Puppet 2.7.8 is available. 2.7.8 contains everything that was being previewed in the 2.7.7rc series as well as some new content.

Key highlights in this release (beyond items from the 2.7.7rc series) are:

* Allow providers to be selected in the run they become suitable
* Showdiff is now not auto-enabled when running in noop mode
* Provide default subjectAltNames while bootstrapping master (defaulting to puppet and puppet.<domain>)
* Allow optional trailing comma in argument lists.
* Output 4-digit file modes in File type

Release Notes for 2.7.8 series -- https://projects.puppetlabs.com/projects/puppet/wiki/Release_Notes

This release is available for download at:
http://downloads.puppetlabs.com/puppet/

See the Verifying Puppet Download section at:
http://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected version of 2.7.8:
http://projects.puppetlabs.com/projects/puppet

Documentation is available at:
http://docs.puppetlabs.com/index.html

# 2.7.8 ==

##10739 Provide default subjectAltNames while bootstrapping master

Prior to #2848 (CVE-2011-3872), if Puppet[:certdnsnames] was not set, puppet would add default subjectAltNames to any non-CA cert it signed, including agent certs. The subjectAltNames were of the form:

    DNS:puppet, DNS:<fqdn>, DNS:puppet.<domain>

The fix for #2848 prevented subjectAltNames from ever being implicitly added at signing time. But during this change, the default subjectAltNames behavior was accidentally removed.

This commit restores the 'defaulting' behavior that existed previously, but only when bootstrapping the initial master. Additionally, default subjectAltNames are only ever added when generating the master's certificate signing request, not at signing time. This is important, because it ensures all subjectAltNames originate from the CSR and are subject to our internal signing policy.

The code now requires that all of the following be true in order to add default subjectAltNames to the CSR:

1. We are a CA and master
2. We're signing the master's cert, not self-signing the CA
3. The CSR is for the current host
4. No subjectAltNames have been specified, e.g. Puppet[:dns_alt_names]
5. The master can resolve its fqdn

These should only ever be true when bootstrapping the initial master. In particular, it should never be true for the CA's self-signed cert, for remote agents, or for servers that are either masters or CAs, but not both.

The fqdn requirement existed previously, and so the same behavior has been restored.

Note that if Puppet[:dns_alt_names] are specified when bootstrapping the master, then we do not merge the default options -- it's either one or the other, but not both.

##2744 Don't automatically enable show_diff in noop mode

As of 845825a, file diffs are now logged, rather than printed to console. Because log messages may be stored and more broadly readable, we no longer implicitly set show_diff in noop mode.

##6907 Allow providers to be selected in the run they become suitable

Previously, if a resource did not specify its provider, it would be assigned the most appropriate suitable provider (typically the default). If no provider was suitable, the run would fail before it even began. This meant that a provider which was going to have its requirements delivered during the run could not be used in that run.

In the case that an unsuitable provider was explicitly specified, this would only work in certain conditions. Suitability was lazily checked, which meant the resources installing the provider had to come before the resources using it. If this weren't true (because the dependencies weren't specified), those resources would still fail.

Now, we will instead *wait* for the provider to become suitable. Similarly, if no provider is specified, we wait for a suitable provider to become available.

We accomplish this by deferring unsuitable resources when they are encountered. Once we are out of suitable resources, we re-enqueue our previously-unsuitable resources and check them again. If some are now suitable, we evaluate them as normal, deferring the rest. If all our deferred resources are still deferred, they all fail, and we continue on with their dependents (which will all be marked as skipped due to failed dependencies).

This allows providers to be used in the same run as resources using them, without needing to specify any dependencies between resources using the provider and resources installing the provider. Naturally, if the resources installing the provider depend on resources using the provider, the run cannot succeed.

Previously, if we chose to use an unsuitable provider, we would not prefetch it because it wasn't suitable at the beginning of the run. Now, we lazily prefetch, waiting until the first resource of a particular provider is evaluated. If the provider we are prefetching is also the default provider for its type, we also find resources of that type with no specified provider, and assign them the default provider. This allows us to avoid prefetching the same provider twice (once for resources explicitly using it, and once for resources implicitly using it because it's the default).

##6335 Allow optional trailing comma in argument lists.

Support an optional comma at the end of argument lists for parameterized classes and user-defined resources. This makes them behave similarly to resource attributes.

##7274 Output 4-digit file modes in File type

When updating file mode, output the 4-digit file mode instead of omitting the leading 0, i.e. 0755 instead of 755. This fully represents the file mode, and lessens the likelihood of someone incorrectly setting the mode on a file by copy/pasting the incomplete mode specification.
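The five #10739 conditions and the "SANs originate from the CSR" property, as an added Ruby example that is not Puppet's own code. The method and argument names are hypothetical, condition 5 is modelled as "the fqdn has a domain part", and the refuse-unless-allowed signing policy is an assumption, since the notes above do not spell the policy out.

```ruby
require 'openssl'

# Hypothetical model of the #10739 decision; argument names are illustrative,
# not Puppet's API. Returns the default SANs to request, or [] for none.
def default_alt_names(ca:, master:, self_signing_ca:, csr_name:, certname:,
                      dns_alt_names:, fqdn:)
  return [] unless ca && master                # 1. CA and master
  return [] if self_signing_ca                 # 2. not the CA's self-signed cert
  return [] unless csr_name == certname        # 3. CSR is for the current host
  return [] unless dns_alt_names.to_s.empty?   # 4. explicit names set: no merge
  domain = fqdn.to_s.split('.', 2)[1]
  return [] if domain.nil?                     # 5. fqdn known, with a domain part
  ['puppet', fqdn, "puppet.#{domain}"]
end

# Requester side: names go into the CSR as an extension request, so the signer
# only ever sees names that were asked for.
def build_csr(name, key, alt_names)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', name]])
  csr.public_key = key.public_key
  unless alt_names.empty?
    san = OpenSSL::X509::ExtensionFactory.new.create_extension(
      'subjectAltName', alt_names.map { |n| "DNS:#{n}" }.join(', ')
    )
    ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([san])])
    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Signer side: list the SANs the CSR requests, the input to a signing policy.
def requested_alt_names(csr)
  attr = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless attr
  attr.value.value.first.value.flat_map do |raw|
    ext = OpenSSL::X509::Extension.new(raw.to_der)
    ext.oid == 'subjectAltName' ? ext.value.split(/,\s*/) : []
  end
end

# Assumed policy for illustration: a CSR carrying SANs is refused unless the
# operator explicitly allows them. Nothing is added at signing time.
def signable?(csr, allow_alt_names: false)
  csr.verify(csr.public_key) && (allow_alt_names || requested_alt_names(csr).empty?)
end
```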
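The #6907 defer-and-retry loop, as an added Ruby example that is not Puppet's implementation. The `Resource` struct, `apply_with_deferral` and the catalog entries are constructed for illustration, and the example models provider suitability only, leaving out ordinary dependency edges and prefetching.

```ruby
# Hypothetical resource model (not Puppet's classes): `provider` is the provider
# a resource needs, `installs` is a provider it makes suitable once applied.
Resource = Struct.new(:name, :provider, :installs)

# Returns [applied, failed] resource names.
def apply_with_deferral(resources, suitable_providers)
  suitable = suitable_providers.dup
  queue = resources.dup
  applied = []
  loop do
    deferred = []
    progressed = false
    queue.each do |res|
      if suitable.include?(res.provider)
        applied << res.name
        suitable << res.installs if res.installs
        progressed = true
      else
        deferred << res            # provider not suitable yet: wait
      end
    end
    return [applied, []] if deferred.empty?
    # A full pass with no progress means nothing left can make these suitable,
    # so every resource still deferred fails.
    return [applied, deferred.map(&:name)] unless progressed
    queue = deferred               # re-enqueue and check again
  end
end

# Constructed catalog: the gem-based resource is listed before the package
# that delivers its provider, with no dependency declared between them.
CATALOG = [
  Resource.new('Package[rails]', :gem, nil),
  Resource.new('File[/etc/motd]', :posix, nil),
  Resource.new('Package[rubygems]', :yum, :gem),
  Resource.new('Package[thing]', :pip, nil)
].freeze
```

Run against `CATALOG` with `:posix` and `:yum` suitable at the start, the gem resource is applied on the second pass and the pip resource fails because nothing in the run delivers its provider.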

# Full Changelog ==

e4ee794 (#10739) Provide default subjectAltNames while bootstrapping master
2dedee6 (#2744) Don't automatically enable show_diff in noop mode
ef78358 Give variables more descriptive names
cd3d4ea maint: Rename xgenerate to add_dynamically_generated_resources
000a2d8 (#6907) Prefetch unsuitable providers
70114e9 (#6907) Allow providers to be selected in the run they become suitable
a0ee5c7 maint: Fix incorrect whitespace
4e8a73c Fix description in service provider test for FreeBSD
a2eab4f (#6697) Set service provider default path to /etc/rc.d on Archlinux
da75795 (#6335) Allow optional trailing comma in argument lists.
47c786e Update CHANGELOG and packaging for 2.7.7 final
8030428 (#8255) Always use string modes when creating resources from FileSetting settings
c804346 (#7274) Output 4-digit file modes in File type
220f2ba (#10799) Regexp escaping too much
4462eb5 Merged 2.6.x into 2.7x
67e048b Updated CHANGELOG for 2.7.7rc2
93aca5a maint: Fix failing specs for Windows exec provider
7f3a1bb (#9617) Use an RbTreeMap to store ready resources
9eff0f4 (#9671) Implement RbTreeMap#each recursively, and #first/#last explicitly
5f7f467 (#9671) Return nodes from internal RbTreeMap recursion
1dc9c72 (#9671) Stop tracking size and height of nodes in RbTreeMap
f180f9b (#9617) Add a red-black tree map
c62e949 (#9617) Keep track of blockers for resources when traversing
2cb6d72 (#9671) Generated resources should not depend on the completed_ whit
a5845b7 (#9671) Exit early from #eval_generate if nothing is created
7002eff (#9617) Be smarter about finding parents when eval_generating
11fda78 maint: Don't File#expand_path when unmunging file paths
ad4316a (#9671) Use Array#concat rather than +
20260f3 maint: Correct the spelling of sentinel
4f03384 (#10614) Detect when trying to managing ACLs on a non-ACL volume
37b9f0f (#10614) Provide default metadata values for Windows ACLs
1cb37c9 (#10614) Add method for detecting Windows volumes that support ACLs
c9ee5a0 (#10614) Fix setting and clearing read-only attribute on Windows
ed27a90 (#10614) Fix error checking for Windows BOOL return values
7f0756d (#10727) Don't rely on Kernel#Pathname
23379d0 (#10614) Detect when trying to managing ACLs on a non-ACL volume
374fee5 (#10614) Provide default metadata values for Windows ACLs
f60e889 (#10614) Add method for detecting Windows volumes that support ACLs
1371dbd (#10614) Fix setting and clearing read-only attribute on Windows
7eb0197 (#10614) Fix error checking for Windows BOOL return values
9dfd011 (#5617) Puppet queue logging
0a34697 (#2744) Display file diffs through the Puppet log system.
0c28238 (#9508) Be explicit is setting `auth any` for default ACLs.
f140eca Updated CHANGELOG for 2.7.7rc1
057cda6 (#9508) Default ACL of `auth any` makes sense where we had `auth no`
78670ed (#9983) Checksum file in binary mode when storing to filebucket
da11a78 (#9983) Serve file content in binary mode
13f1054 (#9983) Read file content from disk using binary mode
4b4bb8b (#9983) Use binary mode when reading and writing FileBucketFiles
899833b (#9983) Read file content in binary mode when backing up
dc8bcf8 (#9983) Restore files in binary mode
489a679 (#9983) Checksum files in binary mode
f7bfa05 (#9983) Add method for reading binary files
674068a (#10269) Make directories executable so they can be cleaned up
fd747cc (#10365) Add pending test when file overwrites an executable directory
fe30d8f (#10315) Add pending tests when following symlinks
a22c7aa Maint: Fix test breakage
8576e86 (#10269) Search bit not set on newly created directories
a91cfa1 maint: Fix failing spec on old version of rspec
428e08c Stub File.open to not touch the disk
aa2a762 (#10289) Add an ext script to upload facts to inventory server
a97337f (#10346) Fix storeconfigs spec failures when run alone
5129d38 (#10289) Add a safe alternative to REST for inventory service
5c4daa4 (#7601) Use definition lists in indirection references
7df46a2 (#7601) Use definition lists in type references
ad97dc9 (#7601) Add markdown_definitionlist method to reference.rb
455c9aa Maint: Revise reference text for most types and providers
ced8e19 (#7601) Remove unnecessarily abstracted paramwrap method
a6957ac (#7601) Rename "h" method to "markdown_header"
7a0ade6 (#7601) Use << instead of += in references
7d65796 (#9109) Retrieve request parameters from the request body for POSTs
5a2952c (maint) Fix CA-related specs failing on Windows
42fb76e Fix typo in report debug message
eab5965 missing includes in network XML-RPC handlers
7514d32 missing includes in network XML-RPC handlers
614526a (#10244) Restore Mongrel XMLRPC functionality
397a506 (#10244) Restore Mongrel XMLRPC functionality
fcaf7c5 Updated CHANGELOG for 2.6.12
f51d221 Improve the error message when a CSR is rejected
d551747 Allow a master to bootstrap itself with dns_alt_names and autosign
0405196 (maint) Remove ssl dir before starting a master with DNS alt names
3ed6499 Backport Enumerable#count to Rubies < 1.8.7
5f44c23 More 1.8.5 compatibility fixes.
ef1b960 Better 1.8.5 compatible implementation of `lines`.
246e875 (#2848) Config options require '_', not '-'.
3bdeb3a Ruby 1.8.5 compatibility changes in tests and code.
6866d4b Add `lines` alias for `each_line` in Ruby 1.8.5.
2f9ec3c s/not_to/should_not/ for older versions of RSpec 2.
56320ea (#2848) Eliminate redundant `master_dns_alt_names`.
de19861 (#2848) Remove the legacy SSLCertificates code
cf008a6 (#2848) Rework the xmlrpc CA handler to use the modern SSL code
32be180 (#2848) Remove unused xmlrpc code
5f2a44d (#2848) Consistent return values from `subject_alt_names` accessors.
5e507f2 (#2848) Consistently use `subject_alt_names` as accessor name.
5ac2417 (#2848) Don't strip the subjectAltName label when listing.
44cf3a2 (#2848) Don't enable `emailProtection` for server keys.
d66def9 (#2848) Only mark `subjectAltName` critical if `subject` is empty.
8174047 (#2848) Migrate `dns-alt-names` back to settings.
f18df2b Wire up the `setbycli` slot in Puppet settings.
efa61f2 (#2848) rename subject-alt-name option to dns-alt-names
f103b20 (#2848) Rename `certdnsnames` to match new behaviour.
363b47b (#2848) Use `certdnsnames` when bootstrapping a local master.
49334ff (#2848) CSR subjectAltNames handling while signing.
5f2af93 (#2848) List subject alt names in output of puppet cert --list
bb475ec (#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names
bab9310 (#2848) Rewrite SSL Certificate Factory, fixing `subjectAltName` leak.
fca1ff0 (#2848) Reject unknown (== all) extensions on the CSR.
443a756 (#2848) extract the subjectAltName value from the CSR.
66101f1 (#2848) Set `certdnsnames` values into the CSR.
77b814f (#6928) Don't blow up when the method is undefined...
5427f1e (#6928) backport Symbol#to_proc for Ruby < 1.8.7
6ef1d3a (#6371) Update lastchg field in shadow file on Solaris.
c343615 (#10161) Parenthesize method arguments
5721ab9 Maint: Remove duplicate path extension code
edc721e (#9636) Always set $CHILD_STATUS when executing on Windows
448d5db (#9636) Fix PATHEXT resolution for paths other than system32
424379d (#9996) Restore functionality for multi-line commands in exec resources
ad98d47 (#9831) Standardize Windows provider confining
cf8fae2 (#9832) General StoreConfigs regression.
1e8a2cd (#9607) Only validate package source when it is set or needed
0258096 (#9461) Resolve executables using PATHEXT on Windows
d78afda (#9938) Allow directory sticky-ness to be set
23b4864 Maint: Document tag metaparameter's ability to take an array
b3c0f1d Stub method for getting roles from the user provider
006a128 Set vardir so that msi package provider runs on Windows
4185b4e Add Windows-specific tests when user parameter specified in exec
aab6b40 Disable mount provider tests on Windows
58f97e3 Update test due to lack of 'true' on Windows
1fd90c3 Change tests to not use 'mount' provider
220f5e0 Added 'touch' method enabling tests to run on Windows
ca0bc4f Change test to not call 'rm -rf'
1883455 Remove 'fails_on_windows' tag for passing tests
0d7c797 (#8414) Create scheduled_task type for use with Windows scheduled tasks
4ddef89 (#8414) Require win32-taskscheduler gem on Windows
0ecf3ab Add ability to look up fully qualified local accounts using Puppet::Util::Adsi.sid_for_account
23d5aeb Add support for displaying hashes to Puppet::Parameter.format_value_for_display
f0c3414 Move parameter formatting rules into helper method
845e05b Wrap long lines in Type::Package
18d65ec Whitespace cleanup in Type::SshAuthorizedKey
b2e2175 Include necessary Facter stubs
f5bc897 Remove test dependencies on QUANTITY of calls
51adf31 Reset the @macosx_version_major variable
4b9dfdd Reset the @job_list variable between tests
446a5bf Remove use of defined?()
0e4079d Use memoization instead of 'unless'
9d504ff (#9796) ssh_authorized_key supports whitespace again
122b8c2 (#9459) Fix problems with Windows 'user' and 'group' providers.
ee107cf Use instance variable for job_list
d1e0fa1 Refactor launchd provider spec tests
3440c10 Refactor status method
62b8d6b Deprecation Warning if using Facter <= 1.5.5
8a50c3a Test prefetching
f09d264 Stub call to Facter
a6bc5a5 Optimize @product_version variable
af42ff8 Documentation Commit
55610bf Whitespace Commit
cf3d378 Change method used to get Fact Value
ce776b0 Revert launchd_spec
f65b111 Rearrange launchd provider
ed90957 First attempt at launchd spec
637b57b Implement Caching
60482f4 Whitespace and Alignment Commit
5b52bd6 Bring up to date with topic branch
27057a6 Maint: Fix the "provider" parameter documentation