summaryrefslogtreecommitdiffstats
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* Merge branch '2.7.x'Nick Lewis2011-08-176-81/+101
|\
| * Merge branch '2.6.x' into 2.7.xJacob Helwig2011-08-175-68/+82
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * 2.6.x: Reset indirector state after configurer tests. (#8770) Don't fail to set supplementary groups when changing user to root (#8770) Always fully drop privileges when changing user (#8662) Migrate suidmanager test case to rspec (#8740) Do not enumerate files in the root directory. (#3553) Explain that cron resources require time attributes Conflicts: lib/puppet/application/resource.rb test/puppet/tc_suidmanager.rb
| | * (#8770) Don't fail to set supplementary groups when changing user to rootNick Lewis2011-08-121-2/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, Puppet::Util::SUIDManager.change_user would always try to set supplementary groups (Process.initgroups) before changing its EUID. Process.initgroups requires the calling process to have EUID 0 in order to succeed. This worked fine in the case where the process was changing from root to a normal user, as it would set groups as root and then change EUID to 0. However, in the case where the process was changing back to root from a normal user, it would attempt to set groups as the normal user, and fail. Now, we check Process.euid before changing, and will set groups first if root, and will set euid first if not root. This ensures we can freely switch back and forth between root. This behavior is maintained inside of the change_user, rather than being broken into eg. raise_privilege and lower_privilege, because it is a relatively minor behavior difference, and the helper methods on their own would not have been generically useful.
| | * Merge remote-tracking branch 'nicklewis/ticket/2.6.x/8770' into 2.6.xJacob Helwig2011-08-112-54/+56
| | |\ | | | | | | | | | | | | | | | | | | | | * nicklewis/ticket/2.6.x/8770: (#8770) Always fully drop privileges when changing user (#8662) Migrate suidmanager test case to rspec
| | | * (#8770) Always fully drop privileges when changing userNick Lewis2011-08-112-54/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On Mac OS X, it is only possible to directly change the euid of a process, and not the uid. Thus, when a puppet master started as root on OS X would change to the service user (puppet), it would leave the uid of its process set to 0. This allowed any type of Ruby plugin executed on the master (a type, provider, function, etc.) to trivially regain root privileges (by setting the euid of its process back to 0) and potentially compromise the master. Now, when permanently changing user, we will first try Process::UID.change_privilege, before falling back to setting the euid/uid ourselves. change_privilege correctly sets the uid of the process to the desired new uid, preventing the process from later escalating itself back to root. Similar behavior is also used when changing group. This has no effect on the behavior when temporarily changing user/group (for instance, to execute a single command or create a file as a particular user). Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
| | * | Merge pull request #32 from ↵Nick Lewis2011-08-112-2/+5
| | |\ \ | | | | | | | | | | | | | | | | | | | | joshcooper/ticket/2.6.x/8740-cannot-manage-files-of-type-socket Ticket/2.6.x/8740 cannot manage files of type socket
| | | * | (#8740) Do not enumerate files in the root directory.Josh Cooper2011-08-112-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously the command 'puppet resource file' would enumerate all files in the root directory, and generate an exception if the file type was not a directory, file, or link. Worse, it would also do this when a file or directory was specified, e.g. 'puppet resource file /etc/hosts'. Ideally, the find method of the ral terminus should not need to call the type's instances class method, instead just creating an instance of the type with the specified name and parameters. However, some types, like package, depend on this behavior. The type walks all providers and all instances that they provide, checking to see if the provider provides an instance with that name, and also warning if another provider provides an instance with the same name. Also, ideally, puppet should not blow up when encountering an unsupported file type, e.g. Unix domain socket, but that would be too big of a change for 2.6.x. This commit changes 'puppet resource file' to return a message saying that the operation is not supported: Listing all file instances is not supported. Please specify a file or directory, e.g. puppet resource file /etc The change is bit of a hack, as ideally, the file type's instances method could raise an exception when called in a 'search' context, but return an empty array in a 'find' context. But that also would be too big of a change for 2.6.x. This commit also adds spec tests for the resource application and file type, as well as an acceptance test, which creates a Unix domain socket in the root directory, while running 'puppet resource file'. Paired-with: Nick Lewis <nick@puppetlabs.com> Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
| | * | | (#3553) Explain that cron resources require time attributesnfagerlund2011-08-101-12/+13
| | | |/ | | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The cron resource docs previously read, "All fields except the command and the user are optional, although specifying no periodic fields would result in the command being executed every minute." This was factually incorrect; instead, specifying no periodic fields results in a failure and an unhelpful error on Puppet 2.6 and 2.7. Although the issue will remain open as a behavior bug, this commit corrects the documentation of which attributes are required. It also changes the @doc string to a heredoc to simplify quote escaping.
