puppet 8.8.1 → 8.10.0
- checksums.yaml +4 -4
- data/Gemfile +3 -1
- data/Gemfile.lock +49 -39
- data/README.md +1 -1
- data/ext/project_data.yaml +12 -0
- data/ext/windows/service/daemon.rb +1 -1
- data/install.rb +3 -74
- data/lib/puppet/application/apply.rb +1 -0
- data/lib/puppet/application/filebucket.rb +6 -4
- data/lib/puppet/application/resource.rb +5 -1
- data/lib/puppet/application/ssl.rb +4 -4
- data/lib/puppet/configurer.rb +1 -1
- data/lib/puppet/daemon.rb +13 -1
- data/lib/puppet/defaults.rb +66 -54
- data/lib/puppet/face/catalog.rb +24 -8
- data/lib/puppet/face/help.rb +43 -23
- data/lib/puppet/feature/telnet.rb +1 -5
- data/lib/puppet/functions/capitalize.rb +1 -1
- data/lib/puppet/functions/find_file.rb +4 -0
- data/lib/puppet/functions/hiera.rb +1 -0
- data/lib/puppet/functions/index.rb +2 -2
- data/lib/puppet/functions/lookup.rb +1 -1
- data/lib/puppet/functions/new.rb +1 -1
- data/lib/puppet/functions/regsubst.rb +1 -1
- data/lib/puppet/functions/unique.rb +3 -2
- data/lib/puppet/functions/yaml_data.rb +1 -0
- data/lib/puppet/interface/action_manager.rb +1 -1
- data/lib/puppet/provider/package/pacman.rb +9 -10
- data/lib/puppet/provider/package/pip.rb +1 -1
- data/lib/puppet/provider/service/systemd.rb +1 -0
- data/lib/puppet/reference/configuration.rb +6 -1
- data/lib/puppet/resource/type.rb +15 -1
- data/lib/puppet/resource.rb +1 -1
- data/lib/puppet/scheduler/splay_job.rb +14 -3
- data/lib/puppet/settings.rb +2 -2
- data/lib/puppet/ssl/state_machine.rb +2 -2
- data/lib/puppet/transaction/resource_harness.rb +7 -3
- data/lib/puppet/type/exec.rb +3 -4
- data/lib/puppet/type/file/checksum.rb +4 -2
- data/lib/puppet/type/file/ctime.rb +2 -2
- data/lib/puppet/type/file/mtime.rb +2 -2
- data/lib/puppet/type/file/selcontext.rb +6 -6
- data/lib/puppet/type/package.rb +4 -3
- data/lib/puppet/type/tidy.rb +3 -1
- data/lib/puppet/type/user.rb +1 -1
- data/lib/puppet/util/checksums.rb +1 -0
- data/lib/puppet/util/profiler/aggregate.rb +2 -2
- data/lib/puppet/util/profiler/wall_clock.rb +2 -2
- data/lib/puppet/util/reference.rb +0 -1
- data/lib/puppet/util/selinux.rb +26 -14
- data/lib/puppet/version.rb +1 -1
- data/lib/puppet.rb +5 -1
- data/locales/puppet.pot +75 -75
- data/man/man5/puppet.conf.5 +20 -20
- data/man/man8/puppet-agent.8 +1 -1
- data/man/man8/puppet-apply.8 +2 -1
- data/man/man8/puppet-catalog.8 +5 -2
- data/man/man8/puppet-config.8 +1 -1
- data/man/man8/puppet-describe.8 +1 -1
- data/man/man8/puppet-device.8 +1 -1
- data/man/man8/puppet-doc.8 +1 -1
- data/man/man8/puppet-epp.8 +1 -1
- data/man/man8/puppet-facts.8 +1 -1
- data/man/man8/puppet-filebucket.8 +10 -1
- data/man/man8/puppet-generate.8 +1 -1
- data/man/man8/puppet-help.8 +1 -1
- data/man/man8/puppet-lookup.8 +1 -1
- data/man/man8/puppet-module.8 +1 -1
- data/man/man8/puppet-node.8 +1 -1
- data/man/man8/puppet-parser.8 +1 -1
- data/man/man8/puppet-plugin.8 +1 -1
- data/man/man8/puppet-report.8 +1 -1
- data/man/man8/puppet-resource.8 +1 -1
- data/man/man8/puppet-script.8 +1 -1
- data/man/man8/puppet-ssl.8 +3 -3
- data/man/man8/puppet.8 +128 -9
- metadata +2 -2
@@ -2,10 +2,10 @@
|
|
2
2
|
|
3
3
|
module Puppet::Scheduler
|
4
4
|
class SplayJob < Job
|
5
|
-
attr_reader :splay
|
5
|
+
attr_reader :splay, :splay_limit
|
6
6
|
|
7
7
|
def initialize(run_interval, splay_limit, &block)
|
8
|
-
@splay = calculate_splay(splay_limit)
|
8
|
+
@splay, @splay_limit = calculate_splay(splay_limit)
|
9
9
|
super(run_interval, &block)
|
10
10
|
end
|
11
11
|
|
@@ -25,10 +25,21 @@ module Puppet::Scheduler
|
|
25
25
|
end
|
26
26
|
end
|
27
27
|
|
28
|
+
# Recalculates splay.
|
29
|
+
#
|
30
|
+
# @param splay_limit [Integer] the maximum time (in seconds) to delay before an agent's first run.
|
31
|
+
# @return @splay [Integer] a random integer less than or equal to the splay limit that represents the seconds to
|
32
|
+
# delay before next agent run.
|
33
|
+
def splay_limit=(splay_limit)
|
34
|
+
if @splay_limit != splay_limit
|
35
|
+
@splay, @splay_limit = calculate_splay(splay_limit)
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
28
39
|
private
|
29
40
|
|
30
41
|
def calculate_splay(limit)
|
31
|
-
rand(limit + 1)
|
42
|
+
[rand(limit + 1), limit]
|
32
43
|
end
|
33
44
|
end
|
34
45
|
end
|
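Review bot: The `@return` tag on `splay_limit=` documents a value callers cannot observe, because Ruby evaluates `job.splay_limit = n` to `n` whatever the writer method returns; the `@param` text also speaks of the agent's first run while the `@return` text speaks of the next run. I would replace the header with something like `# Recalculates the splay when the limit changes; an unchanged limit keeps the current splay.` and drop the `@return` line. `calculate_splay` now returns the pair `[splay, limit]`, which its name no longer conveys, so a comment such as `# @return [Array(Integer, Integer)] the new splay and the limit it was drawn from` would help the next reader.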
data/lib/puppet/settings.rb
CHANGED
@@ -81,11 +81,11 @@ class Puppet::Settings
|
|
81
81
|
end
|
82
82
|
|
83
83
|
def self.hostname_fact
|
84
|
-
Puppet.runtime[:facter].value
|
84
|
+
Puppet.runtime[:facter].value('networking.hostname')
|
85
85
|
end
|
86
86
|
|
87
87
|
def self.domain_fact
|
88
|
-
Puppet.runtime[:facter].value
|
88
|
+
Puppet.runtime[:facter].value('networking.domain')
|
89
89
|
end
|
90
90
|
|
91
91
|
def self.default_config_file_name
|
@@ -358,7 +358,7 @@ class Puppet::SSL::StateMachine
|
|
358
358
|
Wait.new(@machine)
|
359
359
|
else
|
360
360
|
to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
|
361
|
-
{ certname: Puppet[:certname], message: e.
|
361
|
+
{ certname: Puppet[:certname], message: e.message }, e)
|
362
362
|
end
|
363
363
|
end
|
364
364
|
end
|
@@ -391,7 +391,7 @@ class Puppet::SSL::StateMachine
|
|
391
391
|
end
|
392
392
|
Done.new(@machine, @ssl_context)
|
393
393
|
rescue => e
|
394
|
-
Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e })
|
394
|
+
Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e.message })
|
395
395
|
Done.new(@machine, @ssl_context)
|
396
396
|
end
|
397
397
|
end
|
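Review bot: The renewal failure path in the second hunk turns every `StandardError` into one warning line and returns `Done` with the existing context, and with `e.message` alone the log carries no exception class, so a verification failure and a transient network error look the same to whoever monitors certificate renewal. Including the class, e.g. `{ message: "#{e.class}: #{e.message}" }`, keeps the warning level but makes the cause searchable in logs. The `begin` that this `rescue => e` belongs to starts outside the hunk, so which calls it covers cannot be confirmed from here.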
@@ -235,9 +235,13 @@ class Puppet::Transaction::ResourceHarness
|
|
235
235
|
end
|
236
236
|
|
237
237
|
def noop(event, param, current_value, audit_message)
|
238
|
-
|
239
|
-
|
240
|
-
|
238
|
+
if param.sensitive
|
239
|
+
event.message = param.format(_("current_value %s, should be %s (noop)"),
|
240
|
+
param.is_to_s(current_value),
|
241
|
+
param.should_to_s(param.should)) + audit_message.to_s
|
242
|
+
else
|
243
|
+
event.message = "#{param.change_to_s(current_value, param.should)} (noop)#{audit_message}"
|
244
|
+
end
|
241
245
|
event.status = "noop"
|
242
246
|
end
|
243
247
|
|
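Review bot: The sensitive branch of `noop` relies entirely on `param.format` to keep the current and desired values out of `event.message`, and nothing in the hunk documents or tests that; `param.is_to_s(current_value)` and `param.should_to_s(param.should)` are evaluated on the real values before `format` receives them. Event messages are presumably carried into logs and reports, so I would add a why-comment above the branch, e.g. `# Sensitive params must be rendered through param.format so their values are redacted.`, and a spec asserting that a sensitive value never appears in `event.message` under noop. The removed lines are shown empty on this page, so the previous behaviour cannot be compared.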
data/lib/puppet/type/exec.rb
CHANGED
@@ -437,13 +437,12 @@ module Puppet
|
|
437
437
|
actually contain `myfile`, the exec will keep running every time
|
438
438
|
Puppet runs.
|
439
439
|
|
440
|
-
This parameter can also take an array of files and the command will
|
441
|
-
not run if **any** of these files exist.
|
440
|
+
This parameter can also take an array of files, and the command will
|
441
|
+
not run if **any** of these files exist. Consider this example:
|
442
442
|
|
443
443
|
creates => ['/tmp/file1', '/tmp/file2'],
|
444
444
|
|
445
|
-
|
446
|
-
|
445
|
+
The command is only run if both files don't exist.
|
447
446
|
EOT
|
448
447
|
|
449
448
|
accept_arrays
|
@@ -7,11 +7,13 @@ require_relative '../../../puppet/util/checksums'
|
|
7
7
|
Puppet::Type.type(:file).newparam(:checksum) do
|
8
8
|
include Puppet::Util::Checksums
|
9
9
|
|
10
|
+
# The default is defined in Puppet.default_digest_algorithm
|
10
11
|
desc "The checksum type to use when determining whether to replace a file's contents.
|
11
12
|
|
12
|
-
The default checksum type is
|
13
|
+
The default checksum type is sha256."
|
13
14
|
|
14
|
-
|
15
|
+
# The values are defined in Puppet::Util::Checksums.known_checksum_types
|
16
|
+
newvalues(:sha256, :sha256lite, :md5, :md5lite, :sha1, :sha1lite, :sha512, :sha384, :sha224, :mtime, :ctime, :none)
|
15
17
|
|
16
18
|
defaultto do
|
17
19
|
Puppet[:digest_algorithm].to_sym
|
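Review bot: The new description states a fixed default (`sha256`) while `defaultto` just below returns `Puppet[:digest_algorithm].to_sym`, so the text is wrong on any agent where that setting is overridden; `The default checksum type is the value of the digest_algorithm setting.` would stay accurate. The hard-coded `newvalues` list duplicates what the added comment says is defined in `Puppet::Util::Checksums.known_checksum_types` and will drift when a type is added or retired there. It also keeps `md5`, `sha1` and their `lite` variants selectable, which deserves a sentence in the description for readers choosing a checksum for content integrity. The `defaultto` block continues past the end of the hunk.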
@@ -2,9 +2,9 @@
|
|
2
2
|
|
3
3
|
module Puppet
|
4
4
|
Puppet::Type.type(:file).newproperty(:ctime) do
|
5
|
-
desc
|
5
|
+
desc "A read-only state to check the file ctime. On most modern \*nix-like
|
6
6
|
systems, this is the time of the most recent change to the owner, group,
|
7
|
-
permissions, or content of the file.
|
7
|
+
permissions, or content of the file."
|
8
8
|
|
9
9
|
def retrieve
|
10
10
|
current_value = :absent
|
@@ -2,8 +2,8 @@
|
|
2
2
|
|
3
3
|
module Puppet
|
4
4
|
Puppet::Type.type(:file).newproperty(:mtime) do
|
5
|
-
desc
|
6
|
-
is the time of the most recent change to the content of the file.
|
5
|
+
desc "A read-only state to check the file mtime. On \*nix-like systems, this
|
6
|
+
is the time of the most recent change to the content of the file."
|
7
7
|
|
8
8
|
def retrieve
|
9
9
|
current_value = :absent
|
@@ -45,7 +45,7 @@ module Puppet
|
|
45
45
|
return nil
|
46
46
|
end
|
47
47
|
|
48
|
-
context = get_selinux_default_context_with_handle(@resource[:path], provider.class.selinux_handle)
|
48
|
+
context = get_selinux_default_context_with_handle(@resource[:path], provider.class.selinux_handle, @resource[:ensure])
|
49
49
|
unless context
|
50
50
|
return nil
|
51
51
|
end
|
@@ -86,7 +86,7 @@ module Puppet
|
|
86
86
|
end
|
87
87
|
|
88
88
|
Puppet::Type.type(:file).newparam(:selinux_ignore_defaults) do
|
89
|
-
desc "If this is set
|
89
|
+
desc "If this is set, Puppet will not call the SELinux function selabel_lookup to
|
90
90
|
supply defaults for the SELinux attributes (seluser, selrole,
|
91
91
|
seltype, and selrange). In general, you should leave this set at its
|
92
92
|
default and only set it to true when you need Puppet to not try to fix
|
@@ -99,7 +99,7 @@ module Puppet
|
|
99
99
|
Puppet::Type.type(:file).newproperty(:seluser, :parent => Puppet::SELFileContext) do
|
100
100
|
desc "What the SELinux user component of the context of the file should be.
|
101
101
|
Any valid SELinux user component is accepted. For example `user_u`.
|
102
|
-
If not specified it defaults to the value returned by selabel_lookup for
|
102
|
+
If not specified, it defaults to the value returned by selabel_lookup for
|
103
103
|
the file, if any exists. Only valid on systems with SELinux support
|
104
104
|
enabled."
|
105
105
|
|
@@ -110,7 +110,7 @@ module Puppet
|
|
110
110
|
Puppet::Type.type(:file).newproperty(:selrole, :parent => Puppet::SELFileContext) do
|
111
111
|
desc "What the SELinux role component of the context of the file should be.
|
112
112
|
Any valid SELinux role component is accepted. For example `role_r`.
|
113
|
-
If not specified it defaults to the value returned by selabel_lookup for
|
113
|
+
If not specified, it defaults to the value returned by selabel_lookup for
|
114
114
|
the file, if any exists. Only valid on systems with SELinux support
|
115
115
|
enabled."
|
116
116
|
|
@@ -121,7 +121,7 @@ module Puppet
|
|
121
121
|
Puppet::Type.type(:file).newproperty(:seltype, :parent => Puppet::SELFileContext) do
|
122
122
|
desc "What the SELinux type component of the context of the file should be.
|
123
123
|
Any valid SELinux type component is accepted. For example `tmp_t`.
|
124
|
-
If not specified it defaults to the value returned by selabel_lookup for
|
124
|
+
If not specified, it defaults to the value returned by selabel_lookup for
|
125
125
|
the file, if any exists. Only valid on systems with SELinux support
|
126
126
|
enabled."
|
127
127
|
|
@@ -132,7 +132,7 @@ module Puppet
|
|
132
132
|
Puppet::Type.type(:file).newproperty(:selrange, :parent => Puppet::SELFileContext) do
|
133
133
|
desc "What the SELinux range component of the context of the file should be.
|
134
134
|
Any valid SELinux range component is accepted. For example `s0` or
|
135
|
-
`SystemHigh`. If not specified it defaults to the value returned by
|
135
|
+
`SystemHigh`. If not specified, it defaults to the value returned by
|
136
136
|
selabel_lookup for the file, if any exists. Only valid on systems with
|
137
137
|
SELinux support enabled and that have support for MCS (Multi-Category
|
138
138
|
Security)."
|
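--- a/data/lib/puppet/type/package.rb
+++ b/data/lib/puppet/type/package.rb
@@ -301,12 +301,13 @@ module Puppet
 command => '/opt/ruby/bin/gem',
 }
 
-Each provider defines a package management command
+Each provider defines a package management command and uses the first
 instance of the command found in the PATH.
 
 Providers supporting the targetable feature allow you to specify the
-absolute path of the package management command
-instances of the command are installed, or
+absolute path of the package management command. Specifying the absolute
+path is useful when multiple instances of the command are installed, or
+the command is not in the PATH.
 EOT
 
 isnamevar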
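--- a/data/lib/puppet/type/tidy.rb
+++ b/data/lib/puppet/type/tidy.rb
@@ -32,7 +32,9 @@ Puppet::Type.newtype(:tidy) do
 
 newparam(:recurse) do
 desc "If target is a directory, recursively descend
-into the directory looking for files to tidy.
+into the directory looking for files to tidy. Numeric values
+specify a limit for the recursion depth, `true` means
+unrestricted recursion."
 
 newvalues(:true, :false, :inf, /^[0-9]+$/)
 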
data/lib/puppet/type/user.rb
CHANGED
@@ -231,7 +231,7 @@ module Puppet
|
|
231
231
|
* OS X 10.8 and higher use salted SHA512 PBKDF2 hashes. When managing passwords
|
232
232
|
on these systems, the `salt` and `iterations` attributes need to be specified as
|
233
233
|
well as the password.
|
234
|
-
* macOS 10.15 and
|
234
|
+
* macOS 10.15 and later require the salt to be 32 bytes. Because Puppet's user
|
235
235
|
resource requires the value to be hex encoded, the length of the salt's
|
236
236
|
string must be 64.
|
237
237
|
* Windows passwords can be managed only in cleartext, because there is no Windows
|
@@ -72,11 +72,11 @@ class Puppet::Util::Profiler::Aggregate < Puppet::Util::Profiler::WallClock
|
|
72
72
|
|
73
73
|
class Timer
|
74
74
|
def initialize
|
75
|
-
@start =
|
75
|
+
@start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second)
|
76
76
|
end
|
77
77
|
|
78
78
|
def stop
|
79
|
-
|
79
|
+
Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second) - @start
|
80
80
|
end
|
81
81
|
end
|
82
82
|
end
|
@@ -21,11 +21,11 @@ class Puppet::Util::Profiler::WallClock < Puppet::Util::Profiler::Logging
|
|
21
21
|
FOUR_DECIMAL_DIGITS = '%0.4f'
|
22
22
|
|
23
23
|
def initialize
|
24
|
-
@start =
|
24
|
+
@start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second)
|
25
25
|
end
|
26
26
|
|
27
27
|
def stop
|
28
|
-
@time =
|
28
|
+
@time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_second) - @start
|
29
29
|
@time
|
30
30
|
end
|
31
31
|
|
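--- a/data/lib/puppet/util/selinux.rb
+++ b/data/lib/puppet/util/selinux.rb
@@ -55,24 +55,16 @@ module Puppet::Util::SELinux
 
 # If the file exists we should pass the mode to matchpathcon for the most specific
 # matching. If not, we can pass a mode of 0.
-
-filestat = file_lstat(file)
-mode = filestat.mode
-rescue Errno::EACCES
-mode = 0
-rescue Errno::ENOENT
-if resource_ensure
-mode = get_create_mode(resource_ensure)
-else
-mode = 0
-end
-end
+mode = file_mode(file, resource_ensure)
 
 retval = Selinux.matchpathcon(file, mode)
 retval == -1 ? nil : retval[1]
 end
 
-
+# Retrieve and return the default context of the file using an selinux handle.
+# If we don't have SELinux support or if the SELinux call fails to file a
+# default then return nil.
+def get_selinux_default_context_with_handle(file, handle, resource_ensure = nil)
 return nil unless selinux_support?
 # If the filesystem has no support for SELinux labels, return a default of nil
 # instead of what selabel_lookup would return
@@ -81,7 +73,11 @@ module Puppet::Util::SELinux
 # Handle is needed for selabel_lookup
 raise ArgumentError, _("Cannot get default context with nil handle") unless handle
 
-
+# If the file exists we should pass the mode to selabel_lookup for the most specific
+# matching. If not, we can pass a mode of 0.
+mode = file_mode(file, resource_ensure)
+
+retval = Selinux.selabel_lookup(handle, file, mode)
 retval == -1 ? nil : retval[1]
 end
 
@@ -245,6 +241,22 @@ module Puppet::Util::SELinux
 mode
 end
 
+# If the file/directory/symlink exists, return its mode. Otherwise, get the default mode
+# that should be used to create the file/directory/symlink taking into account the desired
+# file type specified in +resource_ensure+.
+def file_mode(file, resource_ensure)
+filestat = file_lstat(file)
+filestat.mode
+rescue Errno::EACCES
+0
+rescue Errno::ENOENT
+if resource_ensure
+get_create_mode(resource_ensure)
+else
+0
+end
+end
+
 # Internal helper function to read and parse /proc/mounts
 def read_mounts
 mounts = ''.dup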
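Review bot: `file_mode` rescues only `Errno::EACCES` and `Errno::ENOENT`, and `get_selinux_default_context_with_handle` now calls it before `Selinux.selabel_lookup`, so any other `lstat` failure (for example `Errno::ENOTDIR` or `Errno::ELOOP`) would raise out of a default-context lookup; the removed lines are shown empty here, so whether that path touched the filesystem before is unclear. If a mode of 0 is the intended fallback whenever the file type cannot be determined, either state that in the helper's comment or widen the clause, e.g. `rescue Errno::EACCES, Errno::ENOTDIR, Errno::ELOOP`. The EACCES fallback also deserves a why-comment such as `# cannot stat: let the lookup match without a file-type constraint` (presumably what mode 0 means to the lookup; confirm). The new header comment reads "fails to file a default", which looks like a typo for "find". `read_mounts` at the end of the last hunk continues outside it.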
data/lib/puppet/version.rb
CHANGED
data/lib/puppet.rb
CHANGED
@@ -237,7 +237,11 @@ module Puppet
|
|
237
237
|
:ssl_context => proc { Puppet.runtime[:http].default_ssl_context },
|
238
238
|
:http_session => proc { Puppet.runtime[:http].create_session },
|
239
239
|
:plugins => proc { Puppet::Plugins::Configuration.load_plugins },
|
240
|
-
:rich_data =>
|
240
|
+
:rich_data => Puppet[:rich_data],
|
241
|
+
# `stringify_rich` controls whether `rich_data` is stringified into a lossy format
|
242
|
+
# instead of a lossless format. Catalogs should not be stringified, though to_yaml
|
243
|
+
# and the resource application have uses for a lossy, user friendly format.
|
244
|
+
:stringify_rich => false
|
241
245
|
}
|
242
246
|
end
|
243
247
|
|