Puppet

# Release Notes

(See also: [[Release Notes Scratchpad]])

The Release Notes document is a feature roadmap to the various

Puppet versions. It details changes to features, functions,

language, configuration and types during the course of Puppet's

development. It highlights incompatibilities and specifies when new

features were introduced and the extent to which they are

backwards-compatible.

Also available is the

[Roadmap Tracker](http://projects.puppetlabs.com/projects/puppet/roadmap?tracker_ids%5B%5D=1&tracker_ids%5B%5D=2&tracker_ids%5B%5D=4&completed=1&with_subprojects=0&with_subprojects=0)

which lists tickets closed for each release. Just click on the

relevant release from the list on the right hand side.

If upgrading you should review this document upward from the

version you are upgrading from. Please remember that if upgrading

through multiple versions some behaviour may change more than

once.

It is also important to note when upgrading that not all versions

are backwards compatible. Newer agents may not work with older

masters and vice-versa. Where possible backwards-compatibility is

maintained but it's not always totally successful. We strongly recommend

ensuring your master and agents are the same version.

When upgrading it is also strongly recommended that you upgrade your master

first and then your agents. Earlier agents usually work with later masters but later

agents frequently have issues with earlier master versions. For example 0.24.8

agents will work with 2.6.6 masters but 2.6.6 agents may have unpredictable

results with a 0.24.8 master.

- [2.7.10](#2.7.10)

- [2.7.9](#2.7.9)

- [2.7.8](#2.7.8)

- 2.7.7 died in the Thunderdome

- [2.7.6](#2.7.6)

- [2.7.5](#2.7.5)

- [2.7.4](#2.7.4)

- [2.7.3](#2.7.3)

- 2.7.2 died in the Thunderdome and was never released.

- [2.7.1](#2.7.1)

- [2.7.0 (Statler)](#2.7.0)

- [2.6.13](#2.6.13)

- [2.6.12](#2.6.12)

- [2.6.11](#2.6.11)

- [2.6.10](#2.6.10)

- [2.6.9](#2.6.9)

- [2.6.8](#2.6.8)

- [2.6.7](#2.6.7)

- [2.6.6](#2.6.6)

- [2.6.5](#2.6.5)

- [2.6.4](#2.6.4)

- [2.6.3](#2.6.3)

- [2.6.2](#2.6.2)

- [2.6.1](#2.6.1)

- [2.6.0](#2.6.0)

- [0.25.5](#0.25.5)

- [0.25.4](#0.25.4)

- [0.25.3](#0.25.3)

- [0.25.2](#0.25.2)

- [0.25.1](#0.25.1)

- [0.25.0](#0.25.0)

- [0.24.9](#0.24.9)

- [0.24.8](#0.24.8)

- [0.24.7](#0.24.7)

- [0.24.6](#0.24.6)

- [0.24.5](#0.24.5)

- [0.24.4](#0.24.4)

- [0.24.3](#0.24.3)

- [0.24.2](#0.24.2)

- [0.24.1](#0.24.1)

- [0.24.0 (misspiggy)](#0.24.0+\(misspiggy\))

- [0.23.2](#0.23.2)

- [0.23.1 (beaker)](#0.23.1+\(beaker\))

- [0.23.0](#0.23.0)

- [0.22.3](#0.22.3)

- [0.22.2 (grover)](#0.22.2+\(grover\))

- [0.22.1 (kermit)](#0.22.1+\(kermit\))

- [0.22.0](#0.22.0)

- [0.20.0](#0.20.0)

#2.7.10

## Community MVP for this release: Brice Figureau (@masterzen) for the

Instrumentation Framework

## Highlights ##

We have several section of release notes this month due to the high volume of commits.  Sections are Instrumentation, Core, Mac OS, Windows, and FreeBSD.

* Instrumentation Features available

* Symbolic File modes supports ( e.g. u=rw,go=r) for File type

* Write reports to a temporary file and move them into place

* Add password get/set behavior for Mac OS X 10.7

* Add support for user expiriy in pw user provider

* Improve pw group provider on FreeBSD

* Make sure managehome is respected on FreeBSD

* Add password management on FreeBSD

## Bug Fixes ##

* Make the Debian service provider handle services that don't conform to the debian policy manual.

* Only load facts once per run

* Puppetd removes pid file upon exit

* Fix MySQL deadlock possibility within inventory service

* Test Augeas versions correctly with versioncmp

* Consider package epoch version when comparing yum package versions

* Link should autorequire target

* Use SMF's svcadm -s option to wait for errors

* Fix fact and plugin sync on Windows

* Set password before creating user on Windows

* Always serve files in binary mode on Windows

* Don't hard code ruby install paths in Windows batch files 

* Don't copy owner and group when sourcing files from master on Windows

* Fix OS X supplementary group handling

* Use launchctl load -w in launchd provider (Mac OS)

* Improve error msg for missing pip command

* Better validation for IPv4 and IPv6 address in host type.

