puppet 6.22.1-universal-darwin → 6.25.1-universal-darwin

data/lib/puppet/configurer.rb

@@ -91,7 +91,7 @@ class Puppet::Configurer
 
         if result
           # don't use use cached catalog if it doesn't match server specified environment
-          if @node_environment && result.environment != @environment
+          if result.environment != @environment
             Puppet.err _("Not using cached catalog because its environment '%{catalog_env}' does not match '%{local_env}'") % { catalog_env: result.environment, local_env: @environment }
             return nil
           end
@@ -118,8 +118,11 @@ class Puppet::Configurer
       catalog = result.to_ral
       catalog.finalize
       catalog.retrieval_duration = duration
-      catalog.write_class_file
-      catalog.write_resource_file
+
+      if Puppet[:write_catalog_summary]
+        catalog.write_class_file
+        catalog.write_resource_file
+      end
     end
     options[:report].add_times(:convert_catalog, catalog_conversion_time) if options[:report]
 
@@ -257,6 +260,7 @@ class Puppet::Configurer
 
   def run_internal(options)
     report = options[:report]
+    report.initial_environment = Puppet[:environment]
 
     if options[:start_time]
       startup_time = Time.now - options[:start_time]
@@ -296,69 +300,42 @@ class Puppet::Configurer
       configured_environment = Puppet[:environment] if Puppet.settings.set_by_config?(:environment)
 
       # We only need to find out the environment to run in if we don't already have a catalog
-      unless (cached_catalog || options[:catalog] || Puppet[:strict_environment_mode])
-        begin
-          node = nil
-          node_retr_time = thinmark do
-            node = Puppet::Node.indirection.find(Puppet[:node_name_value],
-              :environment => Puppet::Node::Environment.remote(@environment),
-              :configured_environment => configured_environment,
-              :ignore_cache => true,
-              :transaction_uuid => @transaction_uuid,
-              :fail_on_404 => true)
-          end
-          options[:report].add_times(:node_retrieval, node_retr_time)
+      unless (cached_catalog || options[:catalog] || Puppet.settings.set_by_cli?(:environment) || Puppet[:strict_environment_mode])
+        Puppet.debug(_("Environment not passed via CLI and no catalog was given, attempting to find out the last server-specified environment"))
+        initial_environment, loaded_last_environment = last_server_specified_environment
 
-          if node
-            # If we have deserialized a node from a rest call, we want to set
-            # an environment instance as a simple 'remote' environment reference.
-            if !node.has_environment_instance? && node.environment_name
-              node.environment = Puppet::Node::Environment.remote(node.environment_name)
-            end
+        unless loaded_last_environment
+          Puppet.debug(_("Requesting environment from the server"))
+          initial_environment = current_server_specified_environment(@environment, configured_environment, options)
+        end
 
-            @node_environment = node.environment.to_s
-
-            if node.environment.to_s != @environment
-              Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: node.environment }
-              @environment = node.environment.to_s
-              report.environment = @environment
-              query_options = nil
-              facts = nil
-
-              new_env = Puppet::Node::Environment.remote(@environment)
-              Puppet.push_context(
-                {
-                  current_environment: new_env,
-                  loaders: Puppet::Pops::Loaders.new(new_env, true)
-                },
-                "Local node environment #{@environment} for configurer transaction"
-              )
-            else
-              Puppet.info _("Using configured environment '%{env}'") % { env: @environment }
-            end
-          end
-        rescue StandardError => detail
-          Puppet.warning(_("Unable to fetch my node definition, but the agent run will continue:"))
-          Puppet.warning(detail)
+        if initial_environment
+          @environment = initial_environment
+          report.environment = initial_environment
+
+          push_current_environment_and_loaders
+        else
+          Puppet.debug(_("Could not find a usable environment in the lastrunfile. Either the file does not exist, does not have the required keys, or the values of 'initial_environment' and 'converged_environment' are identical."))
         end
       end
 
