| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
The resource_spec was failing because /etc is not considered a
fully-qualified path on Windows. Using File.expand_path fixes that.
The suidmanager_spec was failing because we weren't stubbing the
microsoft_windows feature, so SUIDManager.asuser was a no-op when
running as root, and our expectations weren't being met.
|
| |\ |
|
| | |\
| | |
| | |
| | | |
into 2.7.x
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The spec tests failed when running spec/unit/face/node_spec.rb
followed by spec/unit/ssl/certificate_request_spec.rb, because the
clean action for the node face was leaving
Puppet::SSL::Host.ca_location set to :local instead of its default
:none state.
This commit resets the ca_location back to :none in the top-level
after :all block.
|
| | |\ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* 2.6.x:
Reset indirector state after configurer tests.
(#8770) Don't fail to set supplementary groups when changing user to root
(#8770) Always fully drop privileges when changing user
(#8662) Migrate suidmanager test case to rspec
(#8740) Do not enumerate files in the root directory.
(#3553) Explain that cron resources require time attributes
Conflicts:
lib/puppet/application/resource.rb
test/puppet/tc_suidmanager.rb
|
| | | |\ \
| | | | |
| | | | | |
Do not leak indirector state
|
| | | |/ /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Because the indirector state persists across tests, we need to make
sure that we clean up after ourselves whenever we explicitly set a
non-default configuration. We now reset the terminus class after all
the tests have run in the context with the modified configuration.
|
| | | |\ \
| | | | |
| | | | |
| | | | |
| | | | | |
* nicklewis/ticket/2.6.x/8770:
(#8770) Don't fail to set supplementary groups when changing user to root
|
| | | |/ /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Previously, Puppet::Util::SUIDManager.change_user would always try to set
supplementary groups (Process.initgroups) before changing its EUID.
Process.initgroups requires the calling process to have EUID 0 in order to
succeed.
This worked fine in the case where the process was changing from root to a
normal user, as it would set groups as root and then change EUID to 0.
However, in the case where the process was changing back to root from a normal
user, it would attempt to set groups as the normal user, and fail.
Now, we check Process.euid before changing, and will set groups first if root,
and will set euid first if not root. This ensures we can freely switch back
and forth between root.
This behavior is maintained inside of the change_user, rather than being broken
into eg. raise_privilege and lower_privilege, because it is a relatively minor
behavior difference, and the helper methods on their own would not have been
generically useful.
|
| | | |\ \
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* nicklewis/ticket/2.6.x/8770:
(#8770) Always fully drop privileges when changing user
(#8662) Migrate suidmanager test case to rspec
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
On Mac OS X, it is only possible to directly change the euid of a process, and
not the uid. Thus, when a puppet master started as root on OS X would change to
the service user (puppet), it would leave the uid of its process set to 0.
This allowed any type of Ruby plugin executed on the master (a type, provider,
function, etc.) to trivially regain root privileges (by setting the euid of
its process back to 0) and potentially compromise the master.
Now, when permanently changing user, we will first try
Process::UID.change_privilege, before falling back to setting the euid/uid
ourselves. change_privilege correctly sets the uid of the process to the
desired new uid, preventing the process from later escalating itself back to
root. Similar behavior is also used when changing group. This has no effect on
the behavior when temporarily changing user/group (for instance, to execute a
single command or create a file as a particular user).
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We're trying to move away from the legacy Test::Unit tests, and toward rspec
specs, so rewrite this file as specs.
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
| | | |\ \ \
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
joshcooper/ticket/2.6.x/8740-cannot-manage-files-of-type-socket
Ticket/2.6.x/8740 cannot manage files of type socket
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Previously the command 'puppet resource file' would enumerate all files
in the root directory, and generate an exception if the file type was
not a directory, file, or link. Worse, it would also do this when a file
or directory was specified, e.g. 'puppet resource file /etc/hosts'.
Ideally, the find method of the ral terminus should not need to call the
type's instances class method, instead just creating an instance of the
type with the specified name and parameters. However, some types, like
package, depend on this behavior. The type walks all providers and all
instances that they provide, checking to see if the provider provides an
instance with that name, and also warning if another provider provides
an instance with the same name.
Also, ideally, puppet should not blow up when encountering an
unsupported file type, e.g. Unix domain socket, but that would be too
big of a change for 2.6.x.
