puppet 7.16.0 → 7.17.0

Files changed (65) hide show
  1. checksums.yaml +4 -4
  2. data/Gemfile.lock +66 -5
  3. data/ext/systemd/puppet.service +1 -1
  4. data/lib/puppet/agent.rb +20 -2
  5. data/lib/puppet/application/agent.rb +3 -13
  6. data/lib/puppet/application/apply.rb +2 -2
  7. data/lib/puppet/configurer.rb +1 -1
  8. data/lib/puppet/defaults.rb +11 -1
  9. data/lib/puppet/http/client.rb +22 -2
  10. data/lib/puppet/parameter.rb +19 -4
  11. data/lib/puppet/pops/evaluator/deferred_resolver.rb +46 -6
  12. data/lib/puppet/pops/functions/dispatcher.rb +10 -6
  13. data/lib/puppet/pops/loader/ruby_legacy_function_instantiator.rb +7 -6
  14. data/lib/puppet/pops/types/type_mismatch_describer.rb +22 -1
  15. data/lib/puppet/provider/package/puppetserver_gem.rb +7 -16
  16. data/lib/puppet/provider/package/yum.rb +8 -3
  17. data/lib/puppet/provider/user/directoryservice.rb +15 -8
  18. data/lib/puppet/ssl/ssl_provider.rb +65 -12
  19. data/lib/puppet/ssl/state_machine.rb +13 -17
  20. data/lib/puppet/transaction.rb +22 -0
  21. data/lib/puppet/type/user.rb +3 -0
  22. data/lib/puppet/type.rb +20 -3
  23. data/lib/puppet/version.rb +1 -1
  24. data/lib/puppet.rb +1 -14
  25. data/man/man5/puppet.conf.5 +11 -3
  26. data/man/man8/puppet-agent.8 +2 -2
  27. data/man/man8/puppet-apply.8 +1 -1
  28. data/man/man8/puppet-catalog.8 +1 -1
  29. data/man/man8/puppet-config.8 +1 -1
  30. data/man/man8/puppet-describe.8 +1 -1
  31. data/man/man8/puppet-device.8 +1 -1
  32. data/man/man8/puppet-doc.8 +1 -1
  33. data/man/man8/puppet-epp.8 +1 -1
  34. data/man/man8/puppet-facts.8 +1 -1
  35. data/man/man8/puppet-filebucket.8 +1 -1
  36. data/man/man8/puppet-generate.8 +1 -1
  37. data/man/man8/puppet-help.8 +1 -1
  38. data/man/man8/puppet-lookup.8 +1 -1
  39. data/man/man8/puppet-module.8 +1 -1
  40. data/man/man8/puppet-node.8 +1 -1
  41. data/man/man8/puppet-parser.8 +1 -1
  42. data/man/man8/puppet-plugin.8 +1 -1
  43. data/man/man8/puppet-report.8 +1 -1
  44. data/man/man8/puppet-resource.8 +1 -1
  45. data/man/man8/puppet-script.8 +1 -1
  46. data/man/man8/puppet-ssl.8 +1 -1
  47. data/man/man8/puppet.8 +2 -2
  48. data/spec/integration/application/agent_spec.rb +157 -0
  49. data/spec/integration/application/apply_spec.rb +74 -0
  50. data/spec/integration/http/client_spec.rb +27 -10
  51. data/spec/lib/puppet_spec/https.rb +1 -1
  52. data/spec/lib/puppet_spec/puppetserver.rb +39 -2
  53. data/spec/unit/agent_spec.rb +6 -2
  54. data/spec/unit/application/agent_spec.rb +26 -16
  55. data/spec/unit/daemon_spec.rb +2 -11
  56. data/spec/unit/http/client_spec.rb +18 -0
  57. data/spec/unit/pops/evaluator/deferred_resolver_spec.rb +26 -0
  58. data/spec/unit/pops/loaders/loaders_spec.rb +1 -1
  59. data/spec/unit/pops/types/type_mismatch_describer_spec.rb +167 -1
  60. data/spec/unit/provider/package/puppetserver_gem_spec.rb +2 -2
  61. data/spec/unit/provider/user/directoryservice_spec.rb +1 -1
  62. data/spec/unit/ssl/ssl_provider_spec.rb +75 -1
  63. data/spec/unit/ssl/state_machine_spec.rb +1 -0
  64. data/tasks/generate_cert_fixtures.rake +5 -4
  65. metadata +2 -2
@@ -53,7 +53,7 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
53
53
  end
54
54
 
55
55
  if options[:local]
56
- list = execute_rubygems_list_command(gem_regex)
56
+ list = execute_rubygems_list_command(command_options)
57
57
  else
58
58
  begin
59
59
  list = puppetservercmd(command_options)
@@ -137,7 +137,7 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
137
137
  # for example: json (1.8.3 java)
138
138
  # but java platform gems should not be managed by this (or any) provider.
139
139
 
140
- def self.execute_rubygems_list_command(gem_regex)
140
+ def self.execute_rubygems_list_command(command_options)
141
141
  puppetserver_default_gem_home = '/opt/puppetlabs/server/data/puppetserver/jruby-gems'
142
142
  puppetserver_default_vendored_jruby_gems = '/opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems'
143
143
  puppet_default_vendor_gems = '/opt/puppetlabs/puppet/lib/ruby/vendor_gems'
@@ -157,24 +157,15 @@ Puppet::Type.type(:package).provide :puppetserver_gem, :parent => :gem do
157
157
  gem_env['GEM_PATH'] = puppetserver_conf['jruby-puppet'].key?('gem-path') ? puppetserver_conf['jruby-puppet']['gem-path'].join(':') : puppetserver_default_gem_path
158
158
  end
159
159
  gem_env['GEM_SPEC_CACHE'] = "/tmp/#{$$}"
160
- Gem.paths = gem_env
161
-
162
- sio_inn = StringIO.new
163
- sio_out = StringIO.new
164
- sio_err = StringIO.new
165
- stream_ui = Gem::StreamUI.new(sio_inn, sio_out, sio_err, false)
166
- gem_list_cmd = Gem::Commands::ListCommand.new
167
- gem_list_cmd.options[:domain] = :local
168
- gem_list_cmd.options[:args] = [gem_regex] if gem_regex
169
- gem_list_cmd.ui = stream_ui
170
- gem_list_cmd.execute
160
+
161
+ # Remove the 'gem' from the command_options
162
+ command_options.shift
163
+ gem_out = execute_gem_command(Puppet::Type::Package::ProviderPuppet_gem.provider_command, command_options, gem_env)
171
164
 
172
165
  # There is no method exclude default gems from the local gem list,
173
166
  # for example: psych (default: 2.2.2)
174
167
  # but default gems should not be managed by this (or any) provider.
175
- gem_list = sio_out.string.lines.reject { |gem| gem =~ / \(default\: / }
168
+ gem_list = gem_out.lines.reject { |gem| gem =~ / \(default\: / }
176
169
  gem_list.join("\n")
177
- ensure
178
- Gem.clear_paths
179
170
  end
180
171
  end
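Review bot: `command_options.shift` in `execute_rubygems_list_command` mutates the array the caller passed in and assumes, without checking, that its first element is `gem`. Passing a copy avoids both: `execute_gem_command(Puppet::Type::Package::ProviderPuppet_gem.provider_command, command_options.drop(1), gem_env)`. The same method still sets `GEM_SPEC_CACHE` to `/tmp/#{$$}`, and that environment is now handed to an external gem process; a PID-derived path in a shared temp directory is predictable, so a directory created with `Dir.mktmpdir` would be the safer choice. The method body is split across two hunks, so the lines between them are not visible here.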
@@ -204,7 +204,7 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
204
204
  return should
205
205
  end
206
206
  versions = []
207
- available_versions(@resource[:name]).each do |version|
207
+ available_versions(@resource[:name], disablerepo, enablerepo, disableexcludes).each do |version|
208
208
  begin
209
209
  rpm_version = RPM_VERSION.parse(version)
210
210
  versions << rpm_version if should_range.include?(rpm_version)
@@ -225,8 +225,13 @@ defaultfor :osfamily => :redhat, :operatingsystemmajrelease => (4..7).to_a
225
225
  end
226
226
  end
227
227
 
228
- def available_versions(package_name)
229
- output = execute("yum list #{package_name} --showduplicates | sed -e '1,/Available Packages/ d' | awk '{print $2}'")
228
+ def available_versions(package_name, disablerepo, enablerepo, disableexcludes)
229
+ args = [command(:cmd), 'list', package_name, '--showduplicates']
230
+ args.concat(disablerepo.map { |repo| ["--disablerepo=#{repo}"] }.flatten)
231
+ args.concat(enablerepo.map { |repo| ["--enablerepo=#{repo}"] }.flatten)
232
+ args.concat(disableexcludes.map { |repo| ["--disableexcludes=#{repo}"] }.flatten)
233
+
234
+ output = execute("#{args.compact.join(' ')} | sed -e '1,/Available Packages/ d' | awk '{print $2}'")
230
235
  output.split("\n")
231
236
  end
232
237
 
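Review bot: `available_versions` joins `package_name` and the repo option values into one string and passes it to `execute` with a `sed | awk` pipeline, so a shell parses the whole line. Any whitespace or shell metacharacter in those values is interpreted by the shell instead of reaching yum as a single argument. Quoting each element before joining closes that, e.g. `args.compact.map { |a| Shellwords.escape(a.to_s) }.join(' ')` (needs `require 'shellwords'`); running yum from the argv array and filtering the output in Ruby would remove the shell altogether. The `.map { |repo| ["--disablerepo=#{repo}"] }.flatten` wrappers can be plain `map` calls returning strings. Where `disablerepo`, `enablerepo` and `disableexcludes` come from at the call site is not visible in this hunk.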
@@ -147,9 +147,9 @@ Puppet::Type.type(:user).provide :directoryservice do
147
147
  else
148
148
  embedded_binary_plist = get_embedded_binary_plist(attribute_hash[:shadowhashdata])
149
149
  if embedded_binary_plist['SALTED-SHA512-PBKDF2']
150
- attribute_hash[:password] = get_salted_sha512_pbkdf2('entropy', embedded_binary_plist)
151
- attribute_hash[:salt] = get_salted_sha512_pbkdf2('salt', embedded_binary_plist)
152
- attribute_hash[:iterations] = get_salted_sha512_pbkdf2('iterations', embedded_binary_plist)
150
+ attribute_hash[:password] = get_salted_sha512_pbkdf2('entropy', embedded_binary_plist, attribute_hash[:name])
151
+ attribute_hash[:salt] = get_salted_sha512_pbkdf2('salt', embedded_binary_plist, attribute_hash[:name])
152
+ attribute_hash[:iterations] = get_salted_sha512_pbkdf2('iterations', embedded_binary_plist, attribute_hash[:name])
153
153
  elsif embedded_binary_plist['SALTED-SHA512']
154
154
  attribute_hash[:password] = get_salted_sha512(embedded_binary_plist)
155
155
  end
@@ -205,16 +205,18 @@ Puppet::Type.type(:user).provide :directoryservice do
205
205
  # according to which field is passed. Arguments passed are the hash
206
206
  # containing the value read from the 'ShadowHashData' key in the User's
207
207
  # plist, and the field to be read (one of 'entropy', 'salt', or 'iterations')
208
- def self.get_salted_sha512_pbkdf2(field, embedded_binary_plist)
208
+ def self.get_salted_sha512_pbkdf2(field, embedded_binary_plist, user_name = "")
209
209
  case field
210
210
  when 'salt', 'entropy'
211
- embedded_binary_plist['SALTED-SHA512-PBKDF2'][field].unpack('H*').first
211
+ value = embedded_binary_plist['SALTED-SHA512-PBKDF2'][field]
212
+ if value == nil
213
+ raise Puppet::Error, "Invalid #{field} given for user #{user_name}"
214
+ end
215
+ value.unpack('H*').first
212
216
  when 'iterations'
213
217
  Integer(embedded_binary_plist['SALTED-SHA512-PBKDF2'][field])
214
218
  else
215
- raise Puppet::Error, 'Puppet has tried to read an incorrect value from the ' +
216
- "SALTED-SHA512-PBKDF2 hash. Acceptable fields are 'salt', " +
217
- "'entropy', or 'iterations'."
219
+ raise Puppet::Error, "Puppet has tried to read an incorrect value from the user #{user_name} in the SALTED-SHA512-PBKDF2 hash. Acceptable fields are 'salt', 'entropy', or 'iterations'."
218
220
  end
219
221
  end
220
222
 
@@ -401,6 +403,11 @@ Puppet::Type.type(:user).provide :directoryservice do
401
403
  # we have to treat the ds cache just like you would in the password=
402
404
  # method.
403
405
  def salt=(value)
406
+ if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.15') >= 0)
407
+ if value.length != 64
408
+ self.fail "macOS versions 10.15 and higher require the salt to be 32-bytes. Since Puppet's user resource requires the value to be hex encoded, the length of the salt's string must be 64. Please check your salt and try again."
409
+ end
410
+ end
404
411
  if (Puppet::Util::Package.versioncmp(self.class.get_os_version, '10.7') > 0)
405
412
  assert_full_pbkdf2_password
406
413
 
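Review bot: The nil guard added to `get_salted_sha512_pbkdf2` covers only `'salt'` and `'entropy'`; the `'iterations'` branch still calls `Integer(...)` on the raw plist value, so a missing key surfaces as a `TypeError` rather than the `Puppet::Error` that names the user. Repeating the guard in that branch fixes it, and it reads better as `raise Puppet::Error, "Invalid #{field} given for user #{user_name}" if value.nil?` than as `if value == nil`. In `salt=`, the new macOS 10.15 check tests only `value.length != 64`, so a 64-character string that is not hex passes; `unless value =~ /\A\h{64}\z/` would enforce what the error message describes. The body of `salt=` continues outside the hunk.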
@@ -59,15 +59,18 @@ class Puppet::SSL::SSLProvider
59
59
  # refers to the cacerts bundle in the puppet-agent package.
60
60
  #
61
61
  # Connections made from the returned context will authenticate the server,
62
- # i.e. `VERIFY_PEER`, but will not use a client certificate and will not
63
- # perform revocation checking.
62
+ # i.e. `VERIFY_PEER`, but will not use a client certificate (unless requested)
63
+ # and will not perform revocation checking.
64
64
  #
65
65
  # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
66
66
  # @param path [String, nil] A file containing additional trusted CA certs.
67
+ # @param include_client_cert [true, false] If true, the client cert will be added to the context
68
+ # allowing mutual TLS authentication. The default is false. If the client cert doesn't exist
69
+ # then the option will be ignored.
67
70
  # @return [Puppet::SSL::SSLContext] A context to use to create connections
68
71
  # @raise (see #create_context)
69
72
  # @api private
70
- def create_system_context(cacerts:, path: Puppet[:ssl_trust_store])
73
+ def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_client_cert: false)
71
74
  store = create_x509_store(cacerts, [], false, include_system_store: true)
72
75
 
73
76
  if path
@@ -88,6 +91,29 @@ class Puppet::SSL::SSLProvider
88
91
  end
89
92
  end
90
93
 
94
+ if include_client_cert
95
+ cert_provider = Puppet::X509::CertProvider.new
96
+ private_key = cert_provider.load_private_key(Puppet[:certname], required: false)
97
+ unless private_key
98
+ Puppet.warning("Private key for '#{Puppet[:certname]}' does not exist")
99
+ end
100
+
101
+ client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false)
102
+ unless client_cert
103
+ Puppet.warning("Client certificate for '#{Puppet[:certname]}' does not exist")
104
+ end
105
+
106
+ if private_key && client_cert
107
+ client_chain = resolve_client_chain(store, client_cert, private_key)
108
+
109
+ return Puppet::SSL::SSLContext.new(
110
+ store: store, cacerts: cacerts, crls: [],
111
+ private_key: private_key, client_cert: client_cert, client_chain: client_chain,
112
+ revocation: false
113
+ ).freeze
114
+ end
115
+ end
116
+
91
117
  Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: [], revocation: false).freeze
92
118
  end
93
119
 
@@ -124,15 +150,7 @@ class Puppet::SSL::SSLProvider
124
150
  raise ArgumentError, _("Client cert is missing") unless client_cert
125
151
 
126
152
  store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
127
- client_chain = verify_cert_with_store(store, client_cert)
128
-
129
- if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
130
- raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
131
- end
132
-
133
- unless client_cert.check_private_key(private_key)
134
- raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
135
- end
153
+ client_chain = resolve_client_chain(store, client_cert, private_key)
136
154
 
137
155
  Puppet::SSL::SSLContext.new(
138
156
  store: store, cacerts: cacerts, crls: crls,
@@ -191,6 +209,27 @@ class Puppet::SSL::SSLProvider
191
209
  csr
192
210
  end
193
211
 
212
+ def print(ssl_context, alg = 'SHA256')
213
+ if Puppet::Util::Log.sendlevel?(:debug)
214
+ chain = ssl_context.client_chain
215
+ # print from root to client
216
+ chain.reverse.each_with_index do |cert, i|
217
+ digest = Puppet::SSL::Digest.new(alg, cert.to_der)
218
+ if i == chain.length - 1
219
+ Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
220
+ else
221
+ Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
222
+ end
223
+ end
224
+ ssl_context.crls.each do |crl|
225
+ oid_values = Hash[crl.extensions.map { |ext| [ext.oid, ext.value] }]
226
+ crlNumber = oid_values['crlNumber'] || 'unknown'
227
+ authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp!
228
+ Puppet.debug("Using CRL '#{crl.issuer.to_utf8}' authorityKeyIdentifier '#{authKeyId}' crlNumber '#{crlNumber }'")
229
+ end
230
+ end
231
+ end
232
+
194
233
  private
195
234
 
196
235
  def default_flags
@@ -237,6 +276,20 @@ class Puppet::SSL::SSLProvider
237
276
  end
238
277
  end
239
278
 
279
+ def resolve_client_chain(store, client_cert, private_key)
280
+ client_chain = verify_cert_with_store(store, client_cert)
281
+
282
+ if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
283
+ raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
284
+ end
285
+
286
+ unless client_cert.check_private_key(private_key)
287
+ raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
288
+ end
289
+
290
+ client_chain
291
+ end
292
+
240
293
  def verify_cert_with_store(store, cert)
241
294
  # StoreContext#initialize accepts a chain argument, but it's set to [] because
242
295
  # puppet requires any intermediate CA certs needed to complete the client's
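Review bot: In the new `print` method, `(oid_values['authorityKeyIdentifier'] || 'unknown').chomp!` yields `nil` whenever the string has no trailing newline, because `chomp!` returns `nil` when it changes nothing; that includes the `'unknown'` fallback, so the debug line then shows an empty `authorityKeyIdentifier`. The non-mutating form is what is wanted: `authKeyId = (oid_values['authorityKeyIdentifier'] || 'unknown').chomp`. The name `print` also shadows `Kernel#print` inside `SSLProvider`; a more specific name and a short doc comment would say what the method is for. Separately, the `include_client_cert` branch of `create_system_context` calls `load_private_key` without a password, whereas the `ssl_context` proc removed from `puppet.rb` in this release passed one from `load_private_key_password`. It is worth confirming how a password-protected key behaves on this path.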
@@ -27,6 +27,15 @@ class Puppet::SSL::StateMachine
27
27
  detail.set_backtrace(cause.backtrace)
28
28
  Error.new(@machine, message, detail)
29
29
  end
30
+
31
+ def log_error(message)
32
+ # When running daemonized we set stdout to /dev/null, so write to the log instead
33
+ if Puppet[:daemonize]
34
+ Puppet.err(message)
35
+ else
36
+ $stdout.puts(message)
37
+ end
38
+ end
30
39
  end
31
40
 
32
41
  # Load existing CA certs or download them. Transition to NeedCRLs.
@@ -270,15 +279,15 @@ class Puppet::SSL::StateMachine
270
279
  def next_state
271
280
  time = @machine.waitforcert
272
281
  if time < 1
273
- puts _("Exiting now because the waitforcert setting is set to 0.")
282
+ log_error(_("Exiting now because the waitforcert setting is set to 0."))
274
283
  exit(1)
275
284
  elsif Time.now.to_i > @machine.wait_deadline
276
- puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] }
285
+ log_error(_("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}). Exiting now because the maxwaitforcert timeout has been exceeded.") % {name: Puppet[:certname] })
277
286
  exit(1)
278
287
  else
279
288
  Puppet.info(_("Will try again in %{time} seconds.") % {time: time})
280
289
 
281
- # close persistent connections and session state before sleeping
290
+ # close http/tls and session state before sleeping
282
291
  Puppet.runtime[:http].close
283
292
  @machine.session = Puppet.runtime[:http].create_session
284
293
 
@@ -419,20 +428,7 @@ class Puppet::SSL::StateMachine
419
428
  def ensure_client_certificate
420
429
  final_state = run_machine(NeedLock.new(self), Done)
421
430
  ssl_context = final_state.ssl_context
422
-
423
- if Puppet::Util::Log.sendlevel?(:debug)
424
- chain = ssl_context.client_chain
425
- # print from root to client
426
- chain.reverse.each_with_index do |cert, i|
427
- digest = Puppet::SSL::Digest.new(@digest, cert.to_der)
428
- if i == chain.length - 1
429
- Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
430
- else
431
- Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_utf8, digest: digest})
432
- end
433
- end
434
- end
435
-
431
+ @ssl_provider.print(ssl_context, @digest)
436
432
  ssl_context
437
433
  end
438
434
 
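Review bot: `log_error` writes only to `$stdout` when the agent is not daemonized, so on a foreground run the two fatal messages in `next_state` bypass Puppet's logger. If the configured log destination is not the console, the reason for `exit(1)` is then missing from whatever collects agent logs. Calling `Puppet.err(message)` in both branches would record it; whether the extra `$stdout.puts` is still needed for foreground runs depends on callers not visible here. A one-line comment on `log_error` saying it is meant for messages emitted just before exit would also help. `next_state` continues past the end of the hunk.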
@@ -276,6 +276,7 @@ class Puppet::Transaction
276
276
 
277
277
  # Evaluate a single resource.
278
278
  def eval_resource(resource, ancestor = nil)
279
+ resolve_resource(resource)
279
280
  propagate_failure(resource)
280
281
  if skip?(resource)
281
282
  resource_status(resource).skipped = true
@@ -464,6 +465,27 @@ class Puppet::Transaction
464
465
  public :skip?
465
466
  public :missing_tags?
466
467
 
468
+ def resolve_resource(resource)
469
+ return unless catalog.host_config?
470
+
471
+ deferred_validate = false
472
+
473
+ resource.eachparameter do |param|
474
+ if param.value.instance_of?(Puppet::Pops::Evaluator::DeferredValue)
475
+ # Puppet::Parameter#value= triggers validation and munging. Puppet::Property#value=
476
+ # overrides the method, but also triggers validation and munging, since we're
477
+ # setting the desired/should value.
478
+ resolved = param.value.resolve
479
+ # resource.notice("Resolved deferred value to #{resolved}")
480
+ param.value = resolved
481
+ deferred_validate = true
482
+ end
483
+ end
484
+
485
+ if deferred_validate
486
+ resource.validate_resource
487
+ end
488
+ end
467
489
  end
468
490
 
469
491
  require_relative 'transaction/report'
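Review bot: The commented-out `# resource.notice("Resolved deferred value to #{resolved}")` in `resolve_resource` should be deleted rather than kept. Deferred values are often secrets looked up at apply time, and re-enabling that line would write them to the agent log and the report. `resolve_resource` is also called at the top of `eval_resource` with no rescue visible in the hunk, so it is worth confirming that an exception from `param.value.resolve` marks that one resource as failed instead of aborting the run. A short doc comment on `resolve_resource` saying that it returns early unless `catalog.host_config?` is true would help readers.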
@@ -227,6 +227,9 @@ module Puppet
227
227
  * OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
228
228
  on these systems, the `salt` and `iterations` attributes need to be specified as
229
229
  well as the password.
230
+ * macOS 10.15 and higher require the salt to be 32-bytes. Since Puppet's user
231
+ resource requires the value to be hex encoded, the length of the salt's
232
+ string must be 64.
230
233
  * Windows passwords can be managed only in cleartext, because there is no Windows
231
234
  API for setting the password hash.
232
235
 
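--- a/data/lib/puppet/type.rb
+++ b/data/lib/puppet/type.rb
@@ -2282,7 +2282,13 @@ class Type
  # @api public
  #
  def self.validate(&block)
- define_method(:validate, &block)
+ define_method(:unsafe_validate, &block)
+
+ define_method(:validate) do
+ return if enum_for(:eachparameter).any? { |p| p.value.instance_of?(Puppet::Pops::Evaluator::DeferredValue) }
+
+ unsafe_validate
+ end
  end
 
  # @return [String] The file from which this type originates from
@@ -2372,6 +2378,19 @@ class Type
 
  set_parameters(@original_parameters)
 
+ validate_resource
+
+ set_sensitive_parameters(resource.sensitive_parameters)
+ end
+
+ # Optionally validate the resource. This method is a noop if the type has not defined
+ # a `validate` method using the puppet DSL. If validation fails, then an exception will
+ # be raised with this resources as the context.
+ #
+ # @api public
+ #
+ # @return [void]
+ def validate_resource
  begin
  self.validate if self.respond_to?(:validate)
  rescue Puppet::Error, ArgumentError => detail
@@ -2379,8 +2398,6 @@ class Type
  adderrorcontext(error, detail)
  raise error
  end
-
- set_sensitive_parameters(resource.sensitive_parameters)
  end
 
  protected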
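Review bot: The wrapper installed by `self.validate` returns without validating as soon as any parameter holds a `DeferredValue`, so for such resources the type's `validate` block runs only if something later calls `validate_resource` after the values are resolved. If that later call is skipped for a given catalog, the resource would be applied unvalidated; a test for that path, plus a sentence in the `self.validate` doc comment describing the deferral, would make the contract explicit. `unsafe_validate` is defined as an ordinary public instance method, so an `# @api private` note would discourage direct callers. The new `validate_resource` comment has a typo: `with this resources as the context` should read `with this resource as the context`.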
@@ -6,7 +6,7 @@
6
6
  # Raketasks and such to set the version based on the output of `git describe`
7
7
 
8
8
  module Puppet
9
- PUPPETVERSION = '7.16.0'
9
+ PUPPETVERSION = '7.17.0'
10
10
 
11
11
  ##
12
12
  # version is a public API method intended to always provide a fast and
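--- a/data/lib/puppet.rb
+++ b/data/lib/puppet.rb
@@ -235,20 +235,7 @@ module Puppet
 
  {
  :environments => Puppet::Environments::Cached.new(Puppet::Environments::Combined.new(*loaders)),
- :ssl_context => proc {
- begin
- cert = Puppet::X509::CertProvider.new
- password = cert.load_private_key_password
- ssl = Puppet::SSL::SSLProvider.new
- ssl.load_context(certname: Puppet[:certname], password: password)
- rescue => e
- # TRANSLATORS: `message` is an already translated string of why SSL failed to initialize
- Puppet.log_exception(e, _("Failed to initialize SSL: %{message}") % { message: e.message })
- # TRANSLATORS: `puppet agent -t` is a command and should not be translated
- Puppet.err(_("Run `puppet agent -t`"))
- raise e
- end
- },
+ :ssl_context => proc { Puppet.runtime[:http].default_ssl_context },
  :http_session => proc { Puppet.runtime[:http].create_session },
  :plugins => proc { Puppet::Plugins::Configuration.load_plugins },
  :rich_data => false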
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPETCONF" "5" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPETCONF" "5" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  \fBThis page is autogenerated; any changes will get overwritten\fR
6
6
  .
7
7
  .SH "Configuration settings"
@@ -929,7 +929,7 @@ The time to wait for data to be read from an HTTP connection\. If nothing is rea
929
929
  The HTTP User\-Agent string to send when making network requests\.
930
930
  .
931
931
  .IP "\(bu" 4
932
- \fIDefault\fR: \fBPuppet/7\.16\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
932
+ \fIDefault\fR: \fBPuppet/7\.17\.0 Ruby/2\.7\.5\-p203 (x86_64\-linux)\fR
933
933
  .
934
934
  .IP "" 0
935
935
  .
@@ -1486,6 +1486,14 @@ The preferred means of serializing ruby instances for passing over the wire\. Th
1486
1486
  .
1487
1487
  .IP "" 0
1488
1488
  .
1489
+ .SS "preprocess_deferred"
1490
+ Whether puppet should call deferred functions before applying the catalog\. If set to \fBtrue\fR, then all prerequisites needed for the deferred function must be satified prior to puppet running\. If set to \fBfalse\fR, then deferred functions will follow puppet relationships and ordering\. This allows puppet to install prerequisites needed for a deferred function and call the deferred function in the same run\.
1491
+ .
1492
+ .IP "\(bu" 4
1493
+ \fIDefault\fR: \fBtrue\fR
1494
+ .
1495
+ .IP "" 0
1496
+ .
1489
1497
  .SS "prerun_command"
1490
1498
  A command to run before every agent run\. If this command returns a non\-zero return code, the entire Puppet run will fail\.
1491
1499
  .
@@ -2000,7 +2008,7 @@ Whether to print stack traces on some errors\. Will print internal Ruby stack tr
2000
2008
  .IP "" 0
2001
2009
  .
2002
2010
  .SS "transactionstorefile"
2003
- Transactional storage file for persisting data between transactions for the purposes of infering information (such as corrective_change) on new data received\.
2011
+ Transactional storage file for persisting data between transactions for the purposes of inferring information (such as corrective_change) on new data received\.
2004
2012
  .
2005
2013
  .IP "\(bu" 4
2006
2014
  \fIDefault\fR: \fB$statedir/transactionstore\.yaml\fR
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-AGENT" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-AGENT" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-agent\fR \- The puppet agent daemon
@@ -51,7 +51,7 @@ Some flags are meant specifically for interactive use \-\-\- in particular, \'te
51
51
  \'\-\-tags\' allows you to specify what portions of a configuration you want to apply\. Puppet elements are tagged with all of the class or definition names that contain them, and you can use the \'tags\' flag to specify one of these names, causing only configuration elements contained within that class or definition to be applied\. This is very useful when you are testing new configurations \-\-\- for instance, if you are just starting to manage \'ntpd\', you would put all of the new elements into an \'ntpd\' class, and call puppet with \'\-\-tags ntpd\', which would only apply that small portion of the configuration during your testing, rather than applying the whole thing\.
52
52
  .
53
53
  .P
54
- \'\-\-fingerprint\' is a one\-time flag\. In this mode \'puppet agent\' runs once and displays on the console (and in the log) the current certificate (or certificate request) fingerprint\. Providing the \'\-\-digest\' option allows to use a different digest algorithm to generate the fingerprint\. The main use is to verify that before signing a certificate request on the master, the certificate request the master received is the same as the one the client sent (to prevent against man\-in\-the\-middle attacks when signing certificates)\.
54
+ \'\-\-fingerprint\' is a one\-time flag\. In this mode \'puppet agent\' runs once and displays on the console (and in the log) the current certificate (or certificate request) fingerprint\. Providing the \'\-\-digest\' option allows you to use a different digest algorithm to generate the fingerprint\. The main use is to verify that before signing a certificate request on the master, the certificate request the master received is the same as the one the client sent (to prevent against man\-in\-the\-middle attacks when signing certificates)\.
55
55
  .
56
56
  .P
57
57
  \'\-\-skip_tags\' is a flag used to filter resources\. If this is set, then only resources not tagged with the specified tags will be applied\. Values must be comma\-separated\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-APPLY" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-APPLY" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-apply\fR \- Apply Puppet manifests locally
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-CATALOG" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-CATALOG" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-catalog\fR \- Compile, save, view, and convert catalogs\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-CONFIG" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-CONFIG" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-config\fR \- Interact with Puppet\'s settings\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-DESCRIBE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-DESCRIBE" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-describe\fR \- Display help about resource types
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-DEVICE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-DEVICE" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-device\fR \- Manage remote network devices
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-DOC" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-DOC" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-doc\fR \- Generate Puppet references
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-EPP" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-EPP" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-epp\fR \- Interact directly with the EPP template parser/renderer\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-FACTS" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-FACTS" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-facts\fR \- Retrieve and store facts\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-FILEBUCKET" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-FILEBUCKET" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-filebucket\fR \- Store and retrieve files in a filebucket
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-GENERATE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-GENERATE" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-generate\fR \- Generates Puppet code from Ruby definitions\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-HELP" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-HELP" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-help\fR \- Display Puppet help\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-LOOKUP" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-LOOKUP" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-lookup\fR \- Interactive Hiera lookup
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-MODULE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-MODULE" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-module\fR \- Creates, installs and searches for modules on the Puppet Forge\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-NODE" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-NODE" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-node\fR \- View and manage node definitions\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-PARSER" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-PARSER" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-parser\fR \- Interact directly with the parser\.
@@ -1,7 +1,7 @@
1
1
  .\" generated with Ronn/v0.7.3
2
2
  .\" http://github.com/rtomayko/ronn/tree/0.7.3
3
3
  .
4
- .TH "PUPPET\-PLUGIN" "8" "March 2022" "Puppet, Inc." "Puppet manual"
4
+ .TH "PUPPET\-PLUGIN" "8" "May 2022" "Puppet, Inc." "Puppet manual"
5
5
  .
6
6
  .SH "NAME"
7
7
  \fBpuppet\-plugin\fR \- Interact with the Puppet plugin system\.