| * | | Merge pull request #43 from domcleal/tickets/2.7.x/9039Daniel Pittman2011-08-171-2/+7
| |\ \ \ | | | | | | | | | | (#9039) Update Augeas commands documentation
| | * | | (#9039) Update Augeas commands documentationDominic Cleal2011-08-171-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | | Added documentation on commands added as part of #6494 and clarified existing commands documentation.
| * | | | (#8037) Fix incorrect example in Augeas type referencenfagerlund2011-08-171-11/+12
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | The changes attribute for the Augeas type's second example was incorrect, as it had leading slashes that took the paths out of the context of /files. This commit fixes the bad example, and changes the doc string to a heredoc to eliminate some messy escaping.
* | | | Merge branch '2.7.x'Nick Lewis2011-08-162-23/+26
|\| | | | | | | | | | | | | | | | | | | | | | | Conflicts: lib/puppet/provider/augeas/augeas.rb spec/unit/node_spec.rb
| * | | (#5495) Remove dead Windows-specific code from posix exec providerNick Lewis2011-08-161-16/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Because this provider only applies when the posix feature is present (and thus not the windows feature), it can never be used on Windows. Thus, the Windows-specific command handling is unnecessary and unused. Also added more specific error messages for the cases where a command doesn't exist, isn't a file, and isn't executable. These only apply when the command path is absolute (otherwise the message is simply command not found). Reviewed-By: Matt Robinson <matt@puppetlabs.com>
| * | | (#8612) Clarify the function of the example for exec's "creates" parameternfagerlund2011-08-151-7/+10
| | | | | | | | | | | | | | | | | | | | | | | | It was not clear to all readers that /var/tmp/myfile was being extracted from the tarball. This commit adds a sentence to make the conditions when the exec will run more explicit and fixes an error in the tar command.
| * | | Merge pull request #22 from domcleal/tickets/2.7.x/8808Daniel Pittman2011-08-121-3/+5
| |\ \ \ | | | | | | | | | | (#8808) Fail Augeas resource when unable to save changes
| | * | | (#8808) Fail Augeas resource when unable to save changesDominic Cleal2011-08-061-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | Raise a failure when Augeas changes cannot be saved (due to invalid layout of the tree, permissions etc). Fixes a regression.
* | | | | Merge branch '2.7.x'Matt Robinson2011-08-1526-861/+320
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * 2.7.x: (25 commits) (#4411) Explain that runinterval = 0 does not mean "never run" Maint: Fix missing option text in puppet agent and arrange options alphabetically (#8302) Improve documentation of exec providers (#7853) Clarify and complete docs for the tagmail report processor Maint: Mention that audit metaparameter will accept "all" Maint: Adjust wording for file type's content parameter Maint: Fix poor documentation for versioncmp function. maint: Fix case sensitive require maint: Add inspect app options to help maint: Fix inspect help Increment lib/puppet.rb VERSION string Updated CHANGELOG for 2.7.3rc1 (#4762) Ensure that clients on the moon can successfully connect. Add document outlining preferred contribution methods Add document outlining preferred contribution methods Add document outlining preferred contribution methods Revert "Merge branch 'vcsrepo'" Revert "Merge branch 'vcsrepo'" Updating CHANGELOG for 2.7.2rc3 (#8704) Give better errors for invalid fileserver.conf ... Manually Resolved Conflicts: lib/puppet/parser/functions/versioncmp.rb spec/integration/node/facts_spec.rb
| * | | | Merge pull request #29 from nfagerlund/maint/2.7.x/minor_docs_fixesDaniel Pittman2011-08-102-30/+33
| |\ \ \ \ | | | | | | | | | | | | Maint/2.7.x/minor docs fixes
| | * | | | (#4411) Explain that runinterval = 0 does not mean "never run"nfagerlund2011-08-101-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unlike several other tools that accept a number of seconds between runs, puppet agent doesn't use 0 as a special value representing "never;" instead, it takes this as an instruction to run continuously. As this has caused some user confusion, this commit updates runinterval's description to explain this, and points to the correct method to make puppet agent do nothing.