This commit changes 'puppet resource file' to return a message saying
that the operation is not supported:
Listing all file instances is not supported. Please specify a file
or directory, e.g. puppet resource file /etc
The change is bit of a hack, as ideally, the file type's instances
method could raise an exception when called in a 'search' context, but
return an empty array in a 'find' context. But that also would be too
big of a change for 2.6.x.
This commit also adds spec tests for the resource application and file
type, as well as an acceptance test, which creates a Unix domain socket
in the root directory, while running 'puppet resource file'.
Paired-with: Nick Lewis <nick@puppetlabs.com>
Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
|
| | | |\ \ \ \
| | | |_|/ /
| | |/| | | |
Ticket/2.6.x/3553 cron requires time
|
| | | |/ / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The cron resource docs previously read, "All fields except the command and the
user are optional, although specifying no periodic fields would result in the
command being executed every minute." This was factually incorrect; instead,
specifying no periodic fields results in a failure and an unhelpful error on
Puppet 2.6 and 2.7.
Although the issue will remain open as a behavior bug, this commit corrects
the documentation of which attributes are required. It also changes the @doc
string to a heredoc to simplify quote escaping.
|
| | |\ \ \ \
| | | | | |
| | | | | | |
(#9039) Update Augeas commands documentation
|
| | | | |_|/
| | |/| |
| | | | |
| | | | |
| | | | | |
Added documentation on commands added as part of #6494 and clarified existing
commands documentation.
|
| | |\ \ \ \
| | |/ / /
| |/| | |
| | | | |
| | | | | |
nfagerlund/ticket/2.7.x/8037_incorrect_augeas_example
(#8037) Fix incorrect example in Augeas type reference
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The changes attribute for the Augeas type's second example was
incorrect, as it had leading slashes that took the paths out of the
context of /files. This commit fixes the bad example, and changes the doc
string to a heredoc to eliminate some messy escaping.
|
| |\| | | |
|
| | |\ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
These specs were assuming that paths such as /foo were always absolute, which
is not the case on Windows. Thus, when run on Windows, the provider was
complaining about receiving relative paths when it expected absolute, rather
than succeeding or failing in the intended way. Now we expand all paths we want
to be absolute, to guarantee they will be absolute everywhere.
Also, some specs were failing because they were trying to test the case where a
file isn't executable. That's not something we can reliably check on Windows,
so instead just stub the appropriate executable? methods.
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
| |\| | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Conflicts:
lib/puppet/provider/augeas/augeas.rb
spec/unit/node_spec.rb
|
| | |\| | | |
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Because this provider only applies when the posix feature is present (and thus
not the windows feature), it can never be used on Windows. Thus, the
Windows-specific command handling is unnecessary and unused.
Also added more specific error messages for the cases where a command doesn't
exist, isn't a file, and isn't executable. These only apply when the command
path is absolute (otherwise the message is simply command not found).
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
| | |\ \ \
| | | | |
| | | | | |
Fix order dependent terminus tests in 2.7.x
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Since the indirector state persists across tests, we were seeing order
dependent test failures with tests that assumed the default indirector
settings.
Specifically, if the following tests were run in order, the first
would cause failures in the second two:
spec/unit/application/apply_spec.rb
spec/unit/node_spec.rb
spec/integration/node_spec.rb
To protect against this state leakage, we now:
- reset the Puppet::Node terminus before each test in
spec/integration/node_spec.rb to ensure we are testing a clean
environment.
- reset the Puppet::Node, and Puppet::Node::Facts terminus, and
cache class after each test in spec/unit/application/apply_spec.rb
to prevent leakage into other tests.
Since the cache class has the same state leakage problem as the
terminus class, but does not have the same ability to lazily populate
the default when set to nil, we remove the test. Testing the default
for the cache class would require running the test before all other
tests to ensure there is no state pollution.n
|
| | |\ \ \ \
| | |/ / /
| |/| | | |
Ticket/2.7.x/8612 exec creates parameter
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | | |
It was not clear to all readers that /var/tmp/myfile was being extracted from
the tarball. This commit adds a sentence to make the conditions when the exec
will run more explicit and fixes an error in the tar command.
|
| | |\ \ \
| | | | |
| | | | | |
(#8808) Fail Augeas resource when unable to save changes
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Raise a failure when Augeas changes cannot be saved (due to invalid layout of
the tree, permissions etc). Fixes a regression.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Since the cacher was removed in master the indirection's terminus class
no longer gets reset between tests by clearing the cache. This meant
that one spec was setting the cache_class and affecting another spec,
causing failures.