+      Puppet.info _("Using environment '%{env}'") % { env: @environment }
+
       # This is to maintain compatibility with anyone using this class
       # aside from agent, apply, device.
       unless Puppet.lookup(:loaders) { nil }
-        new_env = Puppet::Node::Environment.remote(@environment)
-        Puppet.push_context(
-          {
-            current_environment: new_env,
-            loaders: Puppet::Pops::Loaders.new(new_env, true)
-          },
-          "Local node environment #{@environment} for configurer transaction"
-        )
+        push_current_environment_and_loaders
       end
 
+      temp_value = options[:pluginsync]
+
+      # only validate server environment if pluginsync is requested
+      options[:pluginsync] = valid_server_environment? if options[:pluginsync] == true
+
       query_options, facts = get_facts(options) unless query_options
+      options[:pluginsync] = temp_value
+
       query_options[:configured_environment] = configured_environment
-      options[:convert_for_node] = node
 
       catalog = prepare_and_retrieve_catalog(cached_catalog, facts, options, query_options)
       unless catalog
@@ -383,6 +360,8 @@ class Puppet::Configurer
         @environment = catalog.environment
         report.environment = @environment
 
+        push_current_environment_and_loaders
+
         query_options, facts = get_facts(options)
         query_options[:configured_environment] = configured_environment
 
@@ -456,6 +435,25 @@ class Puppet::Configurer
   end
   private :run_internal
 
+  def valid_server_environment?
+    session = Puppet.lookup(:http_session)
+    begin
+      fs = session.route_to(:fileserver)
+      fs.get_file_metadatas(path: URI(Puppet[:pluginsource]).path, recurse: :false, environment: @environment)
+      true
+    rescue Puppet::HTTP::ResponseError => detail
+      if detail.response.code == 404
+        Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+      else
+        Puppet.log_exception(detail, detail.message)
+      end
+      false
+    rescue => detail
+      Puppet.log_exception(detail, detail.message)
+      false
+    end
+  end
+
   def find_functional_server
     begin
       session = Puppet.lookup(:http_session)
@@ -472,10 +470,88 @@ class Puppet::Configurer
   end
   private :find_functional_server
 