### Instrumentation

Contributed by:  Brice Figureau <brice-puppet@daysofwonder.com>

The Puppet Instrumentation Framework is a tool to install into a puppet

executable:

* instrumentation listeners

* code probes

Code probes are static commands we add to the Puppet codebase to

instrument some specific parts of the code. Currently only the

Indirector is covered (but since it is the central piece of Puppet, it

should cover a lot of possible use).

Each time the program reaches a code probe (and instrumentation is

enabled), the Instrumentation Framework sends an event to the registered

instrumentation listeners. Those can be enabled/disabled/added/removed

live without restarting the executable.

Those listeners responsibility is to produce something useful to the

user. The patch shipped with 3 example listeners, one that logs

execution time of every probe, another that aggregate some performance

data about probes, and the final one decorates the executable process

name (as seen in top) with the latest probes it encounters.

The Framework also includes a set of REST API and REST Faces to allow it

to enable/disable listeners or probes or to get access to listener

performance data if they produce some.

How to use the Instrumentation Framework:

You need a live running Puppet executable (preferably a puppet master

which by default listens to REST requests). It might also be necessary

to modify the auth.conf to allow the instrumentation requests.

Display the list of known instrumentation listeners

    puppet instrumentation_listener search x --terminus rest

Enable the "performance" instrumentation listener

    puppet instrumentation_listener enable performance --terminus rest

Know more about the "performance" listener (is it enabled for

instance):

    puppet instrumentation_listener find performance --terminus rest

Of course this will only work if probes are enabled:

List all the current executable probes:

     puppet instrumentation_probe search x --terminus rest

Enable the instrumentation probes:

     puppet instrumentation_probe enable --terminus rest

How to get access to the data coming from a listener (here the

"performance" one):

    puppet instrumentation_data find performance --terminus rest

## Core  ##

### Improve error msg for missing pip comand

Author: Kelsey Hightower <kelsey@puppetlabs.com>

(#11958) Improve error msg for missing pip command

Without this patch the pip package provider does not produce a user

friendly error message when the pip command is not available. The

current error message looks like this:

        err: /Stage[main]/Dummy/Package[virtualenv]/ensure: change from

        absent to present failed: Could not set 'present on ensure:

        undefined method `pip' for

        #<Puppet::Type::Package::ProviderPip:0xb6cf6cd0> at

        /etc/puppet/modules/dummy/manifests/init.pp:5

This patch improves the error message by passing a string argument, 'Could not locate

the pip command.', when raising the `NoMethodError`. The new error

message looks like this:

        err: /Stage[main]/Dummy/Package[virtualenv]/ensure: change from

        absent to present failed: Could not set 'present on ensure: Could

        not locate the pip command. at

        /etc/puppet/modules/dummy/manifests/init.pp:5

This patch also includes updated spec tests validating this change. No

other behavior changes are being introduced.

### Better validation for IPv4 and IPv6 address in host type.

Author: Daniel Pittman <daniel@puppetlabs.com>

(#11499) Better validation for IPv4 and IPv6 address in host type.

The previous code was fairly lax in validation, and would allow a bunch of

invalid addresses through - as well as rejecting some legal, but uncommon,

IPv6 address types.

This adds substantial testing, especially around IPv6 addressing, and replaces

the older validation with new, fancy stuff that works for all the cases.

###  Support symbolic file modes.

Author: Daniel Pittman <daniel@puppetlabs.com>

 (#2927) Support symbolic file modes.

This adds a new feature, support for symbolic file modes, to Puppet.  In

addition to being able to specify the octal mode, you can now use the same

symbolic mode style that chmod supports:

        file { "/example": mode => "u=rw,go=r" }

This also supports relative file modes:

        file { "/relative": mode = "u+w,go-wx" }

Support is based on the common GNU and BSD symbolic modes of operation; you

specify a comma separated list of actions to take in each you can sit:

The user (u), group (g), other (o), or all (a) of the permission map.

You can modify the ability to read (r), write (w), execute / search (x) on a

 file or directory.

You can also modify the sticky bit (t), or the setuid and setgid bits (s).

Finally, you can set conditional execute permissions (X), which will result in

the file having the execute bit if the target is a directory, or if the target

had *any* execute bit set.  (eg: g+X will set x if the original was u=x,g=.)

### Only load facts once per puppet run

Author: Patrick Carlisle <patrick@puppetlabs.com>

(#8341) Only load facts once per puppet run

Make the facter terminus the only place that loads facts (with the notable

exception of pluginsync which loads any ruby code it syncs).

This should satisfy several requirements:

 * daemonized puppet agent can get fresh facts on each run

 * puppet master can load facts

 * facts are not loaded more than once by the puppet agent fact handler

### Puppetd does not remove its pidfile when it exits

Author: R.I.Pienaar <rip@devco.net>

(#5246) Puppetd does not remove its pidfile when it exits

The Puppet::Daemon instance sets up the pid file when it starts

but it's up to the user of that object to arrange for stop to be

called

There are signal handlers setup to call stop but in a onetime run

those are never called

This change arrange for the stop method to be called after a onetime

run is done but do not hand the task of exiting the application over

to that so that the agent application can handle the report status

based exit codes

### Retry inventory ActiveRecord transaction failure

Author: Carl Caum <carl@carlcaum.com>

Retry inventory ActiveRecord transaction failure

Previous to this commit, if the ActiveRecord transaction for saving

facts failed do to MySQL deadlock, for example, the transaction would

fail printing a message to the user.  This primarily occurred during a

PE agent installation if multiple agent's were being creating

simultaneously.

