path: root/lib/puppet/indirector
Commit message [Author, Age, Files, Lines]
* Merge branch '0.25.x' [Markus Roberts, 2010-02-09, 2 files, -0/+4]
|\ Conflicts: lib/puppet/agent.rb lib/puppet/application/puppet.rb lib/puppet/configurer.rb man/man5/puppet.conf.5 spec/integration/defaults.rb spec/unit/configurer.rb
| * Partial reversion of patch for #3088 to fix #3104 (Exception misreported) [Markus Roberts, 2010-01-24, 2 files, -2/+2]
| | In my patch for #3088 I made an erroneous assumption about the ruby exception hierarchy and thus missed the fact that Timeout::error descends from both SignalError and Interrupt. This is a partial reversion of the patch for #3088 to let these through so that more useful error messages can be produced.
| * Fix for #3088 (catching Exception also traps SystemExit) [Markus Roberts, 2010-01-24, 2 files, -0/+4]
| | Changing rescues from the default to Exception (to catch errors that don't descend from StandardError) had the unintended consequence of catching (and suppressing) SystemExit. This patch restores the behavior of by reraising the exception. Of the other exceptions that fall through the same crack (NoMemoryError, SignalException, LoadError, Interrupt, NotImplementedError, and ScriptError) this patch also reraises NoMemoryError, SignalException, and Interrupt in the same way and leaves the rest captured.
* | Merge branch '0.25.x' [James Turnbull, 2010-01-13, 4 files, -23/+21]
|\| Conflicts: lib/puppet/ssl/host.rb spec/spec_helper.rb
| * Fix for #2765 (--no-fqdn regression in puppetrun) [Markus Roberts, 2009-12-20, 1 file, -3/+6]
| | This is basically the fix suggested on the ticket, cleaned up and ruby-ized, with tests. The only functional modification is leaving the default on entry2hash as --no-fqdn to preserve 0.25.1 behaviour as the default.
| | Signed-off-by: Markus Roberts <Markus@reality.com>
| * Fix for #2890 (the cached certificates that would not die) [Markus Roberts, 2009-12-19, 3 files, -20/+15]
| | This patch implements the two-part suggestion from the ticket;
| | 1) a client that receives a certificate that doesn't match its current private key does not accept, store or use the certificate--instead it removes any locally cached copies and acts as if the certificate had never been found.
| | 2) a puppetmaster that receives a csr from a client for whom it already has a signed certificate now honors the request and considers it to supersede any previously signed certificates.
| | In order to make the cache expiration work as expected, I changed a few assumptions in the caching system:
| | * The expiration of a cached certificate is the earlier of the envelope expiration and the certificate's expiration, as opposed to just overriding the cache value
| | * Telling the cache to expire an item now removes it from the cache if possible, rather than just setting an expiration date in the past and hoping that somebody notices.
| | Signed-off-by: Markus Roberts <Markus@reality.com>
* | Merge branch '0.25.x' [Luke Kanies, 2009-12-21, 4 files, -3/+8]
|\| Conflicts: lib/puppet/agent.rb lib/puppet/application/puppetd.rb lib/puppet/parser/ast/leaf.rb lib/puppet/util/rdoc/parser.rb
| * Possible workaround for #2824 (MRI GC bug) [Markus Roberts, 2009-11-19, 1 file, -1/+1]
| | This is a moderately ugly workaround for the MRI garbage collection bug (see the ticket for details). I explored several other potential solutions (notably, monkey patching the routines that trigger the bug) but none of them were satisfactory. Monkey patching sub, gsub, sub!, gsub!, etc., for example, either changes the scoping of $~, $1, etc. in a way that could potentially subtly change the meaning of programs or (if you are clever) faithfully reproduces the behaviour of MRI--including the memory leak.
| | I decided to go with the standardized and somewhat obnoxious never-used optional argument as it was easy to automatically insert and should be even easier to automatically find and remove if a better fix is developed. It also should be obtrusive enough to escape accidental removal in refactoring.
