| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
On Mac OS X, it is only possible to directly change the euid of a process, and
not the uid. Thus, when a puppet master started as root on OS X would change to
the service user (puppet), it would leave the uid of its process set to 0.
This allowed any type of Ruby plugin executed on the master (a type, provider,
function, etc.) to trivially regain root privileges (by setting the euid of
its process back to 0) and potentially compromise the master.
Now, when permanently changing user, we will first try
Process::UID.change_privilege, before falling back to setting the euid/uid
ourselves. change_privilege correctly sets the uid of the process to the
desired new uid, preventing the process from later escalating itself back to
root. Similar behavior is also used when changing group. This has no effect on
the behavior when temporarily changing user/group (for instance, to execute a
single command or create a file as a particular user).
Reviewed-By: Jacob Helwig <jacob@puppetlabs.com>
|
| | | |\ \
| | | | |
| | | | |
| | | | |
| | | | | |
joshcooper/ticket/2.6.x/8740-cannot-manage-files-of-type-socket
Ticket/2.6.x/8740 cannot manage files of type socket
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Previously the command 'puppet resource file' would enumerate all files
in the root directory, and generate an exception if the file type was
not a directory, file, or link. Worse, it would also do this when a file
or directory was specified, e.g. 'puppet resource file /etc/hosts'.
Ideally, the find method of the ral terminus should not need to call the
type's instances class method, instead just creating an instance of the
type with the specified name and parameters. However, some types, like
package, depend on this behavior. The type walks all providers and all
instances that they provide, checking to see if the provider provides an
instance with that name, and also warning if another provider provides
an instance with the same name.
Also, ideally, puppet should not blow up when encountering an
unsupported file type, e.g. Unix domain socket, but that would be too
big of a change for 2.6.x.
This commit changes 'puppet resource file' to return a message saying
that the operation is not supported:
Listing all file instances is not supported. Please specify a file
or directory, e.g. puppet resource file /etc
The change is bit of a hack, as ideally, the file type's instances
method could raise an exception when called in a 'search' context, but
return an empty array in a 'find' context. But that also would be too
big of a change for 2.6.x.
This commit also adds spec tests for the resource application and file
type, as well as an acceptance test, which creates a Unix domain socket
in the root directory, while running 'puppet resource file'.
Paired-with: Nick Lewis <nick@puppetlabs.com>
Reviewed-by: Jacob Helwig <jacob@puppetlabs.com>
|
| | | | |/
| | |/|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The cron resource docs previously read, "All fields except the command and the
user are optional, although specifying no periodic fields would result in the
command being executed every minute." This was factually incorrect; instead,
specifying no periodic fields results in a failure and an unhelpful error on
Puppet 2.6 and 2.7.
Although the issue will remain open as a behavior bug, this commit corrects
the documentation of which attributes are required. It also changes the @doc
string to a heredoc to simplify quote escaping.
|
| | |\ \ \
| | | | |
| | | | | |
(#9039) Update Augeas commands documentation
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Added documentation on commands added as part of #6494 and clarified existing
commands documentation.
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The changes attribute for the Augeas type's second example was
incorrect, as it had leading slashes that took the paths out of the
context of /files. This commit fixes the bad example, and changes the doc
string to a heredoc to eliminate some messy escaping.
|
| |\| | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Conflicts:
lib/puppet/provider/augeas/augeas.rb
spec/unit/node_spec.rb
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Because this provider only applies when the posix feature is present (and thus
not the windows feature), it can never be used on Windows. Thus, the
Windows-specific command handling is unnecessary and unused.
Also added more specific error messages for the cases where a command doesn't
exist, isn't a file, and isn't executable. These only apply when the command
path is absolute (otherwise the message is simply command not found).