Now that test manually resets its indirection related info.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| |\| | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* 2.7.x: (25 commits)
(#4411) Explain that runinterval = 0 does not mean "never run"
Maint: Fix missing option text in puppet agent and arrange options alphabetically
(#8302) Improve documentation of exec providers
(#7853) Clarify and complete docs for the tagmail report processor
Maint: Mention that audit metaparameter will accept "all"
Maint: Adjust wording for file type's content parameter
Maint: Fix poor documentation for versioncmp function.
maint: Fix case sensitive require
maint: Add inspect app options to help
maint: Fix inspect help
Increment lib/puppet.rb VERSION string
Updated CHANGELOG for 2.7.3rc1
(#4762) Ensure that clients on the moon can successfully connect.
Add document outlining preferred contribution methods
Add document outlining preferred contribution methods
Add document outlining preferred contribution methods
Revert "Merge branch 'vcsrepo'"
Revert "Merge branch 'vcsrepo'"
Updating CHANGELOG for 2.7.2rc3
(#8704) Give better errors for invalid fileserver.conf
...
Manually Resolved Conflicts:
lib/puppet/parser/functions/versioncmp.rb
spec/integration/node/facts_spec.rb
|
| | |\ \ \ \
| | | | | |
| | | | | | |
Maint/2.7.x/minor docs fixes
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Unlike several other tools that accept a number of seconds between runs,
puppet agent doesn't use 0 as a special value representing "never;" instead,
it takes this as an instruction to run continuously. As this has caused some
user confusion, this commit updates runinterval's description to explain this,
and points to the correct method to make puppet agent do nothing.
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
alphabetically
Puppet agent's man text was missing the --no-client option in its command
synopsis, and the long text for --no-client cut off weirdly in the middle of a
sentence. This commit fixes both problems, and arranges all the options
alphabetically so they're easier to reference.
|
| | |\ \ \ \ \
| | | |_|/ /
| | |/| | |
| | | | | |
| | | | | |
| | | | | | |
* 2.6.x:
(#8302) Improve documentation of exec providers
Add document outlining preferred contribution methods
|
| | | |\ \ \ \
| | | |_|_|/
| | |/| | | |
Ticket/2.6.x/8302 exec provider docs
|
| | | |/ / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The documentation for the shell and posix providers didn't fully explain the
differences between them or the security implications of each. This commit
improves the documentation of both providers.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
We have historically had the preferred contribution process on the
Redmine wiki, however this is not obvious to people that don't already
know it is there. By adding this document to the repository itself,
it becomes much easier for new contributors to find what the preferred
contribution methods are.
By having the preferred contribution method in the repository also
means that it becomes a "curated" document, which must go through the
same submission/review process that other changes to the repositories
go through.
Reviewed-by: Nick Fagerlund <nick.fagerlund@puppetlabs.com>
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | |\ \ \ \
| | |_|/ /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Merge branch 'maint/2.7.x/misc_doc_fixes' into 2.7.x
* maint/2.7.x/misc_doc_fixes:
(#7853) Clarify and complete docs for the tagmail report processor
Maint: Mention that audit metaparameter will accept "all"
Maint: Adjust wording for file type's content parameter
Maint: Fix poor documentation for versioncmp function.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The tagmail report docs did not mention that you could use log levels as
tags, and was unclear in several other minor ways. This commit improves that
documentation.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Previously, `audit => all` wasn't documented anywhere. This commit adds
a note on it to the metaparameter reference.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The content parameter's doc string said: "The primary purpose of this
parameter is to provide a kind of limited templating... This attribute
is especially useful when used with templating." This commit clarifies
said awkward wording.
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | | |
The versioncmp function's documentation was missing punctuation and was
unnecessarily vague. This commit clarifies the return data and makes the
documentation more legible at a glance.
|
| | |\ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
* ticket/2.7.x/maint-fix_inspect_help:
maint: Fix case sensitive require
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Mac's filesystems aren't case sensitive, so developing this change
didn't catch the issue with requiring filenames that had been
uppercased.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | |\| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* ticket/2.7.x/maint-fix_inspect_help:
maint: Add inspect app options to help
maint: Fix inspect help
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Inspect wasn't documenting the only two options it has, archive_files
and archive_file_server. Now it does.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