+  #
+  # @api private
+  #
+  # Read the last server-specified environment from the lastrunfile. The
+  # environment is considered to be server-specified if the values of
+  # `initial_environment` and `converged_environment` are different.
+  #
+  # @return [String, Boolean] An array containing a string with the environment
+  #   read from the lastrunfile in case the server is authoritative, and a
+  #   boolean marking whether the last environment was correctly loaded.
+  def last_server_specified_environment
+    return @last_server_specified_environment, @loaded_last_environment if @last_server_specified_environment
+
+    if Puppet::FileSystem.exist?(Puppet[:lastrunfile])
+      summary = Puppet::Util::Yaml.safe_load_file(Puppet[:lastrunfile])
+      return [nil, nil] unless summary['application']['run_mode'] == 'agent'
+      initial_environment = summary['application']['initial_environment']
+      converged_environment = summary['application']['converged_environment']
+      @last_server_specified_environment = converged_environment if initial_environment != converged_environment
+      Puppet.debug(_("Successfully loaded last environment from the lastrunfile"))
+      @loaded_last_environment = true
+    end
+
+    Puppet.debug(_("Found last server-specified environment: %{environment}") % { environment: @last_server_specified_environment }) if @last_server_specified_environment
+    [@last_server_specified_environment, @loaded_last_environment]
+  rescue => detail
+    Puppet.debug(_("Could not find last server-specified environment: %{detail}") % { detail: detail })
+    [nil, nil]
+  end
+  private :last_server_specified_environment
+
+  def current_server_specified_environment(current_environment, configured_environment, options)
+    return @server_specified_environment if @server_specified_environment
+
+    begin
+      node_retr_time = thinmark do
+        node = Puppet::Node.indirection.find(Puppet[:node_name_value],
+                                             :environment => Puppet::Node::Environment.remote(current_environment),
+                                             :configured_environment => configured_environment,
+                                             :ignore_cache => true,
+                                             :transaction_uuid => @transaction_uuid,
+                                             :fail_on_404 => true)
+
+        # The :rest node terminus returns a node with an environment_name, but not an
+        # environment instance. Attempting to get the environment instance will load
+        # it from disk, which will likely fail. So create a remote environment.
+        #
+        # The :plain node terminus returns a node with an environment, but not an
+        # environment_name.
+        if !node.has_environment_instance? && node.environment_name
+          node.environment = Puppet::Node::Environment.remote(node.environment_name)
+        end
+
+        @server_specified_environment = node.environment.to_s
+
+        if @server_specified_environment != @environment
+          Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: @server_specified_environment }
+        end
+      end
+
+      options[:report].add_times(:node_retrieval, node_retr_time)
+
+      @server_specified_environment
+    rescue => detail
+      Puppet.warning(_("Unable to fetch my node definition, but the agent run will continue:"))
+      Puppet.warning(detail)
+      nil
+    end
+  end
+  private :current_server_specified_environment
+
   def send_report(report)
     puts report.summary if Puppet[:summarize]
     save_last_run_summary(report)
-    Puppet::Transaction::Report.indirection.save(report, nil, :environment => Puppet::Node::Environment.remote(@environment)) if Puppet[:report]
+    if Puppet[:report]
+      remote = Puppet::Node::Environment.remote(@environment)
+      begin
+        Puppet::Transaction::Report.indirection.save(report, nil, ignore_cache: true, environment: remote)
+      ensure
+        Puppet::Transaction::Report.indirection.save(report, nil, ignore_terminus: true, environment: remote)
+      end
+    end
   rescue => detail
     Puppet.log_exception(detail, _("Could not send report: %{detail}") % { detail: detail })
   end
@@ -498,7 +574,7 @@ class Puppet::Configurer
   # @return [false] If an exception is raised during fact generation or
   #   submission.
   def resubmit_facts
-    ::Facter.clear
+    Puppet.runtime[:facter].clear
     facts = find_facts
 
     client = Puppet.runtime[:http]
@@ -533,6 +609,17 @@ class Puppet::Configurer
     end
   end
 
+  def push_current_environment_and_loaders
+    new_env = Puppet::Node::Environment.remote(@environment)
+    Puppet.push_context(
+      {
+        :current_environment => new_env,
+        :loaders => Puppet::Pops::Loaders.new(new_env, true)
+      },
+      "Local node environment #{@environment} for configurer transaction"
+    )
+  end
+
   def retrieve_catalog_from_cache(query_options)
     result = nil
     @duration = thinmark do
@@ -560,6 +647,7 @@ class Puppet::Configurer
           # don't update cache until after environment converges
           :ignore_cache_save => true,
           :environment       => Puppet::Node::Environment.remote(@environment),
+          :check_environment => true,
           :fail_on_404       => true,
           :facts_for_catalog => facts
         )

data/lib/puppet/confine/variable.rb

@@ -18,7 +18,7 @@ class Puppet::Confine::Variable < Puppet::Confine
 
   # Retrieve the value from facter
   def facter_value
-    @facter_value ||= ::Facter.value(name).to_s.downcase
+    @facter_value ||= Puppet.runtime[:facter].value(name).to_s.downcase
   end
 
   def initialize(values)

data/lib/puppet/defaults.rb

@@ -3,7 +3,7 @@ require 'puppet/util/platform'
 module Puppet
 
   def self.default_diffargs
-    if (Facter.value(:kernel) == "AIX" && Facter.value(:kernelmajversion) == "5300")
+    if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
       ""
     else
       "-u"
@@ -90,7 +90,7 @@ module Puppet
           This setting is still experimental.',
         :hook    => proc do |value|
           value = munge(value)
-          if value && Puppet::Util::Package.versioncmp(Facter.value('facterversion'), '4.0.0') < 0
+          if value && Puppet::Util::Package.versioncmp(Puppet.runtime[:facter].value('facterversion'), '4.0.0') < 0
             begin
               original_facter = Object.const_get(:Facter)
               Object.send(:remove_const, :Facter)
@@ -218,7 +218,7 @@ module Puppet
 