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It was not clear to all readers that /var/tmp/myfile was being extracted from
the tarball. This commit adds a sentence to make the conditions when the exec
will run more explicit and fixes an error in the tar command.
|
| | |\ \ \
| | | | |
| | | | | |
(#8808) Fail Augeas resource when unable to save changes
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Raise a failure when Augeas changes cannot be saved (due to invalid layout of
the tree, permissions etc). Fixes a regression.
|
| |\| | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
* 2.7.x: (25 commits)
(#4411) Explain that runinterval = 0 does not mean "never run"
Maint: Fix missing option text in puppet agent and arrange options alphabetically
(#8302) Improve documentation of exec providers
(#7853) Clarify and complete docs for the tagmail report processor
Maint: Mention that audit metaparameter will accept "all"
Maint: Adjust wording for file type's content parameter
Maint: Fix poor documentation for versioncmp function.
maint: Fix case sensitive require
maint: Add inspect app options to help
maint: Fix inspect help
Increment lib/puppet.rb VERSION string
Updated CHANGELOG for 2.7.3rc1
(#4762) Ensure that clients on the moon can successfully connect.
Add document outlining preferred contribution methods
Add document outlining preferred contribution methods
Add document outlining preferred contribution methods
Revert "Merge branch 'vcsrepo'"
Revert "Merge branch 'vcsrepo'"
Updating CHANGELOG for 2.7.2rc3
(#8704) Give better errors for invalid fileserver.conf
...
Manually Resolved Conflicts:
lib/puppet/parser/functions/versioncmp.rb
spec/integration/node/facts_spec.rb
|
| | |\ \ \ \
| | | | | |
| | | | | | |
Maint/2.7.x/minor docs fixes
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Unlike several other tools that accept a number of seconds between runs,
puppet agent doesn't use 0 as a special value representing "never;" instead,
it takes this as an instruction to run continuously. As this has caused some
user confusion, this commit updates runinterval's description to explain this,
and points to the correct method to make puppet agent do nothing.
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
alphabetically
Puppet agent's man text was missing the --no-client option in its command
synopsis, and the long text for --no-client cut off weirdly in the middle of a
sentence. This commit fixes both problems, and arranges all the options
alphabetically so they're easier to reference.
|
| | |\ \ \ \ \
| | | |_|/ /
| | |/| | |
| | | | | |
| | | | | |
| | | | | | |
* 2.6.x:
(#8302) Improve documentation of exec providers
Add document outlining preferred contribution methods
|
| | | | |_|/
| | |/| |
| | | | |
| | | | |
| | | | |
| | | | | |
The documentation for the shell and posix providers didn't fully explain the
differences between them or the security implications of each. This commit
improves the documentation of both providers.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The tagmail report docs did not mention that you could use log levels as
tags, and was unclear in several other minor ways. This commit improves that
documentation.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Previously, `audit => all` wasn't documented anywhere. This commit adds
a note on it to the metaparameter reference.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The content parameter's doc string said: "The primary purpose of this
parameter is to provide a kind of limited templating... This attribute
is especially useful when used with templating." This commit clarifies
said awkward wording.
|
| | | |/ /
| |/| |
| | | |
| | | |
| | | |
| | | | |
The versioncmp function's documentation was missing punctuation and was
unnecessarily vague. This commit clarifies the return data and makes the
documentation more legible at a glance.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Mac's filesystems aren't case sensitive, so developing this change
didn't catch the issue with requiring filenames that had been
uppercased.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Inspect wasn't documenting the only two options it has, archive_files
and archive_file_server. Now it does.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Running `puppet help inspect` did not result in help:
Unable to find application 'inspect'.
err: exit
err: Try 'puppet help help help' for usage
It turned out that the only reason applications were getting required so
that their help could be found was the LegacyName conversion table in
lib/puppet/util/command_line.rb:7. Inspect never had a legacy name, so
the help system couldn't find it since it never got required. Now
instead of checking for the class constant to see if the application has
been loaded, we try to require the application and exit if it's not
found.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | | |/
| |/|
| | |
| | | |
Signed-off-by: Michael Stahnke <stahnma@puppetlabs.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously, we only allowed Puppet Clients at a maximum distance of somewhere
between 7,494 and 14,988 kilometers from the master, depending on the variance
in local conditions.
While this gave us good data security against hostile clients connecting from
the dark side of the moon, real world testing shows the moon folks are likely
to just take over a local staging host and attack that way.