This commit adds the ability to retry if a

ActiveRecord::StatementInvalid exception is thrown.  To accomplish this,

this commit ports Cloud Provisioner's

Puppet::CloudPack::Utils#retry_action method to Puppet core under

Puppet::Util::RetryAction#retry_action.

### Properly track blockers when generating additional resources

Author: Nick Lewis <nick@puppetlabs.com>

(#11641) Properly track blockers when generating additional resources

Previously, we would enqueue any unblocked resources as we added them to the

graph. These were our initial resources, with no dependencies, and served as a

starting place for traversal. However, we would

add_dynamically_generated_resources before traversing, which could add

additional resources and dependencies. We never accounted for these, causing

our measure of blockedness to become incorrect (a resource could have more

dependencies than we counted).

This is similar to the case of eval_generate adding additional resources. In

that case, we clear the blockers list and allow it to be recalculated on

demand. Unfortunately, that approach doesn't work for the case where we add

resources before traversing (as in add_dynamically_generated_resources),

because we wouldn't have a reliable list of resources to begin traversal with.

Now we no longer enqueue resources when adding them, and instead wait until

after we have called add_dynamically_generated_resources (which happens only

once). This allows us to add our root resources with the assurance they won't

change before we start evaluating them.

### Make the Debian service provider handle services that don't conform to the debain policy manual.

Author: Zach Leslie <zach@puppetlabs.com>

(#7296) Make the Debian service provider handle services that don't conform to the debain policy manual.

This change is to support initscripts that do not support the --query

method of invoke-rc.d used by the Debian provider to determine if

service is enabled.

The fix checks that the link count in /etc/rc?.d is equal to 4, which is

the number of links that should be present when using the Debian service

provider, which is done by `update-rc.d #{service} defaults`.

### Write reports to a temporary file and move them into place

Author: Ricky Zhou <ricky@fedoraproject.org>

(#8119) Write reports to a temporary file and move them into place

When writing reports, there is a window in between opening and writing to the

report file when the report file exists as an empty file. This makes writing

report processors a little annoying as they have to deal with this case. This

writes the report into a temporary file then renames it to the report file.

### Test Augueas versions correctly with versioncmp    

Author: Dominic Cleal <dcleal@redhat.com>

(#11414) Test Augeas versions correctly with versioncmp

The release of Augeas 0.10.0 broke simplistic version comparisons with the >=

operator, so now use versioncmp.

### Save/execute changes on versions of Augeas < 0.3.6

Author: Dominic Cleal <dcleal@redhat.com>

(#11414) Save/execute changes on versions of Augeas < 0.3.6

Versions of Augeas prior to 0.3.6 didn't report their version number, so a

fallback of executing changes once in need_to_run? and again in execute_changes

is performed.  Otherwise a save is done in need_to_run? and this is re-used in

execute_changes.

The /augeas/events/saved node is used to tell whether the latter optimisation

happened, but the return value of #match wasn't tested correctly (it's an empty

array).

###   Make Puppet::Type.ensurable? false when exists? is undefined

Author: Ilya Sher <ilya.sher@coding-knight.com>

(#11333) Make Puppet::Type.ensurable? false when exists? is undefined

Puppet::Type.ensurable? incorrectly returned true even when

public_method_defined?(:exists?) was false because the check never

actually happened. This make sure all the necessary methods are checked

and adds tests.

### Consider package epoch version when comparing yum package versions    

Author: Jude Nagurney <jude@pwan.org>

(#8062) Consider package epoch version when comparing yum package versions

By including the epoch version in the version returned as the "latest"

available, we can now properly consider package updates where only the

epoch version has changed.

### Log when we start evaluating resource at the info level

Author: Patrick Carlisle <patrick@puppetlabs.com>

(#4865) Log when we start evaluating resources at the info level

Since we log the final time at info it makes sense to log the start at info as

well.

### Fix array support in schedule's range parameters    

Author: Sean Millichamp <sean@bruenor.org>

(#10321) Fix array support in schedule's range parameter

Change the schedule type's range parameter to properly evaluate

all elements of a supplied array for validity instead of only

checking the first member of the array. Add documentation to

clarify that range does accept an array.

Fix the associated tests to use must instead of should (Puppet::Type#should

shadows the rspec should).

###    Make resourcefile work with composite namevars

Author: Max Martin <max@puppetlabs.com>

(#10109) Make resourcefile work with composite namevars

The code for creating the resourcefile was directly calling

resource.name_var, which was causing problems with resources that have

composite namevars (since, for these, Type#name_var will return false).

This patch sanitizes the process by first checking whether there is a

single namevar, and simply calling resource.ref if there is not one.