| | * | | | Maint: Fix missing option text in puppet agent and arrange options ↵nfagerlund2011-08-101-29/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | alphabetically Puppet agent's man text was missing the --no-client option in its command synopsis, and the long text for --no-client cut off weirdly in the middle of a sentence. This commit fixes both problems, and arranges all the options alphabetically so they're easier to reference.
| * | | | | Merge branch '2.6.x' into 2.7.xMatt Robinson2011-08-102-5/+17
| |\ \ \ \ \ | | | |_|/ / | | |/| | | | | | | | | | | | | | | | | | | | | * 2.6.x: (#8302) Improve documentation of exec providers Add document outlining preferred contribution methods
| | * | | | (#8302) Improve documentation of exec providersnfagerlund2011-08-102-5/+17
| | | |_|/ | | |/| | | | | | | | | | | | | | | | | | | | | | The documentation for the shell and posix providers didn't fully explain the differences between them or the security implications of each. This commit improves the documentation of both providers.
| * | | | (#7853) Clarify and complete docs for the tagmail report processornfagerlund2011-08-091-11/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The tagmail report docs did not mention that you could use log levels as tags, and was unclear in several other minor ways. This commit improves that documentation.
| * | | | Maint: Mention that audit metaparameter will accept "all"nfagerlund2011-08-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Previously, `audit => all` wasn't documented anywhere. This commit adds a note on it to the metaparameter reference.
| * | | | Maint: Adjust wording for file type's content parameternfagerlund2011-08-091-3/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The content parameter's doc string said: "The primary purpose of this parameter is to provide a kind of limited templating... This attribute is especially useful when used with templating." This commit clarifies said awkward wording.
| * | | | Maint: Fix poor documentation for versioncmp function.nfagerlund2011-08-091-6/+9
| | |/ / | |/| | | | | | | | | | | | | | | | | | The versioncmp function's documentation was missing punctuation and was unnecessarily vague. This commit clarifies the return data and makes the documentation more legible at a glance.
| * | | maint: Fix case sensitive requireMatt Robinson2011-08-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mac's filesystems aren't case sensitive, so developing this change didn't catch the issue with requiring filenames that had been uppercased. Reviewed-by: Nick Lewis <nick@puppetlabs.com>
| * | | maint: Add inspect app options to helpMatt Robinson2011-08-091-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Inspect wasn't documenting the only two options it has, archive_files and archive_file_server. Now it does. Reviewed-by: Nick Lewis <nick@puppetlabs.com>
| * | | maint: Fix inspect helpMatt Robinson2011-08-091-5/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Running `puppet help inspect` did not result in help: Unable to find application 'inspect'. err: exit err: Try 'puppet help help help' for usage It turned out that the only reason applications were getting required so that their help could be found was the LegacyName conversion table in lib/puppet/util/command_line.rb:7. Inspect never had a legacy name, so the help system couldn't find it since it never got required. Now instead of checking for the class constant to see if the application has been loaded, we try to require the application and exit if it's not found. Reviewed-by: Nick Lewis <nick@puppetlabs.com>
| * | | Increment lib/puppet.rb VERSION stringMichael Stahnke2011-08-061-1/+1
| | |/ | |/| | | | | | | Signed-off-by: Michael Stahnke <stahnma@puppetlabs.com>
| * | (#4762) Ensure that clients on the moon can successfully connect.Daniel Pittman2011-08-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, we only allowed Puppet Clients at a maximum distance of somewhere between 7,494 and 14,988 kilometers from the master, depending on the variance in local conditions. While this gave us good data security against hostile clients connecting from the dark side of the moon, real world testing shows the moon folks are likely to just take over a local staging host and attack that way. So, instead, allow clients sufficient time they should be comfortable able to connect to a master from the moon. We still refuse clients further out, like Mars, since it seems unlikely that Puppet management over that distance should work. We advise the manned Mars expedition to deploy a local Puppet Master to manage infrastructure in their base, and to watch out for the martians.