| * Fixed ldap typo again [James Turnbull, 2009-11-15, 1 file, -1/+1]
| |
| * Fix for #2661 and related issues [Markus Roberts, 2009-11-13, 1 file, -1/+1]
| | If setup code for a process depends on network connectivity it needs to be protected with a rescue clause as much as the main body of the process. Further, Timeout exceptions aren't under StandardError and thus aren't caught by an un-typed rescue clause. This doesn't matter if we've morphed the exception, but will cause the program to fail if we haven't.
| | There are many places where these concerns _might_ cause a problem but in most cases they never will in practice; this patch addresses the five cases where I have been able to confirm that it actually can cause the client daemon to exit and two more where I suspect (but can not prove) that it could.
| | This is an extension of the prior patch to cover additional cases found by automated testing (repeated catalog runs with a 1% chance of timeout forced on all timeout-bound operations, ~5000 runs). The new cases recurred multiple times (>100 each) and in a final pass with these corrected (~2500 runs) no additional cases were found.
| * Fix #2787 - Storeconfig doesn't store/update node ip and environment anymore [Brice Figureau, 2009-11-07, 1 file, -0/+5]
| | Since the storeconfig refactoring (ie moving the catalog storeconfig system under the indirector) in 0.25 we lost the capability to store the node ip and node environment name. This patch restores this feature.
| | Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
| * Fixed typo in lib/puppet/indirector/ldap.rb [James Turnbull, 2009-10-27, 1 file, -1/+1]
| |
| * Revised partial fix for #2661 and related issues [Markus Roberts, 2009-10-27, 2 files, -3/+3]
| | If setup code for a process depends on network connectivity it needs to be protected with a rescue clause as much as the main body of the process. Further, Timeout exceptions aren't under StandardError and thus aren't caught by an un-typed rescue clause. This doesn't matter if we've morphed the exception, but will cause the program to fail if we haven't.
| | There are many places where these concerns _might_ cause a problem but in most cases they never will in practice; this patch addresses the two cases where I have been able to confirm that it actually can cause the client daemon to exit and two more where I suspect (but can not prove) that it could.
| | I'd be willing to push this patch as it stands, as it at least fixes demonstrable problems. A more general solution would be nice.
* | Fixing #2617 - using the searched-for REST name [Luke Kanies, 2009-11-20, 1 file, -1/+3]
|/ This allows a separation between the wrapper class and its internals, which is (at least) necessary for the CA cert, which might not be found using the internal name.
|  Signed-off-by: Luke Kanies <luke@madstop.com>
* Bundling of pure ruby json lib as "pson" [Markus Roberts, 2009-10-17, 1 file, -3/+3]
| Bundling and renaming the pure ruby json library to address a number of cross version serialization bugs (#2615, et al).
| This patch adds a subset of the files from the json_pure gem to lib/puppet/external/pson (renamed to avoid conflicts with rails) so that we will always have a known-good serialization format available. The pure ruby json gem as distributed defers to the compiled version if it is installed. This is problematic in some circumstances so the files that have been brought over have been modified to always and only use the bundled version.
| It's a large patch, so here's a breakdown of the change categories:
| The majority of the lines are only marginally interesting:
| * The json lib itself (in lib/puppet/external/pson) make up the bulk of the lines.
| * Renaming of json to pson make up the second largest group.
| Somewhat more interesting are the following, which can be located by searching the diffs for the indicated strings:
| * Adjusting tests to reflect the changes
| * Changing the encoding/decoding behavior so that nested structures (e.g. resources) don't serialize as escaped strings. This should make it much easier to process the results with external tools, if needed. Search for "to_pson" and "to_pson_data_hash"
| * Cleaning up the envelope/metadata
| * Now provides a document_type (as opposed to a ruby class name) by using a simple registration scheme instead of constant lookup (search for "document_type")
| * Added an api_version (search for "api_version")
| * Added a hash for document metadata (search for "metadata")
| * Removing the yaml monkeypatch and instead disabling yaml serialization on ruby 1.8.1 in favor of pson (search for "yaml")
| * Cleaning up the json/rails feature interaction (they're now totally independent) (search for "feature")
* Fixing #2617 - use the cert name as specified [Luke Kanies, 2009-09-22, 1 file, -0/+6]
| This allows us to search for a cert, and we use the searched-for term as the cert name (for the wrapper, not the actual cert object), rather than the real cert name. This allows us to use symbolic names like 'ca', as we're currently doing.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fix for #2600 (wrong number of arguments under older mongrel) [Markus Roberts, 2009-09-15, 1 file, -1/+1]
| This was an API compatibility problem with mongrel's HTTPResponse.start() method between Mongrel 1.0.x and 1.1.x (the number of parameters changed). The older version does not provide the option to set the response header message which was used (redundantly with the response body) to return the error message when the HTTP response was signaling an error.