### Add README_DEVELOPER describing UTF-8 in Puppet

Author: Jeff McCune <jeff@puppetlabs.com>

(#11246) Add README_DEVELOPER describing UTF-8 in Puppet

Without this patch, developers of Puppet don't have a clear place to get

a high level understanding of the way other Puppet developers are

working with UTF-8 and the differences in character encodings between

Ruby 1.8 and 1.9.

This patch addresses this problem by adding a new document,

README_DEVELOPER.md where developers and contributors can look to for

high level information.

### Better SSL error message certificate doesn't match key    

Author: Joshua Harlan Lifton <lifton@puppetlabs.com>

(#7110) Better SSL error message certificate doesn't match key

Previously, any error with the certificate retrieved from the master

matching the agent's private key would give the same static error

message, which wasn't particularly helpful. This commit differentiates

three different error cases: missing certificate, missing private key,

and certificate doesn't match private key. In the last case, the error

message includes the fingerprint of the certificate in question and

explicit command line instructions on how to fix the problem.

###   Add a defaults argument to create_resources

Author: Matthias Pigulla <mp@webfactory.de>

(#9768) Add a defaults argument to create_resources

Make it possible to supply defaults when calling create_resources using an

optional hash argument.

### Link should autorequire target

Author: Stefan Schulte <stefan.schulte@taunusstein.net>

(#5421) Link should autorequire target

When we manage a local link to a directory and the target directory is

managed by puppet as well, establish an autorequire. So if we have

something like

      file { '/foo': ensure => directory }

      file { '/link_to_foo': ensure => '/foo' }

      file { '/link_to_foo/bar': ensure => file }

we can ensure that puppet does not create dead links and does not try to

create '/link_to_foo/bar' before /foo is created.

###     Use SMF's svcadm -s option to wait for errors

Author: Dominic Cleal <dcleal@redhat.com>

(#10807) Use SMF's svcadm -s option to wait for errors

By default running `svcadm enable example` will start the service in the

background and won't return errors if it fails.  Using the -s option will cause

svcadm to wait and return errors back to the provider if the service cannot

start for some reason.

### Added missing RequestHeader entries to ext/rack/files/apache2.conf

Author: Eli Klein <eklein@rallydev.com>

    Added missing RequestHeader entries to ext/rack/files/apache2.conf

###    Debug logging when we start evaluating resources.

Author: Daniel Pittman <daniel@puppetlabs.com>

(#4865) Debug logging when we start evaluating resources.

The `evaltrace` option allowed individual resource evaluation time to be

tracked, which made it easier to post-hoc identify which resources took long

periods of time to process.

It is also helpful, when doing live debugging, to know where the hang happens;

to support that we now log a debug message about starting the evaluation of

the resource before we go into the process.

###   Update storeconfigclean script to read puppet.conf

Author: Nan Liu <nan@puppetlabs.com>

(#8547) Update storeconfigclean script to read puppet.conf

The existing storeconfig script is parsing and reading puppet.conf

specifically from the master section. This change allows the script to

read from the settings from puppet.conf in the order of master, main,

and loads the rails default. This should match the puppet application

behaviour.

### Add mysql2 gem support

Author: Stefan Schulte <stefan.schulte@taunusstein.net>

(#9997) Add mysql2 gem support

Besides the mysql gem there is a mysql2 gem that is a "modern, simple

and very fast Mysql library for Ruby" [1]. It can either be installed as a

separate gem (v0.2.x) for ActiveRecord < 3.1 or can be used as part of

ActiveRecord 3.1

To use mysql2 the dbadapter setting must be set to "mysql2" and this patch

adds support for this setting.

    [1] https://github.com/brianmario/mysql2#readme

# Mac Highlights #

###  Fix OS X Ruby supplementary group handling

Author: Gary Larizza <gary@puppetlabs.com>

(#3419) Fix OS X Ruby supplementary group handling

Catch Errno::EINVAL as some operating systems (OS X in particular) can

cause troubles when using Process#groups= to change the user/process

list of supplementary groups membership.

Test coverage has been added to check for regressions.

Add a test for the expected failure

### Fix group resource in OS X    

Author: Gary Larizza <gary@puppetlabs.com>

(#4855) Fix group resource in OS X

The group provider on OS X uses “dseditgroup” to manage group

membership. Due to Apple bug 8481241 (“dseditgroup can’t remove unknown

users from groups”), however, if the puppet group provider needs to

remove a non-existant user from a group it manages, it will fail.

To remedy this, in the meantime, the provider will call dscl to delete

the non-existant member from the group. If that fails then the error

is rescued and feedback is provided.

### Build a Rake task for building Apple Packages

Author: Gary Larizza <gary@puppetlabs.com>

Build a Rake task for building Apple Packages

### Use launchctl load -w in launchd provider    

Author: Gary Larizza <gary@puppetlabs.com>

(#2773) Use launchctl load -w in launchd provider

There was an issue where a service on OS X would be enabled but also

stopped and the launchd service provider couldn't start it. In this

case, the launchd service provider needed to execute `launchctl load -w

<job_path>` to successfully start the service, but it wasn't programmed

to do so.

To remedy this, the launchd service provider's start method now checks

if the job is disabled OR if the job is currently stopped.

