look for versioned environment directories,
+      symlinked from `$environmentpath/<environment>`. This is an experimental
+      feature and should be used with caution."
+    },
     :static_catalogs => {
       :default    => true,
       :type       => :boolean,
@@ -502,12 +555,12 @@ module Puppet
     :hiera_config => {
       :default => lambda do
         config = nil
-        codedir = Puppet.settings[:codedir]
+        codedir = settings[:codedir]
         if codedir.is_a?(String)
           config = File.expand_path(File.join(codedir, 'hiera.yaml'))
           config = nil unless Puppet::FileSystem.exist?(config)
         end
-        config = File.expand_path(File.join(Puppet.settings[:confdir], 'hiera.yaml')) if config.nil?
+        config = File.expand_path(File.join(settings[:confdir], 'hiera.yaml')) if config.nil?
         config
       end,
       :desc    => "The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet master every time you edit it.",
@@ -571,7 +624,7 @@ module Puppet
     :http_proxy_password =>{
       :default    => "none",
       :hook       => proc do |value|
-        if Puppet.settings[:http_proxy_password] =~ /[@!# \/]/
+        if settings[:http_proxy_password] =~ /[@!# \/]/
           raise "Passwords set in the http_proxy_password setting must be valid as part of a URL, and any reserved characters must be URL-encoded. We received: #{value}"
         end
       end,
@@ -715,7 +768,7 @@ API to expire the cache as needed
     }
   )
 
-  Puppet.define_settings(:module_tool,
+  settings.define_settings(:module_tool,
     :module_repository  => {
       :default  => 'https://forgeapi.puppet.com',
       :desc     => "The module repository",
@@ -734,7 +787,7 @@ API to expire the cache as needed
     }
   )
 
-    Puppet.define_settings(
+    settings.define_settings(
     :main,
 
     # We have to downcase the fqdn, because the current ssl stuff (as opposed to in master) doesn't have good facilities for
@@ -815,13 +868,17 @@ This is useful for embedding a pre-shared key for autosigning policy executables
 ("challenge password") OID.
 
 Extension requests will be permanently embedded in the final certificate.
-Extension OIDs must be in the "ppRegCertExt" (`1.3.6.1.4.1.34380.1.1`) or
-"ppPrivCertExt" (`1.3.6.1.4.1.34380.1.2`) OID arcs. The ppRegCertExt arc is
+Extension OIDs must be in the "ppRegCertExt" (`1.3.6.1.4.1.34380.1.1`),
+"ppPrivCertExt" (`1.3.6.1.4.1.34380.1.2`), or
+"ppAuthCertExt" (`1.3.6.1.4.1.34380.1.3`) OID arcs. The ppRegCertExt arc is
 reserved for four of the most common pieces of data to embed: `pp_uuid` (`.1`),
 `pp_instance_id` (`.2`), `pp_image_name` (`.3`), and `pp_preshared_key` (`.4`)
 --- in the YAML file, these can be referred to by their short descriptive names
 instead of their full OID. The ppPrivCertExt arc is unregulated, and can be used
-for site-specific extensions.
+for site-specific extensions. The ppAuthCert arc is reserved for two pieces of
+data to embed: `pp_authorization` (`.1`) and `pp_auth_role` (`.13`). As with
+ppRegCertExt, in the YAML file, these can be referred to by their short
+descriptive name instead of their full OID.
 EOT
     },
     :certdir => {
@@ -1041,7 +1098,7 @@ EOT
     }
   )
 
-    define_settings(
+    settings.define_settings(
     :ca,
     :ca_name => {
       :default => "Puppet CA: $certname",
@@ -1113,7 +1170,7 @@ EOT
         the request.
 