| * | Revert "Merge branch 'vcsrepo'"Jacob Helwig2011-08-027-763/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | vcsrepo is available in a module of its own, is missing tests, and goes against the long-term goal of moving "extra" types out of core puppet into modules (an example of this is the nagios types). This reverts commit 25b967559dfa39eb094008c7a3952c4ee885530b, reversing changes made to b87a1dea704ed981f2f0af728afac2c63e87b5a8. Reviewed-by: Michael Stahnke <mike@puppetlabs.com>
| * | Merge branch 'ticket/2.7.x/8704-fileserverconf_parse_errors' into 2.7.xMatt Robinson2011-07-291-0/+3
| |\ \ | | | | | | | | | | | | | | | | * ticket/2.7.x/8704-fileserverconf_parse_errors: (#8704) Give better errors for invalid fileserver.conf
| | * | (#8704) Give better errors for invalid fileserver.confMatt Robinson2011-07-291-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If you tried to just put an allow or deny line in the fileserver.conf without a mount point, you got a really confusing error message: lib/puppet/network/handler/fileserver.rb:285:in `readconfig': undefined method `info' for nil:NilClass (NoMethodError) Now instead we give an error saying no mount point was specified. Reviewed-by: Josh Cooper <josh@puppetlabs.com>
| * | | Merge branch 'tickets/2.7.x/1886' into 2.7.xPieter van de Bruggen2011-07-281-1/+4
| |\ \ \ | | | | | | | | | | | | | | | | | | | | * tickets/2.7.x/1886: (Maint.) Disable cleaning of storeconfigs.
| | * | | (Maint.) Disable cleaning of storeconfigs.Pieter van de Bruggen2011-07-281-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This feature (and the corresponding tests) were causing intermittent failures which we were unable to trace. We will reintroduce this behavior when we can do so without test fragility. Reviewed-By: Matt Robinson
| * | | | (#8690) Accept 'global' options in Puppet FacesDaniel Pittman2011-07-281-0/+2
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we introduced verification of options, we forgot to handle the case that global options from the Puppet settings system could be passed to the face. This, in turn, means that the system would fail if you used any of those. This remediates that, and now these work as expected. Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
| * | | (#1886) Clean up `node clean` for merge.Pieter van de Bruggen2011-07-282-72/+69
| | | | | | | | | | | | | | | | | | | | This includes various style changes, and assorted fixes to testing. Paired-With: Matt Robinson
| * | | Fix #1886 - Add node cleanup capabilityPeter Meier2011-07-274-17/+202
| |/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Here is a changeset that adds a new action to the puppet node face. This application removes all traces of a node on the puppetmaster (including certs, cached facts and nodes, reports, and storedconfig entries). Furthermore it is capable of unexporting exported resources of a host so that consumers of these resources can remove the exported resources and we will safely remove the node from our infrastructure. Usage: puppet node clean [--unexport] <host> [<host2> ...] To achieve this we add different destroy methods to the different parts of the indirector. So for example for yaml indirections we already offer read access for the yaml, this changeset adds the destroy handler which only removes the yaml file for a request. This can be used to remove cached entries. This work is based on the initial work of Brice Figureau <brice-puppet@daysofwonder.com>
* | | Merge pull request #34 from nanliu/ticket/2.7.x/8814Daniel Pittman2011-08-121-1/+1
|\ \ \ | | | | | | | | (#8814) Update fqdn_rand for ruby 1.9.2 rand bug.
| * | | (#8814) Update fqdn_rand for ruby 1.9.2 rand bug.Nan Liu2011-08-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Ruby 1.9.2 does not accept a string for rand function, so rand('1') fails even though this works in Ruby 1.8.x and the string is implicitly converted to a number. We added to_i to avoid this bug.