A spec test was added to catch for this unique situation.

### Add password get/set behavior for 10.7

Author: Gary Larizza <gary@puppetlabs.com>

(#11293) Add password get/set behavior for 10.7

Puppet did not have the ability to get/set passwords in OS X version

10.7.  This commit implements this behavior. Users in 10.7 have a

binary plist file in /var/db/dslocal/nodes/Default/users that contains

a 'ShadowHashData' key. The value for this key is actually a binary

encrypted plist which contains a 'SALTED-SHA512' key containing

a base64 encoded string. This string is actually the salted-SHA512

password hash with a 4 byte salt prepending the hash. Puppet expects

this 4 byte salt + salted-SHA512 password hash in order to set the

user's password. Since this value is drastically different from

previous versions of OS X, Puppet will fail if you try and pass

a SHA1 password hash that was used in previous versions of OS X.

Spec tests were added to ensure that Puppet fails with an incorrect

password, and that the get/set behavior works properly with OS X

version 10.7.

# Windows Highlights #

### Always serve files in binary mode

Author: Josh Cooper <josh@puppetlabs.com>

(#11929) Always serve files in binary mode

Previously, Windows agents were reading files in text mode when serving

them locally, such as when serving files from a local module, corrupting

binary files in the process.

This commit reads files in binary mode, which is a noop on Unix.

###  Use `%~dp0` to resolve bat file's install directory

Author: Josh Cooper <josh@puppetlabs.com>

(#11714) Use `%~dp0` to resolve bat file's install directory

This commit uses the `%~dp0` batch script modifier to resolve the

drive and path of the directory containing the envpuppet.bat

file. This eliminates the need for hard coded paths within the script

tselfIt also uses `%VAR:\=/%` to substitute each backslash for a

forward slash in the RUBYLIB environment

Also added a section about running the spec tests on Windows.

### Add envpuppet batch file to run Puppet from source on Windows

Author: Jeff McCune <jeff@puppetlabs.com>

(#11714) Add envpuppet batch file to run Puppet from source on Windows

Running Puppet on windows from source is non-trivial since the

environment variables behave quite differently.  In addition, it's not

clear windows paths expect / rather than \ path separators.

This patch provides an envpuppet batch file to run Puppet from source on

Windows platforms.

###  Don't hard code ruby install paths in Windows batch files

Author: Josh Cooper <josh@puppetlabs.com>

(#11847) Don't hard code ruby install paths in Windows batch files

Previously, the {filebucket,pi,puppet,puppetdoc,ralsh}.bat files hard

coded the path to the ruby installation, making it impossible to move

the ruby install directory.

This commit changes the script to use the `%~dp0` batch file modifier,

which resolves to the drive letter and path of the directory of the

batch file being executed.

Windows XP and later all support the `%*` modifier, so this commit

removes the Win 9x code paths that are not supported.

### Set password before creating user on Windows    

Author: Paul Tinsley <paul.tinsley@gmail.com>

(#11717) Set password before creating user on Windows

Previously, puppet could not create a user with no password when a

local password complexity policy was set. This commit sets the

password on the user prior to creating it, and updates the spec tests

accordingly.

### Fix fact and plugin sync on Windows    

Author: Josh Cooper <josh@puppetlabs.com>

(#11408) Fix fact and plugin sync on Windows

Previously, fact and pluginsync were broken on Windows, because it was

defaulting the owner and group to Process.uid/gid, and then failing to

translate them into Windows SIDs.

This commit changes the default file owner to the current user name,

and the default file group to Nobody, which is the group that Windows

typically applies to newly created files.

###   Don't copy owner and group when sourcing files from master

Author: Josh Cooper <josh@puppetlabs.com>

(#10586) Don't copy owner and group when sourcing files from master

Previously, puppet on Windows was not able to source files from the

master, because it was attempting to translate the uid/gid from

the Unix master into a Windows account, and obviously failing.

This commit skips the owner and group properties when copying them

from non-local sources, i.e. sources whose URIs have a 'puppet'

scheme.

If the source comes from a local source, then puppet behaves the same

as it did previously, it copies the owner and group if the source

volume supports Windows ACLs, e.g. C:/, samba mapped drives, or uses

default values if the volume does not, e.g. VMware shared drives.

## FreeBSD Highlights

### Add support for user expiriy in pw user provider

Author: Tim Bishop <tim@bishnet.net>

(#11046) Add support for user expiry in pw user provider

Add support for setting an expiry date for a user in the pw user

provider. FreeBSD uses the format DD-MM-YYYY rather than Puppet's

YYYY-MM-DD. Tests added to confirm the value is correctly swapped

around.

Also added custom accessor method to take the unix timestamp given

by the operating system to a Puppet-style YYYY-MM-DD. This stops

Puppet from repeatedly trying to set the expiry date if it's already

correct.

### Improve pw group provider on FreeBSD

Author: Tim Bishop <tim@bishnet.net>

(#11046) Improve pw group provider on FreeBSD

Make the pw group provider on FreeBSD support managing group members.