         The strictness level is for both language semantics and runtime
         evaluation validation. In addition to controlling the behavior with
-        this master switch some individual warnings may also be controlled
+        this primary server switch some individual warnings may also be controlled
         by the disable_warnings setting.
 
         No new validations will be added to a micro (x.y.z) release,
@@ -262,7 +262,7 @@ module Puppet
           internal Ruby stack trace interleaved with Puppet function frames.",
         :hook     => proc do |value|
           # Enable or disable Facter's trace option too
-          Facter.trace(value) if Facter.respond_to? :trace
+          Puppet.runtime[:facter].trace(value)
         end
     },
     :puppet_trace => {
@@ -294,7 +294,7 @@ module Puppet
       :default    => true,
       :type       => :boolean,
       :desc       => "Whether to compile a [static catalog](https://puppet.com/docs/puppet/latest/static_catalogs.html#enabling-or-disabling-static-catalogs),
-        which occurs only on a Puppet Server master when the `code-id-command` and
+        which occurs only on Puppet Server when the `code-id-command` and
         `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
     :strict_environment_mode => {
@@ -412,13 +412,13 @@ module Puppet
         :default  => "production",
         :desc     => "The environment in which Puppet is running. For clients,
           such as `puppet agent`, this determines the environment itself, which
-          Puppet uses to find modules and much more. For servers, such as `puppet master`,
+          Puppet uses to find modules and much more. For servers, such as `puppet server`,
           this provides the default environment for nodes that Puppet knows nothing about.
 
           When defining an environment in the `[agent]` section, this refers to the
-          environment that the agent requests from the master. The environment doesn't
+          environment that the agent requests from the primary server. The environment doesn't
           have to exist on the local filesystem because the agent fetches it from the
-          master. This definition is used when running `puppet agent`.
+          primary server. This definition is used when running `puppet agent`.
 
           When defined in the `[user]` section, the environment refers to the path that
           Puppet uses to search for code and modules related to its execution. This
@@ -800,6 +800,12 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       :owner    => "service",
       :group    => "service",
       :desc    => "The directory where catalog previews per node are generated."
+    },
+    :location_trusted => {
+      :default => false,
+      :type     => :boolean,
+      :desc    => "This will allow sending the name + password and the cookie header to all hosts that puppet may redirect to.
+        This may or may not introduce a security breach if puppet redirects you to a site to which you'll send your authentication info and cookies."
     }
   )
 
@@ -830,7 +836,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
     :certname => {
       :default => lambda { Puppet::Settings.default_certname.downcase },
       :desc => "The name to use when handling certificates. When a node
-        requests a certificate from the CA puppet master, it uses the value of the
+        requests a certificate from the CA Puppet Server, it uses the value of the
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
@@ -878,8 +884,8 @@ names.
 **Note:** The list of alternate names is locked in when the server's
 certificate is signed. If you need to change the list later, you can't just
 change this setting; you also need to regenerate the certificate. For more
-information on that process, see the [cert regen docs]
-(https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html).
+information on that process, see the 
+[cert regen docs](https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html).
 
 To see all the alternate names your servers are using, log into your CA server
 and run `puppetserver ca list --all`, then check the output for `(alt names: ...)`.
@@ -893,7 +899,7 @@ EOT
       :desc => <<EOT
 An optional file containing custom attributes to add to certificate signing
 requests (CSRs). You should ensure that this file does not exist on your CA
-puppet master; if it does, unwanted certificate extensions may leak into
+Puppet Server; if it does, unwanted certificate extensions may leak into
 certificates created with the `puppetserver ca generate` command.
 