         For info on autosign configuration files, see
-        [the guide to Puppet's config files](https://puppet.com/docs/puppet/latest/config_about_settings.html).",
+        [the guide to Puppet's config files](https://puppet.com/docs/puppet/latest/config_file_autosign.html).",
     },
     :allow_duplicate_certs => {
       :default    => false,
@@ -1159,7 +1216,7 @@ EOT
 
   # Define the config default.
 
-    define_settings(:application,
+    settings.define_settings(:application,
       :config_file_name => {
           :type     => :string,
           :default  => Puppet::Settings.default_config_file_name,
@@ -1184,7 +1241,7 @@ EOT
       },
   )
 
-  define_settings(:environment,
+  settings.define_settings(:environment,
     :manifest => {
       :default    => nil,
       :type       => :file_or_directory,
@@ -1227,7 +1284,7 @@ EOT
     }
   )
 
-  define_settings(:master,
+  settings.define_settings(:master,
     :user => {
       :default    => "puppet",
       :desc       => "The user Puppet Server will run as. Used to ensure
@@ -1284,13 +1341,23 @@ EOT
       overridden by more specific settings (see `ca_port`, `report_port`).",
     },
     :node_name => {
-      :default    => "cert",
+      :default    => 'cert',
+      :type       => :enum,
+      :values     => ['cert', 'facter'],
+      :deprecated => :completely,
+      :hook       => proc { |val|
+        if val != 'cert'
+          Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
+        end
+      },
       :desc       => "How the puppet master determines the client's identity
       and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
       in particular for determining which 'node' statement applies to the client.
       Possible values are 'cert' (use the subject's CN in the client's
       certificate) and 'facter' (use the hostname that the client
-      reported in its facts)",
+      reported in its facts).
+
+      This setting is deprecated, please use explicit fact matching for classification.",
     },
     :bucketdir => {
       :default => "$vardir/bucket",
@@ -1413,14 +1480,23 @@ EOT
       :desc       => "Where the fileserver configuration is stored.",
     },
     :strict_hostname_checking => {
-      :default    => false,
+      :default    => true,
+      :type       => :boolean,
       :desc       => "Whether to only search for the complete
-            hostname as it is in the certificate when searching for node information
-            in the catalogs.",
+        hostname as it is in the certificate when searching for node information
+        in the catalogs or to match dot delimited segments of the cert's certname
+        and the hostname, fqdn, and/or domain facts.
+
+        This setting is deprecated and will be removed in a future release.",
+      :hook => proc { |val|
+        if val != true
+          Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
+        end
+      }
     }
   )
 
-  define_settings(:device,
+  settings.define_settings(:device,
     :devicedir =>  {
         :default  => "$vardir/devices",
         :type     => :directory,
@@ -1435,7 +1511,7 @@ EOT
     }
   )
 