Also readd the allowdupe feature since in testing on FreeBSD 7, 8

and 9 the -o flag to pw works as documented.

Add tests for the provider.

### Make sure managehome is respected on FreeBSD

Author: Tim Bishop <tim@bishnet.net>

(#10962) Make sure managehome is respected on FreeBSD

When modifying the home directory of a user and managehome is set

the -m flag should be used with pw. This ensures that the new home

directory is created if it doesn't exist.

Also add test to verify this behaviour.

### Add password management on FreeBSD

Author: Tim Bishop <tim@bishnet.net>

(#11318) Add password management on FreeBSD

This adds the manages_passwords feature to the pw user provider. It is based

on the patch by Andrew Hust that was integrated into FreeBSD puppet port. It

adds tests covering the create, delete and modify processes of the provider.

This integrates a fix for #7500 that was introduced by the original patch.

The existing code takes the first character of each property and uses it as a

flag. However, with pw, the -p flag is for setting the password expiration.

The result is that the password isn't set at create time and that the password

is set to expire. The next run of puppet correctly sets the password but the

expiry is still set. The new code avoids using -p for passwords, and also sets

the password correctly when an account is created.

# 2.7.9

This is a bug fix release for regression (#11306) in 2.7.8 on Ruby 1.8.5.

The 1.8.5-incompatible code wasn’t caught because of a long-standing bug in our tests that went unnoticed because of a bug in our CI setup. The former issue caused specs to fail before they even started running on 1.8.5, and the latter caused the run to still be reported as successful. We’ve fixed the former bug, but haven’t yet figured out a way to fix the latter (as it seems to be a bug in Ruby 1.8.5 + rspec). We will, however, be taking steps to ensure that such problems with our CI setup are more visible and caught sooner.

(#11306)

    Fix Ruby 1.8.5-incompatible code in Transaction#eval_generate

    This was previously creating a Hash from an array of pairs.

    Unfortunately, Ruby 1.8.5 only supports an argument list of pairs rather

    than an array, so this code didn't work with that version.

# 2.7.8

This is a **feature and bug fix** release in the 2.7.x branch.

## Known Issues

**This release introduced a regression that causes errors under Ruby 1.8.5,** which was not noticed until after release. See issue #11306 for more details as we investigate, and delay upgrading to this version if you depend on Ruby 1.8.5 in your node population.

## New Features

### Display file diffs through the Puppet log system.

(#2744)

When Puppet generated a diff after changing a file on disk, it previously

printed it directly to stdout; although a user could view it, it

was lost to the rest of the system, and did not appear in monitoring, logs, or reports.

We now send file diffs through our regular logging system, so that they can be viewed in reports and logs. **Note that this may have security implications if reports are being sent to an untrusted destination, as Puppet now exposes partial file contents in reports.**

### Allow optional trailing comma in argument lists.

(#6335)

You can now put an optional comma at the end of argument lists for parameterized

class definitions and defined types. This makes parameter lists more closely

resemble resource attributes.

## Bug Fixes

### Provide default subjectAltNames when bootstrapping master

(#10739)

When bootstrapping a new puppet master without explicitly setting its valid alternate DNS names, we've always added some default Subject Alternative Names to its certificate so agents could reach it at `puppet` and `puppet.<domain>`. This got broken in the process of fixing #2848 (the CVE-2011-3872 AltNames vulnerability), which caused new puppet masters to get certificates with no valid Subject Alternative Names. (That is, the master could only be reached at its FQDN, not at `puppet`.)

This fix brings back the default AltNames behavior for initial puppet master certificates, while staying true to the policy changes we made for #2848 and making sure the default names never end up in agent certs. As ever, the default DNS names are only used if the `dns_alt_names` setting isn't explicitly set.

### Don't automatically enable `show_diff` in noop mode

(#2744)

As of 845825a, file diffs are now logged, rather than printed to

console. Because log messages may be stored and are more broadly readable,

we no longer implicitly set `show_diff` in noop mode.

### Allow providers to be used in the run they become suitable

(#6907)

At long last! You can now deliver a provider with pluginsync, use a Puppet resource to install executables or files the provider depends on, and use that provider in resources during the same run. 

This works for both explicitly selected providers and providers that would be the default for their type.

### Output four-digit file modes in logging and reporting

(#7274)

When reporting a change to a file's mode, Puppet now outputs the four-digit

file mode instead of omitting the leading 0, i.e. 0755 instead of 755. This

reduces the likelihood of setting the wrong mode on a file through a

copy/paste accident.

### Fix "parenthesize method arguments" warnings under Ruby 1.8.6

(#10161)

In the process of Windows development, we introduced some warnings under Ruby 1.8.6:

    warning: parenthsize arguments(s) for future versions

These have been fixed, along with several testing/spec improvements around order dependent tests, and testing on Windows.

### Restore Mongrel XMLRPC functionality

(#10244)

Some code was over-eagerly removed, which turned out to still be necessary for backward compatibility with XMLRPC clients. It has been re-instated in this release.