 If present, this file must be a YAML hash containing a `custom_attributes` key
@@ -1205,7 +1211,7 @@ EOT
       :default => "$confdir/autosign.conf",
       :type => :autosign,
       :desc => "Whether (and how) to autosign certificate requests. This setting
-        is only relevant on a puppet master acting as a certificate authority (CA).
+        is only relevant on a Puppet Server acting as a certificate authority (CA).
 
         Valid values are true (autosigns all certificate requests; not recommended),
         false (disables autosigning certificates), or the absolute path to a file.
@@ -1216,7 +1222,7 @@ EOT
         file, it will be treated as a policy executable; otherwise, it will be
         treated as a config file.
 
-        If a custom policy executable is configured, the CA puppet master will run it
+        If a custom policy executable is configured, the CA Puppet Server will run it
         every time it receives a CSR. The executable will be passed the subject CN of the
         request _as a command line argument,_ and the contents of the CSR in PEM format
         _on stdin._ It should exit with a status of 0 if the cert should be autosigned
@@ -1302,7 +1308,7 @@ EOT
     :manifest => {
       :default    => nil,
       :type       => :file_or_directory,
-      :desc       => "The entry-point manifest for puppet master. This can be one file
+      :desc       => "The entry-point manifest for the primary server. This can be one file
         or a directory of manifests to be evaluated in alphabetical order. Puppet manages
         this path as a directory if one exists or if the path ends with a / or \\.
 
@@ -1509,15 +1515,17 @@ EOT
         their names should be comma-separated, with whitespace allowed. (For example,
         `reports = http, store`.)
 
-        This setting is relevant to puppet master and puppet apply. The puppet
-        master will call these report handlers with the reports it receives from
+        This setting is relevant to puppet server and puppet apply. The primary Puppet
+        server will call these report handlers with the reports it receives from
         agent nodes, and puppet apply will call them with its own report. (In
         all cases, the node applying the catalog must have `report = true`.)
 
         See the report reference for information on the built-in report
         handlers; custom report handlers can also be loaded from modules.
         (Report handlers are loaded from the lib directory, at
-        `puppet/reports/NAME.rb`.)",
+        `puppet/reports/NAME.rb`.)
+
+        To turn off reports entirely, set this to `none`",
     },
     :reportdir => {
       :default => "$vardir/reports",
@@ -1576,7 +1584,7 @@ EOT
     :node_name_value => {
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_fact.  Changing this setting also requires changes to the default
         auth.conf configuration on the Puppet Master.  Please see
         http://links.puppet.com/node_name_value for more information."
@@ -1584,7 +1592,7 @@ EOT
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_value.  Changing this setting also requires changes to the default
         auth.conf configuration on the Puppet Master.  Please see
         http://links.puppet.com/node_name_fact for more information.",
@@ -1598,8 +1606,8 @@ EOT
       :default => "$statedir/state.yaml",
       :type => :file,
       :mode => "0640",
-      :desc => "Where puppet agent and puppet master store state associated
-        with the running configuration.  In the case of puppet master,
+      :desc => "Where Puppet agent and Puppet Server store state associated
+        with the running configuration.  In the case of Puppet Server,
         this file reflects the state discovered through interacting
         with clients."
     },
@@ -1636,6 +1644,12 @@ EOT
       :mode => "0750",
       :desc => "The directory in which serialized data is stored on the client."
     },
+    :write_catalog_summary => {
+      :default => true,
+      :type => :boolean,
+      :desc => "Whether to write the `classfile` and `resourcefile` after applying
+        the catalog. It is enabled by default, except when running `puppet apply`.",
+    },
     :classfile => {
       :default => "$statedir/classes.txt",
       :type => :file,
@@ -1662,11 +1676,11 @@ EOT
         the POSIX syslog service and the Windows Event Log are unavailable. (Currently,
         no supported operating systems match that description.)
 
