Puppet 2.7.19 is a maintenance release candidate for Puppet in the
2.7.x series. It includes many bug fixes, including Windows
improvements, Upstart service provider fixes, and several others.
Downloads are available at:
* Source: https://downloads.puppetlabs.com/puppet/puppet-2.7.19.tar.gz
* Windows package: https://downloads.puppetlabs.com/windows/puppet-2.7.19.msi
* RPMs: https://yum.puppetlabs.com/el or /fedora
* Debs: https://apt.puppetlabs.com
* Mac package: https://downloads.puppetlabs.com/mac/puppet-2.7.19.dmg
See the Verifying Puppet Download section at:
https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet
Please report feedback via the Puppet Labs Redmine site, using an
affected puppet version of 2.7.19:
http://projects.puppetlabs.com/projects/puppet/
This release contains contributions from
Andrew Parker, Dustin J. Mitchell, Patrick Carlisle, Nick Lewis, Jakob
Holy, R. Tyler Croy, Michael Stahnke, Josh Cooper, Moses Mendoza, Will
Hopper, nfagerlund, Daniel Pittman, Ken Barber, Dominic Cleal, Stefan
Shulte, Dominic Maraglia, Matthaus Litteken, Jeff McCune, Franz Pletz,
Andy Sykes, and codec.
This release does not address (#15561) regarding slashes in certnames.
This remains a known issue.
## Puppet 2.7.19 Release Notes ##
Ruby 1.9.3 has a different error when `require` fails.
The text of the error message when load fails has changed, resulting in the
test failing. This adapts that to catch the different versions, allowing this
to pass in all cases.
(#15291) Add Vendor tag to Puppet spec file
Previously the spec file had no Vendor tag, which left it undefined. This
commit adds a Vendor tag that references the _host_vendor macro, so that it can
be easily set to 'Puppet Labs' internally and customized by users easily. The
Vendor tag makes it easier for users to tell where the package came from.
Add packaging support for fedora 17
This commit modifies the puppet.spec file to use
the ruby vendorlib instead of sitelib if building
for fedora 17, which ships with ruby 1.9. Mostly
borrowed from the official Fedora 17 package.
(#15471) Fix setting mode of last_run_summary
The writelock function didn't work with setting the mode on the
last_run_summary file. This backports some of the work in commit
7d8fd144949f21eff924602c2a6b7f130f1c0b69. Specifically, the changes
from using writelock to replace_file for saving the summary file. This
builds on top of the backport of getting replace_file to work on
windows.
(#15471) Ensure non-root can read report summary
The security fix for locking down the last_run_report, which contains
sensitive information, also locked down the last_run_summary, which does
not contain sensitive information. Unfortunately this file is often used
by monitoring systems so that they can track puppet runs. Since the
agent runs as root and the monitoring systems do not, this caused the
summary to become unreadable by the monitoring systems.
This commit returns the summary to being world readable which undoes
part of the change done in fd44bf5e6d0d360f6a493d663b653c121fa83c3f
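The pattern behind these two #15471 fixes, as an added example that is not Puppet's code: write the new content to a temporary file in the target directory, set the intended mode explicitly, then rename over the target. The helper name `replace_file_atomically`, the file names and the modes 0644 and 0640 are assumptions for illustration, and the sketch is POSIX only.

```ruby
require 'tempfile'
require 'tmpdir'

# Hypothetical helper (not Puppet's replace_file): atomically replace +path+
# with whatever the block writes, leaving the result with exactly +mode+.
def replace_file_atomically(path, mode)
  # Create the temp file next to the target so the rename stays on one
  # filesystem and readers see either the old file or the new one.
  tmp = Tempfile.new(File.basename(path), File.dirname(path))
  begin
    yield tmp
    tmp.flush
    tmp.fsync
    # Tempfile always creates its file 0600. Without this chmod the rename
    # would leave the target readable by its owner only, whatever mode the
    # file being replaced had.
    File.chmod(mode, tmp.path)
    tmp.close
    File.rename(tmp.path, path)
  ensure
    tmp.close unless tmp.closed?
    tmp.unlink # removes the temp file when the rename never happened
  end
end

def permission_bits(path)
  File.stat(path).mode & 0o777
end

# Constructed demo: a summary that monitoring may read (assumed 0644) and a
# report that stays restricted (assumed 0640), both written the same way.
def demo_modes
  Dir.mktmpdir do |dir|
    summary = File.join(dir, 'last_run_summary.yaml')
    report  = File.join(dir, 'last_run_report.yaml')
    File.write(summary, "stale\n") # an existing, locked-down summary
    File.chmod(0o600, summary)

    replace_file_atomically(summary, 0o644) { |f| f.write("version: 1\n") }
    replace_file_atomically(report, 0o640)  { |f| f.write("logs: []\n") }

    { summary_mode: permission_bits(summary),
      report_mode: permission_bits(report),
      summary_body: File.read(summary),
      leftovers: Dir.children(dir).sort }
  end
end

p demo_modes if $PROGRAM_NAME == __FILE__
```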
Use Win32 API atomic replace in `replace_file`
The changes to enable Windows support in `replace_file` were not actually
complete, and it didn't work when the file didn't exist - because of
limitations of the emulation done on our side, rather than anything else.
Windows has a bunch of quirks, and Ruby doesn't actually abstract over the
underlying platform a great deal. We can use the Windows API ReplaceFile, and
MoveFileEx, to achieve the desired behaviour though.
This adds even more conditional code inside the `replace_file` method to
handle multiple platforms - but it really isn't very clean. Better to get
this working now, then refactor, though.
(#11868) Use `Installer` automation interface to query package state
Previously, Puppet recorded MSI packages it had installed in a YAML
file. However, if the file was deleted or the system modified, e.g.
Add/Remove Programs, then Puppet did not know the package state had
changed.
Also, if the name of the package did not change across versions, e.g.
VMware Tools, then puppet would report the package as insync even though
the installed version could be different than the one pointed to by the
source parameter.
Also, `msiexec.exe` returns non-zero exit codes when either the package
requests a reboot (194), the system requires a reboot (3010), e.g. due
to a locked file, or the system initiates a reboot (1641). This would
cause puppet to think the install failed, and it would try to reinstall
the package the next time it ran (since the YAML file didn't get
updated).
This commit changes the msi package provider to use the `Installer`
Automation (COM) interface to query the state of the system[1]. It will
now accurately report on installed packages, even those it did not
install, including Puppet itself (#13444). If a package is removed via
Add/Remove Programs, Puppet will re-install it the next time it runs.
The MSI package provider will now warn in the various reboot scenarios,
but report the overall install/uninstall as successful (#14055).
When using the msi package resource, the resource title should match the
'ProductName' property in the MSI Property table, which is also the
value displayed in Add/Remove Programs, e.g.
    package { 'Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148':
      ensure => installed,
      ...
    }
In cases where the ProductName does not change across versions, e.g.
VMware Tools, you MUST use the PackageCode as the name of the resource
in order for puppet to accurately determine the state of the system:
    package { '{0E3AA38E-EAD3-4348-B5C5-051B6852CED6}':
      ensure => installed,
      ...
    }
You can obtain the PackageCode in ruby using:
    require 'win32ole'
    installer = WIN32OLE.new('WindowsInstaller.Installer')
    db = installer.OpenDatabase(path, 0)
    puts db.SummaryInformation.Property(9)
where <path> is the path to the MSI.
The msi provider does not automatically compare PackageCodes when
determining if the resource is insync, because the source MSI could be
on a network share, and we do not want to copy the potentially large
file just to see if changes need to be made.
The msi provider does not use the `Installer` interface to perform
install and uninstall, because I have not found a way to obtain useful
error codes when reboots are requested. Instead the methods
`InstallProduct` and `ConfigureProduct` raise exceptions with the
general 0x80020009 error, which means 'Exception occurred'. So for now
we continue to use msiexec.exe for install and uninstall, though the msi
provider may not uninstall multi-instance transforms correctly, since
the transform (MST) used to install the package needs to be respecified
during uninstall. This could be resolved by allowing uninstall_options
to be specified, or figuring out how to obtain useful error codes when
using the `Installer` interface.
[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa369432(v=vs.85).aspx
(#14964) Unlink Tempfiles consistently across different ruby versions
The previous fix for #14964 relied on inconsistent behavior of ruby 1.8's
`Tempfile#close!` method, which is called by `close(true)`. Although
the ruby documentation says `close!` is the same as `delete` followed by
`unlink`, the exact semantics are different. The former calls the
Tempfile's finalizer callback directly and can raise an `Errno::EACCES`,
while `unlink` never does.
In ruby 1.9, the `Tempfile#close!` method was changed to call `unlink`,
making the two APIs consistent. As a result, the begin-ensure block
added previously to fix #14964 was wrong.
Also, previously if the call to `read` failed, then the Tempfile would
not be closed and deleted until its finalizer ran.
This commit changes the `wait_for_output` method to close and unlink the
Tempfile in two steps. The `unlink` method will not raise an
`Errno::EACCES` in either ruby 1.8 or 1.9. It also changes the `read`
call to occur within the begin-ensure block, so that the Tempfile is
closed and unlinked as soon as we are done with it.
(Maint) Require the right file for md5
md5 doesn't exist on 1.9.3. It seems to have been an alias in previous
versions of ruby for digest/md5. Requiring the other file directly
allows this to work on all supported rubies.
Don't allow resource titles which aren't strings
It was possible to create resources whose titles weren't strings, by
using a variable containing a hash, or the result of a function which
doesn't return a string. This can cause problems resolving relationships
when the stringified version of the title differs between master and
agent.
Now we will only accept primitives, and will stringify them. That is:
string, symbol, number, boolean. Arrays or nested arrays will still be
flattened and used to create multiple resources. Any other value (for
instance: a hash) will cause a parse error.
Eliminate require calls at runtime.
Calling `require` is a surprisingly expensive operation, especially if
ActiveRecord has been loaded. Consequently, the places where we do that in
the body of a function are hot-spots in the profile.
They are also, generally, pretty simple and clear wins: almost all of them can
simply require the library the first time they are loaded and everything will
work fine.
In my testing with a complex, real-world set of manifests this reduces time
spent by ~ 3 wall-clock seconds in require and all children.
Fix broken ability to remove resources from the catalog.
For the last forever, the Puppet catalog object has been unable to remove resources
correctly - they used the wrong key to remove items from an internal map.
Because the test was broken we also ran into a situation where this simply
wasn't noticed - and, presumably, we simply didn't depend on this in the real
world enough to actually discover the failure.
This fixes that, as well as the bad test, to ensure that the feature works
correctly, and that it stays that way.
(#14962) PMT doesn't support setting a relative modulepath
We previously fixed expansion for the target_dir, but this only worked when the
target_dir was set explicitly, it didn't support relative paths being passed in
the modulepath. This patch fixes that and adds tests.
As a side-effect, this should also fix cases where the first modulepath
defined in the configuration file is relative.
It also corrects the tests previously applied for expanding the target_dir, as
it used to rely on expanding the target_dir before adding it to the modulepath.
This wasn't necessary, so now we don't bother testing that the targetdir is
expanded in the modulepath after being added.
Acceptance tests have been added for testing modulepath, with absolute
and relative paths.
(#15221) Create /etc/puppet/modules directory for puppet module tool
Previously, this directory was not created by the package,
which caused errors when the puppet module tool was used
to install modules. This commit updates the RPM spec file
to create this directory upon installation of the package.
(#13070) Mark files as loaded before we load
There is a loading cycle that occurs in some situations. It showed up as
not being able to describe certain types because the description
depended on the name of the type's class. For some reason (that is not
entirely clear) the multiple loading of code seems to cause the name of
the class to be wrong.
This patch changes it to mark the file as loaded first, so that we don't
get into a loading cycle.
Extract host validation in store report processor
Extract the validation step and refactor tests around this. Tests now don't
touch the filesystem which avoids a corner case on windows that caused test
failures.
Enforce "must not should" on Puppet::Type instances in tests.
Because we define a `should` method on Puppet::Type, and that conflicts with
the identically named method in RSpec, we have an alias for `must` defined in
the test helper.
Sadly, this isn't *complete*: if you call `should` on those instances you
actually get no failure, it just silently ignores your actual test.
This change monkey-patches Puppet::Type in the spec helper, and adds a type
check to fail hard if you supply something "illegal" as the argument to
Puppet::Type.
(#14531) Change default ensure value from symlink to link
If ensure on a file resource is omitted, puppet will set the should value
to :symlink in the initialize method of the file type but the ensure property
does not use :symlink but :link to identify a link.
As a result, puppet will always treat a resource with a specific target
property but no ensure property as out of sync:
    file { '/tmp/a':
      target => '/tmp/b',
    }
When puppet now calls sync on the ensure property, the file resource
(`/tmp/a`) is removed first (method `remove_existing`) but we do not
execute the block passed to `newvalue(:link)` to recreate it. Because
there is no `newvalue(:symlink)` block, we instead run the block in
`newvalue(/./)` which is just a dummy and does nothing at all. As a
result puppet will *always* say it created something while in fact
making sure that the resource is *removed*.
Change the default ensure value from :symlink to :link if target is
set.
Upstart code cleanup, init provider improvement
This commit adds an is_init? function to the init provider, to prevent the init
provider from handling upstart jobs redundantly (which happens with services
such as network-interface and network-interface-security). It also adds tests
for the exclusion of instances in the upstart provider and exclusion of upstart
services from the init instances. It also cleans up some upstart provider code
(self.instances, self.search), eliminating redundant code and refactoring some
methods (upstart_status, status, normal_status).
This also removes the custom status command from upstart, which almost
certainly wasn't doing what it was expected. The upstart status command is
effective at gauging the status of upstart services.
Handle network-interface-security in upstart
Similar to network-interface, network-interface-security is an upstart job that
requires special handling to get status information. While network-interface
takes an interface argument, network-interface-security takes a job argument.
This commit adds that special case, and also updates the search method with a
corresponding special case so the jobs can be recognized as upstart jobs.
Add exclude list to upstart provider
The wait-for-state service seems to be a helper that is used by upstart, but
doesn't have a useful status or consistent way to call. Trying to use that
upstart service generally results in an error. This commit adds an exclude list
similar to the redhat provider so that services like 'wait-for-state' can be
excluded from the service instances.
(#15027, #15028, #15029) Fix upstart version parsing
A leading space in the --version argument would confuse upstart, and the
version returned would not always be a semantic version, which caused the
upstart provider to fail. This commit updates the initctl call to remove the
leading space from the --version argument, and also replaces the implicit
SemVer comparisons with wrapper functions that call out to
Puppet::Util::Package.versioncmp to do version comparisons. It also fixes a
subtly broken regex to grab the full version string.
(#13489) Synchronously start and stop services
Previously, we were using the `win32-service` gem to start and stop
services. It uses Win32 APIs to programmatically send start and stop
requests. The actual service starts/stops asynchronously with respect
to the request. As a result, when refreshing a service, puppet would
issue a stop request, immediately followed by a start request, and that
would race as the service would often still be running when the start
request occurred, leading to 'An instance of the service is already
running'.
This commit changes the windows service provider to use `net.exe` to
start and stop services. This command will block until the service
start/stops, and returns 0 on success, making it easy to adapt to the
provider command pattern. The one downside is that the exit codes don't
have the same resolution that we can get via the `sc.exe` or by calling
the Service Control Manager programmatically. But that is not too
critical because we do capture the output of the `net.exe` command, e.g.
'The service name is invalid.' and include it in the exception message.
(#14964) Don't fail if we can't unlink the Tempfile on Windows
Previously, if the exec resource created a process, e.g. start.exe, that
executed another process asynchronously, then the grandchild would inherit
the tempfile handle, preventing puppet from being able to unlink it. This
is not an issue on POSIX systems.
This commit changes the `wait_for_output` method to ignore Errno::EACCES
exceptions caused when closing and unlinking the stdout tempfile. The
behavior on POSIX systems is unchanged.
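The cleanup order described in the two #14964 entries, as an added example that is not Puppet's `wait_for_output`: the read happens inside begin/ensure, and the Tempfile is closed and then unlinked as two explicit steps. The method name `run_and_capture`, its `reader:` parameter and the sample commands are assumptions for illustration; the run is on POSIX, where the Windows `Errno::EACCES` case cannot occur.

```ruby
require 'tempfile'
require 'tmpdir'

# Hypothetical stand-in for the step described above: run +command+ with its
# stdout sent to a Tempfile in +tmpdir+, return what it wrote, and never
# leave the Tempfile behind. +reader+ exists only so a read failure can be
# simulated.
def run_and_capture(command, tmpdir, reader: ->(io) { io.read })
  stdout = Tempfile.new('exec-stdout', tmpdir)
  begin
    pid = Process.spawn(*command, out: stdout.path)
    Process.wait(pid)
    stdout.rewind
    # The read sits inside begin/ensure, so a failure here still reaches the
    # cleanup below instead of leaving the file until the finalizer runs.
    reader.call(stdout)
  ensure
    # Two explicit steps rather than close(true) / close!. Tempfile#unlink
    # swallows Errno::EACCES, which is what Windows reports while a
    # grandchild process still holds the inherited handle.
    stdout.close
    stdout.unlink
  end
end

# Constructed demo: one normal run and one run whose read fails. In both
# cases the temp directory must be empty afterwards.
def demo_cleanup
  Dir.mktmpdir do |dir|
    output = run_and_capture(['sh', '-c', 'printf captured'], dir)
    after_ok = Dir.children(dir)

    failing = ->(_io) { raise IOError, 'constructed read failure' }
    error = begin
      run_and_capture(['sh', '-c', 'printf lost'], dir, reader: failing)
    rescue IOError => e
      e.message
    end

    { output: output, after_ok: after_ok,
      error: error, after_failure: Dir.children(dir) }
  end
end

p demo_cleanup if $PROGRAM_NAME == __FILE__
```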
(#14860) Fix puppet cert exit status on failures
Without this patch applied the following command errors out but does not
correctly set the exit status:
    puppet cert generate foo.bar.com --dns_alt_names foo,foo.bar.com
The error returned is:
    err: Could not call generate: CSR 'pe-internal-broker-test'
    contains subject alternative names (DNS:pe-centos6, \
    DNS:pe-centos6.puppetlabs.vm, DNS:pe-internal-broker-test, \
    DNS:stomp), which are disallowed. Use `puppet cert \
    --allow-dns-alt-names sign pe-internal-broker-test` to sign this \
    request.
However, the exit status is 0.
This is a problem because we need to easily detect if certificate
generation from the command line failed or succeeded. The most natural
and expected way to check this is by looking at the exit status.
The root cause of the problem is that
Puppet::SSL::CertificateAuthority::InterFace#apply incorrectly catches
and masks the exception raised by the generate method because it simply
logs an error with Puppet.err and continues along happily.
This patch fixes the problem by re-raising the error produced by
generate, allowing the application controller to catch the error
appropriately and exit with the non-zero exit status.
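The root cause described in #14860, reduced to a constructed model that is not Puppet's code: a handler that logs and swallows the exception leaves the caller with exit status 0, while one that logs and re-raises lets the controller report failure. `ToyCA`, `apply_masking`, `apply_reraising` and `exit_status_for` are hypothetical names.

```ruby
class DisallowedAltNames < StandardError; end

# Hypothetical CA: refuses a request that carries subject alternative names
# unless the caller explicitly allows them.
class ToyCA
  def generate(name, dns_alt_names: [], allow_dns_alt_names: false)
    unless dns_alt_names.empty? || allow_dns_alt_names
      sans = dns_alt_names.map { |n| "DNS:#{n}" }.join(', ')
      raise DisallowedAltNames,
            "CSR '#{name}' contains subject alternative names (#{sans}), " \
            'which are disallowed'
    end
    "certificate for #{name}"
  end
end

# The behaviour before the fix: the error is logged and then dropped, so the
# caller cannot tell that nothing was generated.
def apply_masking(ca, log, name, **opts)
  ca.generate(name, **opts)
rescue StandardError => e
  log << "err: Could not call generate: #{e.message}"
  nil
end

# The behaviour after the fix: still logged, but the exception keeps going.
def apply_reraising(ca, log, name, **opts)
  ca.generate(name, **opts)
rescue StandardError => e
  log << "err: Could not call generate: #{e.message}"
  raise
end

# Stand-in for the application controller: the exit status comes only from
# exceptions that actually reach it.
def exit_status_for
  yield
  0
rescue StandardError
  1
end

# Constructed demo using the certname and alt names from the command above.
def demo_exit_statuses
  ca = ToyCA.new
  log = []
  sans = %w[foo foo.bar.com]
  before = exit_status_for { apply_masking(ca, log, 'foo.bar.com', dns_alt_names: sans) }
  after = exit_status_for { apply_reraising(ca, log, 'foo.bar.com', dns_alt_names: sans) }
  allowed = exit_status_for do
    apply_reraising(ca, log, 'foo.bar.com', dns_alt_names: sans, allow_dns_alt_names: true)
  end
  { before: before, after: after, allowed: allowed, logged: log.length }
end

p demo_exit_statuses if $PROGRAM_NAME == __FILE__
```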
(#13379) Add path of pluginsync'd lenses to Augeas load_path automatically
The path $libdir/augeas/lenses is added to the Augeas load_path initialisation
option automatically to support lenses being pluginsynced. Lenses should be
added into the <module>/lib/augeas/lenses directory inside a module.
The load_path parameter has been expanded to support an array of paths as well
as a colon-separated list.
Fixes for #10915 and #11200 - user provider for AIX
The user provider on AIX fails to set the password for local users
using chpasswd.
This commit includes the code in ticket #11200 suggested by Josh
Cooper. It works in my environment (AIX 5.3 + 6.1).
chpasswd can also return 1 even on success; it's not clear if this is
by design, as the manpage doesn't mention it. The lack of output from
chpasswd indicates success; if there's a problem it dumps output to
stderr/stdout.
## Puppet 2.7.19 Changelog ##
Andrew Parker (7)
1dd660a (Maint) Remove reference to Patchwork
b73d0dd (#15595) Improve message on SSL errors
9567ec8 (#15595) Clear up tests around ssl errors
57a74f7 (13070) Mark files as loaded before we load
690c39b (Maint) Require the right file for md5
Ab540aa0 (#15471) Fix setting mode of last_run_summary
7c7cffe (#15471) Ensure non-root can read report summary
Hailee Kenny (6)
a26d1ee Replace "the short version" with outline
6a43e96 Update CONTRIBUTING.md
c44973c (Maint) Remove some more ambiguity
00b563d (Maint) Be more honest about submission methods
b90c92b (Maint) Clarify that Redmine tickets are mandatory
62c14bd (Maint) Clarify which branches changes should be based on
Dustin J. Mitchell (3)
ccca77f use error_message instead of error
3809b59 updates as requested
e7b3049 (#15595) Offer better errors for certificate validation errors
Patrick Carlisle (7)
c236001 Use rspec 2.11 compatible block syntax
04fbccd Try again to avoid circular dependency in file indirections
3e23686 Avoid circular requirement in FileMetadata indirection
44ada58 Extract host validation in store report processor
91df2f3 Use cross-platform absolute paths in file_serving tests
b227aa1 Remove useless tests for Envelope
86ccca4 Clear deprecation warnings between tests
Nick Lewis (2)
b504ab7 Fix buggy resource title tests
cc4d8d2 Don't allow resource titles which aren't strings
Jakob Holy (1)
c0a0a45 tidy.rb: Added info about the default value of 'type' to the doc.
R. Tyler Croy (1)
2d994c2 Switch Rakefile off deprecated rake/gempackagetask
Michael Stahnke (1)
7324f54 Update main readme to have links to contrib and dev docs
Josh Cooper (11)
a23cf6e (Maint) Don't assume paths are absolute
125ecec (Maint) Spec test wasn't testing anything
4c18d08 (#14964) Unlink Tempfiles consistently across different ruby versions
8efc492 (#13489) Use let to memoize instance variables
03d546e (Maint) Document common Windows issues
761b48f (#11868) Use `Installer` automation interface to query package state
dc5f57c (#13489) Synchronously start and stop services
3ada851 (#14964) Don't fail if we can't unlink the Tempfile on Windows
d7e77eb (#14749) Clear reference to invalid task after saving
a2d9597 (#13008) Allow scheduled task arguments to be specified
c6af946 (#13009) Compare scheduled task commands using backslashes
Moses Mendoza (1)
dd96d84 Determine packaging version with git describe
7611753 Add packaging support for fedora 17
a619bfd Add additional commits to CHANGELOG missed in 2.7.19rc1
Will Hopper (3)
c7e4ca7 (#15221) Create /etc/puppet/modules directory for puppet module tool
300fce9 (#14909) Update createpackage.sh to resolve permissions issues
ddf8358 Update logrotate config to not restart puppetmasterd
nfagerlund (1)
c05489b (Maint:) Fix bad doc strings for two settings ("wether")
Daniel Pittman (8)
85f5543 Ruby 1.9.3 has a different error when `require` fails.
37742db Eliminate require calls at runtime.
be5fcf4 Fix broken TransBucket transformation tests.
8f99187 Fix broken ability to remove resources from the catalog.
9bd4fd3 Fix type check when transforming catalog.
825b80d Fix all trivial "should to must" errors in our tests.
7a7bea7 Enforce "must not should" on Puppet::Type instances in tests.
a257105 Use Win32 API atomic replace in `replace_file`
Ken Barber (1)
9f0bf4 (#14962) PMT doesn't support setting a relative modulepath
Dominic Cleal (3)
39f425f (#15078) Document USR2 log rotation signal
5146397 (#13379) Add path of pluginsync'd lenses to Augeas load_path automatically
087d5ae (#7285) Add spec for Augeas initialisation and file loading
Stefan Shulte (5)
0d5a46a (#14600) Fix cleanup of tempfiles in file_spec
0219818 (#14531) Change default ensure value from symlink to link
b572810 (#14599) Handle ENOTDIR in file type
0859364 (#13880) Add openrc spec - service with extreme long name
af6f7ba (#13880) Add openrc service provider for Gentoo and Funtoo
Dominic Maraglia (1)
2141905 (maint) Add --test to puppet run
Matthaus Litteken (8)
da771cb (maint) Add symlink stub to gentoo service provider spec
0e87fe1 Add comment to upstart provider explaining exclusion of 'wait-for-state'
0cab9ee Upstart code cleanup, init provider improvement
91628be Add spec test for network-interface-security
b60ad19 Add basic service resource test to upstart acceptance
a6245f9 Handle network-interface-security in upstart
60e37b6 Add exclude list to upstart provider
2911fec (#15027, #15028, #15029) Fix upstart version parsing
b2d08a4 (#15291) Add Vendor tag to Puppet spec file
Jeff McCune (1)
0b01bb3 (#14860) Fix puppet cert exit status on failures
Franz Pletz (1)
2fc7191 (#9160) Change logging facility to debug for not supported provider features
Andy Sykes (1)
06eb9a9 Fixes for #10915 and #11200 - user provider for AIX
codec (1)
ed73845 (#10354) added delete command to fix missing userdel flag in useradd provider