### Fix missing facts under Mongrel

(#9109)

When using Puppet with Mongrel, facts were being lost from agent nodes running

2.7.0 or higher. This was caused by Mongrel puppet masters only retrieving

request parameters from the query parameters of the URL, which mixed badly

with clients that submit their facts in a POST request. This has been fixed,

and Mongrel puppet masters can merge the POST request body with the query

parameters.

### Speed up recursive file management in 2.7

(#9671)

Recursively managing file ownership and permissions

is now at least ten times faster. This

speed improvement can also

be seen in some other scenarios.

### Windows: Handle files on non-ACL volumes more gracefully

(#10614) 

* We now check whether a Windows volume supports ACLs before just trying to get or set them. This eliminates a nasty error that would arise when managing owner, group, and/or mode on a file whose volume didn't support ACLs.

* We also insert default ACL values when sourcing file content from a volume that doesn't support Windows ACLs (e.g. a VMware shared drive) to a volume that does; this allows content to be sourced without requiring the owner, group, and mode to be specified in the manifest. A file's owner now defaults to Administrators, its group defaults to Nobody, and its mode defaults to 0644.

* Setting and clearing of the read-only attribute is improved.

* Potential segfaults when attempting to manage ACLs on non-ACL volumes have been fixed by improving our handling of return values from the Windows APIs.

These fixes do not affect the POSIX file provider.

### Ruby 1.8.1: Don't rely on Kernel#Pathname

(#10727)

We've removed an unnecessary incompatibility with pre-1.8.5 Rubies in `Puppet::Type::File`, which was caused by using Kernel#Pathname.

### Allow authenticated clients to access anything clients _without_ certificates can access

(#9508)

Previously, the default `auth.conf` allowed anonymous clients *more* access to the certificate endpoint than authenticated clients. We now allow authenticated clients to access any endpoint that we trust anonymous clients to use. This improves support for distributed certificate management workflows.

### Serve file content in binary mode

(#9983)

Previously, Puppet::FileServing::Content opened files in text

mode. This has been changed to use binary mode.

# 2.7.7

2.7.7 was killed in the Thunderdome by 2.7.8. It was never released.

# 2.7.6

This is a **security, feature, and bug fix** release in the 2.7.x branch.

## Security Fixes

### CVE-2011-3872 (AltNames vulnerability)

[(Full vulnerability and mitigation details)][cve20113872]

[cve20113872]: http://puppetlabs.com/security/cve/cve-2011-3872/

**This is a major security vulnerability which must be manually remediated;**

upgrading Puppet will not fully protect a site from this vulnerability.

A bug in all previous versions causes Puppet to insert the puppet master’s DNS

alt names ("certdnsnames" in puppet.conf) into the X.509 Subject Alternative

Name field of all certificates, rather than just the puppet master’s

certificate.

Since the puppet agent daemon can use the Subject Alternative Name field to

identify its puppet master, your site may contain agent certificates that can

be used in a Man in the Middle (MITM) attack to impersonate the puppet master.

This release fixes the underlying bug that caused dangerous certificates to be

issued, but **any existing certificates with improper DNS alternate names will

remain dangerous until your agent nodes have been reconfigured.**

Any site where the puppet master's `certdnsnames` setting has been enabled is

vulnerable to attack. See the [CVE-2011-3872 details page][cve20113872] for

more information, including:

* How to determine whether you are affected

* How to fully remediate the vulnerability

* How to download and use the automated remediation toolkit released by Puppet Labs

## Features and Enhancements

### Enhancement: User/group management on Windows

(#9328) Retrieve user and group SIDs on windows.

Puppet can now manage user and group resources on Windows, and will use

Windows security identifiers (SIDs) for the uid and gid properties. (The uid

and gid properties are read-only for the time being.)

### Enhancement: Better file support on Windows

The file type and providers have been significantly refactored to properly

manage the owners, groups, and permissions of files on Windows.

Some subtleties to be aware of:

* In general, this implementation only supports "typical" permissions,

  where group permissions are a subset of user, and other permissions

  are a subset of group, e.g. 754, but not 467.

* The owner can be either a user or group SID, and most system files

  are owned by the Administrators group.

* The group can be either a user or group SID.

* Unexpected results can occur if the owner and group are the

  same, but the user and group classes are different, e.g. 750. In

  this case, it is not possible to allow write access to the owner,

  but not the group. As a result, the actual permissions set on the

  file would be 770.

* In general, only privileged users can set the owner, group, or

  change the mode for files they do not own. In 2003, the user must

  be a member of the Administrators group. In Vista/2008, the user

  must be running with elevated privileges.

* A file/dir can be deleted by anyone with the DELETE access right

  OR by anyone that has the FILE_DELETE_CHILD access right for the

  parent. See http://support.microsoft.com/kb/238018. But on Unix,

  the user must have write access to the file/dir AND execute access

  to all of the parent path components.

* Many access control entries are inherited from parent directories,

  and it is common for file/dirs to have more than 3 entries,

  e.g. Users, Power Users, Administrators, SYSTEM, etc, which cannot

  be mapped into the 3 class POSIX model. The get_mode method will

  set the S_IEXTRA bit flag indicating that an access control entry

  was found whose SID is neither the owner, group, or other. This

  enables Puppet to detect when file/dirs are out-of-sync,

  especially those that Puppet did not create, but is attempting

  to manage.