| In order to support the older version the call was wrapped with a fallback and the corresponding code in the other rest implementations was adjusted to always send the error message in the response body. Then the rest terminus was adjusted to pull the message from the response body (if it is present) rather than from the header (which is only used as a fallback for dealing with older puppetmasters), and the tests were augmented to verify this behaviour.
| Signed-off-by: Markus Roberts <Markus@reality.com>
* Update documentation string to reflect actual intent of Puppet::Node::Facts::Rest [Steven Jenkins, 2009-09-04, 1 file, -1/+1]
|
* Fixing #2558 - propagating recent fileserving changes [Luke Kanies, 2009-08-24, 1 file, -2/+2]
| I'd made changes to the internals of the fileserving system to fix #2544 (mostly switched from passing the node around and then calculating the environment to just passing the environment around), but those changes weren't consistent throughout the fileserving code.
| In the process of making them consistent, I realized that the plain file server actually needs the node name rather than the environment, so I switched to passing the request around, because it has both pieces of information.
| Also added further integration tests which will hopefully keep this from cropping up again.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #1544 - plugins in modules now works again [Luke Kanies, 2009-08-18, 1 file, -4/+5]
| We had to fix the fileserving plumbing to use the request environment instead of trying to use the node environment. This was apparently never fixed after we added the environment to the URI in REST calls.
| There's still a bit of refactoring left to clean up the APIs used in some of this code.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing fact-missing problem when puppet.conf is reparsed [Luke Kanies, 2009-08-18, 1 file, -0/+6]
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fix #2516 - Fix format detection when content-type contains charset [Brice Figureau, 2009-08-13, 1 file, -2/+4]
| Even though Puppet never transmits a charset information in its response/request content-type, some proxy (especially Apache with the infamous AddDefaultCharset configuration) may add this "incorrect" information.
| This patch makes sure that only the mime-type is used when looking for the format associated with a response or a request.
| The patch also provides a better error message when the client or server code is fed with a request whose mime-type can not be mapped to a known format. It also fixes a typo noticed by the original reporter.
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #2507 - Exported resources were not correctly collected. [Brice Figureau, 2009-08-13, 1 file, -1/+1]
| #2507 contains two issues:
| * a crash when we filter out an unwanted resource which had edges pointing to it.
| * resources are losing their virtuality when they are transformed from Puppet::Parser::Resource to Puppet::Resource. This means we weren't able to distinguish anymore between an exported resource collected in the same node as it was exported and an exported resource collected in another node.
| The net result is that we can't apply exported resources that are collected in the same node because they are filtered out by the catalog filter (see the commits for #2391 for more information).
| The fix is to keep the virtuality of the resources so that we can differentiate those two types of exported resources. We keep this until the catalog is ready to be sent, where we filter out the virtual resources only, the other still exported ones needs to be sent to the client. To be real sure, the transaction also skips virtual resources.
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fixing #2489 - queue integration tests are skipped w/out json [Luke Kanies, 2009-08-10, 1 file, -1/+0]
| All of the tests were failing because we had a call outside of any of the tests, just to autoload the constant. Removed that call and stubbed things so the tests don't run without json.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixes #2464, #2457. Deprecate reportserver for report_server. Add report_port setting. Add tests. [Nigel Kersten, 2009-08-04, 1 file, -0/+2]
|
* Modifying the REST client error to make server errors more clear [Luke Kanies, 2009-08-01, 1 file, -1/+1]
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fix #2425 - make sure client can contact CA server with REST [Brice Figureau, 2009-07-21, 3 files, -0/+9]
| The various REST SSL terminii were never setup to use the ca_server/ca_port if one is setup.