So, instead, allow clients sufficient time they should be comfortable able to
connect to a master from the moon. We still refuse clients further out, like
Mars, since it seems unlikely that Puppet management over that distance should
work.
We advise the manned Mars expedition to deploy a local Puppet Master to manage
infrastructure in their base, and to watch out for the martians.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
vcsrepo is available in a module of its own, is missing tests, and
goes against the long-term goal of moving "extra" types out of core
puppet into modules (an example of this is the nagios types).
This reverts commit 25b967559dfa39eb094008c7a3952c4ee885530b, reversing
changes made to b87a1dea704ed981f2f0af728afac2c63e87b5a8.
Reviewed-by: Michael Stahnke <mike@puppetlabs.com>
|
| | |\ \
| | | |
| | | |
| | | |
| | | | |
* ticket/2.7.x/8704-fileserverconf_parse_errors:
(#8704) Give better errors for invalid fileserver.conf
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If you tried to just put an allow or deny line in the fileserver.conf
without a mount point, you got a really confusing error message:
lib/puppet/network/handler/fileserver.rb:285:in `readconfig': undefined method `info' for nil:NilClass (NoMethodError)
Now instead we give an error saying no mount point was specified.
Reviewed-by: Josh Cooper <josh@puppetlabs.com>
|
| | |\ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
* tickets/2.7.x/1886:
(Maint.) Disable cleaning of storeconfigs.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This feature (and the corresponding tests) were causing intermittent
failures which we were unable to trace. We will reintroduce this
behavior when we can do so without test fragility.
Reviewed-By: Matt Robinson
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When we introduced verification of options, we forgot to handle the case that
global options from the Puppet settings system could be passed to the face.
This, in turn, means that the system would fail if you used any of those.
This remediates that, and now these work as expected.
Reviewed-By: Pieter van de Bruggen <pieter@puppetlabs.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
This includes various style changes, and assorted fixes to testing.
Paired-With: Matt Robinson
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Here is a changeset that adds a new action to the puppet node face.
This application removes all traces of a node on the puppetmaster
(including certs, cached facts and nodes, reports, and storedconfig
entries).
Furthermore it is capable of unexporting exported resources of a
host so that consumers of these resources can remove the exported
resources and we will safely remove the node from our
infrastructure.
Usage:
puppet node clean [--unexport] <host> [<host2> ...]
To achieve this we add different destroy methods to the different
parts of the indirector. So for example for yaml indirections we
already offer read access for the yaml, this changeset adds
the destroy handler which only removes the yaml file for
a request. This can be used to remove cached entries.
This work is based on the initial work of Brice Figureau
<brice-puppet@daysofwonder.com>
|
| |\ \ \
| | | |
| | | | |
(#8814) Update fqdn_rand for ruby 1.9.2 rand bug.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Ruby 1.9.2 does not accept a string for rand function, so rand('1')
fails even though this works in Ruby 1.8.x and the string is implicitly
converted to a number. We added to_i to avoid this bug.
|
| |\ \ \ \
| | | | |
| | | | | |
(#5606) Print Augeas' /augeas//error info to debug on save failure
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
When saving fails, the contents of /augeas//error (for put_failed) are printed
to the debug log. Should help users track down the issue without needing to
replicate it with augtool.
|
| | |/ / /
| | | |
| | | |
| | | |
| | | | |
Raise a failure when Augeas changes cannot be saved (due to invalid layout of
the tree, permissions etc). Fixes a regression.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
FileSetting#to_resource had a provision to not attempt to manage files in /dev,
which effectively stopped spec from trying to make their configuration
directories in /dev/null. However, on Windows, the path turns into something
like C:/dev/null, so the specs were still trying to manage their configuration
directories when this wasn't desired or handled by the spec.
Now, we also exclude management of C:/dev (or similar), to mimic the behavior
on Windows. Because this isn't a standard path (and thus will not be used for
anything else), there seems to be no harm in treating it as though it were
really /dev.