-        Despite the name, both puppet agent and puppet master will use this file
+        Despite the name, both puppet agent and puppet server will use this file
         as the fallback logging destination.
 
         For control over logging destinations, see the `--logdest` command line
-        option in the manual pages for puppet master, puppet agent, and puppet
+        option in the manual pages for puppet server, puppet agent, and puppet
         apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
         or read them online at https://puppet.com/docs/puppet/latest/man/."
     },
@@ -1680,12 +1694,12 @@ EOT
     },
     :server => {
       :default => "puppet",
-      :desc => "The puppet master server to which the puppet agent should connect.",
+      :desc => "The primary Puppet server to which the Puppet agent should connect.",
     },
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of puppet master servers to which the puppet agent should connect,
+      :desc => "The list of primary Puppet servers to which the Puppet agent should connect,
         in the order that they will be tried.",
     },
     :use_srv_records => {
@@ -1700,7 +1714,7 @@ EOT
     :http_extra_headers => {
       :default => [],
       :type => :http_extra_headers,
-      :desc => "The list of extra headers that will be sent with http requests to the master.
+      :desc => "The list of extra headers that will be sent with http requests to the primary server.
       The header definition consists of a name and a value separated by a colon."
     },
     :ignoreschedules => {
@@ -1726,7 +1740,7 @@ EOT
         like it does when running normally. However, if a resource attribute is not in
         the desired state (as declared in the catalog), Puppet will take no
         action, and will instead report the changes it _would_ have made. These
-        simulated changes will appear in the report sent to the puppet master, or
+        simulated changes will appear in the report sent to the primary Puppet server, or
         be shown on the console if running puppet agent or puppet apply in the
         foreground. The simulated changes will not send refresh events to any
         subscribing or notified resources, although Puppet will log that a refresh
@@ -1798,7 +1812,7 @@ EOT
       :desc       => "Whether to only use the cached catalog rather than compiling a new catalog
         on every run.  Puppet can be run with this enabled by default and then selectively
         disabled when a recompile is desired. Because a Puppet agent using cached catalogs
-        does not contact the master for a new catalog, it also does not upload facts at
+        does not contact the primary server for a new catalog, it also does not upload facts at
         the beginning of the Puppet run.",
     },
     :ignoremissingtypes => {
@@ -1806,7 +1820,7 @@ EOT
       :type       => :boolean,
       :desc       => "Skip searching for classes and definitions that were missing during a
         prior compilation. The list of missing objects is maintained per-environment and
-        persists until the environment is cleared or the master is restarted.",
+        persists until the environment is cleared or the primary server is restarted.",
     },
     :splaylimit => {
       :default    => "$runinterval",
@@ -1836,7 +1850,7 @@ EOT
         If you restart an agent's puppet service with `splay` enabled, it
         recalculates its splay period and delays its first agent run after
         restarting for this new period. If you simultaneously restart a group of
-        puppet agents with `splay` enabled, their checkins to your puppet masters
+        puppet agents with `splay` enabled, their checkins to your primary servers
         can be distributed more evenly.",
     },
     :clientbucketdir => {
@@ -1928,7 +1942,7 @@ EOT
 
       When starting for the first time, puppet agent will submit a certificate
       signing request (CSR) to the server named in the `ca_server` setting
-      (usually the puppet master); this may be autosigned, or may need to be
+      (usually the primary Puppet server); this may be autosigned, or may need to be
       approved by a human, depending on the CA server's configuration.
 
       Puppet agent cannot apply configurations until its approved certificate is
@@ -2042,7 +2056,7 @@ EOT
       :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter.
       :hook => proc do |value|
         paths = value.split(File::PATH_SEPARATOR)
-        Facter.search(*paths)
+        Puppet.runtime[:facter].search(*paths)
       end
     }
   )