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #2424 - File server can't find module in environment [Brice Figureau, 2009-07-18, 1 file, -2/+2]
| Actually, the issue is:
| * when the web server gets the request, it creates an indirection request, filling attributes like ip or node from the HTTP request. To do this, all the interesting attributes are given in a hash (called options, see P::I::Request#new). Once the request is properly initialized the options hash doesn't contain the ip or node information (see set_attributes)
| * the request is then transmitted to the file_serving layer, which happily wants to use the node attribute to find environments or perform authorization. Unfortunately it fetches the node value from the request options hash, not the request itself. Since this node information is empty, puppet fails to find the proper mount point, and fails the download.
| This change makes sure we pass all the way down the node and fix the authorization check.
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #2391 - Exported resources never make to the storeconfigs db [Brice Figureau, 2009-07-18, 2 files, -1/+7]
| The issue is that when we convert Puppet::Parser::Resource catalog to a Puppet::Resource catalog before storing it to the database, we don't allow virtual resource to be converted. Unfortunately exported resources are virtual by design, and as such aren't converted, and we lose them, so it isn't possible to store them in the database. Unfortunately, the client will get the exported resources too.
| The fix is dual-fold:
| * we make sure exported resource are skipped when the transaction is applied as a last safeguard
| * we filter-out the catalog through the catalog compiler terminus before the catalog is returned to the client
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #2261 - Make sure query string parameters are properly escaped [Brice Figureau, 2009-07-17, 1 file, -4/+5]
| The problem is that URI.escape by default doesn't escape '+' (and some other characters). But some web framework (at least webrick) unescape the query string behind Puppet's back changing all '+' to spaces corrupting facts containing '+' characters (like base64 encoded values).
| The current fix makes sure we use CGI.escape for all query string parameters. Indirection keys/path are still using URI escaping because this part of the URI format shouldn't be handled like query string parameters (otherwise '/' url separators are encoded which changes the uri path).
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #2392 - use Content-Type for REST communication [Brice Figureau, 2009-07-05, 1 file, -1/+1]
| There were two problems:
| * server->client communications is using Content-Type with the direct format name instead of the format mime-type.
| * client->server communications is not using Content-Type to send the format of the serialized object. Instead it is using the first member of the Accept header. The Accept header is usually reserved for the other side, ie what the client will accept when the server will respond.
| This patch makes sure s->c communication contains correct Content-Type headers. This patch also adds a Content-Type header containing the mime-type of the object sent by the client when saving.
| Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Switching Queueing to using JSON instead of YAML [Luke Kanies, 2009-06-06, 1 file, -13/+20]
| This provides about a 75x speedup, so it's totally worth it. The downside is that queueing requires json, but only on the server side.
* Removed extra whitespace from end of lines [Ian Taylor, 2009-06-06, 11 files, -20/+20]
|
* Fixing #2315 - ca --generate works again [Luke Kanies, 2009-06-03, 1 file, -9/+1]
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Changing Puppet::Cacher::Expirer#expired? method name [Luke Kanies, 2009-05-28, 1 file, -0/+1]
| This method name clashed with Puppet::Indirector::Envelope#expired?, and its name wasn't actually very appropriate. The new method name is 'dependent_data_expired?'.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #2240 - external node failures now log output [Luke Kanies, 2009-05-28, 1 file, -5/+1]
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixes #2209 - Spec is failing due to a missing require [Stéphan Gorget, 2009-05-02, 1 file, -0/+1]
|
* Fixing #2149 - Facts are passed as part of the catalog request [Luke Kanies, 2009-04-22, 1 file, -9/+35]
| This removes the requirement of shared fact caching on the servers, since the server responding to the catalog request will receive the facts as part of the request.
| The facts are serialized as a parameter to the request, rather than each being set as a separate request parameter.
