Release Notes

(See also: Release Notes Scratchpad)

  • The 2.7 series is the current branch of Puppet releases.
  • The 2.6 series is the maintenance branch of Puppet, and is only being updated with security fixes.

The Release Notes document is a feature roadmap to the various Puppet versions. It details changes to features, functions, language, configuration and types during the course of Puppet’s development. It highlights incompatibilities and specifies when new features were introduced and the extent to which they are backwards-compatible.

Also available is the Roadmap Tracker which lists tickets closed for each release. Just click on the relevant release from the list on the right hand side.

If upgrading you should review this document upward from the version you are upgrading from. Please remember that if upgrading through multiple versions some behaviour may change more than once.

It is also important to note when upgrading that not all versions are backwards compatible. Newer agents may not work with older masters and vice-versa. Where possible backwards-compatibility is maintained but it’s not always totally successful. We strongly recommend ensuring your master and agents are the same version.

When upgrading it is also strongly recommended that you upgrade your master first and then your agents. Earlier agents usually work with later masters but later agents frequently have issues with earlier master versions. For example 0.24.8 agents will work with 2.6.6 masters but 2.6.6 agents may have unpredictable results with a 0.24.8 master.

3.0.0rc2

(#14609) Fix master initialization when running under Passenger

There is some initialization that happens in CommandLine.rb
(such as parsing the puppet config file) which was being
bypassed when launching puppetmaster as a Rack/Passenger app.
This commit tweaks the rack config to call into CommandLine
directly, which is unfortunate but works for now.

(#14514) Check for the presence of hiera config

Puppet initializes Hiera using a configuration Hash instead of a
configuration file. Puppet now checks for the existence of the hiera
configuration file and uses an empty configuration and logs a warning
if missing.
We also ensure Hiera uses the Puppet logger by overriding the
configuration hash to set the logger explicitly.

3.0.0rc1

Breaking and Important Changes in Telly (Puppet 3.0.0)

  • String#lines and IO#lines revert to real Ruby semantics. Because the earliest versions of Ruby we support lack these, they were monkey-patched into place. Unfortunately, this emulation had different semantics, which have now been reverted to the Ruby norm. In earlier versions they behaved like split, and now they behave as normal – they include the separator character (default $/ == \n) in the output, and include content where they previously wouldn’t.

  • Puppet::Application: #should_parse_config, #should_not_parse_config, and #should_parse_config? are deprecated. In previous versions of Puppet, individual applications / faces built off of the Puppet::Application class were responsible for determining whether or not the puppet config file should be parsed. This logic is now part of the main Puppet engine / framework, so applications and faces no longer need to specify this via the methods mentioned above. The signatures still exist for now but will print a deprecation warning, and will be removed in a future release.

  • Puppet::Util::CommandLine no longer defaults to ‘apply’ if a subcommand is not specified: In recent versions of Puppet, if you called puppet without specifying a subcommand, it would default to ‘apply’. This behavior has been deprecated for a while (with a warning message printed for a while), and is now officially removed in Telly. A subcommand is now required, and you will get a usage message if you attempt to run without one.

  • Puppet agent lockfile: The semantics of the puppet agent lockfile have changed. These semantics were being treated as API by some external programs (at least mcollective). For a detailed description of the changes please see telly/developer_docs/agent-lockfiles.md.

  • Console output formatting changes: The format of messages displayed to the console has changed slightly, potentially breaking scripts that watch these messages. This does not change the formatting of messages logged through other channels (e.g. syslog, files), which remain as they were before. See bug #13559 for details.

  • “Resource Type” API changes: The API for querying resource types has changed slightly. This is most likely to be visible to any external tools that were using the REST API to query for information about resource types. Details:

    • You can now add a “kind” option to your request, which will allow you to filter results by one of the following kinds of resource types: “class”, “node”, “defined_type”.
    • The API would previously return a field called ‘type’ for each result. This has been changed to ‘kind’.
    • The API would previously return the value ‘hostclass’ for the ‘type’ field for classes; this has been changed to ‘class’.
    • The API would previously return the value ‘definition’ for the ‘type’ field for classes; this has been changed to ‘defined_type’.
    • The API would previously return a field called ‘arguments’ for any result that contained parameter definitions. This has been changed to ‘parameters’.

  • Standalone commands: The filebucket, pi, puppetdoc, ralsh, puppetca, puppetd, puppetmasterd, puppetqd, and puppetrun standalone executables have been removed. Their replacements, puppet filebucket, puppet describe, puppet doc, puppet resource, puppet ca, puppet agent, puppet master, puppet queue, and puppet kick respectively, have already been available for at least one major version.

  • Removing trailing ‘.’ from FQDN: Due to a change made in Facter, the FQDN in Puppet is also stripped of a trailing ‘.’. This may change the default certificate name, and force users to generate a new certificate.

  • In auth.conf, auth no and auth any are unified: Previously, setting auth no in an auth.conf entry would allow an anonymous user to access the endpoint, but would refuse access to anyone who presented a certificate. Since anyone could simply refuse to supply their certificate and get access to the endpoint, the two have been unified: you can now access the endpoint with or without a certificate.

  • Support for DNS SRV records: Puppet adds support for DNS SRV records when locating changes. This is disabled by default, but can be enabled to allow load balancing and service discovery to operate. (Disabled by default was added later.)

  • XML-RPC support is entirely removed: XML-RPC support has been removed entirely in favour of the REST interface to Puppet. This has been unused since the 0.25 era, and long deprecated. Anyone integrating with the XML-RPC interface should move to the REST API.

  • puppet parser validate will read from STDIN: Content piped to puppet parser validate will now be read and validated, rather than ignored or requiring a file on disk.

  • PluginSync related changes

    • factsync has been removed (as redundant to pluginsync). The ancient, deprecated in 0.25, factsync option has been eliminated. Pluginsync entirely replaces the facility. (#2277)
    • PluginSync no longer loads all downloaded plugins. Previously, when a plugin was downloaded it was automatically loaded during PluginSync – regardless of it actually applying on the system, or being required. Now, instead, only already loaded plugins are reloaded, and others allowed to wait until the system calls for them. This resolves problems where code that depends on platform libraries would cause a failure on the first pluginsync run, but would work correctly subsequently.
    • PluginSync operates when using puppet apply. Previously, only the master/agent participated in the PluginSync process. This led to enormous complexity trying to handle the various cases where behaviour similar to PluginSync was desired, but we didn’t invoke it. Now, instead of that we simply PluginSync all the time. This delivers the correct state in all cases, including agent and apply.
  • The Puppet agent, in daemon mode, applies the catalog in a forked process: When running Puppet as a daemon, one of the standard problems was that memory and other resources allocated during the catalog run would not be returned to the OS efficiently because of Ruby VM limitations. The agent now forks a child process to run the catalog, so that when it exits those resources are efficiently returned. This minimizes the amount of work done in the parent daemon process and so reduces system resource pressure.

  • The exec provider logs output on error by default. The exec provider now logs output when the command fails, by default, rather than requiring the user to request that explicitly. This makes it easier to debug problems with catalog application caused by failing exec resources.

  • LANG, LC_*, HOME and USER environment variables unset during command execution: When Puppet runs commands, from providers and from other sources, it now removes a number of potentially confusing or unsafe environment variables. LANG and the other locale environment variables are forced to C, to ensure consistent command output for providers, types, and other execution. This does not apply to commands run by the exec provider. The HOME and USER environment variables are unset when running commands, including those run by the exec provider. This is because they are generally misleading, and can lead to misbehaviour when applications trust those values despite running as a different user.

  • MacOS 10.4 support has been dropped. We no longer support anything before MacOS-X 10.5.

  • Report submission supports HTTPS

  • puppet doc only supported on Ruby 1.8.7 and 1.8.5: Because of changes in the underlying RDoc library used with puppet doc, we are currently unable to support it with Ruby 1.9. http://projects.puppetlabs.com/issues/11786 tracks fixing this.

  • puppet no longer defaults to the “apply” subcommand: In previous releases, invoking puppet with no other arguments assumed you intended to run the puppet apply subcommand. This was long deprecated, and has now been removed.

  • The include function accepts arrays.

  • The default console output format and streams have changed. Previously, Puppet didn’t differentiate informational and error messages well: we used the single, STDOUT, stream for both, and tagged them visually. Now, we behave in a much more “Unix” fashion – using STDERR appropriately, tagging errors but not informational output, etc.
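The environment handling for executed commands described in the list above (LANG/LC_* forced to C, HOME and USER unset, the exec provider keeping its locale), as an added Ruby example that is not Puppet's own execution code; the function names and the force_locale flag are this example's own:

```ruby
# Added example, not Puppet's execution code: build the environment Puppet 3.0
# gives to commands it runs. Locale variables are forced to "C" so provider
# output stays parseable; HOME and USER are dropped so a program started as a
# different user cannot be misled by the daemon's values. The exec provider
# keeps the caller's locale but still loses HOME and USER, which this models
# with the force_locale flag.
def sanitized_env(base, force_locale: true)
  env = base.reject { |k, _| %w[HOME USER].include?(k) }
  if force_locale
    env = env.reject { |k, _| k == 'LANG' || k.start_with?('LC_') }
    env['LANG'] = 'C'
    env['LC_ALL'] = 'C'
  end
  env
end

# Run argv (an array, so no shell interpolation happens) with only the
# sanitized environment and return its stdout. unsetenv_others: true makes
# the child see nothing from the parent beyond the keys in env.
def run_sanitized(argv, force_locale: true)
  env = sanitized_env(ENV.to_h, force_locale: force_locale)
  IO.popen(env, argv, unsetenv_others: true, &:read)
end

if $PROGRAM_NAME == __FILE__
  # Prints "HOME=unset LANG=C" whatever the parent's environment looked like.
  puts run_sanitized(['/bin/sh', '-c', 'echo "HOME=${HOME-unset} LANG=$LANG"'])
end
```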

2.7.15rc2

Contributors

Andrew Parker

Bug Fixes

(#8174) Allow defines to reference topscope

Because the compiler re-assigned the topscope, looking up topscope vars
or facts from a defined resource type was causing deprecation warnings
when it should not be. By cherry-picking commits
b02aa930a03a282588e81f65e14f47a138a4b9f0 and
c995be16bc9e3ad8dbad9d21b49df76de5b72ea9 the topscope is no longer
re-assigned and so defined resource types can now look up these kinds of
variables without problem.

Evaluate node classes either in top or node scope

Classes that are tied to a node should be preferred to be evaluated in
the node scope, but if we don't have one then they should be in the top
scope.

2.7.15rc1

Contributors

Chris Price, Patrick Carlisle, Josh Cooper, Kelsey Hightower, Nick Lewis, Nick Fagerlund, Daniel Pittman, Nan Liu, Jeff McCune, Ken Barber, Stefan Schulte, and James Turnbull

Highlights

Significantly improve compilation performance when using modules

When autoloading classes/defines, the typeloader constructs a set of
possible locations for the class, based on its name. Effectively, it
will look in the canonical locations corresponding to each namespace in
the fully-qualified name. So for each namespace, it will ask the
environment for a Puppet::Module instance for that module, to ask it
which of the module's potential manifests match the class it's looking
for. To answer that request, the environment instantiates a
Puppet::Module.

This amounts to potentially thousands of Puppet::Module instances being
created, because it does this many times (based on nesting of the class
name) per include/autoload/import. When Puppet::Module instances are
created, they parse and load their metadata.json file, in part to
validate their use. This implies that each compilation results in
metadata.json being parsed thousands of times, which is extremely slow
(and obviously provides no actual benefit).

Fortunately, the environment object already keeps a list of
Puppet::Module instances for every module in its modulepath. The fix
applied here is simply to change the environment such that it provides
modules by looking them up in its cached list, resulting in up to an
order of magnitude improvement in compilation time.

Colorize console output on Windows

Previously, `Puppet[:color]` was false on Windows, because the Windows
console does not support ANSI escape sequences.

The win32console gem converts ANSI color escape sequences into Win32
console API calls to change the foreground color, etc. If the output
stream has been redirected to a file, then the gem does not translate
the sequences, instead preserving them in the stream, as is done on
Unix.

To disable colorized output specify `color=false` or `--color=false` on
the command line.

This commit adds a `Puppet.features.ansicolor?` feature that defines
whether ANSI color escape sequences are supported. On Windows, this is
only true if the win32console gem can be loaded. On other platforms, the
value is always true.

The win32console gem will be packaged into the Windows installer, and
so, `Puppet[:color]` now defaults to true. If the gem can't be loaded,
then puppet will revert to its previous behavior.

Bug Fixes

(#14288) gem provider should tolerate bad lines.

Previously, when the output of the gem command contained a line that didn't
match it was returned as `nil` - but the rest of the provider didn't handle
that value at all!

That led to any mismatch causing various failures to dereference `nil` as a
hash, and general failure.

This fixes this to behave significantly better by just omitting that entry in
the result, returning only the expected content.

(#14123) Puppet shouldn’t explode if PATH contains ~nonexistent_user

As reported in http://bugs.debian.org/669650, when the PATH contained an
expansion for a user that doesn't exist, Puppet handled it the same way Ruby
does - to raise an exception, and explode.

Leaving aside the sanity of literal tilde in the PATH, we shouldn't explode in
that case - we should just skip that entry and carry on to the next element in
the path instead.

(#14173) Enforce that filebucket paths must be absolute

If you passed the filebucket a relative path, perhaps by accidentally quoting
'false', it would happily accept that and create a directory relative to the
current working directory to store content in.

This enforces that the path must be absolute, as well as failing cleanly if
multiple paths are passed.

Fix broken man page rake task

The mass static man page generator was broken! Something changed in commit
82e5fa9561e2d4cb1d699a41c14f50953d8f2d97 which broke the way we were passing
render_as to the man action; while that bears further investigation, we were
able to get the task working again by simply removing it, since the value we
were passing to option turned out to be redundant when using the action from
the API.

We also found that I had unwisely called the argument of the save action for
indirector faces "<object>", which Ronn confuses for an HTML tag of the same
name and then barfs on. This commit fixes that, too.

(#11004) Support Solaris 11 output in pkg package provider

Solaris 11 has merged the status field and the flag field when running
pkg list. So instead of

    SUNPython  2.5.5-0.111  installed  ----

a line may now look like

    compress/zip  3.0-0.175.0.0.0.2.537  i--

Change the regex in the parsing method to be able to correctly
interpret the output on Solaris 11 boxes.
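The two parsing fixes above, Solaris 11's merged status/flag column and the gem provider's tolerance of non-matching lines (#14288), as one added Ruby example; this is not Puppet's provider code, and the regexes, function names and sample lines are constructed for the example:

```ruby
# Added example, not Puppet's pkg provider: parse `pkg list` output in both
# the older four-column layout and the merged Solaris 11 layout, and drop
# lines that match neither instead of passing nil entries downstream.

# Older layout: NAME  VERSION  STATUS  FLAGS
OLD_FORMAT = /\A(\S+)\s+(\S+)\s+(installed|known)\s+(\S+)\s*\z/
# Solaris 11 layout: NAME  VERSION  IFO  (i/f/o flag positions, '-' if unset)
NEW_FORMAT = /\A(\S+)\s+(\S+)\s+([i-][f-][o-])\s*\z/

# Returns a hash for one package row, or nil when the line is not a package
# row (column headers, blank lines, warnings printed by pkg itself).
def parse_pkg_line(line)
  if (m = OLD_FORMAT.match(line))
    { name: m[1], ensure: m[2], status: m[3], flags: m[4] }
  elsif (m = NEW_FORMAT.match(line))
    # In the merged form the first flag character is 'i' for installed
    # packages, so derive the old status word from it.
    { name: m[1], ensure: m[2],
      status: m[3][0] == 'i' ? 'installed' : 'known', flags: m[3] }
  end
end

# Parse whole command output; compact discards the nil entries that the
# gem provider bug (#14288) used to leave in the result.
def parse_pkg_list(output)
  output.each_line.map { |l| parse_pkg_line(l.chomp) }.compact
end

# Constructed sample mixing both layouts and a non-matching header line.
SAMPLE_OUTPUT = <<~OUT
  NAME (PUBLISHER)  VERSION  IFO
  SUNPython  2.5.5-0.111  installed  ----
  compress/zip  3.0-0.175.0.0.0.2.537  i--
OUT
```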

(#13645) Do not open an SMTP connection if there is nothing to report

If tagmail finds out that there are no messages that have to be sent to
anyone, puppet will still open an SMTP connection (if smtpserver is set)
and then close the connection without sending any data. This can lead
to a lot of syslog messages on your SMTP server like

    sendmail: puppet.example.com did not issue MAIL/EXPN/VRFY/ETRN
    during connection to MTA

The fix now does not even enter the send method if there are no reports
to be sent. This does also prevent unnecessary forking if there are no
reports.

(#8778) Make '' == undef commutative in the DSL

Without this patch applied the Puppet DSL treats undef == '' as true
but '' == undef as false.  This is undesirable because the equality
operator should be commutative.

This patch fixes the problem by adding an explicit check for '' == undef
in the AST.  Without this patch applied, Puppet already has an explicit
check for undef == '' but not for '' == undef.

The spec tests are also updated by this patch to reflect the change.

(#3452) Autorequire user for cron

If you specify a “user” on a cron entry, it ought to be automatically
required.

Patch includes tests from Stefan Schulte
Patch thanks to Jim Pirzyk

2.7.14

Contributors

Andrew Parker, Chris Price, Daniel Pittman, Dominic Cleal, Gary Larizza, Hunter Haugen, Jeff McCune, Jeff Weiss, Josh Cooper, Justin Stoller, Kelsey Hightower, Ken Barber, Lauri Tirkkonen, Matt Robinson, Matthaus Litteken, Moses Mendoza, Nicholas Hubbard, Nick Lewis, Nick Fagerlund, Nigel Kersten, Patrick Carlisle, Pieter van de Bruggen, Reid Vandewiele, and Stefan Schulte

Features

Puppet Module Tool Face - the module tool has seen a host of
improvements including dependency resolution, environment handling,
and searching the forge. There are more details available at
http://docs.puppetlabs.com/puppet/2.7/reference/modules_installing.html

Bug Fixes

(#13682) Rename Puppet::Module::Tool to Puppet::ModuleTool

Without this patch, Puppet will monkey patch the existing implementation
of the puppet-module Gem if it is used.  This is bad because the two
implementations are all jumbled up inside of one another and behavior
may become unpredictable.  Warnings are also displayed directly to the
end user in the form of redefined constants.

This patch fixes the problem by renaming Puppet::Module::Tool inside of
Puppet to Puppet::ModuleTool. This fixes the problem because Puppet will
no longer monkey-patch the Puppet::Module::Tool module inside of the
puppet-module Gem.

This patch also has the added benefit of making the Module's name match
up with the CamelCase filepath (puppet/module_tool/ =>
Puppet::ModuleTool). As a result, no file moves are necessary.

(#13682) Fix acceptance test failures

On Lucid, /usr/share/puppet may not exist.  The module upgrade tests all
make the assumption that this parent directory exists.  This causes
false positive failures when running systest against a Lucid system.

This patch modifies the setup code for all of the tests to ensure the
parent directory exists.

(maint) Ensure every file has a trailing newline

Without this patch some files exist in the tree that don't have trailing
newlines.  This is annoying because perl -pli.bak -e will automatically
add a newline to every file it modifies in place.  The files that
actually have modifications by the global search and replace need to be
separated from the files that only have newlines added.

This patch simply adds newlines to everything if they don't exist on the
last line.

Yes, the PNG's are perfectly fine with a trailing newline as well.

(#14036) Handle upstart better

Change the upstart provider to better handle the mix of some services
that are upstart controlled and some that are init script controlled.

(#14060) Fix quoting of commands to interpolate inside the shell.

The `shell` exec provider was supposed to emulate the behaviour of 0.25 exec,
which was to pass the content through the default shell to get it executed.

Unfortunately, it got quoting a bit wrong, and ended up interpolating
variables at the wrong point - it used double quotes where single quotes were
really what was desired.

Thanks to Matthew Byng-Maddick for the report, and a fix to the quoting; in
the end we should not be in this position - we shouldn't be using string
execution where we can pass an array instead.  That avoids any chance that
there is more than one round of shell interpolation entirely.

As a bonus, this fixes the base exec type to support specifying the command to
run that very way, and making it good.

(#14101) Improve deprecation warning for dynamic lookup

The new message will tell the user how to get more information about
what is occurring. More information will be provided at debug level so
that a user can see what the change to the lookup will be.

Better warnings about scoping

Make new scoping look through inherited scopes

Previous to this commit, Puppet would look through a given scope
hierarchy and give deprecation warnings when a value was found in either
an inherited class scope or included class scope, when it should only
give the warning in the case of the included class scope.
This commit makes the new-scope behavior also examine inherited scopes,
though continuing to ignore included scopes.

Implement newlookupvar() to replace dynamic scope

lookupvar() is shifted to oldlookupvar() and newlookupvar() is added. An
intermediary lookupvar() function will query both and if the answer
varies then it will throw a deprecation warning for dynamic scoping. The
intermediary and old lookup functions may be removed at a later date,
thus completing the transition.
A test case has been introduced to detect dynamic scoping and the
deprecation warning. Slight modifications to the spec test scoping
objects were made to bring them more in line with the real world.
All scope tests pass. When oldlookupvar is replaced, the deprecated
dynamic scoping test case will fail and all other scope test cases will
pass.

Augeas Improvements

(#11988) Work around Augeas reload bug when changing save modes

After saving a file in one save mode and switching to another, Augeas fails
to reload the file when Augeas#load is called again.  Work around this by
explicitly reloading all files we saved while using the first save mode.

(#11988) Don’t overwrite symlinks in augeas provider

Previously, if not running with `force` set, we would try to write the
file in SAVE_NEWFILE mode to create a <filename>.augnew file with the
changes. We determined whether there were changes to be made based on
that file (and used it to show a diff). When it came time to actually
make the changes, we would simply move the .augnew file over the file
being managed. Unfortunately, if the file being managed were a symlink,
this would clobber it.

There was a fallback path in the case of force (or older versions of
augeas not supporting SAVE_NEWFILE) in which we would make the
changes in SAVE_OVERWRITE mode as normal. Now, the behavior is a
combination of the two; we still use SAVE_NEWFILE to determine whether
changes need to be made and to show a diff, but then remove the .augnew
file and always run again in SAVE_OVERWRITE mode to save the changes.
This effectively delegates the behavior of preserving the file, etc.
to augeas, so we don't duplicate effort or bugs.

(#13204) Don’t ignore missing PATH.augnew files

The original fix for #13204 may have masked other potential bugs if the
PATH.augnew file was missing.  It simply tested for the file's existence,
and not only when duplicate save events occurred.
This change de-duplicates the list of save events instead, so if a bug
appeared where PATH.augnew was genuinely missing, the error wouldn't be
squashed.

(#13204) Workaround duplicate Augeas save events

Bug #264 in Augeas causes duplicate save events to be returned when editing
under /boot in newfile mode.  Because we loop around these events,
diffing and unlinking the files, this causes an ENOENT error when we process
the same event twice.

This commit checks that the file we intend to operate on exists.

(#7592) Remove redundant call to String#to_s

Previously, the augeas provider made calls like the following:

    @aug.get(key).to_s

Since the Augeas#get method returns a String, not an array, the to_s
call is redundant. (Note the #match method does return an array.)

The augeas tests were stubbing the #get method to return an array in
some places (and a string in others). Prior to 1.9.2, ruby will
automatically convert ["foo"].to_s to "foo", so everything worked as
expected. However, under 1.9.2, ["foo"].to_s becomes "[\"foo\"]".

These failures weren't noticed earlier, because our 1.9.2@allFeatures
jenkins nodes do not have ruby-augeas installed. In other words, tests
that require Puppet.features.augeas? were never running in
Jenkins. The recent change to improve augeas testing removed the
dependency on this feature being installed, so these tests started
failing.

This commit just removes the redundant call to String#to_s, and
updates the spec tests to match what the Augeas#get method really
returns.

Zypper Provider Improvements

(#8312) Fix zypper provider so ensure => ‘latest’ now works

Previously the regular expression to match the correct column from
'zypper list-updates' was wrong; it seems to have been based on the command
'zypper packages' instead. This caused ensure => 'latest' to fail as the
provider couldn't adequately figure out what newer versions were actually
available.

So I've fixed the regular expression (based on Felix Frank's patch) and updated
the spec test so that it uses the real output from zypper list-updates and now
references an external spec file, as opposed to referencing the content inline.

Windows Bugfixes

(#12392) Created Windows eventlog message resource dll

This commit adds the ability to build a message resource dll used to
display localized eventlog messages on Windows. Windows eventlog expects
that each log event has a unique id, which can then be localized in a
resource dll, one for each locale. However, puppet does not yet support
this, see #11076. So this commit defines three puppet event ids
corresponding to the three levels of Windows events that we support
(info, warn, and error).
In order to build the dll, you need the Windows SDK installed that
contains the mc, rc, and link utilities.

(Maint) Don’t assume eventlog gem is installed on Windows

Previously, the test would fail when run on a Windows box that didn't
have the eventlog gem installed. Since the Windows agent should be able
to run without the gem installed, and fall back to writing to a log
file, this commit changes the test to only run when the gem is
installed. There is already a test that verifies that we fall back if
the eventlog feature is not available.

2.7.13

This is a security release in the 2.7.x branch.

Security Fixes

CVE-2012-1906 (High) – appdmg and pkgdmg providers write packages to insecure location

http://puppetlabs.com/security/cve/cve-2012-1906

(#13260)

If a remote source is given for a package, the package is downloaded
to a predictable filename in /tmp. It is possible to create a symlink
at this name and use it to clobber any file on the system, or by
switching the symlink install arbitrary packages (and package installers
can execute arbitrary code).

CVE-2012-1986 (High) – Filebucket arbitrary file read

http://puppetlabs.com/security/cve/cve-2012-1986

(#13511)

It is possible to construct a REST request to fetch a file from a
filebucket that overrides the puppet master’s defined location
for the files to be stored. If a user has access to construct directories
and symlinks on the machine they can read any file that the user the
puppet master is running as has access to.
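A path check of the kind this fix calls for, covering both the absolute-path requirement from #14173 and the symlink escape described here, as an added Ruby example that is not Puppet's filebucket code; the bucket_root argument and the function names are assumptions of the example:

```ruby
# Added example, not Puppet's filebucket code: the two checks a defender wants
# on a client-supplied bucket path. It must be absolute (#14173), and it must
# resolve, with every symlink followed, to somewhere inside the configured
# bucket directory, so a planted symlink or a ".." component cannot point the
# master at an arbitrary file (CVE-2012-1986). bucket_root is assumed to exist.
require 'tmpdir'
require 'fileutils'

class UnsafeBucketPath < StandardError; end

# Return the canonical path for +requested+ or raise UnsafeBucketPath.
def safe_bucket_path(bucket_root, requested)
  unless requested.is_a?(String) && requested.start_with?('/')
    raise UnsafeBucketPath, "bucket path must be absolute: #{requested.inspect}"
  end
  root = File.realpath(bucket_root)
  # realpath resolves symlinks and ".." in every component; a not-yet-existing
  # final component is resolved against its real parent so new files can be
  # checked before they are written.
  real = begin
    File.realpath(requested)
  rescue Errno::ENOENT
    File.join(File.realpath(File.dirname(requested)), File.basename(requested))
  end
  unless real == root || real.start_with?(root + File::SEPARATOR)
    raise UnsafeBucketPath, "#{requested} resolves to #{real}, outside #{root}"
  end
  real
end

# Classify each labelled request as :ok or :rejected (a missing parent
# directory counts as rejected too, since the path cannot be verified).
def check_requests(bucket_root, requests)
  requests.map do |label, req|
    verdict = begin
      safe_bucket_path(bucket_root, req)
      :ok
    rescue UnsafeBucketPath, Errno::ENOENT
      :rejected
    end
    [label, verdict]
  end.to_h
end

# Constructed scenario: a bucket directory, a secret file beside it, and a
# symlink inside the bucket that points at the secret.
def demo
  Dir.mktmpdir('bucket-demo') do |tmp|
    bucket = File.join(tmp, 'bucket')
    Dir.mkdir(bucket)
    secret = File.join(tmp, 'secret')
    File.write(secret, "not for the bucket\n")
    File.symlink(secret, File.join(bucket, 'link'))
    check_requests(bucket,
                   new_file: File.join(bucket, 'new-content'), # fine
                   symlink:  File.join(bucket, 'link'),        # escapes via symlink
                   dotdot:   File.join(bucket, '..', 'secret'), # escapes via ..
                   relative: 'false')                          # not absolute
  end
end
```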

CVE-2012-1987 (Moderate) – Filebucket denial of service

http://puppetlabs.com/security/cve/cve-2012-1987

(#13552,#13553)

By constructing a marshaled form of a Puppet::FileBucket::File object a
user can cause it to be written to any place on the disk of the puppet
master. This could be used for a denial of service attack against the
puppet master: an attacker who fills a filesystem can cause systems to
stop working. In order to do this the attacker needs no access to the
puppet master system, but does need access to agent SSL keys.

Using the symlink attack described in Bug #13511 the puppet master
can be caused to read from a stream (e.g. /dev/random) when either
trying to save a file or read a file. Because of the way in which the puppet
master deals with sending files on the filesystem to a remote system via a
REST request the thread handling the request will block forever reading from
that stream and continually consuming more memory. This can lead to the
puppet master system running out of memory and cause a denial of service.

CVE-2012-1988 (High) – Filebucket arbitrary code execution

http://puppetlabs.com/security/cve/cve-2012-1988

(#13518)

This requires access to the cert on the agent and an unprivileged
account on the master.  By creating a path on the master in a
world-writable location that matches a command string, one can
then make a file bucket request to execute that command.

CVE-2012-1989 (High) – Telnet utility (used for network devices) writes to insecure location

http://puppetlabs.com/security/cve/cve-2012-1989

(#13606)

The telnet.rb file opens a NET::Telnet connection with an output log
of /tmp/out.log. That log could be replaced by a symlink anywhere
on the system and the puppet user would happily write through the
symlink, potentially clobbering data or worse.
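Both this issue and CVE-2012-1906 come down to a fixed, predictable file name in /tmp. The following added Ruby example, not Puppet's code, shows that pattern beside the exclusive-create, private-directory approach a fix should take; the function names are the example's own:

```ruby
# Added example, not Puppet's provider or telnet code. Both CVE-2012-1906 and
# CVE-2012-1989 come from writing to a fixed, predictable name in /tmp, where
# any local user can pre-plant a symlink. unsafe_target shows that pattern;
# open_private_file shows the replacement: a fresh 0700 directory from
# Dir.mktmpdir, a file opened with O_CREAT|O_EXCL (and O_NOFOLLOW where the
# platform has it) so an existing file or symlink is refused, and an lstat
# check that what was opened is a regular file we own.
require 'tmpdir'
require 'fileutils'

# Unsafe: fixed name in the shared temp directory, e.g. /tmp/out.log.
def unsafe_target(name)
  File.join(Dir.tmpdir, name)
end

# Safe: returns [io, path, dir]; the caller removes dir when finished.
def open_private_file(name, mode: 0600)
  dir = Dir.mktmpdir('puppet-')              # mode 0700, unpredictable name
  path = File.join(dir, File.basename(name)) # basename drops any directory part
  flags = File::WRONLY | File::CREAT | File::EXCL
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  io = File.open(path, flags, mode)          # EEXIST if anything is already there
  st = File.lstat(path)
  unless st.file? && st.uid == Process.euid
    io.close
    raise "#{path} is not a regular file owned by this process"
  end
  [io, path, dir]
end

# Constructed scenario for the planted-symlink case: a symlink sits where the
# output file is expected; the exclusive open must refuse it and the symlink
# target must be left untouched.
def symlink_refused?
  Dir.mktmpdir('victim-') do |tmp|
    victim = File.join(tmp, 'important.conf')
    File.write(victim, "keep me\n")
    planted = File.join(tmp, 'out.log')
    File.symlink(victim, planted)
    begin
      File.open(planted, File::WRONLY | File::CREAT | File::EXCL, 0600).close
      false                                  # opened through the symlink: bad
    rescue Errno::EEXIST
      File.read(victim) == "keep me\n"        # refused, victim untouched
    end
  end
end
```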

2.7.12

Highlights

Features

  • Zypper package provider supports zypper 0.6
  • Raise default key lengths in Puppet

Plumbing For Puppet Module Tool improvements

  • Module requirements should include versions
  • Fix SemVer’s range behavior to work with Ruby 1.9
  • Face actions should be able to set exit codes
  • Implement a rich console logging prototype
  • Enhance the uninstall PMT action
  • All forge interactions should be centralized
  • Add module dependency errors to module list output
  • Enhance PMT search action output

Bug Fixes

Windows Bug Fixes

  • Fix puppet agent --listen on Windows
  • Don’t add execute bit to newly created files on Windows
  • Skip default file permissions for sync'ed files on Windows
  • Allow POSIX paths for files served to Windows agents
  • Refactor Windows administrator detection
  • Disable puppet kick on windows

  • Restored agent lockfile behavior to 2.7.9; in 2.7.10 and 2.7.11, ‘puppet agent --disable’ began to use a new lock file named ‘puppetdlock.disabled’. This was determined to cause compatibility issues with certain external tools, so the pre-2.7.10 behavior has been restored.

  • Agent lockfile backwards compatibility to support users upgrading from 2.7.10 or 2.7.11.
  • Improved status / notification message when attempting to run an agent after agents have been administratively disabled (via ‘puppet agent --disable’).
  • Cron error messages on Windows less cryptic
  • Don’t overwrite symlinks in augeas provider
  • Fix zypper provider so ensure => ‘latest’ works

Details

(#11988) Don’t overwrite symlinks in augeas provider

Previously, if not running with `force` set, we would try to write the
file in SAVE_NEWFILE mode to create a <filename>.augnew file with the
changes. We determined whether there were changes to be made based on
that file (and used it to show a diff). When it came time to actually
make the changes, we would simply move the .augnew file over the file
being managed. Unfortunately, if the file being managed were a symlink,
this would clobber it.

There was a fallback path in the case of force (or older versions of
augeas not supporting SAVE_NEWFILE) in which we would make the
changes in SAVE_OVERWRITE mode as normal. Now, the behavior is a
combination of the two; we still use SAVE_NEWFILE to determine whether
changes need to be made and to show a diff, but then remove the .augnew
file and always run again in SAVE_OVERWRITE mode to save the changes.
This effectively delegates the behavior of preserving the file, etc.
to augeas, so we don't duplicate effort or bugs.

(#8312) Fix zypper provider so ensure => ‘latest’ now works

Previously the regular expression to match the correct column from
'zypper list-updates' was wrong; it seems to have been based on the command
'zypper packages' instead. This caused ensure => 'latest' to fail as the
provider couldn't adequately figure out what newer versions were actually
available.

So I've fixed the regular expression (based on Felix Frank's patch) and updated
the spec test so that it uses the real output from zypper list-updates and now
references an external spec file, as opposed to referencing the content inline.

(#12914) Allow puppet to be interrupted while waiting for child

Previously, puppet on Windows could not be interrupted, e.g. Ctrl-C,
while waiting for a child process it executed to exit. For example,
when executing a pre/post run command.

This commit changes puppet to poll the state of the child process'
handle, sleeping for 1 second in between.

(#12844) Agent lockfiles: backwards compatibility with 2.7.10/2.7.11

In 2.7.10 there was a change in behavior introduced with regards
to agent lockfiles.  Basically we split the concept of "an agent
is currently running" apart from the concept of "the agent has
been administratively disabled" by using 2 different lockfiles.

That change was determined to have broken compatibility with
mcollective, so it has been reverted as of 2.7.12.

This commit provides backwards compatibility between 2.7.12+
and 2.7.10/2.7.11 for cases where a user may have administratively
disabled their agent and then upgraded to a newer version of puppet.

(#12881) Fix cron type default name error on windows

On windows I ran into this error with the cron type:

    err: Failed to apply catalog: undefined method 'name' for nil:NilClass

Without this patch, the problem appears to be that the cron type name
parameter defaults to the following block:

    defaultto { Etc.getpwuid(Process.uid).name || "root" }

On windows `Etc.getpwuid(Process.uid)` returns `nil`.  This patch fixes
the problem by binding the object returned by
`Etc.getpwuid(Process.uid)` to a variable.  We then check if the
variable responds to the `name` method, and only send a message to name
if so.  Otherwise, we return "root"

(#12933) Better error message when agent is administratively disabled

Detect the difference between the cases where an agent run is
aborted due to another agent run already in progress vs. being
aborted due to the agent being administratively disabled via
'--disable', and print a more useful message for the latter case.

(#12080) Implement a rich console logging prototype.

The new telly_prototype_console log destination aims to be a more human-friendly logging
endpoint, and acts as a prototype of some of the work we plan to build into Telly.

(#12106) Enhance the uninstall PMT action for UX

Before this patch the uninstall action only uninstalled puppet modules by
name. The uninstallation of a module consists of removing a directory in
the module path that matches the name of the module. This does not take
into account the version of the module installed.

This patch changes the behaviour of the uninstall action with the
following features:

* Modules can be uninstalled by specific version
* Modules can be uninstalled by environment
* Output of the uninstall command has been enhanced to provide a better UX

This patch also includes updated specs for the change in behaviour.

(#12244) All forge interactions should be centralized

Before this patch each module application makes a direct connection to the
Puppet Forge. This is a maintenance nightmare: any change to the
Forge API requires changes to all the module applications.

This patch re-factors how we communicate with the Forge. All module
applications now use the interface exposed by the `lib/puppet/forge.rb`
module.

This patch also includes tests for the new forge.rb module, and updates
others to reflect the new behaviour.

(#12256) Fix SemVer’s range behavior to work with Ruby 1.9

In Ruby 1.9 Range's implementation of include? changed so that if the
objects being compared were non-numeric it would iterate over them
instead of doing a comparison with the endpoints.  We're subclassing
numeric to force non-discrete range behavior.

Numeric doesn't allow singleton methods to be defined, so we had to
change the way inspect worked when dealing with MIN and MAX values.

Paired-with: Pieter van de Bruggen <pieter@puppetlabs.com>
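The Range behaviour described above, as an added example (this is not Puppet's SemVer code; the two version classes are illustrative). A Comparable-only class makes Ruby 1.9+ try to enumerate the range with `succ`, which fails, while a Numeric subclass makes Range compare against the endpoints only:

```ruby
# Added example, not Puppet's SemVer implementation.

# Comparable only: Range#include? falls back to Enumerable#include?, which
# iterates the range using #succ. There is no #succ here, so it raises.
class PlainVersion
  include Comparable
  attr_reader :parts

  def initialize(str)
    @parts = str.split('.').map(&:to_i)
  end

  def <=>(other)
    parts <=> other.parts
  end

  def to_s
    parts.join('.')
  end
end

# Numeric subclass: Range treats Numeric endpoints as continuous and only
# compares the candidate against the two endpoints, which is what a
# version range needs.
class NumericVersion < Numeric
  attr_reader :parts

  def initialize(str)
    @parts = str.split('.').map(&:to_i)
  end

  def <=>(other)
    return nil unless other.respond_to?(:parts)
    parts <=> other.parts
  end

  def to_s
    parts.join('.')
  end
end

# Returns true/false when the range can be checked by comparison, or
# :cannot_iterate when Ruby tries (and fails) to enumerate the range.
def version_in_range?(klass, low, high, candidate)
  (klass.new(low)..klass.new(high)).include?(klass.new(candidate))
rescue TypeError
  :cannot_iterate
end

if __FILE__ == $PROGRAM_NAME
  puts version_in_range?(PlainVersion,   '1.0.0', '2.0.0', '1.5.0')  # :cannot_iterate
  puts version_in_range?(NumericVersion, '1.0.0', '2.0.0', '1.5.0')  # true
  puts version_in_range?(NumericVersion, '1.0.0', '2.0.0', '2.1.0')  # false
end
```

The `<=>` on the Numeric subclass must return `nil` for foreign objects rather than raising, because Range construction and `Comparable#==` both probe it.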

(#12256) module_requirements should include versions

Before this patch module requirements do not include version numbers.
Since modules with the same name, but different version numbers, can be
installed at the same time -- in different parts of the modulepath,
there is no way to tell which module has the dependency.

This patch fixes this issue by changing the data structure that
represents module requirements from a two item Array to a Hash with
three keys: name, version, and version_requirement.

This patch includes updated spec tests related to this change.

(#10299) Use CheckTokenMembership to see if user has admin rights

Previously, on Windows 2003 and earlier, Puppet.features.root? was
implemented by checking if the current user is a member of the local
Administrators group. However, many accounts, e.g. LocalSystem, are
implicit members of this group, so Puppet.features.root? would
incorrectly return false. This led to puppet not being able to find
its default configuration directory, among other things.

Conversely, a process can be executing using a restricted token, so
while the user may be a member of the Administrators group, the
process will be running with less privileges, and
Puppet.features.root?  would incorrectly return true.

This commit uses CheckTokenMembership to determine if the local
Administrators group SID is both present and enabled in the calling
thread's access token.

The behavior on Vista/2008 is unchanged. The calling thread's token
must be currently elevated.

(#12725) Fix puppet agent —listen on Windows

Previously, running `puppet agent --listen` failed on Windows, because
we were trying to set the Fcntl::FD_CLOEXEC flag on webrick's http
access log, but Windows does not support that flag.

There are ways to prevent file handles from being inherited across
calls to CreateProcess (either disabling inheritance on a given handle
or preventing all handles from being inherited). But for now, this
commit just skips setting the flag on Windows.

This commit also re-enables spec tests that were disabled on
Windows. The thinking previously is that webrick would never run on a
Windows agent, but that's not true.

(#11740) Wait on the handle from the PROCESS_INFORMATION structure

Previously, the `Puppet::Util.execute` method was using `waitpid2` to
wait for the child process to exit and retrieve its exit status. On
Windows, this method (as implemented by the win32-process gem) opens a
handle to the process with the given pid, and then calls
`WaitForSingleObject` and `GetExitCodeProcess` on the process
handle. However, the pid-to-handle lookup will raise an exception if
the child process has exited. As a result there was a race condition
whereby puppet could sometimes fail to retrieve the exit status of
child processes.

The normal way of getting the exit code for a child process on Windows
is to use the child process handle contained in the
`PROCESS_INFORMATION` structure returned by `CreateProcess`. This
works regardless of whether the child process is currently executing
or not.

This commit reworks the `Puppet::Util.execute_windows` method to wait
on the child process handle contained in the process information
structure. This requires that we pass the `:close_handles => false`
option to the win32-process gem so that it doesn't close the handles.

This commit also re-enables tests that were previously being skipped
due to this bug.

(#11408) Don’t add execute bit to newly created files on Windows

Previously, if a directory was executable for owner or group, then any
file created at a later time in the directory would have its execute
bit set. For example, if a directory's mode is set to 0750, then any
file created in the directory at a later time would have the same
mode.

This causes the file mode to change unnecessarily across puppet
runs. For example, when puppet starts for the first time, it creates a
$vardir/certs directory that is executable. During the same run, it
writes out its signed cert, which is now executable. The second time
puppet runs, it sees that the mode is out-of-sync, it should be 0644,
and changes the mode.

If the same scenario occurs to a service's configuration file, then
puppet could bounce the service unnecessarily.

This commit creates two sets of inherit-only access control entries on
the parent directory. One set applies the same permissions from the
parent directory to its subdirectories (containers) at creation time. The other set
masks off the execute bit for its files (objects) at creation time.

Note puppet always has FULL_CONTROL (which includes FILE_EXECUTE) for
files it creates, so this commit does not prevent puppet from being
able to execute content that it downloads. It only prevents group and
other from having execute permission by default.

In order to grant execute permission to group and other on a file that
puppet manages, you must explicitly specify the appropriate mode in
the file's resource.

(#11408) Allow POSIX paths for files served to Windows agents

Previously, Windows agents would fail during fact and plugin sync. The
agent would retrieve the remote file metadata and attempt to set the
metadata's path based on the path of the file as it exists on the
remote system. Since the remote system is typically a POSIX puppet
master, our `Puppet::Util.absolute_path?` path check would fail on
Windows.

To complicate matters, the path of the "remote" file can in fact be a
Windows-style path, such as when using puppet apply and a modulepath
that refers to the local filesystem.

This commit changes the `Puppet::FileServing::Base#path=` method to
allow both POSIX and Windows style paths on Windows hosts, but only
allows POSIX style paths on POSIX hosts, since we don't support
running puppet master on Windows.

(#6663) Raise default key lengths in Puppet.

The CA key length was lower than it should be - 1024 bits is no longer secure
enough for real world use.  This raises both client and CA certs to use 4096
bit keys.  Those are slow, but effective for long term security.

People who know enough to decide that the trade-off of speed vs limited window
of security can still totally reduce the size of the key without much trouble,
but we default to being more cautious.

This also pegs the key lengths low in testing, since building a 4K key is
awful slow if you want to do it time and time again over the course of dozens
of tests.

2.7.11

This is a security and bug fix release in the 2.7.x branch.

Security Fixes

CVE-2012-1053 (Group Privilege Escalation)

http://puppetlabs.com/security/cve/cve-2012-1053/

(#12457, #12458, #12459) A bug in Puppet gives unexpected and improper group privileges to execs and types/providers. When executing commands as a different user, Puppet leaves the forked process with Puppet’s own group permissions. Specifically:

  • Puppet’s primary group (usually root) is always present in a process’s supplementary groups.
  • When an exec resource is assigned a user to run as but not a group, Puppet will set its effective GID to Puppet’s own GID (usually root).
  • Permanently changing a process’s UID and GID won’t clear the supplementary groups, leaving the process with Puppet’s own supplementary groups (usually including root).

This causes any untrusted code executed by a Puppet exec resource to be given unexpectedly high permissions.
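The ordering that avoids this class of bug, as an added example (not Puppet's SUIDManager code): default the GID to the target user's primary group instead of keeping the caller's, reset the supplementary groups, change the GID, and only then change the UID. The OS adapter classes and the passwd records are constructed here so the sequence can be exercised without root:

```ruby
require 'etc'

# Added example, not Puppet's code. Constructed passwd record used by the
# fake adapter below.
PasswdEntry = Struct.new(:name, :uid, :gid)

# Talks to the real kernel; only usable when running as root.
class RealOs
  def lookup_user(name); Etc.getpwnam(name); end
  def set_groups(groups); Process.groups = groups; end
  def set_gid(gid); Process::GID.change_privilege(gid); end
  def set_uid(uid); Process::UID.change_privilege(uid); end
end

# Records every privilege call instead of making it (tests and dry runs).
class RecordingOs
  attr_reader :calls

  def initialize(users)
    @users = users
    @calls = []
  end

  def lookup_user(name)
    @users.fetch(name) { raise ArgumentError, "unknown user #{name}" }
  end

  def set_groups(groups); @calls << [:groups, groups]; end
  def set_gid(gid);       @calls << [:gid, gid]; end
  def set_uid(uid);       @calls << [:uid, uid]; end
end

# Permanently become `user`. If no group is given, use the user's primary
# group; never leave the caller's own GID or supplementary groups in place.
def drop_privileges(user, group: nil, os: RealOs.new)
  pw  = os.lookup_user(user)
  gid = group || pw.gid
  os.set_groups([gid])   # clears inherited supplementary groups (e.g. root)
  os.set_gid(gid)        # while we still have the privilege to setgid
  os.set_uid(pw.uid)     # last: after this, group changes are no longer possible
  { uid: pw.uid, gid: gid }
end

if __FILE__ == $PROGRAM_NAME
  fake = RecordingOs.new('svc' => PasswdEntry.new('svc', 1001, 1001))
  p drop_privileges('svc', os: fake)   # {:uid=>1001, :gid=>1001}
  p fake.calls                         # [[:groups, [1001]], [:gid, 1001], [:uid, 1001]]
end
```

Setting the supplementary groups to exactly `[gid]` is the most restrictive choice; a service that needs the target user's full group list would call `Process.initgroups` at that step instead.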

CVE-2012-1054 (User Privilege Escalation)

http://puppetlabs.com/security/cve/cve-2012-1054/

(#12460)

If a user’s .k5login file is a symlink, Puppet will overwrite the link’s target when managing that user’s login file with the k5login resource type. This allows local privilege escalation by linking a user’s .k5login file to root’s .k5login file.
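Both symlink hazards on this page, the augeas `.augnew` rename in #11988 above and the `.k5login` overwrite in CVE-2012-1054, come from treating a managed path as if it were a regular file. The added example below (not Puppet's provider code; the directory layout is constructed in a temporary directory) reproduces each one and shows an `O_NOFOLLOW` open that refuses to write through a link at all:

```ruby
require 'tmpdir'

# Added example, not Puppet's augeas or k5login code.

# Creates a regular file "target" (content "original\n") and a symlink
# "link" pointing at it inside `dir`; returns both paths.
def make_link(dir)
  target = File.join(dir, 'target')
  link   = File.join(dir, 'link')
  File.write(target, "original\n")
  File.symlink(target, link)
  [link, target]
end

def outcome(link, target)
  { link_still_symlink: File.symlink?(link), target_content: File.read(target) }
end

# The k5login hazard: opening the managed path follows the link, so the data
# lands in whatever file the link points at.
def write_through_symlink
  Dir.mktmpdir do |dir|
    link, target = make_link(dir)
    File.write(link, "new content\n")
    outcome(link, target)
  end
end

# The augeas hazard: renaming a .augnew file over the path replaces the
# symlink itself with a regular file. The old target is untouched, but the
# link is gone.
def rename_over_symlink
  Dir.mktmpdir do |dir|
    link, target = make_link(dir)
    tmp = "#{link}.augnew"
    File.write(tmp, "new content\n")
    File.rename(tmp, link)
    outcome(link, target)
  end
end

# Defensive open: O_NOFOLLOW makes the kernel refuse when the final path
# component is a symlink (ELOOP on Linux/macOS, EMLINK on FreeBSD), so
# neither hazard can occur.
def write_nofollow
  Dir.mktmpdir do |dir|
    link, _target = make_link(dir)
    begin
      File.open(link, File::WRONLY | File::NOFOLLOW) { |f| f.write("new content\n") }
      :wrote
    rescue Errno::ELOOP, Errno::EMLINK
      :refused
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p write_through_symlink   # link kept, target content replaced
  p rename_over_symlink     # link replaced by a file, target untouched
  p write_nofollow          # :refused
end
```

Which behaviour is "correct" depends on the resource: a file resource that deliberately manages a symlink must not replace it, and a resource that writes a user-controlled path must not follow it into another user's file. Checking `File.lstat` before writing, or opening with `File::NOFOLLOW`, lets the provider decide instead of the filesystem.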

2.7.11 also addresses the following regressions in the 2.7.10 release: #12572, #12188, #12412, #2927, #12296, #12310, #12464

2.7.10

Pulled due to regressions from 2.7.9

We are continuing to see several issues introduced in Puppet 2.7.10. We are recommending that users discontinue its usage. This could mean using 2.7.9 or waiting patiently until we can get 2.7.11 out the door.

These are the most significant tickets around the 2.7.10 regressions: #12310, #2927, #12269, #12588

Community MVP for this release: Brice Figureau (@masterzen) for the Instrumentation Framework

Highlights

We have several sections of release notes this month due to the high volume of commits. Sections are Instrumentation, Core, Mac OS, Windows, and FreeBSD.

  • Instrumentation Features available
  • Symbolic file mode support (e.g. u=rw,go=r) for the File type
  • Write reports to a temporary file and move them into place
  • Add password get/set behavior for Mac OS X 10.7
  • Add support for user expiry in pw user provider
  • Improve pw group provider on FreeBSD
  • Make sure managehome is respected on FreeBSD
  • Add password management on FreeBSD

Bug Fixes

  • Make the Debian service provider handle services that don’t conform to the debian policy manual.
  • Only load facts once per run
  • Puppetd removes pid file upon exit
  • Fix MySQL deadlock possibility within inventory service
  • Test Augeas versions correctly with versioncmp
  • Consider package epoch version when comparing yum package versions
  • Link should autorequire target
  • Use SMF’s svcadm -s option to wait for errors
  • Fix fact and plugin sync on Windows
  • Set password before creating user on Windows
  • Always serve files in binary mode on Windows
  • Don’t hard code ruby install paths in Windows batch files
  • Don’t copy owner and group when sourcing files from master on Windows
  • Fix OS X supplementary group handling
  • Use launchctl load -w in launchd provider (Mac OS)
  • Improve error msg for missing pip command
  • Better validation for IPv4 and IPv6 address in host type.

Instrumentation

Contributed by: Brice Figureau brice-puppet@daysofwonder.com

The Puppet Instrumentation Framework is a tool to install into a puppet executable:

  • instrumentation listeners
  • code probes

Code probes are static commands we add to the Puppet codebase to instrument some specific parts of the code. Currently only the Indirector is covered (but since it is the central piece of Puppet, it should cover a lot of possible uses).

Each time the program reaches a code probe (and instrumentation is enabled), the Instrumentation Framework sends an event to the registered instrumentation listeners. Those can be enabled/disabled/added/removed live without restarting the executable. The listeners’ responsibility is to produce something useful to the user. The patch shipped with 3 example listeners: one that logs the execution time of every probe, another that aggregates some performance data about probes, and a final one that decorates the executable’s process name (as seen in top) with the latest probes it encounters.

The Framework also includes a set of REST APIs and Faces to allow it to enable/disable listeners or probes, or to get access to listener performance data if they produce some.

How to use the Instrumentation Framework:

You need a live running Puppet executable (preferably a puppet master which by default listens to REST requests). It might also be necessary to modify the auth.conf to allow the instrumentation requests.

Display the list of known instrumentation listeners:

    puppet instrumentation_listener search x --terminus rest

Enable the “performance” instrumentation listener:

    puppet instrumentation_listener enable performance --terminus rest

Know more about the “performance” listener (is it enabled, for instance):

    puppet instrumentation_listener find performance --terminus rest

Of course this will only work if probes are enabled.

List all the current executable probes:

    puppet instrumentation_probe search x --terminus rest

Enable the instrumentation probes:

    puppet instrumentation_probe enable --terminus rest

How to get access to the data coming from a listener (here the “performance” one):

    puppet instrumentation_data find performance --terminus rest
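The auth.conf change mentioned above, as an added example fragment (not from the release notes or the patch). Because the REST endpoints let a client turn probes and listeners on and read performance data, the rules should admit only a named administrative host, never `allow *`. The fragment assumes the REST indirection names match the three face names used in the commands above and that `ops-console.example.com` is the certname of the host allowed to call them; verify both against your master.

```text
# Added example auth.conf rules; place them before the catch-all "path /" rule.
# Without a "method" line a rule covers every REST verb for that path.
path /instrumentation_listener
auth yes
allow ops-console.example.com

path /instrumentation_probe
auth yes
allow ops-console.example.com

path /instrumentation_data
auth yes
allow ops-console.example.com
```

`auth yes` means only clients presenting a certificate signed by the master's CA are considered at all; the `allow` line then narrows that to one certname.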

Core

Improve error msg for missing pip command

Author: Kelsey Hightower kelsey@puppetlabs.com

(#11958) Improve error msg for missing pip command

Without this patch the pip package provider does not produce a user friendly error message when the pip command is not available. The current error message looks like this:

    err: /Stage[main]/Dummy/Package[virtualenv]/ensure: change from
    absent to present failed: Could not set 'present on ensure:
    undefined method `pip' for
    #<Puppet::Type::Package::ProviderPip:0xb6cf6cd0> at
    /etc/puppet/modules/dummy/manifests/init.pp:5

This patch improves the error message by passing a string argument, ‘Could not locate the pip command.’, when raising the NoMethodError. The new error message looks like this:

    err: /Stage[main]/Dummy/Package[virtualenv]/ensure: change from
    absent to present failed: Could not set 'present on ensure: Could
    not locate the pip command. at
    /etc/puppet/modules/dummy/manifests/init.pp:5

This patch also includes updated spec tests validating this change. No other behavior changes are being introduced.

Better validation for IPv4 and IPv6 address in host type.

Author: Daniel Pittman daniel@puppetlabs.com

(#11499) Better validation for IPv4 and IPv6 address in host type.

The previous code was fairly lax in validation, and would allow a bunch of invalid addresses through – as well as rejecting some legal, but uncommon, IPv6 address types.

This adds substantial testing, especially around IPv6 addressing, and replaces the older validation with new, fancy stuff that works for all the cases.
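The difference between lax and structural address validation, as an added example (not the host type's validator). It contrasts a character-class check with parsing through Ruby's standard `IPAddr` library over a constructed list of addresses that includes the uncommon IPv6 forms the note refers to:

```ruby
require 'ipaddr'

# Added example, not Puppet's host type code.

# The kind of check that lets junk through: right characters, no structure.
def lax_ip?(str)
  !!(str =~ /\A[0-9a-fA-F:.]+\z/)
end

# Structural check: the string must parse as a single IPv4 or IPv6 host
# address. Prefix notation ("/24") and zone ids ("%eth0") are rejected
# because a host entry names exactly one address.
def strict_ip?(str)
  return false if str.include?('/') || str.include?('%')
  IPAddr.new(str)
  true
rescue ArgumentError   # IPAddr::InvalidAddressError is a subclass
  false
end

# Constructed samples: five valid addresses followed by five invalid ones.
SAMPLE_ADDRESSES = %w[
  192.0.2.1 ::1 2001:db8::1 ::ffff:192.0.2.1 fe80::1
  1.2.3 256.1.1.1 ::: 2001:db8::1::2 192.0.2.0/24
].freeze

# Returns the addresses each validator accepts.
def compare_validators(addresses = SAMPLE_ADDRESSES)
  {
    lax:    addresses.select { |a| lax_ip?(a) },
    strict: addresses.select { |a| strict_ip?(a) },
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_validators.each { |name, accepted| puts "#{name}: #{accepted.join(' ')}" }
end
```

The IPv4-mapped form `::ffff:192.0.2.1` is one of the legal-but-uncommon cases a hand-written regex tends to get wrong in one direction or the other; delegating to the library avoids maintaining that grammar by hand.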

Support symbolic file modes.

Author: Daniel Pittman daniel@puppetlabs.com

(#2927) Support symbolic file modes.

This adds a new feature, support for symbolic file modes, to Puppet. In addition to being able to specify the octal mode, you can now use the same symbolic mode style that chmod supports:

    file { "/example": mode => "u=rw,go=r" }

This also supports relative file modes:

    file { "/relative": mode => "u+w,go-wx" }

Support is based on the common GNU and BSD symbolic modes of operation; you specify a comma separated list of actions to take; in each you can set:

The user (u), group (g), other (o), or all (a) of the permission map.

You can modify the ability to read (r), write (w), execute / search (x) on a file or directory.

You can also modify the sticky bit (t), or the setuid and setgid bits (s).

Finally, you can set conditional execute permissions (X), which will result in the file having the execute bit if the target is a directory, or if the target had any execute bit set. (eg: g+X will set x if the original was u=x,g=.)
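The rules above as working code, added here as an example (this is not Puppet's `Puppet::Util::SymbolicFileMode`). It applies a chmod-style symbolic mode string to an existing numeric mode; the treatment of `s` (setuid for `u`, setgid for `g`, ignored for `o`) and `t` (sticky bit) is this example's own reading of the rules:

```ruby
# Added example, not Puppet's implementation.

WHO_SHIFT = { 'u' => 6, 'g' => 3, 'o' => 0 }.freeze
SPECIAL   = { 'u' => 0o4000, 'g' => 0o2000, 'o' => 0o1000 }.freeze
CLAUSE_RE = /\A([ugoa]*)([=+\-])([rwxXst]*)\z/

# Bits a single clause asks for on behalf of one "who" letter.
def clause_bits(who, perms, original, directory)
  shift = WHO_SHIFT[who]
  perms.each_char.inject(0) do |bits, p|
    case p
    when 'r' then bits | (4 << shift)
    when 'w' then bits | (2 << shift)
    when 'x' then bits | (1 << shift)
    # X: execute only if this is a directory or the original mode already
    # had some execute bit set
    when 'X' then (directory || (original & 0o111) != 0) ? bits | (1 << shift) : bits
    when 's' then who == 'o' ? bits : bits | SPECIAL[who]
    when 't' then bits | 0o1000
    end
  end
end

# Applies "u=rw,go=r", "u+w,go-wx", "g+X", ... to `original` and returns the
# resulting mode. Raises ArgumentError on anything it does not understand.
def apply_symbolic_mode(spec, original, directory: false)
  spec.split(',').inject(original) do |mode, clause|
    m = CLAUSE_RE.match(clause) or raise ArgumentError, "bad mode clause #{clause.inspect}"
    who, op, perms = m.captures
    who = 'ugo' if who.empty? || who.include?('a')
    who.each_char.inject(mode) do |acc, w|
      bits = clause_bits(w, perms, original, directory)
      mask = (7 << WHO_SHIFT[w]) | SPECIAL[w]   # rwx plus this who's special bit
      case op
      when '=' then (acc & ~mask) | bits
      when '+' then acc | bits
      when '-' then acc & ~bits
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  printf("%04o\n", apply_symbolic_mode('u=rw,go=r', 0o777))          # 0644
  printf("%04o\n", apply_symbolic_mode('u+w,go-wx', 0o755))          # 0744
  printf("%04o\n", apply_symbolic_mode('g+X', 0o100))                # 0110
  printf("%04o\n", apply_symbolic_mode('g+X', 0o600, directory: true)) # 0610
end
```

Note that `=` clears the special bit for the affected class as well as `rwx`, so `u=rw` on a setuid file drops setuid; that is the behaviour a reviewer usually wants from an absolute assignment.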

Only load facts once per puppet run

Author: Patrick Carlisle patrick@puppetlabs.com

(#8341) Only load facts once per puppet run

Make the facter terminus the only place that loads facts (with the notable exception of pluginsync which loads any ruby code it syncs).

This should satisfy several requirements:

  • daemonized puppet agent can get fresh facts on each run
  • puppet master can load facts
  • facts are not loaded more than once by the puppet agent fact handler

Puppetd does not remove its pidfile when it exits

Author: R.I.Pienaar rip@devco.net

(#5246) Puppetd does not remove its pidfile when it exits

The Puppet::Daemon instance sets up the pid file when it starts, but it’s up to the user of that object to arrange for stop to be called.

There are signal handlers set up to call stop, but in a onetime run those are never called.

This change arranges for the stop method to be called after a onetime run is done, but does not hand the task of exiting the application over to it, so that the agent application can handle the report status based exit codes.

Retry inventory ActiveRecord transaction failure

Author: Carl Caum carl@carlcaum.com

Retry inventory ActiveRecord transaction failure

Previous to this commit, if the ActiveRecord transaction for saving facts failed due to a MySQL deadlock, for example, the transaction would fail, printing a message to the user. This primarily occurred during a PE agent installation if multiple agents were being created simultaneously.

This commit adds the ability to retry if an ActiveRecord::StatementInvalid exception is thrown. To accomplish this, this commit ports Cloud Provisioner’s Puppet::CloudPack::Utils#retry_action method to Puppet core under Puppet::Util::RetryAction#retry_action.

Properly track blockers when generating additional resources

Author: Nick Lewis nick@puppetlabs.com

(#11641) Properly track blockers when generating additional resources

Previously, we would enqueue any unblocked resources as we added them to the graph. These were our initial resources, with no dependencies, and served as a starting place for traversal. However, we would add_dynamically_generated_resources before traversing, which could add additional resources and dependencies. We never accounted for these, causing our measure of blockedness to become incorrect (a resource could have more dependencies than we counted).

This is similar to the case of eval_generate adding additional resources. In that case, we clear the blockers list and allow it to be recalculated on demand. Unfortunately, that approach doesn’t work for the case where we add resources before traversing (as in add_dynamically_generated_resources), because we wouldn’t have a reliable list of resources to begin traversal with. Now we no longer enqueue resources when adding them, and instead wait until after we have called add_dynamically_generated_resources (which happens only once). This allows us to add our root resources with the assurance they won’t change before we start evaluating them.

Make the Debian service provider handle services that don’t conform to the Debian policy manual.

Author: Zach Leslie zach@puppetlabs.com

(#7296) Make the Debian service provider handle services that don’t conform to the Debian policy manual.

This change is to support initscripts that do not support the --query method of invoke-rc.d used by the Debian provider to determine if a service is enabled.

The fix checks that the link count in /etc/rc?.d is equal to 4, which is the number of links that should be present when using the Debian service provider, which is done by update-rc.d #{service} defaults.

Write reports to a temporary file and move them into place

Author: Ricky Zhou ricky@fedoraproject.org

(#8119) Write reports to a temporary file and move them into place

When writing reports, there is a window in between opening and writing to the report file when the report file exists as an empty file. This makes writing report processors a little annoying as they have to deal with this case. This writes the report into a temporary file then renames it to the report file.

Test Augeas versions correctly with versioncmp

Author: Dominic Cleal dcleal@redhat.com

(#11414) Test Augeas versions correctly with versioncmp

The release of Augeas 0.10.0 broke simplistic version comparisons with the >= operator, so now use versioncmp.
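Why the plain `>=` check broke, as an added example (not Puppet's `versioncmp` function, which also handles non-numeric segments): a string comparison is lexicographic, so `"0.10.0"` sorts below `"0.9.0"`, while a segment-wise integer comparison orders them correctly. The version strings are constructed samples.

```ruby
# Added example, not Puppet's versioncmp.

# String comparison is lexicographic: "1" < "9", so "0.10.0" < "0.9.0".
def string_at_least?(have, want)
  have >= want
end

# Compare dot-separated versions segment by segment as integers; missing
# trailing segments count as zero, so "0.10" == "0.10.0".
def version_cmp(a, b)
  as = a.split('.').map(&:to_i)
  bs = b.split('.').map(&:to_i)
  width = [as.size, bs.size].max
  as += [0] * (width - as.size)
  bs += [0] * (width - bs.size)
  as <=> bs
end

def version_at_least?(have, want)
  version_cmp(have, want) >= 0
end

if __FILE__ == $PROGRAM_NAME
  p string_at_least?('0.10.0', '0.9.0')    # false: the bug
  p version_at_least?('0.10.0', '0.9.0')   # true
  p version_cmp('0.3.6', '0.10.0')         # -1
end
```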

Save/execute changes on versions of Augeas < 0.3.6

Author: Dominic Cleal dcleal@redhat.com

(#11414) Save/execute changes on versions of Augeas < 0.3.6

Versions of Augeas prior to 0.3.6 didn’t report their version number, so a fallback of executing changes once in need_to_run? and again in execute_changes is performed. Otherwise a save is done in need_to_run? and this is re-used in execute_changes.

The /augeas/events/saved node is used to tell whether the latter optimisation happened, but the return value of #match wasn’t tested correctly (it’s an empty array).

Make Puppet::Type.ensurable? false when exists? is undefined

Author: Ilya Sher ilya.sher@coding-knight.com

(#11333) Make Puppet::Type.ensurable? false when exists? is undefined

Puppet::Type.ensurable? incorrectly returned true even when public_method_defined?(:exists?) was false because the check never actually happened. This makes sure all the necessary methods are checked and adds tests.

Consider package epoch version when comparing yum package versions

Author: Jude Nagurney jude@pwan.org

(#8062) Consider package epoch version when comparing yum package versions

By including the epoch version in the version returned as the “latest” available, we can now properly consider package updates where only the epoch version has changed.

Log when we start evaluating resources at the info level

Author: Patrick Carlisle patrick@puppetlabs.com

(#4865) Log when we start evaluating resources at the info level

Since we log the final time at info it makes sense to log the start at info as well.

Fix array support in schedule’s range parameters

Author: Sean Millichamp sean@bruenor.org

(#10321) Fix array support in schedule’s range parameter

Change the schedule type’s range parameter to properly evaluate all elements of a supplied array for validity instead of only checking the first member of the array. Add documentation to clarify that range does accept an array.

Fix the associated tests to use must instead of should (Puppet::Type#should shadows the rspec should).

Make resourcefile work with composite namevars

Author: Max Martin max@puppetlabs.com

(#10109) Make resourcefile work with composite namevars

The code for creating the resourcefile was directly calling resource.name_var, which was causing problems with resources that have composite namevars (since, for these, Type#name_var will return false). This patch sanitizes the process by first checking whether there is a single namevar, and simply calling resource.ref if there is not one.

Add README_DEVELOPER describing UTF-8 in Puppet

Author: Jeff McCune jeff@puppetlabs.com

(#11246) Add README_DEVELOPER describing UTF-8 in Puppet

Without this patch, developers of Puppet don’t have a clear place to get a high level understanding of the way other Puppet developers are working with UTF-8 and the differences in character encodings between Ruby 1.8 and 1.9.

This patch addresses this problem by adding a new document, README_DEVELOPER.md, where developers and contributors can look for high level information.

Better SSL error message certificate doesn’t match key

Author: Joshua Harlan Lifton lifton@puppetlabs.com

(#7110) Better SSL error message certificate doesn’t match key

Previously, any error with the certificate retrieved from the master matching the agent’s private key would give the same static error message, which wasn’t particularly helpful. This commit differentiates three different error cases: missing certificate, missing private key, and certificate doesn’t match private key. In the last case, the error message includes the fingerprint of the certificate in question and explicit command line instructions on how to fix the problem.

Add a defaults argument to create_resources

Author: Matthias Pigulla mp@webfactory.de

(#9768) Add a defaults argument to create_resources

Make it possible to supply defaults when calling create_resources using an optional hash argument.

Link should autorequire target

Author: Stefan Schulte stefan.schulte@taunusstein.net

(#5421) Link should autorequire target

When we manage a local link to a directory and the target directory is managed by puppet as well, establish an autorequire. So if we have something like

  file { '/foo': ensure => directory }
  file { '/link_to_foo': ensure => '/foo' }
  file { '/link_to_foo/bar': ensure => file }

we can ensure that puppet does not create dead links and does not try to create ‘/link_to_foo/bar’ before /foo is created.

Use SMF’s svcadm -s option to wait for errors

Author: Dominic Cleal dcleal@redhat.com

(#10807) Use SMF’s svcadm -s option to wait for errors

By default running svcadm enable example will start the service in the background and won’t return errors if it fails. Using the -s option will cause svcadm to wait and return errors back to the provider if the service cannot start for some reason.

Added missing RequestHeader entries to ext/rack/files/apache2.conf

Author: Eli Klein eklein@rallydev.com

Added missing RequestHeader entries to ext/rack/files/apache2.conf

Debug logging when we start evaluating resources.

Author: Daniel Pittman daniel@puppetlabs.com

(#4865) Debug logging when we start evaluating resources.

The evaltrace option allowed individual resource evaluation time to be tracked, which made it easier to post-hoc identify which resources took long periods of time to process.

It is also helpful, when doing live debugging, to know where the hang happens; to support that we now log a debug message about starting the evaluation of the resource before we go into the process.

Update storeconfigclean script to read puppet.conf

Author: Nan Liu nan@puppetlabs.com

(#8547) Update storeconfigclean script to read puppet.conf

The existing storeconfig script parses and reads puppet.conf specifically from the master section. This change allows the script to read the settings from puppet.conf in the order of master, then main, and then load the rails defaults. This should match the puppet application behaviour.
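The lookup order just described, as an added example (not the storeconfigclean script itself). It parses a constructed puppet.conf and resolves a setting from `[master]` first, then `[main]`, then a built-in default; the setting names are real 2.7 rails settings, the values are made up:

```ruby
# Added example, not Puppet's settings code.

# Parses "[section]\nkey = value" text into {section => {key => value}}.
# Keys outside any section header are treated as belonging to [main].
def parse_puppet_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
    elsif (m = line.match(/\A([\w-]+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# [master] wins over [main], which wins over the default.
def resolve_setting(conf, key, default = nil, order: %w[master main])
  order.each do |section|
    value = conf.fetch(section, {})[key]
    return value if value
  end
  default
end

# Constructed sample configuration.
SAMPLE_PUPPET_CONF = <<~CONF
  [main]
  dbadapter = sqlite3
  dblocation = /var/lib/puppet/state/clientconfigs.sqlite3

  [master]
  # the master overrides the [main] adapter
  dbadapter = mysql
  dbname = puppet
CONF

if __FILE__ == $PROGRAM_NAME
  conf = parse_puppet_conf(SAMPLE_PUPPET_CONF)
  %w[dbadapter dblocation dbname].each do |key|
    puts "#{key} = #{resolve_setting(conf, key)}"
  end
  puts "dbuser = #{resolve_setting(conf, 'dbuser', 'puppet')}"
end
```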

Add mysql2 gem support

Author: Stefan Schulte stefan.schulte@taunusstein.net

(#9997) Add mysql2 gem support

Besides the mysql gem there is a mysql2 gem that is a “modern, simple and very fast Mysql library for Ruby” [1]. It can either be installed as a separate gem (v0.2.x) for ActiveRecord < 3.1 or can be used as part of ActiveRecord 3.1

To use mysql2 the dbadapter setting must be set to “mysql2” and this patch adds support for this setting.

[1] https://github.com/brianmario/mysql2#readme

Mac Highlights

Fix OS X Ruby supplementary group handling

Author: Gary Larizza gary@puppetlabs.com

(#3419) Fix OS X Ruby supplementary group handling

Catch Errno::EINVAL as some operating systems (OS X in particular) can cause troubles when using Process#groups= to change the user/process list of supplementary groups membership.

Test coverage has been added to check for regressions.

Add a test for the expected failure

Fix group resource in OS X

Author: Gary Larizza gary@puppetlabs.com

(#4855) Fix group resource in OS X

The group provider on OS X uses “dseditgroup” to manage group membership. Due to Apple bug 8481241 (“dseditgroup can’t remove unknown users from groups”), however, if the puppet group provider needs to remove a non-existent user from a group it manages, it will fail.

To remedy this, in the meantime, the provider will call dscl to delete the non-existent member from the group. If that fails then the error is rescued and feedback is provided.

Build a Rake task for building Apple Packages

Author: Gary Larizza gary@puppetlabs.com

Build a Rake task for building Apple Packages

Use launchctl load -w in launchd provider

Author: Gary Larizza gary@puppetlabs.com

(#2773) Use launchctl load -w in launchd provider

There was an issue where a service on OS X would be enabled but also stopped and the launchd service provider couldn’t start it. In this case, the launchd service provider needed to execute launchctl load -w <job_path> to successfully start the service, but it wasn’t programmed to do so.

To remedy this, the launchd service provider’s start method now checks if the job is disabled OR if the job is currently stopped.

A spec test was added to catch for this unique situation.

Add password get/set behavior for 10.7

Author: Gary Larizza gary@puppetlabs.com

(#11293) Add password get/set behavior for 10.7

Puppet did not have the ability to get/set passwords in OS X version 10.7. This commit implements this behavior. Users in 10.7 have a binary plist file in /var/db/dslocal/nodes/Default/users that contains a ‘ShadowHashData’ key. The value for this key is actually a binary encrypted plist which contains a ‘SALTED-SHA512’ key containing a base64 encoded string. This string is actually the salted-SHA512 password hash with a 4 byte salt prepending the hash. Puppet expects this 4 byte salt + salted-SHA512 password hash in order to set the user’s password. Since this value is drastically different from previous versions of OS X, Puppet will fail if you try and pass a SHA1 password hash that was used in previous versions of OS X.

Spec tests were added to ensure that Puppet fails with an incorrect password, and that the get/set behavior works properly with OS X version 10.7.
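The SALTED-SHA512 layout described above (4-byte salt followed by the SHA-512 digest, carried base64 encoded in the plist) is easy to get wrong when validating a value before setting it. The following is an added example, not Puppet's own provider code: it builds, encodes and verifies a value in that layout, and shows the shape check that makes a legacy 20-byte SHA-1 hash fail. It assumes the digest input is salt followed by password; the function names are this example's own.

```ruby
require 'digest'
require 'securerandom'

SALT_LEN   = 4    # 4-byte salt prepended to the digest
DIGEST_LEN = 64   # SHA-512 output length in bytes

# Build the 68-byte value stored under SALTED-SHA512: salt || SHA-512(salt || password).
# The salt-first digest input is an assumption of this example.
def build_salted_sha512(password, salt = SecureRandom.random_bytes(SALT_LEN))
  raise ArgumentError, "salt must be #{SALT_LEN} bytes" unless salt.bytesize == SALT_LEN
  salt.b + Digest::SHA512.digest(salt.b + password.b)
end

# The plist carries the value base64 encoded; pack/unpack 'm0' is strict base64
# (no line breaks, and decoding raises ArgumentError on malformed input).
def encode_shadow_hash(blob)
  [blob].pack('m0')
end

def decode_shadow_hash(b64)
  b64.unpack1('m0')
end

# Shape check before accepting a value to set: only salt + SHA-512 digest is valid,
# so a 20-byte SHA-1 hash from older OS X releases is rejected here.
def valid_shadow_hash?(blob)
  blob.bytesize == SALT_LEN + DIGEST_LEN
end

def split_shadow_hash(blob)
  unless valid_shadow_hash?(blob)
    raise ArgumentError, "expected #{SALT_LEN + DIGEST_LEN} bytes, got #{blob.bytesize}"
  end
  [blob.byteslice(0, SALT_LEN), blob.byteslice(SALT_LEN, DIGEST_LEN)]
end

# Constant-time comparison so verification does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a candidate password against a stored blob.
def password_matches?(blob, candidate)
  salt, digest = split_shadow_hash(blob)
  secure_compare(Digest::SHA512.digest(salt + candidate.b), digest)
end

if __FILE__ == $PROGRAM_NAME
  blob = build_salted_sha512('correct horse')
  puts "SALTED-SHA512 (base64): #{encode_shadow_hash(blob)}"
  puts "matches: #{password_matches?(blob, 'correct horse')}"
end
```

The length check is the useful part: a value of the wrong size is refused before anything is written, which is the failure the commit's spec tests exercise.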

Windows Highlights

Always serve files in binary mode

Author: Josh Cooper josh@puppetlabs.com

(#11929) Always serve files in binary mode

Previously, Windows agents were reading files in text mode when serving them locally, such as when serving files from a local module, corrupting binary files in the process.

This commit reads files in binary mode, which is a noop on Unix.

Use %~dp0 to resolve bat file’s install directory

Author: Josh Cooper josh@puppetlabs.com

(#11714) Use %~dp0 to resolve bat file’s install directory

This commit uses the %~dp0 batch script modifier to resolve the drive and path of the directory containing the envpuppet.bat file. This eliminates the need for hard coded paths within the script itself. It also uses %VAR:\=/% to substitute each backslash for a forward slash in the RUBYLIB environment

Also added a section about running the spec tests on Windows.

Add envpuppet batch file to run Puppet from source on Windows

Author: Jeff McCune jeff@puppetlabs.com

(#11714) Add envpuppet batch file to run Puppet from source on Windows

Running Puppet on Windows from source is non-trivial since the environment variables behave quite differently. In addition, it’s not clear Windows paths expect / rather than \ path separators.

This patch provides an envpuppet batch file to run Puppet from source on Windows platforms.

Don’t hard code ruby install paths in Windows batch files

Author: Josh Cooper josh@puppetlabs.com

(#11847) Don’t hard code ruby install paths in Windows batch files

Previously, the {filebucket,pi,puppet,puppetdoc,ralsh}.bat files hard coded the path to the ruby installation, making it impossible to move the ruby install directory.

This commit changes the script to use the %~dp0 batch file modifier, which resolves to the drive letter and path of the directory of the batch file being executed.

Windows XP and later all support the %* modifier, so this commit removes the Win 9x code paths that are not supported.

Set password before creating user on Windows

Author: Paul Tinsley paul.tinsley@gmail.com

(#11717) Set password before creating user on Windows

Previously, puppet could not create a user with no password when a local password complexity policy was set. This commit sets the password on the user prior to creating it, and updates the spec tests accordingly.

Fix fact and plugin sync on Windows

Author: Josh Cooper josh@puppetlabs.com

(#11408) Fix fact and plugin sync on Windows

Previously, fact and pluginsync were broken on Windows, because it was defaulting the owner and group to Process.uid/gid, and then failing to translate them into Windows SIDs.

This commit changes the default file owner to the current user name, and the default file group to Nobody, which is the group that Windows typically applies to newly created files.

Don’t copy owner and group when sourcing files from master

Author: Josh Cooper josh@puppetlabs.com

(#10586) Don’t copy owner and group when sourcing files from master

Previously, puppet on Windows was not able to source files from the master, because it was attempting to translate the uid/gid from the Unix master into a Windows account, and obviously failing.

This commit skips the owner and group properties when copying them from non-local sources, i.e. sources whose URIs have a ‘puppet’ scheme.

If the source comes from a local source, then puppet behaves the same as it did previously, it copies the owner and group if the source volume supports Windows ACLs, e.g. C:/, samba mapped drives, or uses default values if the volume does not, e.g. VMware shared drives.

FreeBSD Highlights

Add support for user expiry in pw user provider

Author: Tim Bishop tim@bishnet.net

(#11046) Add support for user expiry in pw user provider

Add support for setting an expiry date for a user in the pw user provider. FreeBSD uses the format DD-MM-YYYY rather than Puppet’s YYYY-MM-DD. Tests added to confirm the value is correctly swapped around.

Also added custom accessor method to take the unix timestamp given by the operating system to a Puppet-style YYYY-MM-DD. This stops Puppet from repeatedly trying to set the expiry date if it’s already correct.

Improve pw group provider on FreeBSD

Author: Tim Bishop tim@bishnet.net

(#11046) Improve pw group provider on FreeBSD

Make the pw group provider on FreeBSD support managing group members. Also re-add the allowdupe feature since in testing on FreeBSD 7, 8 and 9 the -o flag to pw works as documented.

Add tests for the provider.

Make sure managehome is respected on FreeBSD

Author: Tim Bishop tim@bishnet.net

(#10962) Make sure managehome is respected on FreeBSD

When modifying the home directory of a user and managehome is set the -m flag should be used with pw. This ensures that the new home directory is created if it doesn’t exist.

Also add test to verify this behaviour.

Add password management on FreeBSD

Author: Tim Bishop tim@bishnet.net

(#11318) Add password management on FreeBSD

This adds the manages_passwords feature to the pw user provider. It is based on the patch by Andrew Hust that was integrated into FreeBSD puppet port. It adds tests covering the create, delete and modify processes of the provider.

This integrates a fix for #7500 that was introduced by the original patch. The existing code takes the first character of each property and uses it as a flag. However, with pw, the -p flag is for setting the password expiration. The result is that the password isn’t set at create time and that the password is set to expire. The next run of puppet correctly sets the password but the expiry is still set. The new code avoids using -p for passwords, and also sets the password correctly when an account is created.

2.7.9

This is a bug fix release for regression (#11306) in 2.7.8 on Ruby 1.8.5.

The 1.8.5-incompatible code wasn’t caught because of a long-standing bug in our tests that went unnoticed because of a bug in our CI setup. The former issue caused specs to fail before they even started running on 1.8.5, and the latter caused the run to still be reported as successful. We’ve fixed the former bug, but haven’t yet figured out a way to fix the latter (as it seems to be a bug in Ruby 1.8.5 + rspec). We will, however, be taking steps to ensure that such problems with our CI setup are more visible and caught sooner.

(#11306)

Fix Ruby 1.8.5-incompatible code in Transaction#eval_generate

This was previously creating a Hash from an array of pairs. Unfortunately, Ruby 1.8.5 only supports an argument list of pairs rather than an array, so this code didn't work with that version.

2.7.8

This is a feature and bug fix release in the 2.7.x branch.

Known Issues

This release introduced a regression that causes errors under Ruby 1.8.5, which was not noticed until after release. See issue #11306 for more details as we investigate, and delay upgrading to this version if you depend on Ruby 1.8.5 in your node population.

New Features

Display file diffs through the Puppet log system.

(#2744)

When Puppet generated a diff after changing a file on disk, it previously printed it directly to stdout; although a user could view it, it was lost to the rest of the system, and did not appear in monitoring, logs, or reports.

We now send file diffs through our regular logging system, so that they can be viewed in reports and logs. Note that this may have security implications if reports are being sent to an untrusted destination, as Puppet now exposes partial file contents in reports.

Allow optional trailing comma in argument lists.

(#6335)

You can now put an optional comma at the end of argument lists for parameterized class definitions and defined types. This makes parameter lists more closely resemble resource attributes.

Bug Fixes

Provide default subjectAltNames when bootstrapping master

(#10739)

When bootstrapping a new puppet master without explicitly setting its valid alternate DNS names, we’ve always added some default Subject Alternative Names to its certificate so agents could reach it at puppet and puppet.<domain>. This got broken in the process of fixing #2848 (the CVE-2011-3872 AltNames vulnerability), which caused new puppet masters to get certificates with no valid Subject Alternative Names. (That is, the master could only be reached at its FQDN, not at puppet.)

This fix brings back the default AltNames behavior for initial puppet master certificates, while staying true to the policy changes we made for #2848 and making sure the default names never end up in agent certs. As ever, the default DNS names are only used if the dns_alt_names setting isn’t explicitly set.

Don’t automatically enable show_diff in noop mode

(#2744)

As of 845825a, file diffs are now logged, rather than printed to console. Because log messages may be stored and are more broadly readable, we no longer implicitly set show_diff in noop mode.

Allow providers to be used in the run they become suitable

(#6907)

At long last! You can now deliver a provider with pluginsync, use a Puppet resource to install executables or files the provider depends on, and use that provider in resources during the same run.

This works for both explicitly selected providers and providers that would be the default for their type.

Output four-digit file modes in logging and reporting

(#7274)

When reporting a change to a file’s mode, Puppet now outputs the four-digit file mode instead of omitting the leading 0, i.e. 0755 instead of 755. This reduces the likelihood of setting the wrong mode on a file through a copy/paste accident.

Fix “parenthesize method arguments” warnings under Ruby 1.8.6

(#10161)

In the process of Windows development, we introduced some warnings under Ruby 1.8.6:

warning: parenthsize arguments(s) for future versions

These have been fixed, along with several testing/spec improvements around order dependent tests, and testing on Windows.

Restore Mongrel XMLRPC functionality

(#10244)

Some code was over-eagerly removed, which turned out to still be necessary for backward compatibility with XMLRPC clients. It has been re-instated in this release.

Fix missing facts under Mongrel

(#9109)

When using Puppet with Mongrel, facts were being lost from agent nodes running 2.7.0 or higher. This was caused by Mongrel puppet masters only retrieving request parameters from the query parameters of the URL, which mixed badly with clients that submit their facts in a POST request. This has been fixed, and Mongrel puppet masters can merge the POST request body with the query parameters.

Speed up recursive file management in 2.7

(#9671)

Recursively managing file ownership and permissions is now at least ten times faster. This speed improvement can also be seen in some other scenarios.

Windows: Handle files on non-ACL volumes more gracefully

(#10614)

  • We now check whether a Windows volume supports ACLs before just trying to get or set them. This eliminates a nasty error that would arise when managing owner, group, and/or mode on a file whose volume didn’t support ACLs.
  • We also insert default ACL values when sourcing file content from a volume that doesn’t support Windows ACLs (e.g. a VMware shared drive) to a volume that does; this allows content to be sourced without requiring the owner, group, and mode to be specified in the manifest. A file’s owner now defaults to Administrators, its group defaults to Nobody, and its mode defaults to 0644.
  • Setting and clearing of the read-only attribute is improved.
  • Potential segfaults when attempting to manage ACLs on non-ACL volumes have been fixed by improving our handling of return values from the Windows APIs.

These fixes do not affect the POSIX file provider.

Ruby 1.8.1: Don’t rely on Kernel#Pathname

(#10727)

We’ve removed an unnecessary incompatibility with pre-1.8.5 Rubies in Puppet::Type::File, which was caused by using Kernel#Pathname.

Allow authenticated clients to access anything clients without certificates can access

(#9508)

Previously, the default auth.conf allowed anonymous clients more access to the certificate endpoint than authenticated clients. We now allow authenticated clients to access any endpoint that we trust anonymous clients to use. This improves support for distributed certificate management workflows.

Serve file content in binary mode

(#9983)

Previously, Puppet::FileServing::Content opened files in text mode. This has been changed to use binary mode.

2.7.7

2.7.7 was killed in the Thunderdome by 2.7.8. It was never released.

2.7.6

This is a security, feature, and bug fix release in the 2.7.x branch.

Security Fixes

CVE-2011-3872 (AltNames vulnerability)

(Full vulnerability and mitigation details)

This is a major security vulnerability which must be manually remediated; upgrading Puppet will not fully protect a site from this vulnerability.

A bug in all previous versions causes Puppet to insert the puppet master’s DNS alt names (“certdnsnames” in puppet.conf) into the X.509 Subject Alternative Name field of all certificates, rather than just the puppet master’s certificate.

Since the puppet agent daemon can use the Subject Alternative Name field to identify its puppet master, your site may contain agent certificates that can be used in a Man in the Middle (MITM) attack to impersonate the puppet master.

This release fixes the underlying bug that caused dangerous certificates to be issued, but any existing certificates with improper DNS alternate names will remain dangerous until your agent nodes have been reconfigured.

Any site where the puppet master’s certdnsnames setting has been enabled is vulnerable to attack. See the CVE-2011-3872 details page for more information, including:

  • How to determine whether you are affected
  • How to fully remediate the vulnerability
  • How to download and use the automated remediation toolkit released by Puppet Labs
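The first remediation step above, determining whether you are affected, comes down to inspecting each signed agent certificate for a Subject Alternative Name that belongs to the master. The following is an added example written for this page, not the Puppet Labs remediation toolkit: it reads the subjectAltName extension with Ruby's OpenSSL bindings and reports any of the master's names found in a certificate whose CN is not the master's. The helper that builds self-signed test certificates exists only so the example runs offline; the directory layout assumed by scan_signed_certs (a directory of .pem files) is an assumption, as are all function names.

```ruby
require 'openssl'

# DNS names from the certificate's subjectAltName extension (empty if none).
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '').downcase }
end

def common_name(cert)
  entry = cert.subject.to_a.find { |e| e[0] == 'CN' }
  entry && entry[1]
end

# Master names present in this certificate's SAN. A certificate whose CN is one of
# the master's own names is the master's certificate and is expected to carry them.
def suspicious_alt_names(cert, master_names)
  master = master_names.map(&:downcase)
  return [] if master.include?(common_name(cert).to_s.downcase)
  san_dns_names(cert) & master
end

# Walk a directory of signed certificates (assumed: one PEM file per node) and
# return { filename => [offending names] } for every certificate that needs reissuing.
def scan_signed_certs(dir, master_names)
  Dir.glob(File.join(dir, '*.pem')).each_with_object({}) do |path, report|
    cert  = OpenSSL::X509::Certificate.new(File.read(path))
    names = suspicious_alt_names(cert, master_names)
    report[File.basename(path)] = names unless names.empty?
  end
end

# Constructed test data: a self-signed certificate with the given SAN DNS names.
def build_test_cert(cn, alt_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  master = ['puppet', 'puppet.example.com']
  agent  = build_test_cert('node1.example.com', master)
  puts "node1 carries master names: #{suspicious_alt_names(agent, master).inspect}"
end
```

Any certificate the scan reports is one that an attacker holding its private key could present as the master; fixing the bug on the master does not change that, which is why those certificates have to be revoked and reissued as the details page describes.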

Features and Enhancements

Enhancement: User/group management on Windows

(#9328) Retrieve user and group SIDs on windows.

Puppet can now manage user and group resources on Windows, and will use Windows security identifiers (SIDs) for the uid and gid properties. (The uid and gid properties are read-only for the time being.)

Enhancement: Better file support on Windows

The file type and providers have been significantly refactored to properly manage the owners, groups, and permissions of files on Windows.

Some subtleties to be aware of:

  • In general, this implementation only supports “typical” permissions, where group permissions are a subset of user, and other permissions are a subset of group, e.g. 754, but not 467.
  • The owner can be either a user or group SID, and most system files are owned by the Administrators group.
  • The group can be either a user or group SID.
  • Unexpected results can occur if the owner and group are the same, but the user and group classes are different, e.g. 750. In this case, it is not possible to allow write access to the owner, but not the group. As a result, the actual permissions set on the file would be 770.
  • In general, only privileged users can set the owner, group, or change the mode for files they do not own. In 2003, the user must be a member of the Administrators group. In Vista/2008, the user must be running with elevated privileges.
  • A file/dir can be deleted by anyone with the DELETE access right OR by anyone that has the FILE_DELETE_CHILD access right for the parent. See http://support.microsoft.com/kb/238018. But on Unix, the user must have write access to the file/dir AND execute access to all of the parent path components.
  • Many access control entries are inherited from parent directories, and it is common for file/dirs to have more than 3 entries, e.g. Users, Power Users, Administrators, SYSTEM, etc, which cannot be mapped into the 3 class POSIX model. The get_mode method will set the S_IEXTRA bit flag indicating that an access control entry was found whose SID is neither the owner, group, or other. This enables Puppet to detect when file/dirs are out-of-sync, especially those that Puppet did not create, but is attempting to manage.
  • On Unix, the owner and group can be modified without changing the mode. But on Windows, an access control entry specifies which SID it applies to. As a result, the set_owner and set_group methods automatically rebuild the access control list based on the new (and different) owner or group.
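The subtleties above (the "typical" subset rule, the 750-becomes-770 case when owner and group share a SID, and the S_IEXTRA flag for foreign access control entries) can be modelled in a few lines. The following is an added example, not Puppet's Windows security code: it works on a simplified SID => rwx map rather than real Windows ACLs, and the S_IEXTRA value and all function names are this example's own assumptions.

```ruby
EVERYONE_SID = 'S-1-1-0'   # well-known "Everyone" SID, mapped to the POSIX "other" class
S_IEXTRA     = 0o10000     # assumed flag value for this example; not Puppet's own constant

# Split a POSIX mode into its user, group and other rwx triads.
def mode_classes(mode)
  [(mode >> 6) & 7, (mode >> 3) & 7, mode & 7]
end

# "Typical" permissions: other is a subset of group and group a subset of user
# (754 qualifies, 467 does not).
def typical_mode?(mode)
  u, g, o = mode_classes(mode)
  (g & ~u).zero? && (o & ~g).zero?
end

# Build the SID => rwx map a set_mode would write. When owner and group are the same
# SID there is only one entry to hold both classes, so they merge (750 becomes 770).
def aces_from_mode(mode, owner_sid, group_sid)
  u, g, o = mode_classes(mode)
  aces = Hash.new(0)
  aces[owner_sid]    |= u
  aces[group_sid]    |= g
  aces[EVERYONE_SID] |= o
  aces
end

# Reduce a SID => rwx map back to a mode, setting S_IEXTRA when an entry belongs to a
# SID that is neither owner, group nor Everyone (inherited Users/SYSTEM entries etc.),
# so a file with extra entries shows up as out of sync.
def mode_from_aces(aces, owner_sid, group_sid)
  known = [owner_sid, group_sid, EVERYONE_SID]
  mode  = 0
  aces.each do |sid, bits|
    mode |= bits << 6 if sid == owner_sid
    mode |= bits << 3 if sid == group_sid
    mode |= bits      if sid == EVERYONE_SID
    mode |= S_IEXTRA  unless known.include?(sid)
  end
  mode
end

def extra_aces?(mode)
  (mode & S_IEXTRA) != 0
end

if __FILE__ == $PROGRAM_NAME
  admins = 'S-1-5-32-544'
  aces   = aces_from_mode(0o750, admins, admins)
  puts format('750 with owner == group reads back as %04o', mode_from_aces(aces, admins, admins) & 0o777)
end
```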

Enhancement: Support plaintext password in Windows

(#9326) Support plaintext passwords in Windows ‘user’ provider.

The Windows ‘user’ provider now includes password support, although passwords must be passed as plaintext instead of as hashes.

Enhancement: Return reports on ral save

(#9838) Return the transaction report when doing a ral save

When using puppet resource from the command line, using puppet resource to do a save will log error messages to the console when saving using the ral indirection. However, this doesn’t help when using that indirection in Ruby like you might from MCollective’s puppetral agent.

So we now return the transaction report you get from applying the catalog.

The only place we could find this indirection being used was in the puppet resource application, although it’s possible that code external to puppet uses this indirection and will need to change what it expects for the return value of save.

Bug Fixes

Fix: Recognize more duplicate resources

(#8596) Title and name must be unique within a given resource

Puppet 2.6 introduced a bug where titles were no longer being compared to names when identifying duplicate resources. For example:

file { '/tmp/foo':
  ensure => file,
}

file { 'same_file':
  path   => '/tmp/foo',
  ensure => absent,
}

This would work, but wasn’t supposed to. It will now register as a duplicate, as intended.

Fix: Allow multi-line exec resources

(#9996) Restore functionality for multi-line commands in exec resources

Fix: Eliminate warning on groupadd

(#9027) Get rid of spurious info messages in groupadd

Usage of the groupadd provider was leading to spurious log messages of this form:

info: /Group[developer]: Provider groupadd does not support features
manages_aix_lam; not managing attribute ia_load_module

These messages have been eliminated. See also issue #7137, covering similar issues with the useradd provider.

Fix: Remove unnecessary deprecation warning in puppet resource

(#9837) Call puppet apply to avoid deprecation warning

puppet resource --edit was causing unnecessary deprecation warnings similar to the following:

warning: Implicit invocation of 'puppet apply' by passing files (or flags) directly
to 'puppet' is deprecated, and will be removed in the 2.8 series.  Please
invoke 'puppet apply' directly in the future.

These have been resolved.

Fix: Resolve issues with Windows URIs

Previously, specifying a Windows file URI of the form ‘file:///C:/foo’ as a file source failed to strip the leading slash when attempting to source the file. (Also, there was ambiguity after values were munged, since a value of the form ‘C:/foo’ could either be a Windows file path or a URI whose scheme is ‘C’.)

This behavior has been fixed, and Windows file URIs can be used safely.

Fix: Expose all functions in templates

(#4549) Fix templates to be able to call all functions

Only a small subset of Puppet functions were available on the scope in templates. This had people doing workarounds like:

inline_template("<%= Puppet::Parser::Functions.autoloader.loadall; scope.function_extlookup(['hello world']) %>")

These workarounds are no longer necessary, and templates can load any available Puppet function.

Fix: Update pluginsync to only load ruby files.

(#4135) Update pluginsync to only load ruby files.

Previously, puppet agent would attempt to load any file distributed via pluginsync as though it were Ruby code. This was causing errors by loading, for example, README files.

Pluginsync will still distribute any type of file, but puppet agent will no longer attempt to load non-Ruby files.

Fix: Fix logging on Windows

(#9435) Gracefully handle when syslog feature is unavailable

Previously, Puppet would try to create a syslog log destination when run without a log destination, which would fail on Windows because the Syslog module was not available. Behavior when syslog isn’t available has been fixed.

Fix: Disable daemonizing on Windows

(#9329) Disable agent daemonizing on Windows

For this release, we will not be providing the code to run puppet agent as a service, though we have verified that puppet will run as a service using a third-party service wrapper, nssm.

Until support for running the agent as a service is complete, we have changed the default daemonize setting on Windows. Puppet will also report an error if daemonize is set to true on Windows.

2.7.5

Puppet 2.7.5 is a security and regression fix release in the 2.7.x branch.

Security Fixes

Three security vulnerabilities

This release resolves the following security vulnerabilities:

Follow the links above for details on each vulnerability.

Bug Fixes

Fix: storeconfigs regression from 2.7.4

(#9832) General StoreConfigs regression.

Some StoreConfigs exported and imported resources were not being found under PostgreSQL. This fix resolves the regression.

2.7.4

Puppet 2.7.4 is a security and feature release in the 2.7.x branch. Due to the security patches included, it is recommended anybody using the 2.7.x series update to 2.7.4.

In addition to the security patch, this release adds functional Windows providers for several types, and makes changes to the storeconfigs indirection.

Security Fixes

CVE-2011-3848 (directory traversal attacks through indirections)

(Full vulnerability details)

In various versions of Puppet it was possible to cause a directory traversal attack through the SSLFile indirection base class. This was variously triggered through the user-supplied key, or the Subject of the certificate, in the code.

Now, we detect bad patterns down in the base class for our indirections, and fail hard on them. This reduces the attack surface with as little disruption to the overall codebase as possible, making it suitable to deploy as part of older, stable versions of Puppet.

In the long term we will also address this higher up the stack, to prevent these problems from reoccurring, but for now this will suffice.

Huge thanks to Kristian Erik Hermansen kristian.hermansen@gmail.com for the responsible disclosure, and useful analysis, around this defect.

Fixes and Enhancements

Allow cron vars to have leading whitespace

Fix #9440

Patch applied from Jeremy Thornhill. This allows whitespace to appear before cron variables. Previously, whitespace before cron variables would trigger a parse failure, and the crontab, except for the puppet managed portion, would get removed. This addresses that issue. It also includes a test for this issue, added into the tests directory, which seems to be where the crontab tests live.

Write out a list of resources that are managed by puppet agent

Feature #8667

Similar to how the Puppet classes are written out each catalog apply, the list of resources is now being written out to a text file that can be easily used by tools like MCollective. This allows tools that do ad-hoc management of resources to know if they’re changing a resource that puppet manages, and adjust behavior accordingly.

Fix value validation on options

Fix #7114

Support single options that legally include a comma like “from=host1,host2”. We now basically allow either “word” or “key=value” as options. That’s also what the parsedfile provider currently supports when parsing options.

GigabitEthernet/TenGigabitEthernet are incorrectly parsed

Fix #7984

The interface name abbreviation to canonical name doesn’t return the correct name for GigabitEthernet and doesn’t support TenGigabitEthernet interfaces.

Allow macauthorization provider to work on OS X Lion 10.7

Fix #9143

We’ve flipped around the confine check so we explicitly exclude the versions of OS X where this provider won’t work, rather than working from a whitelist.

Move complex collect expression error into terminus.

Fix #9051

When the StoreConfig system was extracted from core to a set of termini, most of the rules about permitted syntax were pushed down into the same place, to allow them to also be replaced.

One set of restrictions were missed, the limitation that complex search criteria (like and, or, or parenthetical expressions) were not permitted, and remained in our parser.

Now, they live in the terminus, and we enforce them only there. This ensures that StoreConfigs can be replaced with a back-end that supports complex collection criteria without other changes to the Puppet core.

Don’t rely on error message to detect UAC capable platform

Fix #8662

The call to Win32::Security.elevated_privileges? can raise an exception when running on a pre-Vista computer or if the process fails to open its process token.

Previously, we were looking at the exception message to determine which case it was. However, Windows 2003 and 2003 R2 return different error codes (and therefore messages) for the pre-Vista case. In 2003, it returns error code 1 (Incorrect function), but in 2003 R2 it returns 87 (The parameter is incorrect). Since SUIDManager was only looking for Incorrect function, SUIDManager.root? would always return false on 2003 R2.

Ideally, we could just check if the GetTokenInformation Win32 API was available, and only call it on platforms where it makes sense. But this API is available on all recent versions of Windows. What’s new in Vista and up is the TokenElevation value of the TOKEN_INFORMATION_CLASS enumeration.

This commit changes the suidmanager to only call GetTokenInformation when the major kernel version, as reported by facter, is 6.0 or greater, which corresponds to Vista/2008. See:

http://msdn.microsoft.com/en-us/library/ms724833(v=vs.85).aspx

Add MSI package provider for use with Windows

Feature #8412

This provider takes some of its inspiration from the appdmg provider used with OS X. It will maintain a list of packages that have been installed and removed from the system via the provider in a directory under Puppet’s vardir called db/package/msi. These state files will be named the same as the resource name with ‘.yml’ appended. The state files will be a hash containing the resource name, the install options used, and the source location of the MSI.

Any properties that a user wishes to provide to the MSI can be specified as key/value pairs in the install_options parameter. For example:

package { 'mysql':
  provider => msi,
  source => 'E:\mysql.msi',
  ensure => installed,
  install_options => { 'INSTALLDIR' => 'C:\mysql' },
}

The MSI properties specified by install_options will be appropriately quoted when invoking msiexec.exe to install the MSI.

Because the source parameter is integral to the functionality of being able to install and uninstall MSI packages, we also override validate_source to make sure that the source parameter is always set, and is not an empty string when using this provider.

Add a Windows exec provider

Feature #8140

This provider inherits from the Puppet::Provider::Exec class, and is very similar to the posix provider in its behavior. This provider doesn’t have the ability to run as a particular user or group and will fail if that is attempted, but does support setting all other parameters, as well as autorequires.

Rather than the shell provider inheriting from the posix provider, they both now inherit from a common Puppet::Provider::Exec class. This new base class and inheritance structure will allow the forthcoming windows provider to also inherit from that class, rather than from the unsuitable posix provider.

Also, now that Puppet::Util.execute supports commands as strings in addition to arrays, the command to execute is passed to Puppet::Util::SUIDManager.run_and_capture as a string, rather than a string wrapped in an array. This ensures we will never improperly quote a command with arguments provided as a single string.

Default config dir to %PROGRAMDATA% on Windows

Fix #8660

The puppet install.rb script now defaults the config directory to %PROGRAMDATA%\PuppetLabs\puppet\etc on Windows. This is more in line with Windows best-practices, as this directory is used to store application data across all users. The PROGRAMDATA environment variable also takes into account alternate system drives, by using the SYSTEMDRIVE environment variable.

Note that the Dir::COMMON_APPDATA constant is so named because it corresponds to the CSIDL_COMMON_APPDATA constant, which on 2000, XP, and 2003 is %ALLUSERSPROFILE%\Application Data, and on Vista, Win7 and 2008 is %SYSTEMDRIVE%\ProgramData.

This commit also updates puppet’s default run_mode var and conf directories when running as “root” to match the install script, and fixes the spec test, which was looking in the Dir::WINDOWS directory.

2.7.3

2.7.3 is a maintenance and enhancement release in the 2.7.x branch.

Add Node Clean action

Fix #1886 – Add node cleanup capability

This adds a new “clean” action to the puppet node face, which removes all traces of a node on the puppetmaster (including certs, cached facts and nodes, reports, and storedconfig entries).

Furthermore, it is capable of unexporting exported resources of a host so that consumers of these resources can remove the exported resources and we will safely remove the node from our infrastructure.

Usage:

puppet node clean [--unexport] <host> [<host2> ...]

To achieve this we add different destroy methods to the different parts of the indirector. So for example for yaml indirections we already offer read access for the yaml, this changeset adds the destroy handler which only removes the yaml file for a request. This can be used to remove cached entries.

Deprecate RestAuthConfig#allowed? in favor of #check_authorization

#allowed? was a poorly named method since it isn’t actually a predicate method. Instead of returning a boolean, this method throws an exception when the access is denied (in order to keep the full context of what ACE triggered the deny).

Given that #allowed? was overriding the behavior from AuthConfig, we leave a version of #allowed? in place that will issue a deprecation warning before delegating to #check_authorization. Once support for XML-RPC agents is removed from the master, we will be able to remove this delegation, since there should no longer be a reason for a distinction between AuthConfig and RestAuthConfig.

#6026 – security file should support inline comments

Auth.conf, namespaceauth.conf and fileserver.conf were not supporting trailing inlined comments. Also this commit fixes some indentation and error management.

Suggest where to start troubleshooting SSL error message

Much like the infamous “hostname was not match” error message, there is another SSL error that people run into that is not clear how to troubleshoot.

err: Could not send report: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed.

As far as I can tell this only ever happens when the clock is off on the master or client. People seem to think it will happen other times, but I have not been able to reproduce it other ways – missing private key, revoked cert, offline CA all have their own errors. I googled around and the only thing I’ve seen for this error in relation to puppet is the time sync problem.

So the error message text just has some additional info to suggest you check your clocks.

#8596 Detect resource alias conflicts when titles do not match

The introduction of composite namevars caused the resource title used in resource aliases to be set as an array, even when the resource only had one namevar. This would fail to conflict with non-alias entries in the resource table, which used a string for the title, even though the single element array contained the same string.

Now, we flatten the key used in the resource table, so that single element arrays are represented as strings, and will properly conflict with resource titles.

maint: Adding logging to include environment when source fails

maint: Add debug logging when the master receives a report

It’s always bothered me that when running puppet inspect (or any application that produces a report really) the master gives no indication that anything happened when it processes the report.

#6789 Port SSL::CertificateAuthority::Interface to a Face

The Puppet::SSL::CertificateAuthority::Interface class was an early prototype heading toward building out a system like Faces. Now that we have done that, this changeset ports the early code to a new face.

#8401 Document that --detailed-exitcodes is a bitmask

The agent/apply/device man pages mentioned the 2 and 4 exit codes, but didn’t mention that they can combine to make 6 if there are both changes and failures. This commit adds the missing information to all three man pages.

#4142 Fix module check not to fail when empty metadata.json

Even though the puppet module tool was fixed to generate the required metadata attributes when it packages modules, it still creates an empty metadata.json file that gets checked into everybody’s module repos. This causes the module to be unusable straight from a git clone since puppet was requiring all the required metadata attributes just with the presence of that file, and resulting in the error:

No source module metadata provided for mcollective at

This change makes it so that if you have an empty metadata.json (like the moduletool generates), puppet doesn’t consider it to have metadata. If you have ANY metadata attributes in that file, it will still check to make sure all the required attributes are present.

The work around up to this point has just been to delete the metadata.json file in git cloned modules.

This also fixed the tests around this to actually run, since previously the tests depended on a json feature, which we didn’t have. We do, however, have a pson feature.

#8147 Change default reporturl to match newer Dashboard versions

Puppet’s default reporturl setting was http://localhost:3000/reports, which has been deprecated in Puppet Dashboard in favor of http://localhost:3000/reports/upload. As Dashboard is the first-class destination for the http report processor, this commit changes Puppet’s default to match what current versions of Dashboard expect.

#6857 Password disclosure when changing a user’s password

Make the should_to_s and is_to_s functions to return a form of ‘redacted’.

Rather than send the password hash to system logs in cases of failure or running in --noop mode, just state whether it’s the new or old hash. We’re already doing this with password changes that work, so this just brings it inline with those, albeit via a slightly different pair of methods.

Additional Notes

  • Several odd behaviors seen in 2.7.2rc2 should now meet expectations.
  • 8ec0804 #8301 Red Hat spec file for 2.7.2rc1 won’t work
  • 2263be6 #5108 Update service type docs for new hasstatus default

This merges up all changes in the 2.6.9 release that were unable to be merged into 2.7.{0,1} due to 2.7 being frozen in release candidate state.

Highlights include:

  • 99330fa (#7224) Reword ‘hostname was not match’ error message
  • 1d867b0 (#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names
  • db1a392 (#7506) Organize READMEs; specify supported Ruby versions in README.md
  • 98ba407 (#7127) Stop puppet if a prerun command fails
  • caca469 (#4416) Ensure types are providified after reloading
  • 413b136 (#4416) Always remove old provider before recreating it
  • 98f58ce (#2128) Add WARNING for node_name_{fact,value} descriptions
  • 3f0dbb5 (#650) Allow symlinks for configuration directories
  • 1c70f0c (#2128) Add support for setting node name based on a fact
  • c629958 (#2128) Get facts before retrieving catalog
  • 8eb0e16 (#2728) Add diff output for changes made by Augeas provider
  • c02126d (#5966) Add support for hostname regular expressions in auth.conf
  • 75e2764 (#5318) Always notice changes to manifests when compiling.
  • 0bcbca5 maint: Dedup the loadpath so we don’t have to walk it multiple times
  • 89d447b (#6962) Add “arguments” method to help API
  • 8eea3f5 Added the vcsrepo type and providers to the core
  • 107b38a maint: Fix pacman provider to work with Ruby 1.9
  • 0b8ebac (#7300) Fix instances method of mount provider

2.7.2

2.7.2 was slain in the Thunderdome by 2.7.3.

2.7.1

2.7.1 is a bug fix release in the 2.7.x branch.

Fixes bug #8048, which made users of Puppet as a gem unable to install the Puppet 2.7.0 release if gem was configured to use rdoc, because rdoc failed to parse one file.

This issue only impacted users of Puppet as a gem.

2.7.0

2.7.0 is a new feature release of Puppet.

Notable Features and Bug Fixes

Apache License

Puppet is now released under the Apache 2.0 license. More info is available here.

Ruby 1.9 Support

There are some known issues with the 2.7.0 release, but we now support Ruby 1.9.2 and higher, and will be aggressively fixing bugs under Ruby 1.9.

Deterministic Catalog Application

Previously, Puppet didn’t guarantee that it would apply unrelated resources in any particular order. This meant that if you forgot to specify some important before or require relationship, a single catalog might work fine on eight nodes and then fail mysteriously on the ninth and tenth. This could be frustrating! Now it’s gone: Puppet will make sure that the same catalog will always be applied in the same order on every machine, and it’ll either succeed reliably or fail reliably. (This change will also be appearing in the final 2.6.x releases.)

(See issue #6911.)

Manage Network Devices

Based on an open-space discussion that happened at PuppetCamp EU in May, 2010, Brice Figureau has implemented the start of a network management solution.

Currently this initial solution has a base network type/provider and providers for managing Cisco interfaces and vlans. The puppet provider connects to remote switches and routers through either ssh or telnet.

To manage an interface:

interface { "FastEthernet 0/1":
  device_url          => "ssh://user:pass@cisco2960.domain.com/",
  mode                => trunk,
  encapsulation       => dot1q,
  trunk_allowed_vlans => "1-99,200,253",
  description         => "to back bone router"
}

or

interface { "Vlan 1":
  device_url  => "ssh://user:pass@router.domain.com/",
  description => "internal net",
  ipaddress   => [ "192.168.0.1/24", "fe80::/128 link-local"]
}

And to manage vlans:

vlan { "99":
  description => "management",
  device_url  => "ssh://user:pass@cisco2960.domain.com/",
}

A current limitation is that it isn’t possible to have 2 switches with the same interface name.

Dependency cycle reporting

We have significantly improved dependency cycle reporting so that the cycle is clearly identifiable, and will produce graphs of such cycles for easier debugging. Error messages will now appear as follows:

Found 2 dependency cycles: (Notify[a] => Notify[b] => Notify[a]) (Notify[mp2-2] => Notify[mp2] => Notify[mp2-2])

Man Pages

We’ve spiffed up our man pages. Static man files are in the man/ directory of the source, and should be installed for you if you installed Puppet with your OS’s packaging system. We’ve also introduced a puppet man subcommand that can render man pages on the fly using ronn. (We recommend running gem install ronn before using it; if it isn’t installed, puppet man will just print a human-readable version of the man page source text.)

Deprecations

We’re starting the hourglass on a few older features:

  • ‘puppet’ as a synonym for ‘puppet apply’: starting today, running puppet my-manifest.pp will issue a warning; you should start using puppet apply directly instead. Support for implicit invocation of puppet apply will be dropped in Puppet 2.8.
  • Dynamic scope: we’ve started issuing warnings when variables or resource defaults are found via dynamic lookup. There’s more info and explanation in a guide on the docs site, but the short version is that you should start referencing variables with their qualified names instead of counting on dynamic scope. We hope to drop support for dynamic scope in Puppet 2.8. (Issue #5027)
  • No more --parseonly option: this one’s already gone, because we used Faces to build a drop-in replacement: use puppet parser validate [<manifest>] [<manifest> ...] instead.

Notice Changed Manifests on the First Try

During the 2.6.x series, puppet agent would sometimes require two runs to receive new configurations when puppet master was running under Passenger. This persistent bug has been dealt with. (This change will also be appearing in the final 2.6.x releases.)

Static Compiler

We’ve introduced static_compiler, a new catalog_terminus which can be configured in puppet.conf on your puppet master. (See issue #6873.) The static compiler works by wrapping the default compiler terminus and replacing every puppet:/// URL in the catalog it returns with an MD5 reference to a filebucket object; this saves a lot of describe calls while the agent is running, and it ensures that the agent won’t grab inconsistent file versions if one of the source files changes while it’s running.

There are some known issues that keep it from being used as-is, yet: you have to manually sync the agent’s filebucket to that of the master, the compiler’s behavior around recursion hasn’t been rigorously tested, we haven’t specified how it should behave if your puppet master is serving files through a load balancer, and files are read into memory rather than being streamed. However, this new approach has the potential to drastically speed up file-heavy Puppet runs, and if your site serves a lot of files and you have some lab time to test it, it could be worth a look.

Improved APIs

You can now manage and sign certificates via Puppet’s REST API, which means that in the near future you’ll be able to check off signing requests for new nodes right from Puppet Dashboard. (And someone can now easily write an iPhone or Android app to fetch and handle CSRs, hint hint. :) )

Services Are Assumed to Have Status Commands

Per issue #5108, the service type’s hasstatus attribute now defaults to true, which means init scripts are expected to have working status commands. This is a potentially incompatible change. If you use an OS where broken status commands are still the norm, you may need to add the following resource default to your site.pp manifest:

Service {
  hasstatus => false,
}

This will effectively restore the old behavior.

Default ACL improvements

We have adjusted the default ACL in the puppet master to allow a node to query configuration information about itself from the internal or external node classifier.

pkgutil Provider

pkgutil provider support has been significantly improved, resolving issue #4258.

Puppet Faces

Faces is a new API for creating new Puppet subcommands. Faces dramatically simplifies the process of extending Puppet by building new capabilities, including additional nouns and verbs that can be called by issuing commands from your command line interface.

We’re particularly excited about Faces and the opportunities it offers for our user base. You can see how easy it is to create a subcommand and action with our new manifest validator.

This provides a new subcommand and a single action as follows:

puppet parser validate <mymanifest.pp>

It’s also easy to create new actions for existing subcommands, which is a great way to extend the Puppet model, and it has also become significantly easier to access Puppet subsystems from Ruby code, as the configurer subcommand shows:

  facts = Puppet::Face[:facts, '0.0.1'].find(certname)
  catalog = Puppet::Face[:catalog, '0.0.1'].download(certname, facts)
  report = Puppet::Face[:catalog, '0.0.1'].apply(catalog)

That small amount of code offers this on the command line:

$ puppet configurer synchronize

which accomplishes basically the same functionality as puppet agent --test, but is much simpler to rearrange and modify for your own needs.

We look forward to seeing what the community comes up with now that it is so easy to interact with and extend the underlying model.

To get a look at the new subcommands, start by running puppet help. To see the API in action, look at the source for the secret_agent and parser faces.

Certificate API

Read or alter the status of a certificate or pending certificate request. This endpoint is roughly equivalent to the puppet cert command; rather than returning complete certificates, signing requests, or revocation lists, this endpoint returns information about the various certificates (and potential and former certificates) known to the CA.

GET /{environment}/certificate_status/{certname}

Retrieve a PSON hash containing information about the specified host’s certificate. Similar to puppet cert --list {certname}.

GET /{environment}/certificate_statuses/no_key

Retrieve a list of PSON hashes containing information about all known certificates. Similar to puppet cert --list --all.

PUT /{environment}/certificate_status/{certname}

Change the status of the specified host’s certificate. The desired state is sent in the body of the PUT request as a one-item PSON hash; the two allowed complete hashes are {“desired_state”:“signed”} (for signing a certificate signing request; similar to puppet cert --sign) and {“desired_state”:“revoked”} (for revoking a certificate; similar to puppet cert --revoke); see examples below for details.

When revoking certificates, you may wish to use a DELETE request instead, which will also clean up other info about the host.

DELETE /{environment}/certificate_status/{certname}

Cause the certificate authority to discard all information regarding a host (including any certificates, certificate requests, and keys), and revoke the certificate if one is present. Similar to puppet cert --clean.

Examples include:

curl -k -H "Accept: pson" https://puppetmaster:8140/production/certificate_status/testnode.localdomain
curl -k -H "Accept: pson" https://puppetmaster:8140/production/certificate_statuses/all
curl -k -X PUT -H "Content-Type: text/pson" --data '{"desired_state":"signed"}' https://puppetmaster:8140/production/certificate_status/client.network.address
curl -k -X PUT -H "Content-Type: text/pson" --data '{"desired_state":"revoked"}' https://puppetmaster:8140/production/certificate_status/client.network.address
curl -k -X DELETE -H "Accept: pson" https://puppetmaster:8140/production/certificate_status/client.network.address
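The curl examples above pass -k, which turns off verification of the master’s certificate; that is convenient for a first try but it is exactly the check that protects a signing request from a man-in-the-middle. The following is an added example, not code from the Puppet project: a small Ruby client for the same five operations that verifies the master against the Puppet CA and presents the caller’s own certificate and key, which auth.conf then uses to decide whether that identity may read or change certificate statuses. The ssldir paths in the comments are assumptions based on Puppet’s default layout; the endpoint paths and bodies are the ones documented above.

```ruby
require 'net/http'
require 'openssl'

# Added example (not part of the Puppet code base): talk to the
# certificate_status endpoint over a verified, mutually authenticated TLS
# session instead of `curl -k`.
class CertStatusClient
  PSON = 'text/pson'

  attr_reader :http

  # ca_file, cert and key may be nil while only inspecting the request
  # objects; a real call needs all three. Default layout assumed:
  #   ca_file -> /etc/puppet/ssl/certs/ca.pem
  #   cert    -> /etc/puppet/ssl/certs/<admin certname>.pem
  #   key     -> /etc/puppet/ssl/private_keys/<admin certname>.pem
  def initialize(master, environment: 'production', port: 8140,
                 ca_file: '/etc/puppet/ssl/certs/ca.pem', cert: nil, key: nil)
    @environment = environment
    @http = Net::HTTP.new(master, port)
    @http.use_ssl = true
    # Verify the master's certificate against the Puppet CA, the opposite of -k.
    @http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    @http.ca_file = ca_file
    # Client certificate: this is the identity auth.conf authorizes.
    @http.cert = cert
    @http.key = key
  end

  # GET /{env}/certificate_status/{certname}
  def status_request(certname)
    get("/#{@environment}/certificate_status/#{certname}")
  end

  # GET /{env}/certificate_statuses/all
  def list_request
    get("/#{@environment}/certificate_statuses/all")
  end

  # PUT {"desired_state":"signed"}
  def sign_request(certname)
    put_state(certname, 'signed')
  end

  # PUT {"desired_state":"revoked"}
  def revoke_request(certname)
    put_state(certname, 'revoked')
  end

  # DELETE /{env}/certificate_status/{certname}
  def clean_request(certname)
    req = Net::HTTP::Delete.new("/#{@environment}/certificate_status/#{certname}")
    req['Accept'] = PSON
    req
  end

  # Send a prepared request; a deny from auth.conf or a TLS failure becomes
  # an exception instead of silently empty output.
  def perform(req)
    res = @http.request(req)
    unless res.is_a?(Net::HTTPSuccess)
      raise "#{req.method} #{req.path}: HTTP #{res.code} #{res.body}"
    end
    res.body
  end

  private

  def get(path)
    req = Net::HTTP::Get.new(path)
    req['Accept'] = PSON
    req
  end

  def put_state(certname, state)
    req = Net::HTTP::Put.new("/#{@environment}/certificate_status/#{certname}")
    req['Content-Type'] = PSON
    # Exactly the one-item hash the endpoint expects; built by hand so the
    # wire format matches the documented body byte for byte.
    req.body = %({"desired_state":"#{state}"})
    req
  end
end

# Usage (needs a cert/key pair that auth.conf allows for certificate_status):
#   client = CertStatusClient.new('puppetmaster',
#     cert: OpenSSL::X509::Certificate.new(File.read(cert_path)),
#     key:  OpenSSL::PKey::RSA.new(File.read(key_path)))
#   puts client.perform(client.sign_request('client.network.address'))
```

Note that the requests are authorized like any other REST path, through auth.conf on the master; if a call comes back 403, the identity in the client certificate is not allowed for certificate_status, and -k would not have helped with that either.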

2.6.16

This release addresses and reverts a behavior change related to puppet’s pidfile that was introduced in Puppet 2.6.15.

65446c9 Revert “(#5246) Puppetd does not remove it’s pidfile when it exits”

2.6.15

This is a security release in the 2.6.x branch.

Security Fixes

CVE-2012-1906 (High) – appdmg and pkgdmg providers write packages to insecure location

http://puppetlabs.com/security/cve/cve-2012-1906

(#13260)

If a remote source is given for a package, the package is downloaded to a predictable filename in /tmp. It is possible to create a symlink at this name and use it to clobber any file on the system, or, by switching the symlink, to install arbitrary packages (and package installers can execute arbitrary code).

CVE-2012-1986 (High) – Filebucket arbitrary file read

http://puppetlabs.com/security/cve/cve-2012-1986

(#13511)

It is possible to construct a REST request to fetch a file from a filebucket that overrides the puppet master’s defined location for the files to be stored. If a user has access to construct directories and symlinks on the machine, they can read any file that the user the puppet master is running as has access to.

CVE-2012-1987 (Moderate) – Filebucket denial of service

http://puppetlabs.com/security/cve/cve-2012-1987

(#13552,#13553)

By constructing a marshaled form of a Puppet::FileBucket::File object a user can cause it to be written to any place on the disk of the puppet master. This could be used for a denial of service attack against the puppet master: an attacker can fill a filesystem, which can cause systems to stop working. In order to do this the attacker needs no access to the puppet master system, but does need access to agent SSL keys.

Using the symlink attack described in Bug #13511 the puppet master can be caused to read from a stream (e.g. /dev/random) when either trying to save a file or read a file. Because of the way in which the puppet master deals with sending files on the filesystem to a remote system via a REST request, the thread handling the request will block forever reading from that stream and continually consuming more memory. This can lead to the puppet master system running out of memory and cause a denial of service.

CVE-2012-1988 (High) – Filebucket arbitrary code execution

http://puppetlabs.com/security/cve/cve-2012-1988

(#13518)

This requires access to the cert on the agent and an unprivileged account on the master. By creating a path on the master in a world-writable location that matches a command string, one can then make a filebucket request to execute that command.

2.6.14

This is a security release in the 2.6.x branch.

Security Fixes

CVE-2012-1053 (Group Privilege Escalation)

http://puppetlabs.com/security/cve/cve-2012-1053/

(#12457, #12458, #12459) A bug in Puppet gives unexpected and improper group privileges to execs and types/providers. When executing commands as a different user, Puppet leaves the forked process with Puppet’s own group permissions. Specifically:

  • Puppet’s primary group (usually root) is always present in a process’s supplementary groups.
  • When an exec resource is assigned a user to run as but not a group, Puppet will set its effective GID to Puppet’s own GID (usually root).
  • Permanently changing a process’s UID and GID won’t clear the supplementary groups, leaving the process with Puppet’s own supplementary groups (usually including root).

This causes any untrusted code executed by a Puppet exec resource to be given unexpectedly high permissions.

CVE-2012-1054 (User Privilege Escalation)

http://puppetlabs.com/security/cve/cve-2012-1054/

(#12460)

If a user’s .k5login file is a symlink, Puppet will overwrite the link’s target when managing that user’s login file with the k5login resource type. This allows local privilege escalation by linking a user’s .k5login file to root’s .k5login file.
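Both CVE-2012-1906 (above, in 2.6.15) and CVE-2012-1054 come down to opening a path an attacker can point somewhere else. The following is an added example, not the providers’ actual code: the predictable-name pattern from the appdmg/pkgdmg description side by side with a version that uses a fresh private directory and opens with O_EXCL and O_NOFOLLOW, plus a nofollow overwrite of the kind the .k5login case needs. The sample file names and URL are constructed for the demonstration.

```ruby
require 'tmpdir'

# Added example, not the Puppet providers' code, contrasting the vulnerable
# download pattern with a hardened one.

# Vulnerable: a predictable name under a shared directory, opened with a
# plain "w". If that name is already a symlink to another file, open(2)
# follows it and the write lands on the link's target.
def write_predictable(tmpdir, source_url, data)
  path = File.join(tmpdir, File.basename(source_url))
  File.open(path, 'w') { |f| f.write(data) }
  path
end

# Hardened: a fresh directory with an unguessable name and mode 0700, so
# nobody else can pre-create entries in it, plus O_EXCL (the name must not
# exist yet) and O_NOFOLLOW (a symlink at that name is never followed).
def write_private(source_url, data)
  dir   = Dir.mktmpdir('pkg')
  path  = File.join(dir, File.basename(source_url))
  flags = File::WRONLY | File::CREAT | File::EXCL | File::NOFOLLOW
  File.open(path, flags, 0600) { |f| f.write(data) }
  path
end

# Overwrite an existing file (think ~user/.k5login) without following a
# symlink in its final component. Returns false instead of clobbering the
# link target: ELOOP on Linux, EMLINK on the BSDs and macOS.
def overwrite_nofollow(path, data)
  flags = File::WRONLY | File::TRUNC | File::NOFOLLOW
  File.open(path, flags) { |f| f.write(data) }
  true
rescue SystemCallError
  false
end
```

The difference is visible with a planted link: write_predictable happily writes through it, overwrite_nofollow refuses, and write_private never touches a directory anyone else could have prepared.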

2.6.13

2.6.13 Release Notes

Fix #10739 Provide default subjectAltNames while bootstrapping master

Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set, puppet would add default subjectAltNames to any non-CA cert it signed, including agent certs. The subjectAltNames were of the form:

  DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>

The fix for #2848 prevented subjectAltNames from ever being implicitly added at signing time. But during this change, the default subjectAltNames behavior was accidentally removed.

This commit restores the 'defaulting' behavior that existed previously, but only when bootstrapping the initial master. Additionally, default subjectAltNames are only ever added when generating the master's certificate signing request, not at signing time. This is important, because it ensures all subjectAltNames originate from the CSR and are subject to our internal signing policy.

The code now requires that all of the following be true in order to add default subjectAltNames to the CSR:

 1. We are a CA and master
 2. We're signing the master's cert, not self-signing the CA
 3. The CSR is for the current host
 4. No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
 5. The master can resolve its fqdn

These should only ever be true when bootstrapping the initial master. In particular, it should never be true for the CA's self-signed cert, for remote agents, or for servers that are either masters or CAs, but not both.

The fqdn requirement existed previously, and so the same behavior has been restored.

Note if Puppet[:dns_alt_names] are specified when bootstrapping the master, then we do not merge the default options -- it's either one or the other, but not both.

Fix #10289

Add an ext script to upload facts to inventory server

This script, ext/upload_facts, will read facts from the master's yaml dir and save them to the facts terminus. The intended use of this is when the facts terminus is set to inventory_service, to be run periodically via cron to ensure facts are uploaded even if the inventory_service becomes temporarily unavailable. It supports a --minutes option, which will limit the facts uploaded to only those added in the last n minutes.

Add a safe alternative to REST for inventory service

With the default implementation of the inventory service, with a terminus REST and cache YAML, a failed upload to the inventory service would cause compilation to fail. This means the inventory service was a single point of failure for the entire Puppet infrastructure. Now, we introduce an inventory_service terminus which can be used in place of the REST terminus, and will absorb failures, allowing compilation to continue.

2.6.13 Changelog

  • e4ee794 (#10739) Provide default subjectAltNames while bootstrapping master
  • 9dfd011 (#5617) Puppet queue logging
  • a91cfa1 maint: Fix failing spec on old version of rspec
  • aa2a762 (#10289) Add an ext script to upload facts to inventory server
  • 5129d38 (#10289) Add a safe alternative to REST for inventory service
  • 7514d32 missing includes in network XML-RPC handlers
  • 397a506 (#10244) Restore Mongrel XMLRPC functionality
  • 8d86e5a (9547) Minor mods to acceptance tests
  • 2bf6721 Reset indirector state after configurer tests.
  • bb224dd (#8770) Don’t fail to set supplementary groups when changing user to root
  • 2a0de12 (#8770) Always fully drop privileges when changing user
  • 00c4b25 (#8662) Migrate suidmanager test case to rspec
  • d7c9c76 (#8740) Do not enumerate files in the root directory.
  • 0e00473 (#3553) Explain that cron resources require time attributes
  • 769d432 (#8302) Improve documentation of exec providers
  • c209f62 Add document outlining preferred contribution methods
  • fb2ffd6 (#8596) Detect resource alias conflicts when titles do not match
  • 89c021c (#8418) Fix inspect app to have the correct run_mode
  • 3165364 maint: Adding logging to include environment when source fails
  • f484851 maint: Add debug logging when the master receives a report
  • e639868 Confine password disclosure acceptance test to hosts with required libraries
  • a109c90 (maint) Cleanup and strengthen acceptance tests
  • b268fb3 (#7144) Update Settings#writesub to convert mode to Fixnum
  • 4a2f22c (maint) Fix platform detection for RHEL
  • 111a4b5 (#6857) Password disclosure when changing a user’s password

2.6.12

This is a security release in the 2.6.x branch.

Security Fixes

CVE-2011-3872 (AltNames vulnerability)

(Full vulnerability and mitigation details)

This is a major security vulnerability which must be manually remediated; upgrading Puppet will not fully protect a site from this vulnerability.

A bug in all previous versions causes Puppet to insert the puppet master’s DNS alt names (“certdnsnames” in puppet.conf) into the X.509 Subject Alternative Name field of all certificates, rather than just the puppet master’s certificate.

Since the puppet agent daemon can use the Subject Alternative Name field to identify its puppet master, your site may contain agent certificates that can be used in a Man in the Middle (MITM) attack to impersonate the puppet master.

This release fixes the underlying bug that caused dangerous certificates to be issued, but any existing certificates with improper DNS alternate names will remain dangerous until your agent nodes have been reconfigured.

Any site where the puppet master’s certdnsnames setting has been enabled is vulnerable to attack. See the CVE-2011-3872 details page for more information, including:

  • How to determine whether you are affected
  • How to fully remediate the vulnerability
  • How to download and use the automated remediation toolkit released by Puppet Labs
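Whether a site is affected is decided by what is actually in the subjectAltName extension of its agent certificates, which is the same field the 2.6.13 note above describes being defaulted into the master’s CSR. The following is an added example, not the Puppet Labs remediation toolkit: Ruby that reads the DNS alt names out of a certificate, decides whether a non-master certificate could pass for the master, and scans a directory of signed certificates (the CA’s ca/signed directory is the natural target). The master names and the sample certificate built by sample_cert are constructed for the demonstration; a real audit reads the PEM files issued by your CA.

```ruby
require 'openssl'

# Added example, not the code that fixed #2848 / CVE-2011-3872.

# DNS names carried in the subjectAltName extension, [] when there is none.
def dns_alt_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip)
     .select { |v| v.start_with?('DNS:') }
     .map { |v| v.sub('DNS:', '') }
end

def common_name(cert)
  entry = cert.subject.to_a.find { |e| e[0] == 'CN' }
  entry && entry[1]
end

# Names in a certificate that would let its holder impersonate the master:
# any SAN matching a master name, or the bare "puppet" default that agents
# resolve when no server is configured. The master's own certificate is
# expected to carry these, so it is exempt.
def impersonation_names(cert, master_names)
  return [] if master_names.include?(common_name(cert))
  dns_alt_names(cert) & (master_names + ['puppet'])
end

# Scan a directory of PEM certificates (e.g. $ssldir/ca/signed on the CA)
# and return { certname => [offending names] } for each dangerous one.
def audit_signed_certs(dir, master_names)
  Dir.glob(File.join(dir, '*.pem')).each_with_object({}) do |path, bad|
    cert  = OpenSSL::X509::Certificate.new(File.read(path))
    names = impersonation_names(cert, master_names)
    bad[File.basename(path, '.pem')] = names unless names.empty?
  end
end

# Constructed sample: a self-signed certificate with the given CN and DNS
# SANs, shaped like the agent certs a pre-2.6.12 CA issued when
# certdnsnames was set. Only for demonstration; not a CA-issued cert.
def sample_cert(cn, alt_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Usage on the CA:  p audit_signed_certs('/var/lib/puppet/ssl/ca/signed',
#                                        ['puppet.example.com'])
```

A non-empty result for any agent means the remediation steps on the CVE page apply to that agent regardless of which Puppet version the master now runs; upgrading stops new dangerous certificates from being issued, it does not recall the old ones.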

2.6.11

This is a security release in the 2.6.x branch.

Security Fixes

Three security vulnerabilities

This release resolves the following security vulnerabilities:

Follow the links above for details on each vulnerability.

2.6.10

2.6.10 is a security release in the 2.6.x branch.

Security Fixes

CVE-2011-3848 (directory traversal attacks through indirections)

(Full vulnerability details)

In various versions of Puppet it was possible to cause a directory traversal attack through the SSLFile indirection base class. This was variously triggered through the user-supplied key, or the Subject of the certificate, in the code.

Now, we detect bad patterns down in the base class for our indirections, and fail hard on them. This reduces the attack surface with as little disruption to the overall codebase as possible, making it suitable to deploy as part of older, stable versions of Puppet.

In the long term we will also address this higher up the stack, to prevent these problems from reoccurring, but for now this will suffice.

Huge thanks to Kristian Erik Hermansen kristian.hermansen@gmail.com for the responsible disclosure, and useful analysis, around this defect.
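The defence described here (reject bad key patterns in the indirection base class) and the filebucket problems fixed in 2.6.15 (CVE-2012-1986, a request that steers the master to a location outside its configured store, with symlinks doing the rest) are two layers of the same check. The following is an added example, not the code in commit fe2de81: a whitelist for keys before any path is built from them, and a containment check that resolves the final path, symlinks included, and confirms it is still under the base directory. The .pem suffix mirrors the SSL file stores; the key pattern and the sample store built by sample_store are my own assumptions for the demonstration.

```ruby
require 'pathname'
require 'tmpdir'

# Added example, not Puppet's Indirector code.

# Layer 1: a key is a plain, host-like name. Letters, digits, '.', '-' and
# '_' only; no leading dot, no path separators, no '..' anywhere. Anchored
# with \A and \z so a trailing newline cannot smuggle a second line through.
KEY_PATTERN = /\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/

def valid_key?(key)
  return false unless key.is_a?(String) && key =~ KEY_PATTERN
  !key.include?('..')
end

# Layer 2: even with a good key, resolve what the path actually points at
# (a planted symlink in the store, or a symlinked parent directory) and
# refuse anything that lands outside the base directory.
def confined_path(base, key)
  raise ArgumentError, "invalid key #{key.inspect}" unless valid_key?(key)
  base_real = Pathname.new(base).realpath
  candidate = base_real + "#{key}.pem"
  resolved =
    begin
      if candidate.exist? || candidate.symlink?
        candidate.realpath                      # follows the link, exposing its target
      else
        candidate.dirname.realpath + candidate.basename   # new file: resolve the parent only
      end
    rescue Errno::ENOENT
      raise ArgumentError, "#{key} points at a missing target"
    end
  unless resolved.to_s.start_with?(base_real.to_s + File::SEPARATOR)
    raise ArgumentError, "#{key} resolves outside #{base}"
  end
  resolved.to_s
end

# Constructed sample store: one legitimate entry and one planted symlink
# pointing outside the directory, as the attacks above would arrange.
def sample_store
  base = Dir.mktmpdir('certstore')
  File.write(File.join(base, 'node1.example.com.pem'), "-- sample --\n")
  outside = File.join(Dir.tmpdir, "outside-#{Process.pid}.txt")
  File.write(outside, "secret\n")
  File.symlink(outside, File.join(base, 'planted.pem'))
  base
end
```

Both layers are needed: the pattern check stops traversal in the request before the filesystem is consulted at all, and the realpath check catches what a pattern cannot see, a name that is syntactically fine but has been turned into a link on the master’s disk.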

Commits

  • ec5a32a Update spec and lib/puppet.rb for 2.6.10 release
  • fe2de81 Resist directory traversal attacks through indirections. (CVE-2011-3484)

2.6.9

2.6.9 is a maintenance release in the 2.6.x branch.

Notable Fixes and Features

Bug #5318

Puppet master behind Passenger no longer requires two runs to detect changes to manifests.

Bug #7127:

A puppet run will now stop if a prerun command fails.

Bug #650

Puppet will now honor symlinks for configuration directories.

Feature #2128

Added support for hostname setting based on facts, also get facts before retrieving the catalog.

Bug #7139

Accept ‘/’ as a valid path in filesets

2.6.8

2.6.8 is a maintenance release in the 2.6.x branch.

Notable Features and Bug Fixes

Bug #4884:

Added a new shell exec provider that executes code as a raw shell script. Although the posix provider remains the default, the new provider allows the use of shell globbing and built-ins, and does not require that the path to a command be fully-qualified. The shell provider closely resembles the behavior of the exec type in Puppet 0.25.x.

Bug #5670:

Failed resources don’t improperly trigger a refresh

Feature #2331:

New macports provider

2.6.7

2.6.7 is a maintenance release in the 2.6.x branch.

Notable Features and Bug Fixes

Inventory Service Available

The inventory service is a way to track facts for all nodes. Preliminary documentation can be found here, which will be finalized by the time 2.6.7 is released.

Plugin sync works when using tags

Bug #5073 This fixes a regression from 0.25.x

Don’t truncate remotely-sourced files on 404

Bug #4922 Now 404s just cause a normal failure without affecting the file

Storeconfigs compatibility with older version of Puppet

Bug #5428 Upgrading from 0.25.x caused problems with the data format that storeconfigs used, and previously you had to delete your old storeconfigs data to work with 2.6.x. 2.6.7 can now work with the old storeconfigs data.

Selectors now can use hashes

Ticket #5516 Example:

$int = { 'eth0' => 'bla' }
$foo = $int['eth0'] ? {
  'bla'   => 'foo',
  default => 'bleh'
}

Hashes can now be multiple levels deep

Bug #6269 The following now works:

$hash = { 'a' => { 'b' => { 'c' => 'it works' } } }
$out = $hash['a']['b']['c']

Documented autorequire relationships

Ticket #6606

Better support for multiple key attributes

Bugs #5661 #5662 #5605

Better error message when realizing a non-existent virtual resource

Bug #5392 The error message you used to get when realizing a bogus virtual resource didn’t give you any indication of what was happening to cause the error. Now it should be much faster to figure out that the virtual resource was bad.

Noop no longer suppresses error codes

Bug #6322 Running in noop mode used to always return 0. It will now return the same exit code that a regular run would, if possible.

Settings Propagate Environment

Bug #6513 The code in settings did not always propagate the environment, creating situations in which inconsistent results were produced.

Able to create system users

Ticket #2645 You can now create users like when running useradd -r if you specify system => true on a user resource.

The reports directory is now automatically created

Bug #5794 If the reports directory didn’t exist, report creation used to fail until it was manually added.

DESTDIR in install.rb now warns that it’s deprecated in favor of --destdir

Ticket #5724

Allow disabling of default SELinux context detection for files

Ticket #3999

Add _search REST API aliases for plural GET requests

Ticket #6376 The plural form creates problems when the name of the indirection is already plural, e.g. “facts” pluralizes to “factss”

2.6.6

2.6.6 is a maintenance release in the 2.6.x branch.

Notable Features and Bug Fixes

No longer audit recursive files

Bug #6418: Files with the “source” parameter set are automatically set to audit

The audit functionality was activated unexpectedly on file resources that use the “source” parameter. This could cause spurious notify events. These notifications could trigger unintended refreshes of subscribed resources.

No longer truncate files when given an invalid checksum

Bug #6541: File type truncates target when filebucket can not retrieve hash

In the case where a file resource had content specified using an invalid checksum (e.g. “{md5}not-a-checksum”) or the valid checksum of a file not contained in the filebucket, the file would end up being truncated. This is now properly reported as an error, instead of zeroing out the file.

2.6.5

2.6.5 is a maintenance release in the 2.6.x branch.

Notable Features and Bug Fixes

Faster Passenger support

Bug #6257: Rack POST and PUT request handling is very slow.

The speed of the Rack HTTP handler has been dramatically improved. This should prevent timeouts that some users were experiencing when running under Passenger.

Parameterised class support in external node classifiers

Bug #5045: External node classifiers should be able to specify parameters for parameterized classes

External node classifiers can now declare parameterized classes (with parameters). To declare the following parameterized class:

class foo($foobar='default', $foobaz, $fooblah) {
  notify { 'foobar': message => $foobar }
  notify { 'foobaz': message => $foobaz }
  notify { 'fooblahfirst': message => $fooblah[0] }
  notify { 'fooblahsecond': message => $fooblah[1] }
}

…your external node classifier should return the following YAML:

classes:
    foo:
      foobar: onesie
      foobaz: twosie
      fooblah:
          - one
          - two

New puppet inspect application

Puppet now includes puppet inspect, an application which sends inspection reports to the puppet master. Inspection reports document the current state of resource attributes which are marked for auditing in the most recently applied catalog, and are useful in certain pre-existing workflows.

$name can now be used to set default values in defined resource types

Feature #5061: should be able to access ($name, $module_name, $title) from within defined resources type parameter list

The $name variable is now resolved within the scope of the resource being declared, rather than the enclosing scope. This enables usages like:

define audited_file($filename = $name) {
    file { $filename:
        audit => all,
    }
}

audited_file { "/etc/hosts": }

Managed resource attributes can now be audited

Bug #5408: Puppet should allow audited attributes to also be managed

The audit metaparameter can now be used on attributes which are managed by Puppet.

Manifests can now specify arbitrary data for file contents

Bug #5261: Need a way to transmit binary data for file contents in manifests

Previous versions of Puppet would experience errors when file contents contained invalid UTF-8.

Puppet agent reliably writes valid cache YAML for very large catalogs

Bug #5755: Unable to load puppet generated catalog via YAML.load_file

In Puppet 2.6.3 and 2.6.4, puppet agent would sometimes write invalid YAML to its cache when serializing extremely large catalogs, and subsequent tasks attempting to consume this YAML would fail. This has been fixed.

The environment column in storeconfigs is no longer corrupted

Bug #4487: Environment column in hosts table updating incorrectly

A bug which corrupted the environment column in storeconfigs databases has been fixed.

Mount resource on AIX has been improved

Bug #5681: Puppet mount module Puppet::Provider::Mount does not properly parse AIX mount command output

Puppet resource can now manage files

Bug #3165: Ralsh can’t manage files

The puppet resource shell can now manage file resources.

Generating puppet.conf with --genconfig no longer sets genconfig = true

Bug #5914: Genconfig returns genconfig=true

Using the --genconfig command line option now generates fully usable puppet.conf content.

Bug #5977: Puppet applications in multiple directories.

Setting RUBYLIB should no longer have the potential to break finding puppet sub-commands.

License is now GPLv2

Previous versions of Puppet were licensed as GPL version 2 or greater; the license is now specified as GPL version 2.

Filebucket API can now provide diffs of file contents

The filebucket service can now diff file contents specified by MD5 checksum. From the REST API documentation:

GET /{environment}/file_bucket_file/md5/{checksum}?diff_with={checksum}

No tools using this feature are currently shipping; however, a future version of Puppet Dashboard will support viewing diffs of arbitrary file content revisions.

Report format has changed; report formats are now versioned

The report format has been made more consistent, more documentable, and less redundant. Report formats are now versioned, and inspection reports are now supported with the kind attribute.

See the wiki for details:

“user” type now takes -1 to disable password aging

Bug #6061: password_max_age can not be set to null or -1

Time and timestamp checksum options have been removed from the “file” type

These attributes, deprecated in 0.25.0, have been removed.

“file” type now accepts POSIX files with multiple slashes

Bug #6091: Fix Posix file paths with multiple slashes

Valid POSIX file paths with multiple slashes are now usable.

Document the --apply and --compile options to puppet apply and puppet master

Feature #3646: Updated documentation for puppet apply, and puppet master.

2.6.4

2.6.4 is a security release in the 2.6.x branch and contains only security related bug fixes and one update to copyright information.

2.6.3

2.6.3 is a maintenance release in the 2.6.x branch and contains only bug fixes and no new features.

2.6.2

This release is largely a maintenance release for the 2.6.x cycle

Types and Providers

User type now manages password age

We’ve added a new feature to user providers, manages_password_age, along with the new properties password_min_age and password_max_age on the user type. These represent the minimum and maximum password age in days. The useradd and user_role_add providers now support these new properties.

User type now manages user expiry

We’ve added a new feature to user providers, manages_expiry, along with a new property, expiry. The expiry property is specified in the form YYYY-MM-DD and sets an expiration date for an account.

An example of these new features:

user { "james":
  password_min_age => '10',
  password_max_age => '30',
  expiry => '2010-09-30',
  ...
  ensure => present,
}

2.6.1

This release is largely a maintenance release for 2.6.0 but also includes basic support for running Puppet under JRuby.

Functions

Extlookup

R.I. Pienaar’s extlookup function has been added to core. This is an initial import of this function. Additional functionality, including YAML and JSON backends, will be added in future releases.

This is a parser function to read data from external files. This version uses CSV files, but the concept can easily be adjusted for databases, YAML or any other queryable data source.

The object of this is to make it obvious when it’s being used; rather than magically loading data in when a module is loaded, I prefer to look at the code and see statements like:

$snmp_contact = extlookup("snmp_contact")

The above snippet will load the snmp_contact value from the CSV files. This on its own is useful, but a common construct in puppet manifests is something like this:

case $domain {
   "myclient.com": { $snmp_contact = "John Doe <john@myclient.com>" }
   default:        { $snmp_contact = "My Support <support@my.com>" }
}

Over time there will be a lot of this kind of thing spread all over your manifests, and adding an additional client involves grepping through manifests to find all the places where you have constructs like this.

This is a data problem and shouldn’t be handled in code; using this function you can do just that.

First you configure it in site.pp:

$extlookup_datadir = "/etc/puppet/manifests/extdata"
$extlookup_precedence = ["%{fqdn}", "domain_%{domain}", "common"]

The array tells the code how to resolve values: for a host whose fqdn is web1.myclient.com in the domain myclient.com, it will first try to find the value in web1.myclient.com.csv, then in domain_myclient.com.csv and finally in common.csv.

Now create the following data files in /etc/puppet/manifests/extdata like this:

domain_myclient.com.csv:

 snmp_contact,John Doe <john@myclient.com>
 root_contact,support@%{domain}
 client_trusted_ips,192.168.1.130,192.168.10.0/24

common.csv:

 snmp_contact,My Support <support@my.com>
 root_contact,support@my.com

Now you can replace the case statement with the simple single line to achieve the exact same outcome:

$snmp_contact = extlookup("snmp_contact")

The above code shows some other features: you can use any fact or variable that is in scope by simply using %{varname} in your data files, and you can return arrays by just having multiple values in the CSV row after the initial variable name.

In the event that a variable is nowhere to be found, a critical error will be raised that will prevent your manifest from compiling; this is to avoid accidentally putting in empty values. You can however specify a default value:

$ntp_servers = extlookup("ntp_servers", "1.${country}.pool.ntp.org")

In this case it will default to “1.${country}.pool.ntp.org” if nothing is defined in any data file.

You can also specify an additional data file to search first before any others at use time, for example:

$version = extlookup("rsyslog_version", "present", "packages")
package{"rsyslog": ensure => $version }

This will look for a version configured in packages.csv and then in the rest of the files as configured by $extlookup_precedence; if it’s not found anywhere it will default to “present”. This kind of use case makes puppet a lot nicer for managing large amounts of packages, since you do not need to edit a load of manifests to do simple things like adjust a desired version number.
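The lookup rules above, as an added Ruby model that is not Puppet’s own extlookup implementation: it uses the two data files and the precedence list from the text (embedded inline as constructed strings) together with constructed fqdn, domain and country facts, and walks through precedence, %{var} expansion, array values, defaults, the extra data file and the error raised when nothing matches.

```ruby
require 'csv'

# Facts/variables in scope for the example host (constructed values).
SCOPE = {
  'fqdn'    => 'web1.myclient.com',
  'domain'  => 'myclient.com',
  'country' => 'za',
}.freeze

# The two data files from the text, keyed by file name as they would sit in
# $extlookup_datadir. A packages.csv is deliberately absent.
DATAFILES = {
  'domain_myclient.com.csv' => <<~CSV,
    snmp_contact,John Doe <john@myclient.com>
    root_contact,support@%{domain}
    client_trusted_ips,192.168.1.130,192.168.10.0/24
  CSV
  'common.csv' => <<~CSV,
    snmp_contact,My Support <support@my.com>
    root_contact,support@my.com
  CSV
}.freeze

# $extlookup_precedence from the text.
PRECEDENCE = ['%{fqdn}', 'domain_%{domain}', 'common'].freeze

class ExtlookupError < StandardError; end

# Expand %{varname} from the scope. An unknown name is left verbatim so the
# gap stays visible in the result instead of silently becoming an empty string.
def interpolate(str, scope)
  str.gsub(/%\{(\w+)\}/) do
    name = Regexp.last_match(1)
    scope.fetch(name) { "%{#{name}}" }
  end
end

# Resolve +key+ the way the text describes: an optional extra data file is
# searched first, then each file named by the precedence list in order, and a
# missing file is simply skipped. One value after the key returns a string,
# several return an array. With no match, the default is returned if one was
# given; otherwise compilation is aborted by raising.
def extlookup(key, default = nil, datafile = nil, scope: SCOPE, files: DATAFILES)
  order = PRECEDENCE.map { |name| interpolate(name, scope) }
  order.unshift(datafile) if datafile
  order.each do |name|
    body = files["#{name}.csv"]
    next if body.nil?
    CSV.parse(body).each do |row|
      next unless row.first == key
      values = row.drop(1).map { |v| interpolate(v.to_s, scope) }
      return values.length == 1 ? values.first : values
    end
  end
  return default unless default.nil?
  raise ExtlookupError, "No match found for '#{key}' in any data file during extlookup()"
end
```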

md5

An md5 hashing function

Documentation

Migration of internal Restructured Text Documentation to Markdown

Types and Providers

Added http_refresh and cost parameters to the yumrepo type

2.6.0

Language

Support for parameterised classes

The Rowlf release provides an extension to the existing class syntax to allow parameters to be passed to classes. This brings classes more in line with definitions, with the significant difference that definitions have multiple instances whilst classes remain singletons.

To create a class with parameters you can now specify:

class apache($version) {

... class contents ...

}

Classes with parameters are NOT added using the include function; rather, the resulting class is declared more like a definition:

node webserver {
    class { apache: version => "1.3.13" }
}

Like definitions, you can also specify default parameter values in your class like so:

class apache($version="1.3.13",$home="/var/www") {

... class contents ...

}

New relationship syntax

You can now specify relationships directly in the language:

File[/foo] -> Service[bar]

Specifies a normal dependency while:

File[/foo] ~> Service[bar]

Specifies a subscription.

You can also do relationship chaining, specifying multiple relationships on a single line:

File[/foo] -> Package[baz] -> Service[bar]

Note that while it’s confusing, you don’t have to have all of the arrows be the same direction:

File[/foo] -> Service[bar] <~ Package[baz]

This can provide some succinctness at the cost of readability.

You can also specify full resources, rather than just resource references:

file { "/foo": ensure => present } -> package { bar: ensure => installed }

But wait! There’s more! You can also specify a collection (<| |>) on either side of the relationship marker:

yumrepo { foo: .... }
package { bar: provider => yum, ... }
Yumrepo <| |> -> Package <| provider == yum |>

This, finally, provides easy many to many relationships in Puppet, but it also opens the door to massive dependency cycles. This last feature is a very powerful stick, and you can considerably hurt yourself with it.

Run Stages

Run Stages are a way for you to provide coarse-grained ordering in your manifests without having to specify relationships to every resource you want in a given order. It’s most useful for setup work that needs to be done before the vast majority of your catalog even works – things like configuring yum repositories so your package installs work.

Run Stages are currently (intentionally) a bit limited – you can only put entire classes into a run stage, you can’t put individual resources there.

There’s a main stage that resources all exist in by default; if you don’t use run stages, everything’s in this, but it doesn’t matter to you. You can define new stages via the new stage resource type:

stage { pre: before => Stage[main] }

Here we’ve used the before metaparameter but you could also use after, require, etc to establish the necessary relationships between stages.

Now you just specify that your class belongs in your new run stage:

class yum { ... }
class redhat {
  ...
  class { yum: stage => pre }
}

This will make sure that all of the resources in the yum class are applied before the main stage is applied.

Note that we’re using the new parameterized classes here – this is necessary because of the class-level limitations of Run Stages. These limitations are present because of the complication of trying to untangle resource dependencies across stage boundaries if we allowed arbitrary resources to specify stages.

On a related note, if you specify a stage for a given class, you should specify as few as possible explicit relationships to or from that class. Otherwise you risk a greater chance of dependency cycles.

This can all be visualized relatively easily using the --graph option to puppetd and opening the graphs in OmniGraffle or GraphViz.

Specifying the ordering of Run Stages also works much better when specified using the new relationship syntax, too:

stage { [pre, post]: }
Stage[pre] -> Stage[main] -> Stage[post]

This way it’s very easy to see at a glance exactly how the stages are ordered.
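The chaining arrows and collections described under “New relationship syntax”, and the stage ordering just above, as an added Ruby model (not Puppet’s parser or catalog code): it expands chain statements over a small constructed catalog into dependency edges and then looks for the dependency cycles the text warns about.

```ruby
# A constructed catalog: type, title and parameters of each resource the
# chains below refer to (matching the yumrepo/package example in the text).
CATALOG = [
  { type: 'Yumrepo', title: 'foo',  params: {} },
  { type: 'Package', title: 'bar',  params: { 'provider' => 'yum' } },
  { type: 'Package', title: 'baz',  params: { 'provider' => 'apt' } },
  { type: 'File',    title: '/foo', params: {} },
  { type: 'Service', title: 'bar',  params: {} },
].freeze

REF        = /\A(\w+)\[([^\]]+)\]\z/                          # Type[title]
COLLECTION = /\A(\w+)\s*<\|\s*(?:(\w+)\s*==\s*(\w+))?\s*\|>\z/ # Type <| param == value |>
ARROW      = /\s*(->|~>|<-|<~)\s*/

# Resolve one operand to the list of "Type[title]" names it denotes: a
# reference names exactly one resource, a collection every catalog resource
# of that type whose parameter matches (or all of them for an empty <| |>).
def resolve(operand, catalog)
  if (m = REF.match(operand))
    ["#{m[1]}[#{m[2]}]"]
  elsif (m = COLLECTION.match(operand))
    catalog.select { |r| r[:type] == m[1] && (m[2].nil? || r[:params][m[2]] == m[3]) }
           .map { |r| "#{r[:type]}[#{r[:title]}]" }
  else
    raise ArgumentError, "cannot parse operand #{operand.inspect}"
  end
end

# Expand one chain statement into edges [before, after, notify?]. Arrows
# pointing left (<- and <~) swap the operands, so every edge runs from the
# resource applied first to the one that depends on it; ~ marks a
# subscription. Collections on both sides produce the full cross product,
# which is where many-to-many relationships (and cycles) come from.
def chain_edges(statement, catalog = CATALOG)
  parts = statement.strip.split(ARROW)   # operand, arrow, operand, arrow, ...
  edges = []
  (0...parts.length - 1).step(2) do |i|
    left, arrow, right = parts[i], parts[i + 1], parts[i + 2]
    left, right = right, left if arrow.start_with?('<')
    resolve(left, catalog).product(resolve(right, catalog)).each do |a, b|
      edges << [a, b, arrow.include?('~')]
    end
  end
  edges
end

# Depth-first search over the edges; returns the first cycle found as a list
# of names (first == last) or nil when the relationships are acyclic.
def find_cycle(edges)
  adj = Hash.new { |h, k| h[k] = [] }
  edges.each { |a, b, _| adj[a] << b }
  state = {}        # :active while on the DFS path, :done when finished
  path  = []
  visit = lambda do |node|
    return nil if state[node] == :done
    return path[path.index(node)..-1] + [node] if state[node] == :active
    state[node] = :active
    path << node
    adj[node].each do |nxt|
      cycle = visit.call(nxt)
      return cycle if cycle
    end
    path.pop
    state[node] = :done
    nil
  end
  adj.keys.each do |node|
    cycle = visit.call(node)
    return cycle if cycle
  end
  nil
end

# Check a whole set of chain statements at once (e.g. the stage ordering and
# every class-level chain in a manifest).
def check_chains(statements, catalog = CATALOG)
  edges = statements.flat_map { |s| chain_edges(s, catalog) }
  { edges: edges, cycle: find_cycle(edges) }
end
```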

Support for hashes in the DSL

This brings a new container syntax to the Puppet DSL: hashes.

Hashes are defined like Ruby Hashes:

{ key1 => val1, ... }

The hash keys are strings, but hash values can be any right-hand value admitted in the Puppet DSL (e.g. a function call or a variable).

Currently it is possible:

  • to assign hashes to a variable:
    $myhash = { key1 => "myval", key2 => $b }
  • to access hash members (recursively) from a variable containing a hash (works for arrays too):
    $myhash = { key => { subkey => "b" }}
    notice($myhash[key][subkey])
  • to use hash member access as a resource title
  • to use a hash in a default definition parameter or resource parameter if the type supports it (none for the moment).

It is not possible to use a hash as a resource title. This might be possible once we support compound resource titles.

The “in” syntax

From Puppet 2.6.0 you can also use the “in” syntax. This operator allows you to find if the left operand is in the right one. The left operand must be a string, but the right operand can be:

  • a string
  • an array
  • a hash (the search is done on the keys)

This syntax can be used in any place where an expression is supported:

$eatme = 'eat'
if $eatme in ['ate', 'eat'] {
...
}

$value = 'beat generation'
if 'eat' in $value {
  notice("on the road")
}

Pure Ruby Manifests

Puppet now supports pure Ruby manifests as equivalent to Puppet’s custom language. That is, you can now have Ruby programs alongside your Puppet manifests. As is our custom, it’s a limited first version, but it covers most of the specification functionality of the current language. For instance, here’s a simple ssh class:

hostclass :ssh do
  package "ssh", :ensure => :present
  file "/etc/ssh/sshd_config", :source => "puppet:///ssh/sshd_config", :require => "Package[ssh]"
  service :sshd, :ensure => :running, :require => "File[/etc/ssh/sshd_config]"
end

Similar to the ‘hostclass’ construct here, you can specify defined resource types:

define "apache::vhost", :ip, :docroot, :modperl => false do
  file "/etc/apache2/sites-enabled/#{@name}.conf", :content => template("apache/vhost.erb")
end

As you can see from this code, the parameters for the resources become instance variables inside of the defined resource types (and classes, now that we support parameterized classes).

We can do nodes, too:

node "mynode" do
  include "apache"
end

Ruby has become a first-class citizen alongside the existing external DSL. That means anywhere you can put a manifest, you should be able to put ruby code and have it behave equivalently. So, the ‘ssh’ class above could be put into ‘$modules/ssh/manifests/init.rb’, the apache vhost type should be placed in ‘$modules/apache/manifests/vhost.rb’, and the node should probably be in your ‘site.pp’ file. You can also apply ruby manifests directly with puppet:

puppet -e mystuff.rb

Note that the Ruby support does not yet cover all of the functionality in Puppet’s language. For instance, there is not yet support for overrides or defaults, nor for resource collections. Virtual and exported resources are done using a separate method:

virtual file("/my/file", :content => "something")

All of the standard functions are also pulled into Ruby and should work fine — e.g., ‘include’, ‘template’, and ‘require’.

Support for an elsif syntax

Allows use of an elsif construct:

  if $server == 'mongrel' {
      include mongrel
  } elsif $server == 'nginx' {
      include nginx
  } else {
      include thin
  }

Audit Metaparameter

Puppet now supports an audit metaparameter in the style of Tripwire.

Using this new metaparameter we can specify our resource like:

file { '/etc/hosts':
   audit => [ owner, group, mode ],
}

Now instead of changing each value (though you can change it too if you wish) Puppet will instead generate auditing log messages, which are available in your standard Puppet reports:

audit change: previously recorded value owner root has been changed to owner james

This allows you to track any changes that occur on resources under management on your hosts. You can specify this audit metaparameter for any resource and all their attributes and track users, groups, files, services and the myriad of other resources Puppet can manage.

You can also specify the special value of all to have Puppet audit every attribute of a resource rather than needing to list all possible attributes, like so:

file { '/etc/hosts':
   audit => all,
}

You can also combine audited resources with managed resources, allowing you to manage some configuration items and simply track others. It is important to remember, though, that unlike many file integrity systems your audit state is not protected by a checksum or the like, and is stored on the client in the state.yaml file. In future releases we will look at protecting and centralising this state data.

Case and Selectors now support undef

The case and selector statements now support the undef syntax (see #2818).

Stored Configuration

Support is now added for using Oracle databases as a back-end for your stored configuration.

Facts

There are three new facts available in manifests:

  • $clientcert – the name of the client certificate
  • $module_name – the name of the current module (see #1545)
  • $caller_module_name – the name of the calling module (see #1545)

In addition all puppet.conf configuration items are now available as facts in your manifests. These can be accessed using the structure:

$settings::setting_name

Where setting_name is the name of the configuration option you’d like to retrieve.

Types and Providers

Basic Windows support has been introduced…

A new provider for pkg has been added to support Solaris and OpenSolaris (pkgadd).

A new package provider has been added to support AIX package management.

The augeas type has added the ‘incl’ and ‘lens’ parameters. These parameters allow loading a file anywhere on the filesystem; using them also greatly speeds up processing the resource.

Binaries and Configuration

Single Binary

Puppet is now available as a single binary with sub-commands for the functions previously provided by the separate binaries (the existing binaries remain for backwards compatibility). This includes renaming several Puppet functions to better fit an overall model.

List of binary changes

  • puppetmasterd -> puppet master
  • puppetd -> puppet agent
  • puppet -> puppet apply
  • puppetca -> puppet cert
  • ralsh -> puppet resource
  • puppetrun -> puppet kick
  • puppetqd -> puppet queue
  • filebucket -> puppet filebucket
  • puppetdoc -> puppet doc
  • pi -> puppet describe

This also results in a change in the puppet.conf configuration file. The sections, previously named after binaries such as [puppetd], should now be renamed to match the new sub-command names, so [puppetd] becomes [agent]. When you start Puppet you will be prompted to do this with a log message for each section that needs to be renamed. This is merely a warning; existing configuration files will work unchanged.

New options

A new option is available, ca_name, to specify the name to use for the Certificate Authority certificate. It defaults to the value of the certname option (see http://projects.puppetlabs.com/issues/1507).

A new option, dbconnections, is now available that specifies a limit for the number of database connections made to remote databases (postgreSQL, MySQL).

A new option, dbport, is now available that specifies the database port for remote database connections.

There’s also a new option/feature that lets the puppet client use HTTP compression (--http_compression):

Allow HTTP compression in REST communication with the master. This setting might improve performance for agent -> master communications over slow WANs. Your puppetmaster needs to support compression (usually by activating some settings in a reverse proxy in front of the puppetmaster, which rules out webrick).

It is harmless to activate this setting if your master doesn’t support compression, but if it does support it, this setting might reduce performance on high-speed LANs.

Binary changes

The puppetd (or puppet agent) binary now supports the --detailed-exitcodes option available in the puppet binary.

The puppet agent will now create the ssl when passed the --noop option.

Certificates cleaned with puppetca (or puppet cert) are now also revoked.

The puppetca (puppet cert) and puppetd (puppet agent) binaries now have support for certificate fingerprinting and support for specifying digest algorithms. To display the fingerprint of a client certificate use:

$ puppetd --fingerprint

or

$ puppet agent --fingerprint

To specify a particular digest algorithm use --digest DIGESTNAME.

To fingerprint a certificate with puppetca use:

$ puppetca --fingerprint host.example.com

or

$ puppet cert --fingerprint host.example.com

Also supported is the --digest option.
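A fingerprint is only a useful check if the value printed on the agent is compared with what the CA sees before the request is signed. As an added Ruby example (not Puppet’s code), this computes a certificate fingerprint for a chosen digest over a constructed self-signed certificate and compares it with a reported value; the colon-separated upper-case hex layout is an assumption about what --fingerprint prints.

```ruby
require 'openssl'

# Build a self-signed certificate in memory (constructed test data standing in
# for an agent's certificate) so the example runs offline.
def constructed_cert_pem(cn = 'agent.example.com')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Fingerprint of a PEM certificate under the named digest (the --digest
# value), rendered as colon-separated upper-case hex pairs; the layout is
# assumed to match the --fingerprint output.
def fingerprint(pem, digest = 'SHA256')
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest.new(digest).hexdigest(der).upcase.scan(/../).join(':')
end

# Compare the value the agent printed (read back over a trusted channel)
# with the fingerprint of the certificate the CA holds. Colons and letter
# case are ignored so a hand-transcribed value still compares equal; the
# digest must be the same on both sides or the comparison fails.
def fingerprint_matches?(pem, reported, digest = 'SHA256')
  canon = ->(s) { s.delete(':').upcase }
  canon.call(fingerprint(pem, digest)) == canon.call(reported)
end
```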

The puppetdoc binary now documents inheritance between nodes, shows classes added via the require function and resources added via the realize function.

Functions

The regsubst function now takes arrays as input (see #2491).

Reports

There is a new report type called http. If you specify:

reports = http

Then the new report processor will make an HTTP POST of the report in YAML format to a specified URL. By default this URL is the report import URL for a local Puppet Dashboard installation. You can override this with the new reporturl setting.

reports = http
reporturl = http://yoururl/post/

Puppet Runner

In order for the following command to run at all:

puppetrun --foreground --host XXX

you must alter auth.conf to include:

path /run
method save
allow *

otherwise you will receive:

Host $PUPPET failed: Error 403 on SERVER: Forbidden request: $MASTER(X.X.X.X) access to /run/$PUPPET [save] authenticated  at line 101

Incompatibilities

PID files for the puppet agent and master used to be named:

puppetd.pid
puppetmasterd.pid

The new names are:

agent.pid
master.pid

0.25.5

Binaries and Configuration

The default location for Puppet’s dynamic files, the $vardir option, has changed from /var/puppet to /var/lib/puppet. This is already the default for the Fedora EPEL and Debian/Ubuntu packages and brings Puppet into FHS compliance.

The default factpath is now $vardir/lib/facter/.

The “use_cached_catalog” option is available. This determines whether to only use the cached catalog rather than compiling a new catalog on every run. Puppet can be run with this enabled by default and then selectively disabled when a recompile is desired. The option defaults to false.

Functions

The generate function now sets the working directory to the directory containing the specified command.

Types and Providers

You can now specify checksum => none in the file type to disable file check-summing.

Error Messages

The “warning: Value of ‘preferred_serialization_format’ (‘pson’) is invalid, using default (‘yaml’)” is now a debug level message.

0.25.4

Binaries and Configuration

  • Pre- and Post- transaction hooks.

These hooks allow you to specify commands that should be run pre and post a Puppet configuration transaction. They are set with the prerun_command and postrun_command settings in the puppet.conf configuration file:

prerun_command = /bin/runbeforetransaction
postrun_command = /bin/runaftertransaction

The command must exit with 0, i.e. succeed, otherwise the transaction will fail – if the pre command fails before the transaction is run and if the post command fails at the end of the transaction.

0.25.3

No major notes.

0.25.2

Binaries and Configuration

Puppet now has the manage_internal_file_permissions option which allows you to enable or disable Puppet management of internal files, for example those in /var/lib/puppet. When false, Puppet will NOT manage these files. Default is true.

The puppetdoc binary now works with Regex node names

Fix for temporary file issues (https://bugzilla.redhat.com/show_bug.cgi?id=502881)

Types and Providers

Cron type now supported on AIX

The maillist type is now working again

SELinux now supports contexts with upper case titles

When setting aliases with the host and sshkey types, use the host_aliases attribute rather than alias.

Error Messages

File serving permissions error messages enhanced

The debug format message has been changed and clarified from:

debug: Format s not supported for Puppet::FileServing::Metadata; has not implemented method 'from_s'

to:

debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using pson

Dependencies

When running the tests, RSpec version 1.2.2 is no longer required exactly; that version and any newer one are accepted.

LDAP

There are now valid and proper OIDs in the LDAP puppet.schema that are unique and registered for Puppet.

0.25.1

Functions

We’ve clarified that the new ‘require’ function only works for 0.25.x clients. If the function is specified with 0.24.x or earlier clients the class will be included but the inherent dependency will not be created. A warning message will be generated informing you of this.

Language

Node regular expression matching rules have been clarified; you can see the rules in the [[Language_Tutorial#matching-nodes-with-regular-expressions|Language Tutorial]].

Types and Providers

The Nagios serviceescalation type now supports the use of the servicegroup_name attribute.

Binaries and Configuration

The Puppet gem now installs all binaries to the ‘bin’ directory because Gems lack support for both a bin and sbin directory. Facter (version later than 1.5.1) is now also a dependency for the gem.

0.25.0

Migration to REST

There are substantial changes in Puppet 0.25.0 and more changes to come in the future. Most of the changes in 0.25.0 are internal refactoring rather than behavioural. The 0.25.0 release should be fully backwards compatible behaviourally with the 0.24.x branch.

This means a 0.25.0 master will be able to manage 0.24.x clients. You will need, however, to upgrade both your master and your clients to take advantage of all the new features and the substantial gains in performance offered by 0.25.0.

The principal change is the introduction of Indirected REST to replace XML-RPC as the underlying Puppet communications mechanism.

This is a staged change with some functions migrated in this release and some in the next release. In the first stage of the Indirected REST implementation the following functions have been migrated:

  • Certificates
  • Catalogue
  • Reports
  • Files

In 0.26.0 (the next release) the following remaining functions will be migrated:

  • Filebucket
  • Resource handler
  • Runner handler
  • Status handler

The new REST implementation also comes with authorisation configuration in a similar style to the namespaceauth used for XML-RPC. This new authorisation is managed through the auth.conf file (there is an example file in the conf directory of the tarball). This does not yet fully replace the namespaceauth.conf file but will when the remaining handlers are migrated to REST. It works in a similar way to the namespaceauth.conf file and the example file contains additional documentation.

As a result of the introduction of REST and other changes you should see substantial performance improvements in this release. These particularly include improvements in:

  • File serving
  • The performance of large graphs with lots of edges
  • Stored configuration (see also Puppet Queuing below)

Other new features include (this is not a complete list – please see the Roadmap for all tickets closed in this release):

Deprecations

Custom types and facts in modules have been moved from the module/plugins to module/lib. Please rename your directories.

The modules share and the module name must now be specified in source attributes of the file type, i.e:

file { "file":
    source => "puppet://server/modules/module_name/file",
}

Binary-specific configuration files, such as puppetd.conf or puppetmasterd.conf are now totally deprecated and ignored.

New Language Features

Regular expression matching is now possible in node definitions:

node /web|db/ {
    include blah
}

node /^(foo|bar)\.example\.com$/ {
    include blah
}

Puppet now also allows regular expressions in if statements with the use of the =~ (match) and !~ (not match) operators:

if $uname =~ /Linux|Debian/ {
   ...
}

Also available are ephemeral variables ($0 to $9) in the current scope which contain regex captures:

if $uname =~ /(Linux|Debian)/ {
    notice("this is a $1 system")
}

Similar functionality is available in case and selector statements:

$var = "foobar"
case $var {
    "foo": {
         notify { "got a foo": }
    }
    /(.*)bar$/: {
         notify{ "hey we got a $1": }
    }
}

$val = $test ? {
        /^match.*$/ => "matched",
        default => "default"
}

New functions

There are four new functions:

require – Similar to the include function but creates a dependency on the required class in the current class. This means the required class will be loaded before the current class is processed.

split – allows you to split strings and arrays

versioncmp – allows you to compare versions

shellquote – Quote and concatenate arguments for use in the shell, for example as part of Exec type commands.

Configuration Versioning

A new configuration option, config_version, is now available:

config_version = /usr/local/bin/return_version

The option allows you to specify a command that returns a version for the configuration that is being applied to your hosts. The command should return a string, such as a version number or name.

Puppet then runs this command at compile time. Each resource is marked with the value returned from this command. This value is also added to the log instance, serialised and sent along with any report generated. This allows you to parse your report output and ascertain which configuration version was used to generate the resource.

Command Line Compile & Apply

Puppet now has the capability to compile a catalogue and output it in JSON from the Puppet master. You can do this via the --compile command line option.

# puppetmasterd --compile nodename

Corresponding with this feature is the ability to apply a JSON configuration from the puppet binary using the --apply option.

$ puppet --apply cataloguefile

Or you can use - (a single dash) to read the JSON in from standard input. Puppet will then compile and apply the configuration.

Thin Stored Configuration

0.25.0 also introduces the concept of “thin” stored configurations. This is a version of stored configuration that only stores the facts and exported resources in the database. This will perform better than full stored configuration but because not all resources are available this may not suit all purposes.

Thin stored configurations are initiated by setting the thin_storeconfigs option on the Puppet master or on the puppetmasterd command line using --thin_storeconfigs.

Puppet Queuing

There is a new binary called puppetqd that supports queuing for stored configurations. You can read about how it works and how to implement it at:

Using Stored Configuration

Further documentation is in the README.queuing file in the tarball.

Application Controller

All the logic has been moved out of the binary commands and added to an Application Controller. You can see the controller code at lib/puppet/application.rb and the logic for each application at lib/puppet/application/binaryname.rb.

Types and Providers

The return values from the Exec type can now be specified as an array.

The SMF and daemontools service providers can now import a configuration file.

The maillist type is now supported on Red Hat, CentOS and Fedora distributions.

The NetInfo provider has been deprecated for OSX in favour of the Directory Services provider.

Binary Location Move

To bring Puppet more in line with general packaging standards the puppetd, puppetca, puppetrun, puppetmasterd, and puppetqd binaries now reside in the sbin directory rather than the bin directory when installed from the source package.

Passenger

Ensure you have the latest version of the config.ru file from the ext/rack/files/ directory in the tarball.

Rails

Rails versions up to 2.3.x are now supported. Rails version 2.2.2 or greater is required.

0.24.9

Binaries and Configuration

Fix for temporary file issues (https://bugzilla.redhat.com/show_bug.cgi?id=502881)

0.24.8

Functions

Added sprintf function

Added regsubst function

0.24.7

Binary and Configuration

The puppetdoc binary has been updated to output manifest and module documentation

Removed the conf/debian directory; Debian packaging information is now maintained downstream

The puppetca binary can now clean unsigned certificates

Removed all the vendor gems

Added Rake tasks to support continuous integration

Types and Providers

Added augeas type

Added MCX type

Added the macauthorization type

Added the directoryservice type

Deprecated the NetInfo nameservice provider

Added zfs, zpool types and branded zones support to the zones type

Added uninstall functionality to yum provider

Added preseed support to apt provider’s uninstall and purge functions

Added versionable feature to the RPM provider

Replaced SELinux calls to binaries with Ruby SELinux bindings

Updates to the Nagios types

Language and Facts

Added support for @doc type and manifest documentation support

Added multiline comment support

Classes and nodes should set $name variables

Functions

Added inline_template function

Stored Configuration

The environment has been added to the stored configuration database structure. You will need to set dbmigrate = true in your puppet.conf to ensure your database is upgraded to the new schema.

Errata

#1922: Severe breakage when using parser functions with complex arguments.

0.24.6

Dependencies

#1553: Depends on Facter 1.5

Binary and Configuration

Added --detailed-exits option to puppet binary that adds specific exit codes after runs.

Log messages are now tagged with the log level, making it easier to match messages in the tagmail report.

Added support for running Puppet inside a Rack application (mod_rails) with Passenger and Apache

Fixed the puppetca --clean --all binary so that both signed and unsigned certificates are cleaned.

Moved individual functions out of functions.rb into lib/puppet/parser/functions directory. New functions should be created in this directory.

Added the -P/--ping option to puppetrun.

Allow specification of --bindir, --sbindir, --sitelibdir, --mandir and --destdir during installation

Language and Facts

Allow multiple overrides in one statement

Fixed #1585 – Allow complex ‘if’ and variable expressions

Fixed #1584 – Added support for appended variables

Types and Providers

Feature #1624 – Added RBAC roles to solaris user provider

Fixed #1586 – Specifying “fully qualified” package names in Gentoo

Fixed #1530 – ssh_authorized_keys provider does not crash anymore on SSH type 1 keys

Fixed #1455 – Added HP-UX support for the user type

Added daemontools and runit providers for service type

Fixed #1508 – Added HP-UX package provider

Fixed #1456 – add proxy configuration capability to yum repo

0.24.5

Binary and Configuration

Added the catalog_format configuration option which accepts the yaml or marshal options. This option allows you to switch the catalog formatting from YAML to Marshal. Marshal formatting should provide significant performance enhancement over YAML.

The return code from waitpid is now right-shifted by 8 bits.

Added support for the --all option to puppetca --clean. If puppetca --clean --all is issued then all client certificates are removed.

Environments

The default environment is now production.

Types and Providers

The interface type is buggy and has been disabled.

A native type for managing ssh authorized_keys files is now available.

The gem package type can now specify source repositories.

The service type now supports HP-UX.

On Red Hat, instead of deleting the init scripts (with chkconfig --del) we now disable the service with chkconfig service off, and do the equivalent for enable => true.

Added LDAP providers for users and groups.

Functions

Added SHA1 function from DavidS to core

Language and Facts

Facts in plugin directories should now be autoloaded, as long as you’re using Facter 1.5.

Aliases to titles now work for resources.

Modified the ‘factpath’ setting to automatically configure Facter to load facts there if a new enough version of Facter is used.

Modules

Templates in the templatedir are preferred to module templates.

LDAP

Removed support for the ‘node_name’ setting in LDAP and external node lookups.

Nodes

Removed support for ‘default’ nodes in external nodes. LDAP nodes now use the certificate name, the short name, and ‘default’, but external nodes just use the certificate name and any custom terminus types will use just the certificate name.

Virtual and Exported/Collected Resources

Exporting or collecting resources no longer raises an exception when storeconfigs is not enabled; it just produces a warning.

0.24.4

Binary and Configuration

The http keep-alive is now disabled by default. There is now a constant in Puppet::Network::HttpPool that will disable or enable this feature, but if you enable it you may be at risk of corruption, especially in file serving.

The yamldir is automatically created by the server now that it’s in the puppetmasterd section rather than a separate yaml section.

Types and Providers

In the OpenBSD package provider, assume a source ending in a / indicates it is a directory, and pass it to pkg_add via PKG_PATH. This allows pkg_add to resolve dependencies and makes it possible to specify packages without version numbers.

Provider suitability is now checked at resource evaluation time, rather than resource instantiation time. This means that you don’t catch your “errors” as early, but it also means you should be able to realistically configure a whole host in one run.

Documentation

Puppet now has man pages available. These are recreated at each release. They are located in the man directory and are installed into mandir.

0.24.3

Language and Facts

Downloading plugins and facts now ignores noop. Note that this changes the behaviour of a resource’s noop setting. The resource’s noop setting will now always override the global setting (previously, whichever was true would win).

Host names can now have dashes anywhere.

Binaries and Configuration

The CA serial file will no longer ever be owned by root.

External Nodes

External node commands can specify an environment and Puppet will now use it.

LDAP Nodes

LDAP nodes now support environments, and the schema has been updated accordingly.

0.24.2

Plugins

Autoloading now searches the plugins directory in each module, in addition to the libdir directory. The libdir directory is also deprecated, but supported for now to give people a chance to convert.

Virtual Resources

Virtual defined types are no longer evaluated. This introduces a behaviour change, in that you previously could realize a resource within a virtual defined resource, and now you must realize the entire defined resource, rather than just the contained resource.

Tags

The full name of qualified classes and the class parts are now added as tags. This is supported by the new Tagging module.

Binaries and Configuration

The rundir directory permissions are again set to 1777.

The yamldir setting has been moved to its own yaml section. This should keep the yamldir from being created on clients.

Language and Facts

Classes can once again be included multiple times.

Exec resources must now have unique names, although the commands can still be duplicated. This is easily accomplished by just specifying a unique name with whatever (unique or otherwise) command you need.

There is a change in Puppet’s parser – the order of statement evaluation is no longer changed. This means case statements can now set variables that can be used by other variables.

Types and Providers

Added built-in support for Nagios types using Naginator to parse and generate the files.

The package type (and Puppet overall) is now compatible with gems 1.0.1.

You can now copy links using the file type.

Removed the loglevels from the valid values for logoutput in the exec resource type — the log levels are specified using the loglevel parameter, not logoutput.

0.24.1

Binaries and Configuration

Removed the ability to disable http keep-alive.

Removed warning about deprecated explicit plugins mounts.

0.24.0 (misspiggy)

External Nodes

External node support now requires that you set the node_terminus setting to exec:

node_terminus = exec

External nodes can now co-exist with manifest-based nodes. Previously you had to select one or the other.

LDAP Nodes

LDAP nodes can now co-exist with manifest-based nodes. Previously you had to select one or the other.

Plugins

Added plugins mount – see PluginsInModules on the wiki for information.

Certificates

Certificates now always specify a subjectAltName, but it defaults to *, meaning that it doesn’t require DNS names to match. You can override that behaviour by specifying a value for the certdnsnames configuration option, which will then require that hostname as a match.

The behaviour of the certdnsnames setting has changed. It now defaults to an empty string, and will only be used if it is set to something else. If it is set, then the host’s FQDN will also be added as an alias. The default behaviour is now to add puppet and puppet.$domain as DNS aliases when the name for the cert being signed is equal to the signing machine’s name, which will only be the case for CA servers. This should result in servers always having the alias set up and no one else, but you can still override the aliases if you want.

Mongrel

Changed the behaviour of --debug to include Mongrel client debugging information. Mongrel output will be written to the terminal only, not to the puppet debug log.

Language and Facts

The node scope is now above all other scopes besides the main scope, which should help make its variables visible to other classes, assuming those classes were not included in the node’s parent.

Relationship metaparameters :notify, :require, :subscribe, and :before now stack when they are collecting metaparameter values from their containers. For instance, if a resource inside a definition has a value set for require, and you call the definition with require, the resource gets both requires, where before it would only retain its initial value.

Binaries and Configuration

Added the --no-daemonize option to puppetd and puppetmasterd which prevents both binaries from daemonizing. If you use daemontools or runit you must pass --no-daemonize to puppetd and puppetmasterd. Additionally, --verbose and --debug no longer prevent puppetd and puppetmasterd from daemonizing.

The --use-nodes and --no-nodes options are now obsolete. Puppet automatically detects when nodes are defined, and if they are defined it will require that a node be found, else it will not look for a node nor will it fail if it fails to find one.

You now must specify an environment and you are required to specify the valid environments for your site.

The http_enable_post_connection_check configuration option has been added for puppetd. It defaults to true, which validates the server SSL certificate against the requested host name in new versions of Ruby.

Types and Providers

Added k5login type.

Removed type and running as valid attributes from the service type, as they are both deprecated.

Modified how services manage their list of paths. Services now default to the paths specified by the provider classes.

0.23.2

Binaries and Configuration

The --gen_config option now generates a configuration with all parameters under a heading that matches the relevant process name, rather than keeping section headings.

Types and Providers

Added support for managing interfaces on Red Hat.

0.23.1 (beaker)

Language and Facts

You can now specify relationships to classes, which work exactly like relationships to defined types:

require => Class[myclass]

This works with qualified classes, too.

Added the +> syntax to resources, so parameter values can be added to.

Hostnames can now be double quoted.

Class and node names must now be unique across both: for example, you cannot have a node and a class with the same name.

Exported/Collected Resources

You can now do simple queries in a collection of exported resources. You still cannot do multi-condition queries, though.

Binaries and Configuration

Running puppetca with --clean now exits with a non-zero code if it cannot find any host certificates to clean.

The Rails log level can now be set via the rails_loglevel parameter.

Puppet clients now have http proxy support.

Types and Providers

Added the maillist type for managing mailing lists.

Added a mailalias type for managing mail aliases.

Modules

Added autoloading of modules – you can now ‘include’ classes from modules without ever needing to specifically load them.

Plugins

The configuration client now pulls libraries down to $libdir, and all autoloading is done from there with full support for any reloadable file, such as types and providers. This is not backward compatible — if you’re using pluginsync you’ll need to disable it on your clients until you can upgrade them.

0.23.0

Functions

Fixed functions so that they accept most other rvalues as valid values.

Nodes

From 0.23.0 only ONE node source can be used – you can either use LDAP, code, or an external node program, but not more than one.

LDAP Nodes

LDAP node support has two changes: first, the “ldapattrs” attribute is now used for setting the attributes to retrieve from the server (in addition to required attributes); and second, all retrieved attributes are set as variables in the top scope. This means you can set attributes on your LDAP nodes and they will automatically appear as variables in your configurations.

External Nodes

External node support has been completely rewritten – this breaks compatibility with earlier versions and older external node scripts will not work. External node scripts must now generate a YAML dump of a hash, with “classes” and “parameters” keys. The classes should be an array, and the parameters should be a hash. The external node program has no support for parent nodes — the script must handle that on its own.

Stored Configuration

Reworked the database schema used to store configurations with the --storeconfigs option.

File Locations

Changed the location of the classes.txt to the state directory.

Moved puppetd and puppetmasterd to sbin.

Types and Providers

Added a package provider called appdmg, which installs .app packages contained in .dmg files on OS X.

Added fink package provider (#642), as provided by ‘do’.

Marked the dpkg package provider as versionable (#647).

Language and Facts

Added an ‘undef’ keyword, which will evaluate to “” within strings but when used as a resource parameter value will cause that parameter to be evaluated as undefined.

Tags, definitions, and classes can now be a single character.

Binaries and Configuration

Configuration parsing has been significantly reworked. All executables now look for puppet.conf rather than the older binary-specific configuration files. The old-style configuration files will still be parsed if they are present, although they throw a deprecation warning.

Transaction summaries are now available with the --summarize option. These are useful for getting a quick idea of what happened in a transaction. Currently only useful on the client or with the puppet interpreter.

Added the dynamicfact configuration option; any facts in a comma-separated list will be ignored when comparing facts to see if they have changed and thus whether a recompile is necessary.

Added a splay option to randomly distribute client connections. The value is random but cached. It defaults to the runinterval but can be tuned with --splaylimit. It’s disabled when running under --test in puppetd.

0.22.4

Modules

Modules no longer return directories in the list of found manifests.

Types and Providers

The crontab provider now defaults to root when there is no USER set in the environment.

The useradd provider for the user type can now manage passwords. No other providers can, at this point.

Language and Facts

Added a syntax for referring to variables defined in other classes (e.g., $puppet::server).

0.22.3

Binaries and Configuration

Added a stand-alone filebucket client, named filebucket.

Types and Providers

The -M option is no longer added when home directories are being managed on Red Hat with the user type.

0.22.2 (grover)

Language and Facts

Definitions now support both ‘name’ and ‘title’, just like any other resource type.

Import statements can now specify multiple comma-separated arguments:

import apache, mongrel, squid

Changed the servername fact set on the server to use the server’s fqdn, instead of the short-name.

File Locations

Changed the location of the configuration cache. It now defaults to being in the state directory, rather than in the configuration directory.

Mongrel

Support for Mongrel added. Currently you need to start each individual process, and it requires you to set up a proxy in front of the mongrel processes.

Binaries and Configuration

Renamed x2puppet to ralsh.

The bind address for puppetmasterd can now be specified with --bindaddress.

Added the ignorecache option to tell puppetd to ignore the cache and force a recompile.

Certificate Authorities

You can now run separate Certificate Authorities rather than using the inbuilt CA.

Functions

Added a file() function to read in files with no interpolation. The first found file has its content returned.

Added the generate() function which sets values to the result of an external command.

Functions can now be called with no arguments.

Types and Providers

When doing file recursion, ensure only affects the top-level directory.

Users can now manage their home directories, using the managehome parameter.

Using the package type you can now purge apt and dpkg packages.

Made up2date the default for RHEL < 4 and yum the default for the rest.

The yum provider now supports versions.

Switched apt/aptitude to using “apt-cache policy” instead of “apt-cache showpkg” for determining the latest available version.

States have been renamed to Properties.

0.22.1 (kermit)

Resource Relationships

Explicit relationships now override automatic relationships, allowing you to manually specify deletion order when removing resources.

Resources with dependencies can now be deleted as long as all of their dependencies are also being deleted.

Language and Facts

Downcasing of facts can be selectively disabled.

Types and Providers

The netinfo mounts provider was commented out, because it really doesn’t work at all.

0.22.0

Types and Providers

Added the resources type which includes the ability to purge unwanted resources.

All providers now directly execute commands instead of going through a sub-shell – this means arguments don’t need to be quoted or escaped.

Stored Configuration

Export and collect have been updated, making the database incompatible with the 0.20 version. You will need to re-create your database.

Language and Facts

Facts are no longer down-cased and the language is case-insensitive.

0.20.0

Virtual and Exported/Collected Resources

Virtual resources are now represented by single sigils, @user, and exported/collected resources are represented by double sigils, @@sshkey.

Resource Relationships

Resource relationships are now identified by capitalizing the resource, like so:

File["/etc/passwd"]
