puppet 2.6.12 → 2.6.13

Potentially problematic release.


This version of puppet might be problematic.

Files changed (43)
  1. data/CHANGELOG +30 -0
  2. data/CONTRIBUTING.md +299 -0
  3. data/conf/redhat/puppet.spec +4 -1
  4. data/ext/upload_facts.rb +120 -0
  5. data/lib/puppet.rb +1 -1
  6. data/lib/puppet/application/inspect.rb +5 -2
  7. data/lib/puppet/application/queue.rb +11 -1
  8. data/lib/puppet/application/resource.rb +3 -0
  9. data/lib/puppet/defaults.rb +2 -1
  10. data/lib/puppet/indirector/facts/inventory_service.rb +20 -0
  11. data/lib/puppet/indirector/report/processor.rb +2 -0
  12. data/lib/puppet/network/handler/filebucket.rb +2 -0
  13. data/lib/puppet/network/handler/fileserver.rb +1 -0
  14. data/lib/puppet/network/handler/master.rb +1 -0
  15. data/lib/puppet/network/handler/report.rb +2 -0
  16. data/lib/puppet/network/handler/runner.rb +1 -0
  17. data/lib/puppet/network/handler/status.rb +2 -0
  18. data/lib/puppet/network/http_server.rb +3 -0
  19. data/lib/puppet/network/http_server/mongrel.rb +129 -0
  20. data/lib/puppet/provider/exec/posix.rb +6 -3
  21. data/lib/puppet/provider/exec/shell.rb +11 -2
  22. data/lib/puppet/resource/catalog.rb +6 -3
  23. data/lib/puppet/ssl/host.rb +2 -0
  24. data/lib/puppet/type/cron.rb +13 -12
  25. data/lib/puppet/type/file.rb +2 -2
  26. data/lib/puppet/type/file/source.rb +1 -1
  27. data/lib/puppet/type/user.rb +8 -0
  28. data/lib/puppet/util.rb +16 -41
  29. data/lib/puppet/util/settings.rb +1 -1
  30. data/lib/puppet/util/suidmanager.rb +48 -14
  31. data/spec/unit/application/inspect_spec.rb +5 -0
  32. data/spec/unit/application/resource_spec.rb +25 -0
  33. data/spec/unit/configurer_spec.rb +5 -0
  34. data/spec/unit/indirector/facts/inventory_service_spec.rb +22 -0
  35. data/spec/unit/indirector/report/processor_spec.rb +7 -5
  36. data/spec/unit/resource/catalog_spec.rb +54 -7
  37. data/spec/unit/ssl/host_spec.rb +58 -9
  38. data/spec/unit/type/file_spec.rb +6 -0
  39. data/spec/unit/type/user_spec.rb +8 -0
  40. data/spec/unit/util/settings_spec.rb +11 -0
  41. data/spec/unit/util/suidmanager_spec.rb +210 -0
  42. metadata +11 -5
  43. data/test/puppet/tc_suidmanager.rb +0 -120
data/CHANGELOG CHANGED
@@ -1,3 +1,33 @@
1
+ 2.6.13
2
+ ===
3
+ e4ee794 (#10739) Provide default subjectAltNames while bootstrapping master
4
+ 9dfd011 (#5617) Puppet queue logging
5
+ a91cfa1 maint: Fix failing spec on old version of rspec
6
+ aa2a762 (#10289) Add an ext script to upload facts to inventory server
7
+ 5129d38 (#10289) Add a safe alternative to REST for inventory service
8
+ 7514d32 missing includes in network XML-RPC handlers
9
+ 397a506 (#10244) Restore Mongrel XMLRPC functionality
10
+ e7a6995 (#9794) k5login can overwrite arbitrary files as root
11
+ 0a92a70 Resist directory traversal attacks through indirections.
12
+ 8d86e5a (9547) Minor mods to acceptance tests
13
+ 2bf6721 Reset indirector state after configurer tests.
14
+ bb224dd (#8770) Don't fail to set supplementary groups when changing user to root
15
+ 2a0de12 (#8770) Always fully drop privileges when changing user
16
+ 00c4b25 (#8662) Migrate suidmanager test case to rspec
17
+ d7c9c76 (#8740) Do not enumerate files in the root directory.
18
+ 0e00473 (#3553) Explain that cron resources require time attributes
19
+ 769d432 (#8302) Improve documentation of exec providers
20
+ c209f62 Add document outlining preferred contribution methods
21
+ fb2ffd6 (#8596) Detect resource alias conflicts when titles do not match
22
+ 89c021c (#8418) Fix inspect app to have the correct run_mode
23
+ 3165364 maint: Adding logging to include environment when source fails
24
+ f484851 maint: Add debug logging when the master receives a report
25
+ e639868 Confine password disclosure acceptance test to hosts with required libraries
26
+ a109c90 (maint) Cleanup and strengthen acceptance tests
27
+ b268fb3 (#7144) Update Settings#writesub to convert mode to Fixnum
28
+ 4a2f22c (maint) Fix platform dection for RHEL
29
+ 111a4b5 (#6857) Password disclosure when changing a user's password
30
+
1
31
  2.6.12 (CVE-2011-3872 see http://puppetlabs.com/security/hotfixes/cve-2011-3872/)
2
32
  ===
3
33
  3ed6499 Backport Enumerable#count to Rubies < 1.8.7
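Review bot: The 2.6.13 heading carries no security marker, although three entries under it describe security fixes: e7a6995 "k5login can overwrite arbitrary files as root", 0a92a70 "Resist directory traversal attacks through indirections" and 111a4b5 "Password disclosure when changing a user's password". The 2.6.12 heading directly below names CVE-2011-3872 and links its advisory, so suggest annotating the 2.6.13 heading or those three entries in the same way, which lets packagers see from the changelog alone that this is a security release. Minor: "(9547)" is missing the "#" used by every other ticket reference, and "dection" in 4a2f22c should read "detection".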
data/CONTRIBUTING.md ADDED
@@ -0,0 +1,299 @@
1
+ Checklist (and a short version for the impatient)
2
+ =================================================
3
+
4
+ * Commits:
5
+
6
+ - Make commits of logical units.
7
+
8
+ - Check for unnecessary whitespace with "git diff --check" before
9
+ committing.
10
+
11
+ - Commit using Unix line endings (check the settings around "crlf" in
12
+ git-config(1)).
13
+
14
+ - Do not check in commented out code or unneeded files.
15
+
16
+ - The first line of the commit message should be a short
17
+ description (50 characters is the soft limit, excluding ticket
18
+ number(s)), and should skip the full stop.
19
+
20
+ - If there is an associated Redmine ticket then the first line
21
+ should include the ticket number in the form "(#XXXX) Rest of
22
+ message".
23
+
24
+ - The body should provide a meaningful commit message, which:
25
+
26
+ - uses the imperative, present tense: "change", not "changed" or
27
+ "changes".
28
+
29
+ - includes motivation for the change, and contrasts its
30
+ implementation with the previous behavior.
31
+
32
+ - Make sure that you have tests for the bug you are fixing, or
33
+ feature you are adding.
34
+
35
+ - Make sure the test suite passes after your commit (rake spec unit).
36
+
37
+ * Submission:
38
+
39
+ * Pre-requisites:
40
+
41
+ - Make sure you have a [Redmine account](http://projects.puppetlabs.com)
42
+
43
+ - Sign the [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign)
44
+
45
+ * Preferred method:
46
+
47
+ - Fork the repository on GitHub.
48
+
49
+ - Push your changes to a topic branch in your fork of the
50
+ repository.
51
+
52
+ - Submit a pull request to the repository in the puppetlabs
53
+ organization.
54
+
55
+ * Alternate methods:
56
+
57
+ - Mail patches to puppet-dev mailing list using `rake mail_patches`,
58
+ or `git-format-patch(1)` & `git-send-email(1)`.
59
+
60
+ - Attach patches to Redmine ticket.
61
+
62
+ The long version
63
+ ================
64
+
65
+ 0. Decide what to base your work on.
66
+
67
+ In general, you should always base your work on the oldest
68
+ branch that your change is relevant to.
69
+
70
+ - A bug fix should be based on the current stable series. If the
71
+ bug is not present in the current stable release, then base it on
72
+ `master`.
73
+
74
+ - A new feature should be based on `master`.
75
+
76
+ - Security fixes should be based on the current maintenance series
77
+ (that is, the previous stable series). If the security issue
78
+ was not present in the maintenance series, then it should be
79
+ based on the current stable series if it was introduced there,
80
+ or on `master` if it is not yet present in a stable release.
81
+
82
+ The current stable series is 2.7.x, and the current maintenance
83
+ series is 2.6.x.
84
+
85
+ 1. Make separate commits for logically separate changes.
86
+
87
+ Please break your commits down into logically consistent units
88
+ which include new or changed tests relevent to the rest of the
89
+ change. The goal of doing this is to make the diff easier to
90
+ read for whoever is reviewing your code. In general, the easier
91
+ your diff is to read, the more likely someone will be happy to
92
+ review it and get it into the code base.
93
+
94
+ If you're going to refactor a piece of code, please do so as a
95
+ separate commit from your feature or bug fix changes.
96
+
97
+ We also really appreciate changes that include tests to make
98
+ sure the bug isn't re-introduced, and that the feature isn't
99
+ accidentally broken.
100
+
101
+ Describe the technical detail of the change(s). If your
102
+ description starts to get too long, that's a good sign that you
103
+ probably need to split up your commit into more finely grained
104
+ pieces.
105
+
106
+ Commits which plainly describe the the things which help
107
+ reviewers check the patch and future developers understand the
108
+ code are much more likely to be merged in with a minimum of
109
+ bike-shedding or requested changes. Ideally, the commit message
110
+ would include information, and be in a form suitable for
111
+ inclusion in the release notes for the version of Puppet that
112
+ includes them.
113
+
114
+ Please also check that you are not introducing any trailing
115
+ whitespaces or other "whitespace errors". You can do this by
116
+ running "git diff --check" on your changes before you commit.
117
+
118
+ 2. Sign the Contributor License Agreement
119
+
120
+ Before we can accept your changes, we do need a signed Puppet
121
+ Labs Contributor License Agreement (CLA).
122
+
123
+ You can access the CLA via the
124
+ [Contributor License Agreement link](https://projects.puppetlabs.com/contributor_licenses/sign)
125
+ in the top menu bar of our Redmine instance. Once you've signed
126
+ the CLA, a badge will show up next to your name on the
127
+ [Puppet Project Overview Page](http://projects.puppetlabs.com/projects/puppet?jump=welcome),
128
+ and your name will be listed under "Contributor License Signers"
129
+ section.
130
+
131
+ If you have any questions about the CLA, please feel free to
132
+ contact Puppet Labs via email at cla-submissions@puppetlabs.com.
133
+
134
+ 3. Sending your patches
135
+
136
+ We accept multiple ways of submitting your changes for
137
+ inclusion. They are listed below in order of preference.
138
+
139
+ Please keep in mind that any method that involves sending email
140
+ to the mailing list directly requires you to be subscribed to
141
+ the mailing list, and that your first post to the list will be
142
+ held in a moderation queue.
143
+
144
+ * GitHub Pull Requests
145
+
146
+ To submit your changes via a GitHub pull request, we _highly_
147
+ recommend that you have them on a topic branch, instead of
148
+ directly on "master" or one of the release, or RC branches.
149
+ It makes things much easier to keep track of, especially if
150
+ you decide to work on another thing before your first change
151
+ is merged in.
152
+
153
+ GitHub has some pretty good
154
+ [general documentation](http://help.github.com/) on using
155
+ their site. They also have documentation on
156
+ [creating pull requests](http://help.github.com/send-pull-requests/).
157
+
158
+ In general, after pushing your topic branch up to your
159
+ repository on GitHub, you'll switch to the branch in the
160
+ GitHub UI and click "Pull Request" towards the top of the page
161
+ in order to open a pull request.
162
+
163
+ You'll want to make sure that you have the appropriate
164
+ destination branch in the repository under the puppetlabs
165
+ organization. This should be the same branch that you based
166
+ your changes off of.
167
+
168
+ * Other pull requests
169
+
170
+ If you already have a publicly accessible version of the
171
+ repository hosted elsewhere, and don't wish to or cannot use
172
+ GitHub, you can submit your change by requesting that we pull
173
+ the changes from your repository by sending an email to the
174
+ puppet-dev Google Groups mailing list.
175
+
176
+ `git-request-pull(1)` provides a handy way to generate the text
177
+ for the email requesting that we pull your changes (and does
178
+ some helpful sanity checks in the process).
179
+
180
+ * Mailing patches to the mailing list
181
+
182
+ If neither of the previous methods works for you, then you can
183
+ also mail the patches inline to the puppet-dev Google Group
184
+ using either `rake mail_patches`, or by using
185
+ `git-format-patch(1)`, and `git-send-email(1)` directly.
186
+
187
+ `rake mail_patches` handles setting the appropriate flags to
188
+ `git-format-patch(1)` and `git-send-email(1)` for you, but
189
+ doesn't allow adding any commentary between the '---', and the
190
+ diffstat in the resulting email. It also requires that you
191
+ have created your topic branch in the form
192
+ `<type>/<parent>/<name>`.
193
+
194
+ If you decide to use `git-format-patch(1)` and
195
+ `git-send-email(1)` directly, please be sure to use the
196
+ following flags for `git-format-patch(1)`: -C -M -s -n
197
+ --subject-prefix='PATCH/puppet'
198
+
199
+ * Attaching patches to Redmine
200
+
201
+ As a method of last resort you can also directly attach the
202
+ output of `git-format-patch(1)`, or `git-diff(1)` to a Redmine
203
+ ticket.
204
+
205
+ If you are generating the diff outside of Git, please be sure
206
+ to generate a unified diff.
207
+
208
+ 4. Update the related Redmine ticket.
209
+
210
+ If there's a Redmine ticket associated with the change you
211
+ submitted, then you should update the ticket to include the
212
+ location of your branch, and change the status to "In Topic
213
+ Branch Pending Merge", along with any other commentary you may
214
+ wish to make.
215
+
216
+ How to track the status of your change after it's been submitted
217
+ ================================================================
218
+
219
+ Shortly after opening a pull request on GitHub, there should be an
220
+ automatic message sent to the puppet-dev Google Groups mailing list
221
+ notifying people of this. This notification is used to let the Puppet
222
+ development community know about your requested change to give them a
223
+ chance to review, test, and comment on the change(s).
224
+
225
+ If you submitted your change via manually sending a pull request or
226
+ mailing the patches, then we keep track of these using
227
+ [patchwork](https://patchwork.puppetlabs.com). When code is merged
228
+ into the project it is automatically removed from patchwork, and the
229
+ Redmine ticket is manually updated with the commit SHA1. In addition,
230
+ the ticket status must be updated by the person who merges the topic
231
+ branch to a status of "Merged - Pending Release"
232
+
233
+ We do our best to comment on or merge submitted changes within a week.
234
+ However, if there hasn't been any commentary on the pull request or
235
+ mailed patches, and it hasn't been merged in after a week, then feel
236
+ free to ask for an update by replying on the mailing list to the
237
+ automatic notification or mailed patches. It probably wasn't
238
+ intentional, and probably just slipped through the cracks.
239
+
240
+ Additional Resources
241
+ ====================
242
+
243
+ * [Getting additional help](http://projects.puppetlabs.com/projects/puppet/wiki/Getting_Help)
244
+
245
+ * [Writing tests](http://projects.puppetlabs.com/projects/puppet/wiki/Development_Writing_Tests)
246
+
247
+ * [Bug tracker (Redmine)](http://projects.puppetlabs.com)
248
+
249
+ * [Patchwork](https://patchwork.puppetlabs.com)
250
+
251
+ * [Contributor License Agreement](https://projects.puppetlabs.com/contributor_licenses/sign)
252
+
253
+ * [General GitHub documentation](http://help.github.com/)
254
+
255
+ * [GitHub pull request documentation](http://help.github.com/send-pull-requests/)
256
+
257
+ If you have commit access to the repository
258
+ ===========================================
259
+
260
+ Even if you have commit access to the repository, you'll still need to
261
+ go through the process above, and have someone else review and merge
262
+ in your changes. The rule is that all changes must be reviewed by a
263
+ developer on the project (that didn't write the code) to ensure that
264
+ all changes go through a code review process.
265
+
266
+ Having someone other than the author of the topic branch recorded as
267
+ performing the merge is the record that they performed the code
268
+ review.
269
+
270
+ * Merging topic branches
271
+
272
+ When merging code from a topic branch into the integration branch
273
+ (Ex: master, 2.7.x, 1.6.x, etc.), there should always be a merge
274
+ commit. You can accomplish this by always providing the `--no-ff`
275
+ flag to `git merge`.
276
+
277
+ git merge --no-ff --log tickets/master/1234-fix-something-broken
278
+
279
+ The reason for always forcing this merge commit is that it
280
+ provides a consistent way to look up what changes & commits were
281
+ in a topic branch, whether that topic branch had one, or 500
282
+ commits. For example, if the merge commit had an abbreviated
283
+ SHA-1 of `coffeebad`, then you could use the following `git log`
284
+ invocation to show you which commits it brought in:
285
+
286
+ git log coffeebad^1..coffeebad^2
287
+
288
+ The following would show you which changes were made on the topic
289
+ branch:
290
+
291
+ git diff coffeebad^1...coffeebad^2
292
+
293
+ Because we _always_ merge the topic branch into the integration
294
+ branch the first parent (`^1`) of a merge commit will be the most
295
+ recent commit on the integration branch from just before we merged
296
+ in the topic, and the second parent (`^2`) will always be the most
297
+ recent commit that was made in the topic branch. This also serves
298
+ as the record of who performed the code review, as mentioned
299
+ above.
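Review bot: Step 0 of the long version tells contributors which branch to base security fixes on, but every submission route in step 3 (GitHub pull request, pull request by mail to puppet-dev, patches mailed to puppet-dev, Redmine attachment) is public, so a contributor following this document would disclose an unfixed vulnerability before a release exists. Suggest adding a short paragraph next to the "Security fixes should be based on the current maintenance series" bullet that says how to report or submit a security issue privately. Minor: "relevent" should be "relevant", "plainly describe the the things" has a doubled word, the sentence ending in "Merged - Pending Release" has no full stop, and "1.6.x" in the merge example "(Ex: master, 2.7.x, 1.6.x, etc.)" looks like it was meant to be 2.6.x given the series named in step 0.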
@@ -5,7 +5,7 @@
5
5
  %global confdir conf/redhat
6
6
 
7
7
  Name: puppet
8
- Version: 2.6.12
8
+ Version: 2.6.13
9
9
  Release: 1%{?dist}
10
10
  Summary: A network tool for managing many disparate systems
11
11
  License: GPLv2
@@ -253,6 +253,9 @@ fi
253
253
  rm -rf %{buildroot}
254
254
 
255
255
  %changelog
256
+ * Mon Dec 12 2011 Matthaus Litteken <matthaus@puppetlabs.com> - 2.6.13-1
257
+ - Release of 2.6.13
258
+
256
259
  * Fri Oct 21 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.6.12-1
257
260
  - CVE-2011-3872 fixes
258
261
 
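Review bot: The new %changelog entry says only "Release of 2.6.13", whereas the 2.6.12 entry below it records "CVE-2011-3872 fixes". The CHANGELOG in this same release lists security fixes for 2.6.13 (k5login arbitrary file overwrite as root, directory traversal through indirections, password disclosure when changing a user's password), so anyone auditing installed packages with rpm -q --changelog cannot tell that this build is a security update. Suggest adding a line to the entry that names those fixes.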
@@ -0,0 +1,120 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'net/https'
4
+ require 'openssl'
5
+ require 'openssl/x509'
6
+ require 'optparse'
7
+ require 'pathname'
8
+ require 'yaml'
9
+
10
+ require 'puppet'
11
+ require 'puppet/network/http_pool'
12
+
13
+ class Puppet::Application::UploadFacts < Puppet::Application
14
+ should_parse_config
15
+ run_mode :master
16
+
17
+ option('--debug', '-d')
18
+ option('--verbose', '-v')
19
+
20
+ option('--logdest DEST', '-l DEST') do |arg|
21
+ Puppet::Util::Log.newdestination(arg)
22
+ options[:setdest] = true
23
+ end
24
+
25
+ option('--minutes MINUTES', '-m MINUTES') do |minutes|
26
+ options[:time_limit] = 60 * minutes.to_i
27
+ end
28
+
29
+ def help
30
+ print <<HELP
31
+ == Synopsis
32
+
33
+ Upload cached facts to the inventory service.
34
+
35
+ = Usage
36
+
37
+ upload_facts [-d|--debug] [-v|--verbose] [-m|--minutes <minutes>]
38
+ [-l|--logdest syslog|<file>|console]
39
+
40
+ = Description
41
+
42
+ This command will read YAML facts from the puppet master's YAML directory, and
43
+ save them to the configured facts_terminus. It is intended to be used with the
44
+ facts_terminus set to inventory_service, in order to ensure facts which have
45
+ been cached locally due to a temporary failure are still uploaded to the
46
+ inventory service.
47
+
48
+ = Usage Notes
49
+
50
+ upload_facts is intended to be run from cron, with the facts_terminus set to
51
+ inventory_service. The +--minutes+ argument should be set to the length of time
52
+ between upload_facts runs. This will ensure that only new YAML files are
53
+ uploaded.
54
+
55
+ = Options
56
+
57
+ Note that any configuration parameter that's valid in the configuration file
58
+ is also a valid long argument. For example, 'server' is a valid configuration
59
+ parameter, so you can specify '--server <servername>' as an argument.
60
+
61
+ See the configuration file documentation at
62
+ http://docs.puppetlabs.com/references/stable/configuration.html for
63
+ the full list of acceptable parameters. A commented list of all
64
+ configuration options can also be generated by running puppet agent with
65
+ '--genconfig'.
66
+
67
+ minutes::
68
+ Limit the upload only to YAML files which have been added within the last n
69
+ minutes.
70
+ HELP
71
+
72
+ exit
73
+ end
74
+
75
+ def setup
76
+ # Handle the logging settings.
77
+ if options[:debug] or options[:verbose]
78
+ if options[:debug]
79
+ Puppet::Util::Log.level = :debug
80
+ else
81
+ Puppet::Util::Log.level = :info
82
+ end
83
+
84
+ Puppet::Util::Log.newdestination(:console) unless options[:setdest]
85
+ end
86
+
87
+ exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
88
+ end
89
+
90
+ def main
91
+ dir = Pathname.new(Puppet[:yamldir]) + 'facts'
92
+
93
+ cutoff = options[:time_limit] ? Time.now - options[:time_limit] : Time.at(0)
94
+
95
+ files = dir.children.select do |file|
96
+ file.extname == '.yaml' && file.mtime > cutoff
97
+ end
98
+
99
+ failed = false
100
+
101
+ terminus = Puppet::Node::Facts.indirection.terminus
102
+
103
+ files.each do |file|
104
+ facts = YAML.load_file(file)
105
+
106
+ request = Puppet::Indirector::Request.new(:facts, :save, facts)
107
+
108
+ # The terminus warns for us if we fail.
109
+ if terminus.save(request)
110
+ Puppet.info "Uploaded facts for #{facts.name} to inventory service"
111
+ else
112
+ failed = true
113
+ end
114
+ end
115
+
116
+ exit !failed
117
+ end
118
+ end
119
+
120
+ Puppet::Application::UploadFacts.new.run
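Review bot: In main, YAML.load_file(file) is called with no rescue and no check on what it returns before facts.name and terminus.save(request) use the result. A truncated or unexpected file in the yamldir facts directory raises out of the files.each loop, so every later file in that run is skipped, and because YAML loading builds whatever Ruby object the file describes, the result should be confirmed to be a Puppet::Node::Facts before it is handed to the terminus. Suggest wrapping the loop body in begin/rescue that logs the file name and sets failed = true, plus an is_a? check on the loaded object. Separately, in the --minutes option a non-numeric argument makes minutes.to_i return 0, and since 0 is truthy in Ruby the cutoff becomes Time.now and the run silently uploads nothing; reject values below 1 with an error. The requires for net/https, openssl, openssl/x509 and puppet/network/http_pool are not used anywhere in this file and can be dropped.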