Diffstat (limited to 'lib/puppet')
| -rw-r--r-- | lib/puppet/defaults.rb | 18 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 21 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_factory.rb | 2 | ||||
| -rw-r--r-- | lib/puppet/util/settings.rb | 12 |
4 files changed, 35 insertions, 18 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 2a2a81be6..fa604667e 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -60,12 +60,6 @@ module Puppet
 this directory can be removed without causing harm (although it might result in spurious service restarts)."
 },
- :ssldir => {
- :default => "$confdir/ssl",
- :mode => 0771,
- :owner => "root",
- :desc => "Where SSL certificates are kept."
- },
 :rundir => {
 :default => rundir,
 :mode => 01777,
@@ -172,7 +166,7 @@ module Puppet
 fqdn = hostname
 end
- Puppet.setdefaults(:ssl,
+ Puppet.setdefaults(:main,
 :certname => [fqdn, "The name to use when handling certificates. Defaults to the fully qualified domain name."],
 :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
@@ -181,6 +175,12 @@ module Puppet
 :certdir => ["$ssldir/certs", "The certificate directory."],
 :crl => [true, "Whether to use a certificate revocation list. If this is set to true and the CRL does not exist, you will get a failure."],
+ :ssldir => {
+ :default => "$confdir/ssl",
+ :mode => 0771,
+ :owner => "root",
+ :desc => "Where SSL certificates are kept."
+ },
 :publickeydir => ["$ssldir/public_keys", "The public key directory."],
 :requestdir => ["$ssldir/certificate_requests", "Where host certificate requests are stored."],
 :privatekeydir => { :default => "$ssldir/private_keys",
@@ -286,7 +286,7 @@ module Puppet
 :serial => { :default => "$cadir/serial",
 :owner => "$user",
 :group => "$group",
- :mode => 0600,
+ :mode => 0644,
 :desc => "Where the serial number for certificates is stored."
 },
 :autosign => { :default => "$confdir/autosign.conf",
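Review bot: Widening `:serial` from 0600 to 0644 in the last hunk makes the CA's serial counter world-readable, which is defensible because a serial number is not a secret, but this file is the CA's only source of serial uniqueness, so the owner-only write bit is the property that must hold and nothing in the setting says why it is more open than its neighbours. Suggested `:desc => "Where the serial number for certificates is stored. World-readable so the CA can read it back after creating it; must remain writable only by the CA user."`. The comment added to next_serial in certificate_authority.rb implies the real problem is the mode the lock creates the file with; if so, creating it with this mode would be the narrower fix, but that creation path is not in this diff.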
@@ -319,7 +319,7 @@ module Puppet
 self.setdefaults(self.settings[:name],
 :config => ["$confdir/puppet.conf", "The configuration file for #{Puppet[:name]}."],
- :pidfile => ["", "The pid file"],
+ :pidfile => ["$rundir/$name.pid", "The pid file"],
 :bindaddress => ["", "The address to bind to. Mongrel servers default to 127.0.0.1 and WEBrick defaults to 0.0.0.0."],
 :servertype => ["webrick", "The type of server to use. Currently supported
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 0329f5354..5054c1dbe 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -16,11 +16,16 @@ class Puppet::SSL::CertificateAuthority
 require 'puppet/ssl/certificate_authority/interface'
+ def self.ca?
+ return false unless Puppet[:ca]
+ return false unless Puppet[:name] == "puppetmasterd"
+ return true
+ end
+
 # If this process can function as a CA, then return a singleton
 # instance.
 def self.instance
- return nil unless Puppet[:ca]
- return nil unless Puppet[:name] == "puppetmasterd"
+ return nil unless ca?
 unless defined?(@instance) and @instance
 @instance = new
@@ -177,11 +182,17 @@ class Puppet::SSL::CertificateAuthority
 # file so this one is considered used.
 def next_serial
 serial = nil
+
+ # This is slightly odd. If the file doesn't exist, our readwritelock creates
+ # it, but with a mode we can't actually read in some cases. So, use
+ # a default before the lock.
+ unless FileTest.exist?(Puppet[:serial])
+ serial = 0x0
+ end
+
 Puppet.settings.readwritelock(:serial) { |f|
 if FileTest.exist?(Puppet[:serial])
- serial = File.read(Puppet.settings[:serial]).chomp.hex
- else
- serial = 0x0
+ serial ||= File.read(Puppet.settings[:serial]).chomp.hex
 end
 # We store the next valid serial, not the one we just used.
diff --git a/lib/puppet/ssl/certificate_factory.rb b/lib/puppet/ssl/certificate_factory.rb
index 4b1669804..41155fd41 100644
--- a/lib/puppet/ssl/certificate_factory.rb
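Review bot: The new `:pidfile` default `$rundir/$name.pid` puts the pid file under `:rundir`, which the first defaults.rb hunk shows is created with mode 01777, a world-writable sticky directory. A predictable filename in such a directory can be pre-created or symlinked by any local user, so whatever writes the pid file must not follow symlinks and should refuse a file it does not own (or the master's rundir should not be world-writable); the pid-writing code is not in this diff, so treat this as a check to make rather than a confirmed defect. The `setdefaults(self.settings[:name], …)` call continues past the hunk.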
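Review bot: `self.ca?` is added without a comment of its own, while `instance` (and presumably other callers) now rely on it as the single gate on whether this process may act as a CA, so the condition deserves stating: `# True only when this process is configured as a CA (Puppet[:ca]) and is running as puppetmasterd; instance returns nil otherwise.`. As a style point, the three explicit returns can collapse to one boolean, `!!(Puppet[:ca] && Puppet[:name] == "puppetmasterd")`, which keeps the strict true/false result. The `instance` method continues past the hunk.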
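Review bot: Checking `FileTest.exist?(Puppet[:serial])` before taking `readwritelock` and then using `serial ||=` inside it is a check-then-act race: `0x0` is truthy in Ruby, so once serial is pre-set to 0 the read under the lock is skipped, and if another CA process created and wrote the serial file between the check and the lock this process issues serial 0 again and then overwrites the file, so two certificates from the same CA share a serial. For a CA that is a revocation and identity problem (CRL entries are keyed by serial), not a cosmetic one. The decision belongs inside the lock; if the concern is that readwritelock creates an empty file this process cannot read, `File.size?` distinguishes that freshly created empty file from one another process has written, and the 0644 mode this same commit gives `:serial` in defaults.rb should make a written file readable. `next_serial` continues past the hunk (the write-back of serial + 1 is not shown), and the pre-lock block would be dropped.
```ruby
        Puppet.settings.readwritelock(:serial) { |f|
            # An empty file is what readwritelock itself creates; only a
            # non-empty one holds a serial another process has committed.
            if File.size?(Puppet[:serial])
                serial = File.read(Puppet.settings[:serial]).chomp.hex
            else
                serial = 0x0
            end
            # … unchanged: store serial + 1 and return serial …
```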
+++ b/lib/puppet/ssl/certificate_factory.rb
@@ -115,7 +115,7 @@ class Puppet::SSL::CertificateFactory
 dnsnames = Puppet[:certdnsnames]
 name = @name.to_s.sub(%r{/CN=},'')
 if dnsnames != ""
- dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
+ dnsnames.split(':').each { |d| @subject_alt_name << 'DNS:' + d }
 @subject_alt_name << 'DNS:' + name # Add the fqdn as an alias
 elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server
 @subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias
diff --git a/lib/puppet/util/settings.rb b/lib/puppet/util/settings.rb
index 09bba5b59..1b953c95e 100644
--- a/lib/puppet/util/settings.rb
+++ b/lib/puppet/util/settings.rb
@@ -699,13 +699,19 @@ Generated on #{Time.now}.
 [file]
 end
- writesub(default, tmpfile, *args, &bloc)
+ # If there's a failure, remove our tmpfile
+ begin
+ writesub(default, tmpfile, *args, &bloc)
+ rescue
+ File.unlink(tmpfile) if FileTest.exist?(tmpfile)
+ raise
+ end
 begin
 File.rename(tmpfile, file)
 rescue => detail
- Puppet.err "Could not rename %s to %s: %s" %
- [file, tmpfile, detail]
+ Puppet.err "Could not rename %s to %s: %s" % [file, tmpfile, detail]
+ File.unlink(tmpfile) if FileTest.exist?(tmpfile)
 end
 end
 end
 |
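Review bot: The fix restores the `@subject_alt_name` accumulator, but the SAN list is still built solely from the local `certdnsnames` setting plus `@name`, with nothing tying those DNS names to the subject being certified; if this factory is also used to build certificates for other hosts (not visible here), every such certificate would carry this server's DNS aliases, and a holder of any of them could present itself under the server's names. Worth confirming that this branch is only reached for the server's own certificate, and recording it: `# certdnsnames are this server's own aliases; they must only end up in this server's certificate, never in one built for another host.`. Separately, `"a::b".split(':')` yields an empty element that becomes a bare `DNS:` entry, so the block should `next if d.empty?`. The enclosing method starts and ends outside the hunk.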
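Review bot: The rewritten `Puppet.err` on the rename failure keeps the arguments reversed: the call renames `tmpfile` to `file`, but the message is filled from `[file, tmpfile, detail]`, so the log reports the opposite direction; it should read `Puppet.err "Could not rename %s to %s: %s" % [tmpfile, file, detail]`. More importantly, that rescue now logs, unlinks the temp file and returns normally, so a failed rename silently discards the data that was just written; for the serial file this means a caller believes the new serial was persisted when it was not. Re-raise after the cleanup, as the first `rescue` in this hunk already does, or at least return a failure the caller can act on. The enclosing method starts before the hunk.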