* On Unix, the owner and group can be modified without changing the

  mode. But on Windows, an access control entry specifies which SID

  it applies to. As a result, the set_owner and set_group methods

  automatically rebuild the access control list based on the new

  (and different) owner or group.

### Enhancement: Support plaintext password in Windows

(#9326) Support plaintext passwords in Windows 'user' provider.

The Windows 'user' provider now includes password support, although passwords

must be passed as plaintext instead of as hashes.

### Enhancement: Return reports on ral save

(#9838) Return the transaction report when doing a ral save

When using puppet resource from the command line, using `puppet resource`

to do a save will log error messages to the console when

saving using the ral indirection.  However, this doesn't help when using

that indirection in Ruby like you might from MCollective's puppetral

agent.

So we now return the transaction report you get from applying the

catalog.

The only place we could find this indirection being used was in the

`puppet resource` application, although it's possible that code external

to puppet uses this indirection and will need to change what it expects

for the return value of save.

## Bug Fixes

### Fix: Recognize more duplicate resources

(#8596) Title and name must be unique within a given resource

Puppet 2.6 introduced a bug where titles were no longer being compared to

names when identifying duplicate resources. For example:

    file { '/tmp/foo':

      ensure => file,

    }

    file { 'same_file':

      path   => '/tmp/foo',

      ensure => absent,

    }

This would work, but wasn't supposed to. It will now register as a duplicate, as intended.

### Fix: Allow multi-line exec resources

(#9996) Restore functionality for multi-line commands in exec resources

### Fix: Eliminate warning on groupadd

(#9027) Get rid of spurious info messages in groupadd

Usage of the groupadd provider was leading to spurious log messages of

this form:

    info: /Group[developer]: Provider groupadd does not support features

    manages_aix_lam; not managing attribute ia_load_module

These messages have been eliminated. See also issue #7137, covering

similar issues with the useradd provider.

### Fix: Remove unnecessary deprecation warning in puppet resource

(#9837) Call puppet apply to avoid deprecation warning

`puppet resource --edit` was causing unnecessary deprecation warnings similar to the following:

    warning: Implicit invocation of 'puppet apply' by passing files (or flags) directly

    to 'puppet' is deprecated, and will be removed in the 2.8 series.  Please

    invoke 'puppet apply' directly in the future.

These have been resolved.

### Fix: Resolve issues with Windows URIs

Previously, specifying a Windows file URI of the form 'file:///C:/foo'

as a file source failed to strip the leading slash when attempting to

source the file. (Also, there was ambiguity after values were munged, since a

value of the form 'C:/foo' could either be a Windows file path or a

URI whose scheme is 'C'.)

This behavior has been fixed, and Windows file URIs can be used safely.

### Fix: Expose all functions in templates

(#4549) Fix templates to be able to call all functions

Only a small subset of Puppet functions were available on the scope in

templates.  This had people doing workarounds like:

    inline_template("<%= Puppet::Parser::Functions.autoloader.loadall; scope.function_extlookup(['hello world']) %>")

These workarounds are no longer necessary, and templates can load any available

Puppet function.

### Fix: Update pluginsync to only load ruby files.

(#4135) Update pluginsync to only load ruby files.

Previously, puppet agent would attempt to load any file distributed via

pluginsync as though it were Ruby code. This was causing errors by loading,

for example, README files.

Pluginsync will still distribute any type of file, but puppet agent will no

longer attempt to load non-Ruby files.

### Fix: Fix logging on Windows

(#9435) Gracefully handle when syslog feature is unavailable

Previously, Puppet would try to create a syslog log destination when run

without a log destination, which would fail on Windows because the Syslog

module was not available. Behavior when syslog isn't available has been fixed.

### Fix: Disable daemonizing on Windows

(#9329) Disable agent daemonizing on Windows

For this release, we will not be providing the

code to run puppet agent as a service, though we have verified that

puppet will run as a service using a third-party service wrapper,

nssm.

Until support for running the agent as a service is complete, we have changed

the default `daemonize` setting on Windows. Puppet will also report an error if

`daemonize` is set to true on Windows.

# 2.7.5

Puppet 2.7.5 is a **security and regression fix** release in the 2.7.x branch.

* See the 2.7.5 [announcement](http://groups.google.com/group/puppet-announce/t/5c363480686372e3) on puppet-announce

* You can also see the general [security notice email](http://groups.google.com/group/puppet-announce/t/91e3b46d2328a1cb)

## Security Fixes

### Three security vulnerabilities

This release resolves the following security vulnerabilities:

* [CVE-2011-3869 -- k5login can overwrite arbitrary files as root][cve20113869]

* [CVE-2011-3870 -- SSH auth key local privilege escalation][cve20113870]

* [CVE-2011-3871 -- Predictable temporary filename in puppet resource/ralsh][cve20113871]

Follow the links above for details on each vulnerability.

[cve20113871]: http://puppetlabs.com/security/cve/cve-2011-3871/