| This hard-codes yaml as the serialization format for the facts, because I couldn't get marshal to work and it's just not as big a deal for such a small amount of data.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding time debugging for catalog storage to active_record [Luke Kanies, 2009-04-22, 1 file, -3/+5]
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Using a setting for configuring queueing [Luke Kanies, 2009-04-22, 1 file, -1/+0]
| Removing class methods and such, and switching to relying solely on a setting for the queue configuration.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Removing unnecessary parser variables when yaml-dumping [Luke Kanies, 2009-04-22, 2 files, -5/+5]
| Also working around a YAML bug in Ruby.
| And fixing tests that were broken in a previous commit in this rebase but not caught earlier.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Add queue indirection as an option for catalog storage. [Ethan Rowe, 2009-04-22, 1 file, -0/+5]
| This eventually will allow catalog storage ("storeconfigs") to be taken out of the critical request-handling path of puppetmasterd, such that:
| * Puppet::Node::Catalog can be serialized to a message queue via the indirector's "save" method
| * a separate process can use Puppet::Node::Catalog::Queue.subscribe to pick up these catalog objects as they come in and can save them to the database through the :active_record terminus
* Introduce abstract queue terminus within the indirection system. [Ethan Rowe, 2009-04-22, 1 file, -0/+78]
| The queue abstract terminus allows the standard indirector behaviors to interact with a message queue broker, such that the indirector's "save" method writes the relevant model object out to a queue on the message broker. While the indirector's "find" method does not map to a message queue, the queue terminus class offers a "subscribe" method that allows for easy implementation of an event loop, receiving indirected objects saved to a queue as they come in.
* Refactoring the Rails integration [Luke Kanies, 2009-04-22, 2 files, -2/+2]
| This moves all code from the Parser class into the ActiveRecord classes, and gets rid of 'ar_hash_merge'.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding ActiveRecord terminus classes for Catalog [Luke Kanies, 2009-04-22, 1 file, -0/+34]
| This provides the last piece of ActiveRecord integration. It's pretty much just pass-through and *only* works if you're storing Parser resources to the db.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Adding ActiveRecord terminus classes for Node and Facts. [Luke Kanies, 2009-04-22, 3 files, -0/+70]
| This is most of the way to replacing standard StoreConfigs integration with the Indirector. We still need to convert the Catalog and then change all of the integration points (which is mostly the 'store' call in the Compiler).
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Fixing #2171 - All certificate files are written with default perms [Luke Kanies, 2009-04-22, 2 files, -5/+7]
| We were already writing all specific files with appropriate permissions; this change makes all of the files that are part of a group (which largely means files saved by puppetmasterd and puppetca) are also written using the correct permissions.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Partially fixing #2029 - failed caches doesn't throw an exception [Luke Kanies, 2009-04-17, 1 file, -7/+17]
| If the main terminus fails you get an exception, but not if a cache terminus fails.
| Signed-off-by: Luke Kanies <luke@madstop.com>
* Merge branch '0.24.x' [Luke Kanies, 2009-04-02, 1 file, -39/+75]
|\ Conflicts: bin/ralsh lib/puppet/executables/client/certhandler.rb lib/puppet/parser/functions/versioncmp.rb lib/puppet/parser/resource/reference.rb lib/puppet/provider/augeas/augeas.rb lib/puppet/provider/nameservice/directoryservice.rb lib/puppet/provider/ssh_authorized_key/parsed.rb lib/puppet/type.rb lib/puppet/type/file/checksum.rb spec/integration/defaults.rb spec/integration/transaction/report.rb spec/unit/executables/client/certhandler.rb spec/unit/indirector/ssl_rsa/file.rb spec/unit/node/catalog.rb spec/unit/provider/augeas/augeas.rb spec/unit/rails.rb spec/unit/type/ssh_authorized_key.rb spec/unit/type/tidy.rb test/executables/filebucket.rb test/executables/puppetbin.rb
| * Fixing #1991 - ldap booleans get converted to booleans [Luke Kanies, 2009-03-05, 1 file, -0/+25]
| | Signed-off-by: Luke Kanies <luke@madstop.com>