-  define_settings(:agent,
+  settings.define_settings(:agent,
     :node_name_value => {
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
@@ -1560,6 +1636,12 @@ EOT
       :default    => lambda { Puppet::Settings.domain_fact },
       :desc       => "The domain which will be queried to find the SRV records of servers to use.",
     },
+    :http_extra_headers => {
+      :default => [],
+      :type => :http_extra_headers,
+      :desc => "The list of extra headers that will be sent with http requests to the master.
+      The header definition consists of a name and a value separated by a colon."
+    },
     :ignoreschedules => {
       :default    => false,
       :type       => :boolean,
@@ -1716,10 +1798,27 @@ EOT
       :type     => :boolean,
       :desc     => "Whether to send reports after every transaction.",
     },
+    :report_include_system_store => {
+      :default  => false,
+      :type     => :boolean,
+      :desc     => "Whether the 'http' report processor should include the system
+        certificate store when submitting reports to HTTPS URLs. If false, then
+        the 'http' processor will only trust HTTPS report servers whose certificates
+        are issued by the puppet CA or one of its intermediate CAs. If true, the
+        processor will additionally trust CA certificates in the system's
+        certificate store."
+    },
     :resubmit_facts => {
       :default  => false,
       :type     => :boolean,
-      :desc     => "Whether to send updated facts after every transaction.",
+      :desc     => "Whether to send updated facts after every transaction. By default
+        puppet only submits facts at the beginning of the transaction before applying a
+        catalog. Since puppet can modify the state of the system, the value of the facts
+        may change after puppet finishes. Therefore, any facts stored in puppetdb may not
+        be consistent until the agent next runs, typically in 30 minutes. If this feature
+        is enabled, puppet will resubmit facts after applying its catalog, ensuring facts
+        for the node stored in puppetdb are current. However, this will double the fact
+        submission load on puppetdb, so it is disabled by default.",
     },
     :lastrunfile =>  {
       :default  => "$statedir/last_run_summary.yaml",
@@ -1783,12 +1882,31 @@ EOT
       certificate request to be signed. A value of `unlimited` will cause puppet agent
       to ask for a signed certificate indefinitely.
       #{AS_DURATION}",
+    },
+    :waitforlock => {
+      :default  => "0",
+      :type     => :duration,
+      :desc     => "How frequently puppet agent should try running when there is an
+      already ongoing puppet agent instance.
+
+      This argument is by default disabled (value set to 0). In this case puppet agent will
+      immediatly exit if it cannot run at that moment. When a value other than 0 is set, this
+      can also be used in combination with the `maxwaitforlock` argument.
+      #{AS_DURATION}",
+    },
+    :maxwaitforlock => {
+      :default  => "1m",
+      :type     => :ttl,
+      :desc     => "The maximum amount of time the puppet agent should wait for an
+      already running puppet agent to finish before starting a new one. This is set by default to 1 minute.
+      A value of `unlimited` will cause puppet agent to wait indefinitely. 
+      #{AS_DURATION}",
     }
   )
 
   # Plugin information.
 
-  define_settings(
+  settings.define_settings(
     :main,
     :plugindest => {
       :type       => :directory,
@@ -1831,7 +1949,7 @@ EOT
 
   # Central fact information.
 
-    define_settings(
+    settings.define_settings(
     :main,
     :factpath => {
       :type     => :path,
@@ -1848,7 +1966,7 @@ EOT
     }
   )
 
-  define_settings(
+  settings.define_settings(
     :transaction,
     :tags => {
       :default    => "",
@@ -1876,7 +1994,7 @@ EOT
     }
   )
 
-    define_settings(
+    settings.define_settings(
     :main,
     :external_nodes => {
         :default  => "none",
@@ -1901,7 +2019,7 @@ EOT
     }
     )
 
-        define_settings(
+        settings.define_settings(
         :ldap,
     :ldapssl => {
       :default  => false,
@@ -1970,7 +2088,7 @@ EOT
     }
   )
 
-  define_settings(:master,
+  settings.define_settings(:master,
     :storeconfigs => {
       :default  => false,
       :type     => :boolean,
@@ -1988,7 +2106,7 @@ EOT
         require 'puppet/node/facts'
         if value
           Puppet::Resource::Catalog.indirection.set_global_setting(:cache_class, :store_configs)
-          Puppet.settings.override_default(:catalog_cache_terminus, :store_configs)
+          settings.override_default(:catalog_cache_terminus, :store_configs)
           Puppet::Node::Facts.indirection.set_global_setting(:cache_class, :store_configs)
           Puppet::Resource.indirection.set_global_setting(:terminus_class, :store_configs)
         end
@@ -2003,7 +2121,7 @@ EOT
     }
   )
 
-  define_settings(:parser,
+  settings.define_settings(:parser,
    :max_errors => {
      :default => 10,
      :desc => <<-'EOT'
@@ -2055,7 +2173,7 @@ EOT
     EOT
     }
   )
-  define_settings(:puppetdoc,
+  settings.define_settings(:puppetdoc,
     :document_all => {
         :default  => false,
         :type     => :boolean,
@@ -2064,7 +2182,7 @@ EOT
     }
   )
 
-  define_settings(
+  settings.define_settings(
     :main,
     :rich_data => {
       :default  => true,
@@ -2081,5 +2199,5 @@ EOT
       EOT
     }
   )
-
+  end
 end