Reviewed-By: Josh Cooper <josh@puppetlabs.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Added missing spec tests for Windows service provider methods:
:stop, :enable, :disable, and :manual_start
Refactored to match Nick's previous work.
Reviewed By: Nick Lewis [nick@puppetlabs.com]
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This provider, windows_adsi, uses the Puppet::Util::ADSI module to manage
groups. It can only manage group existence and memberships, but is fully
functional in those regards.
Based on work by: Joel Rosario <joel.r@.internal.directi.com>
Based on work by: Cameron Thomas <cameron@puppetlabs.com>
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This provider, windows_adsi, uses the Puppet::Util::ADSI module to manage
users. It can currently only manage group memberships, comments, and home
directories, which are the only fields that can be managed via ADSI.
Based on work by: Joel Rosario <joel.r@.internal.directi.com>
Based on work by: Cameron Thomas <cameron@puppetlabs.com>
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
| |/ / /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This module (Puppet::Util::ADSI) provides access to Active Directory Services
Interfaces, using win32ole. The base module has methods for generating resource
URIs and connecting to ADSI.
It also provides classes Puppet::Util::ADSI::User and Puppet::Util::ADSI::Group
for managing Active Directory users and groups, along with their properties and
group memberships. This will be used to implement the Windows ADSI user and
group providers.
Based on work by: Joel Rosario <joel.r@.internal.directi.com>
Based on work by: Cameron Thomas <cameron@puppetlabs.com>
Reviewed-By: Matt Robinson <matt@puppetlabs.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Since absolute paths on Windows do not always start with /, we need to
make sure that there is always a slash between the checksum and the
path, or the drive letter will end up being considered as part of the
checksum.
On systems where absolute paths always start with /, the extra slash
is removed by the parsing done to the constructed URL.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously, we only considered files that matched the *nix concept of
'absolute' as being absolute paths. Since absolute paths on Windows
look more like URLs with this world-view, we need to specifically look
for the Windows absolute paths, and treat them as such.
We will still treat *nix absolute paths as absolute on Windows, even
though they are actually relative to the "current" drive. We do not
currently limit which "style" of absolute path is allowed based on
what the agent is.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Rather than stating the logic as 'if !thing', the two checks done when
initializing a new Puppet::FileBucket::File are now phrased as 'unless
thing', which should lessen the likelihood of overlooking the '!'.
We also now provide a reason for the ArgumentError being raised, which
should help users of Puppet::FileBucket::File quickly figure out what
is the problem when these exceptions are raised.
In addition to updating the tests to look for these new error
messages, we update the existing tests to specify which type of
exception, and what message it should have, when something is raised.
Reviewed-by: Nick Lewis <nick@puppetlabs.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The host provider did not work on Windows because it didn't know where
to find its hosts file. The provider now uses Win32::Resolv, which is
part of the standard ruby library, to find it.
Several host type/provider spec tests were marked as fails_on_windows,
but now that the provider is working, I removed the tag from those
tests, and verified that the tests now pass. There are two tests in
resources_spec that fail because the user and exec providers are not
supported on Windows yet, so those tests are marked as fails_on_windows.
Reviewed-by: Pieter van de Bruggen <pieter@puppetlabs.com>
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The puppet install.rb script now defaults the config directory to
%PROGRAMDATA%\PuppetLabs\puppet\etc on Windows. This is more inline
with Windows best-practices, as this directory is used to store
application data across all users. The PROGRAMDATA environment
variable also takes into account alternate system drives, by using the
SYSTEMDRIVE environment variable.
Note that the Dir::COMMON_APPDATA constant is so named because it
corresponds to the CSIDL_COMMON_APPDATA constant, which on 2000, XP,
and 2003 is %ALLUSERSPROFILE%\Application Data, and on Vista, Win7 and
2008 is %SYSTEMDRIVE%\ProgramData.
This commit also updates puppet's default run_mode var and conf
directories when running as "root" to match the install script, and
fixes the spec test, which was looking in the Dir::WINDOWS directory.
Reviewed-by: Cameron Thomas <cameron@puppetlabs.com>
|