* | | | Merge pull request #23 from domcleal/tickets/master/5606Daniel Pittman2011-08-121-5/+24
|\ \ \ \ | | | | | | | | | | (#5606) Print Augeas' /augeas//error info to debug on save failure
| * | | | (#5606) Print Augeas' /augeas//error info to debug on save failureDominic Cleal2011-08-071-3/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When saving fails, the contents of /augeas//error (for put_failed) are printed to the debug log. Should help users track down the issue without needing to replicate it with augtool.
| * | | | (#8808) Fail Augeas resource when unable to save changesDominic Cleal2011-08-071-3/+5
| |/ / / | | | | | | | | | | | | | | | | Raise a failure when Augeas changes cannot be saved (due to invalid layout of the tree, permissions etc). Fixes a regression.
* | | | Stop trying to make config directories in Windows specsNick Lewis2011-08-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | FileSetting#to_resource had a provision to not attempt to manage files in /dev, which effectively stopped spec from trying to make their configuration directories in /dev/null. However, on Windows, the path turns into something like C:/dev/null, so the specs were still trying to manage their configuration directories when this wasn't desired or handled by the spec. Now, we also exclude management of C:/dev (or similar), to mimic the behavior on Windows. Because this isn't a standard path (and thus will not be used for anything else), there seems to be no harm in treating it as though it were really /dev. Reviewed-By: Josh Cooper <josh@puppetlabs.com>
* | | | (#8272) Add missing tests for Windows service provider methods.Cameron Thomas2011-08-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added missing spec tests for Windows service provider methods: :stop, :enable, :disable, and :manual_start Refactored to match Nick's previous work. Reviewed By: Nick Lewis [nick@puppetlabs.com]
* | | | (#8409) Add a default group provider for WindowsNick Lewis2011-08-101-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This provider, windows_adsi, uses the Puppet::Util::ADSI module to manage groups. It can only manage group existence and memberships, but is fully functional in those regards. Based on work by: Joel Rosario <joel.r@.internal.directi.com> Based on work by: Cameron Thomas <cameron@puppetlabs.com> Reviewed-By: Matt Robinson <matt@puppetlabs.com>
* | | | (#8408) Add a default user provider for WindowsNick Lewis2011-08-101-0/+71
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This provider, windows_adsi, uses the Puppet::Util::ADSI module to manage users. It can currently only manage group memberships, comments, and home directories, which are the only fields that can be managed via ADSI. Based on work by: Joel Rosario <joel.r@.internal.directi.com> Based on work by: Cameron Thomas <cameron@puppetlabs.com> Reviewed-By: Matt Robinson <matt@puppetlabs.com>
* | | | (#8408/8409) Add a Windows ADSI helper moduleNick Lewis2011-08-092-0/+281
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This module (Puppet::Util::ADSI) provides access to Active Directory Services Interfaces, using win32ole. The base module has methods for generating resource URIs and connecting to ADSI. It also provides classes Puppet::Util::ADSI::User and Puppet::Util::ADSI::Group for managing Active Directory users and groups, along with their properties and group memberships. This will be used to implement the Windows ADSI user and group providers. Based on work by: Joel Rosario <joel.r@.internal.directi.com> Based on work by: Cameron Thomas <cameron@puppetlabs.com> Reviewed-By: Matt Robinson <matt@puppetlabs.com>
* | | Always put a slash between the checksum and path in filebucket URLsJacob Helwig2011-08-021-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since absolute paths on Windows do not always start with /, we need to make sure that there is always a slash between the checksum and the path, or the drive letter will end up being considered as part of the checksum. On systems where absolute paths always start with /, the extra slash is removed by the parsing done to the constructed URL. Reviewed-by: Nick Lewis <nick@puppetlabs.com>
generated by cgit (git 2.34.1) at 2025-09-26 21:29:46 +0000