Puppet 2.7.19 is a maintenance release candidate for Puppet in the 2.7.x series. It includes many bug fixes, including Windows improvements, Upstart service provider fixes, and several others.
Downloads are available at:

 * Source https://downloads.puppetlabs.com/puppet/puppet-2.7.19.tar.gz

Windows package is available at https://downloads.puppetlabs.com/windows/puppet-2.7.19.msi

RPMs are available at https://yum.puppetlabs.com/el or /fedora

Debs are available at https://apt.puppetlabs.com

Mac package is available at https://downloads.puppetlabs.com/mac/puppet-2.7.19.dmg

See the Verifying Puppet Download section at:
https://projects.puppetlabs.com/projects/puppet/wiki/Downloading_Puppet

Please report feedback via the Puppet Labs Redmine site, using an affected puppet version of 2.7.19:
http://projects.puppetlabs.com/projects/puppet/

This release contains contributions from Andrew Parker, Dustin J. Mitchell, Patrick Carlisle, Nick Lewis, Jakob Holy, R. Tyler Croy, Michael Stahnke, Josh Cooper, Moses Mendoza, Will Hopper, nfagerlund, Daniel Pittman, Ken Barber, Dominic Cleal, Stefan Shulte, Dominic Maraglia, Matthaus Litteken, Jeff McCune, Franz Pletz, Andy Sykes, and codec.

This release does not address (#15561) regarding slashes in certnames. This remains a known issue.

## Puppet 2.7.19 Release Notes ##

Ruby 1.9.3 has a different error when `require` fails.

The text of the error message when load fails has changed, resulting in the test failing. This adapts that to catch the different versions, allowing this to pass in all cases.

(#15291) Add Vendor tag to Puppet spec file

Previously the spec file had no Vendor tag, which left it undefined. This commit adds a Vendor tag that references the _host_vendor macro, so that it can be easily set to 'Puppet Labs' internally and customized by users easily. The Vendor tag makes it easier for users to tell where the package came from.

Add packaging support for fedora 17

This commit modifies the puppet.spec file to use the ruby vendorlib instead of sitelib if building for fedora 17, which ships with ruby 1.9. Mostly borrowed from the official Fedora 17 package.

(#15471) Fix setting mode of last_run_summary

The writelock function didn't work with setting the mode on the last_run_summary file. This backports some of the work in commit 7d8fd144949f21eff924602c2a6b7f130f1c0b69. Specifically, the changes from using writelock to replace_file for saving the summary file. This builds on top of the backport of getting replace_file to work on windows.

(#15471) Ensure non-root can read report summary

The security fix for locking down the last_run_report, which contains sensitive information, also locked down the last_run_summary, which does not contain sensitive information. Unfortunately this file is often used by monitoring systems so that they can track puppet runs. Since the agent runs as root and the monitoring systems do not, this caused the summary to become unreadable by the monitoring systems.

This commit returns the summary to being world readable which undoes part of the change done in fd44bf5e6d0d360f6a493d663b653c121fa83c3f

Use Win32 API atomic replace in `replace_file`

The changes to enable Windows support in `replace_file` were not actually complete, and it didn't work when the file didn't exist - because of limitations of the emulation done on our side, rather than anything else.

Windows has a bunch of quirks, and Ruby doesn't actually abstract over the underlying platform a great deal. We can use the Windows API ReplaceFile, and MoveFileEx, to achieve the desired behaviour though.

This adds even more conditional code inside the `replace_file` method to handle multiple platforms - but it really isn't very clean. Better to get this working now, then refactor, though.

(#11868) Use `Installer` automation interface to query package state

Previously, Puppet recorded MSI packages it had installed in a YAML file. However, if the file was deleted or the system modified, e.g. Add/Remove Programs, then Puppet did not know the package state had changed.

Also, if the name of the package did not change across versions, e.g. VMware Tools, then puppet would report the package as insync even though the installed version could be different than the one pointed to by the source parameter.

Also, `msiexec.exe` returns non-zero exit codes when either the package requests a reboot (194), the system requires a reboot (3010), e.g. due to a locked file, or the system initiates a reboot (1641). This would cause puppet to think the install failed, and it would try to reinstall the package the next time it ran (since the YAML file didn't get updated).

This commit changes the msi package provider to use the `Installer` Automation (COM) interface to query the state of the system[1]. It will now accurately report on installed packages, even those it did not install, including Puppet itself (#13444). If a package is removed via Add/Remove Programs, Puppet will re-install it the next time it runs.

The MSI package provider will now warn in the various reboot scenarios, but report the overall install/uninstall as successful (#14055).

When using the msi package resource, the resource title should match the 'ProductName' property in the MSI Property table, which is also the value displayed in Add/Remove Programs, e.g.

    package { 'Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148':
      ensure => installed,
      ...
    }

In cases where the ProductName does not change across versions, e.g. VMware Tools, you MUST use the PackageCode as the name of the resource in order for puppet to accurately determine the state of the system:

    package { '{0E3AA38E-EAD3-4348-B5C5-051B6852CED6}':
      ensure => installed,
      ...
    }

You can obtain the PackageCode in ruby using:

    require 'win32ole'
    installer = WIN32OLE.new('WindowsInstaller.Installer')
    # Mode 0 opens the MSI database read-only
    db = installer.OpenDatabase(path, 0)
    # Summary property 9 (Revision Number) holds the PackageCode
    puts db.SummaryInformation.Property(9)

where <path> is the path to the MSI.
The msi provider does not automatically compare PackageCodes when determining if the resource is insync, because the source MSI could be on a network share, and we do not want to copy the potentially large file just to see if changes need to be made.

The msi provider does not use the `Installer` interface to perform install and uninstall, because I have not found a way to obtain useful error codes when reboots are requested. Instead the methods `InstallProduct` and `ConfigureProduct` raise exceptions with the general 0x80020009 error, which means 'Exception occurred'.

So for now we continue to use msiexec.exe for install and uninstall, though the msi provider may not uninstall multi-instance transforms correctly, since the transform (MST) used to install the package needs to be respecified during uninstall. This could be resolved by allowing uninstall_options to be specified, or figuring out how to obtain useful error codes when using the `Installer` interface.

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa369432(v=vs.85).aspx

(#14964) Unlink Tempfiles consistently across different ruby versions

The previous fix for #14964 relied on inconsistent behavior of ruby 1.8's `Tempfile#close!` method, which is called by `close(true)`. Although the ruby documentation says `close!` is the same as `delete` followed by `unlink`, the exact semantics are different. The former calls the Tempfile's finalizer callback directly and can raise an `Errno::EACCES`, while `unlink` never does.

In ruby 1.9, the `Tempfile#close!` method was changed to call `unlink`, making the two APIs consistent. As a result, the begin-ensure block added previously to fix #14964 was wrong.

Also, previously if the call to `read` failed, then the Tempfile would not be closed and deleted until its finalizer ran.

This commit changes the `wait_for_output` method to close and unlink the Tempfile in two steps. The `unlink` method will not raise an `Errno::EACCES` in either ruby 1.8 or 1.9. It also changes the `read` call to occur within the begin-ensure block, so that the Tempfile is closed and unlinked as soon as we are done with it.

(Maint) Require the right file for md5

md5 doesn't exist on 1.9.3. It seems to have been an alias in previous versions of ruby for digest/md5. Requiring the other file directly allows this to work on all supported rubies.

Don't allow resource titles which aren't strings

It was possible to create resources whose titles weren't strings, by using a variable containing a hash, or the result of a function which doesn't return a string. This can cause problems resolving relationships when the stringified version of the title differs between master and agent.

Now we will only accept primitives, and will stringify them. That is: string, symbol, number, boolean. Arrays or nested arrays will still be flattened and used to create multiple resources. Any other value (for instance: a hash) will cause a parse error.

Eliminate require calls at runtime.

Calling `require` is a surprisingly expensive operation, especially if ActiveRecord has been loaded. Consequently, the places where we do that in the body of a function are hot-spots in the profile.

They are also, generally, pretty simple and clear wins: almost all of them can simply require the library the first time they are loaded and everything will work fine.

In my testing with a complex, real-world set of manifests this reduces time spent by ~ 3 wall-clock seconds in require and all children.

Fix broken ability to remove resources from the catalog.

For the last forever, the Puppet catalog object has been unable to remove resources correctly - they used the wrong key to remove items from an internal map.

Because the test was broken we also ran into a situation where this simply wasn't noticed - and, presumably, we simply didn't depend on this in the real world enough to actually discover the failure.
This fixes that, as well as the bad test, to ensure that the feature works correctly, and that it stays that way.

(#14962) PMT doesn't support setting a relative modulepath

We previously fixed expansion for the target_dir, but this only worked when the target_dir was set explicitly, it didn't support relative paths being passed in the modulepath.

This patch fixes that and adds tests. As a side-effect, this should also fix cases where the first modulepath defined in the configuration file is relative.

It also corrects the tests previously applied for expanding the target_dir, as it used to rely on expanding the target_dir before adding it to the modulepath. This wasn't necessary, so now we don't bother testing that the targetdir is expanded in the modulepath after being added.

Acceptance tests have been added for testing modulepath, with absolute and relative paths.

(#15221) Create /etc/puppet/modules directory for puppet module tool

Previously, this directory was not created by the package, which caused errors when the puppet module tool was used to install modules. This commit updates the RPM spec file to create this directory upon installation of the package.

(#13070) Mark files as loaded before we load

There is a loading cycle that occurs in some situations. It showed up as not being able to describe certain types because the description depended on the name of the type's class. For some reason (that is not entirely clear) the multiple loading of code seems to cause the name of the class to be wrong.

This patch changes it to mark the file as loaded first, so that we don't get into a loading cycle.

Extract host validation in store report processor

Extract the validation step and refactor tests around this. Tests now don't touch the filesystem which avoids a corner case on windows that caused test failures.

Enforce "must not should" on Puppet::Type instances in tests.

Because we define a `should` method on Puppet::Type, and that conflicts with the identically named method in RSpec, we have an alias for `must` defined in the test helper.

Sadly, this isn't *complete*: if you call `should` on those instances you actually get no failure, it just silently ignores your actual test.

This change monkey-patches Puppet::Type in the spec helper, and adds a type check to fail hard if you supply something "illegal" as the argument to Puppet::Type.

(#14531) Change default ensure value from symlink to link

If ensure on a file resource is omitted, puppet will set the should value to :symlink in the initialize method of the file type but the ensure property does not use :symlink but :link to identify a link.

As a result, puppet will always treat a resource with a specific target property but no ensure property as out of sync:

    file { '/tmp/a':
      target => '/tmp/b',
    }

When puppet now calls sync on the ensure property, the file resource (`/tmp/a`) is removed first (method `remove_existing`) but we do not execute the block passed to `newvalue(:link)` to recreate it. Because there is no `newvalue(:symlink)` block, we instead run the block in `newvalue(/./)` which is just a dummy and does nothing at all.

As a result puppet will *always* say it created something while in fact making sure that the resource is *removed*.

Change the default ensure value from :symlink to :link if target is set.

Upstart code cleanup, init provider improvement

This commit adds an is_init? function to the init provider, to prevent the init provider from handling upstart jobs redundantly (which happens with services such as network-interface and network-interface-security). It also adds tests for the exclusion of instances in the upstart provider and exclusion of upstart services from the init instances. It also cleans up some upstart provider code (self.instances, self.search), eliminating redundant code and refactoring some methods (upstart_status, status, normal_status).
This also removes the custom status command from upstart, which almost certainly wasn't doing what it was expected. The upstart status command is effective at gauging the status of upstart services.

Handle network-interface-security in upstart

Similar to network-interface, network-interface-security is an upstart job that requires special handling to get status information. While network-interface takes an interface argument, network-interface-security takes a job argument. This commit adds that special case, and also updates the search method with a corresponding special case so the jobs can be recognized as upstart jobs.

Add exclude list to upstart provider

The wait-for-state service seems to be a helper that is used by upstart, but doesn't have a useful status or consistent way to call. Trying to use that upstart service generally results in an error. This commit adds an exclude list similar to the redhat provider so that services like 'wait-for-state' can be excluded from the service instances.

(#15027, #15028, #15029) Fix upstart version parsing

A leading space in the --version argument would confuse upstart, and the version returned would not always be a semantic version, which caused the upstart provider to fail. This commit updates the initctl call to remove the leading space from the --version argument, and also replaces the implicit SemVer comparisons with wrapper functions that call out to Puppet::Util::Package.versioncmp to do version comparisons. It also fixes a subtly broken regex to grab the full version string.

(#13489) Synchronously start and stop services

Previously, we were using the `win32-service` gem to start and stop services. It uses Win32 APIs to programmatically send start and stop requests. The actual service starts/stops asynchronously with respect to the request.

As a result, when refreshing a service, puppet would issue a stop request, immediately followed by a start request, and that would race as the service would often still be running when the start request occurred, leading to 'An instance of the service is already running'.

This commit changes the windows service provider to use `net.exe` to start and stop services. This command will block until the service start/stops, and returns 0 on success, making it easy to adapt to the provider command pattern.

The one downside is that the exit codes don't have the same resolution that we can get via the `sc.exe` or by calling the Service Control Manager programmatically. But that is not too critical because we do capture the output of the `net.exe` command, e.g. 'The service name is invalid.' and include it in the exception message.

(#14964) Don't fail if we can't unlink the Tempfile on Windows

Previously, if the exec resource created a process, e.g. start.exe, that executed another process asynchronously, then the grandchild would inherit the tempfile handle, preventing puppet from being able to unlink it. This is not an issue on POSIX systems.

This commit changes the `wait_for_output` method to ignore Errno::EACCES exceptions caused when closing and unlinking the stdout tempfile. The behavior on POSIX systems is unchanged.

(#14860) Fix puppet cert exit status on failures

Without this patch applied the following command errors out but does not correctly set the exit status:

    puppet cert generate foo.bar.com --dns_alt_names foo,foo.bar.com

The error returned is:

    err: Could not call generate: CSR 'pe-internal-broker-test' contains subject alternative names (DNS:pe-centos6, \
    DNS:pe-centos6.puppetlabs.vm, DNS:pe-internal-broker-test, \
    DNS:stomp), which are disallowed. Use `puppet cert \
    --allow-dns-alt-names sign pe-internal-broker-test` to sign this \
    request.

However, the exit status is 0.
This is a problem because we need to easily detect if certificate generation from the command line failed or succeeded. The most natural and expected way to check this is by looking at the exit status.

The root cause of the problem is that Puppet::SSL::CertificateAuthority::Interface#apply incorrectly catches and masks the exception raised by the generate method because it simply logs an error with Puppet.err and continues along happily.

This patch fixes the problem by re-raising the error produced by generate, allowing the application controller to catch the error appropriately and exit with the non-zero exit status.

(#13379) Add path of pluginsync'd lenses to Augeas load_path automatically

The path $libdir/augeas/lenses is added to the Augeas load_path initialisation option automatically to support lenses being pluginsynced. Lenses should be added into the <module>/lib/augeas/lenses directory inside a module.

The load_path parameter has been expanded to support an array of paths as well as a colon-separated list.

Fixes for #10915 and #11200 - user provider for AIX

The user provider on AIX fails to set the password for local users using chpasswd. This commit includes the code in ticket #11200 suggested by Josh Cooper. It works in my environment (AIX 5.3 + 6.1).

chpasswd can also return 1 even on success; it's not clear if this is by design, as the manpage doesn't mention it. The lack of output from chpasswd indicates success; if there's a problem it dumps output to stderr/stdout.
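The (#15471) notes above describe saving last_run_summary through an atomic replace with an explicit mode, so the sensitive report stays locked down while the summary stays world readable. The Ruby below is an added example, not Puppet's own `replace_file`; the helper names, the `.yaml` file names and the 0640/0644 modes are assumptions chosen for illustration.

```ruby
require 'tempfile'
require 'tmpdir'

# Hypothetical helper, not Puppet's replace_file: atomically replace +path+
# with +content+, giving the new file exactly +mode+.
def atomic_write(path, mode, content)
  # The temp file lives in the target directory so the final rename never
  # crosses a filesystem boundary. Tempfile creates it with mode 0600.
  tmp = Tempfile.new(File.basename(path), File.dirname(path))
  begin
    tmp.write(content)
    tmp.flush
    tmp.fsync
    # chmod ignores the umask, so the mode is exact, and it is applied
    # before the file becomes visible under its real name.
    File.chmod(mode, tmp.path)
    tmp.close
    File.rename(tmp.path, path) # readers see the old file or the new one
  ensure
    # Close and unlink in two steps; unlink finds nothing to delete when
    # the rename has already moved the file into place.
    tmp.close unless tmp.closed?
    tmp.unlink
  end
  path
end

# Assumed modes: the report holds sensitive data, the summary does not.
RUN_FILES = {
  'last_run_report.yaml'  => 0640,
  'last_run_summary.yaml' => 0644
}.freeze

# Write both files into +statedir+ and return { name => permission bits }.
def write_run_files(statedir, contents)
  RUN_FILES.each_with_object({}) do |(name, mode), seen|
    path = atomic_write(File.join(statedir, name), mode, contents.fetch(name))
    seen[name] = File.stat(path).mode & 0777
  end
end

# What an unprivileged monitoring check depends on: the "other" read bit.
def world_readable?(path)
  (File.stat(path).mode & 0004) != 0
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    # Constructed sample content, not real Puppet output.
    sample = {
      'last_run_report.yaml'  => "logs: [constructed sensitive detail]\n",
      'last_run_summary.yaml' => "resources: {failed: 0}\n"
    }
    write_run_files(dir, sample).each do |name, mode|
      puts format('%-22s %04o', name, mode)
    end
  end
end
```
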
## Puppet 2.7.19 Changelog ##

Andrew Parker (7)

 * 1dd660a (Maint) Remove reference to Patchwork
 * b73d0dd (#15595) Improve message on SSL errors
 * 9567ec8 (#15595) Clear up tests around ssl errors
 * 57a74f7 (13070) Mark files as loaded before we load
 * 690c39b (Maint) Require the right file for md5
 * Ab540aa0 (#15471) Fix setting mode of last_run_summary
 * 7c7cffe (#15471) Ensure non-root can read report summary

Hailee Kenny (6)

 * a26d1ee Replace "the short version" with outline
 * 6a43e96 Update CONTRIBUTING.md
 * c44973c (Maint) Remove some more ambiguity
 * 00b563d (Maint) Be more honest about submission methods
 * b90c92b (Maint) Clarify that Redmine tickets are mandatory
 * 62c14bd (Maint) Clarify which branches changes should be based on

Dustin J. Mitchell (3)

 * ccca77f use error_message instead of error
 * 3809b59 updates as requested
 * e7b3049 (#15595) Offer better errors for certificate validation errors

Patrick Carlisle (7)

 * c236001 Use rspec 2.11 compatible block syntax
 * 04fbccd Try again to avoid circular dependency in file indirections
 * 3e23686 Avoid circular requirement in FileMetadata indirection
 * 44ada58 Extract host validation in store report processor
 * 91df2f3 Use cross-platform absolute paths in file_serving tests
 * b227aa1 Remove useless tests for Envelope
 * 86ccca4 Clear deprecation warnings between tests

Nick Lewis (2)

 * b504ab7 Fix buggy resource title tests
 * cc4d8d2 Don't allow resource titles which aren't strings

Jakob Holy (1)

 * c0a0a45 tidy.rb: Added info about the default value of 'type' to the doc.

R. Tyler Croy (1)

 * 2d994c2 Switch Rakefile off deprecated rake/gempackagetask

Michael Stahnke (1)

 * 7324f54 Update main readme to have links to contrib and dev docs

Josh Cooper (11)

 * a23cf6e (Maint) Don't assume paths are absolute
 * 125ecec (Maint) Spec test wasn't testing anything
 * 4c18d08 (#14964) Unlink Tempfiles consistently across different ruby versions
 * 8efc492 (#13489) Use let to memoize instance variables
 * 03d546e (Maint) Document common Windows issues
 * 761b48f (#11868) Use `Installer` automation interface to query package state
 * dc5f57c (#13489) Synchronously start and stop services
 * 3ada851 (#14964) Don't fail if we can't unlink the Tempfile on Windows
 * d7e77eb (#14749) Clear reference to invalid task after saving
 * a2d9597 (#13008) Allow scheduled task arguments to be specified
 * c6af946 (#13009) Compare scheduled task commands using backslashes

Moses Mendoza (1)

 * dd96d84 Determine packaging version with git describe
 * 7611753 Add packaging support for fedora 17
 * a619bfd Add additional commits to CHANGELOG missed in 2.7.19rc1

Will Hopper (3)

 * c7e4ca7 (#15221) Create /etc/puppet/modules directory for puppet module tool
 * 300fce9 (#14909) Update createpackage.sh to resolve permissions issues
 * ddf8358 Update logrotate config to not restart puppetmasterd

nfagerlund (1)

 * c05489b (Maint:) Fix bad doc strings for two settings ("wether")

Daniel Pittman (8)

 * 85f5543 Ruby 1.9.3 has a different error when `require` fails.
 * 37742db Eliminate require calls at runtime.
 * be5fcf4 Fix broken TransBucket transformation tests.
 * 8f99187 Fix broken ability to remove resources from the catalog.
 * 9bd4fd3 Fix type check when transforming catalog.
 * 825b80d Fix all trivial "should to must" errors in our tests.
 * 7a7bea7 Enforce "must not should" on Puppet::Type instances in tests.
 * a257105 Use Win32 API atomic replace in `replace_file`

Ken Barber (1)

 * 9f0bf4 (#14962) PMT doesn't support setting a relative modulepath

Dominic Cleal (3)

 * 39f425f (#15078) Document USR2 log rotation signal
 * 5146397 (#13379) Add path of pluginsync'd lenses to Augeas load_path automatically
 * 087d5ae (#7285) Add spec for Augeas initialisation and file loading

Stefan Shulte (5)

 * 0d5a46a (#14600) Fix cleanup of tempfiles in file_spec
 * 0219818 (#14531) Change default ensure value from symlink to link
 * b572810 (#14599) Handle ENOTDIR in file type
 * 0859364 (#13880) Add openrc spec - service with extreme long name
 * af6f7ba (#13880) Add openrc service provider for Gentoo and Funtoo

Dominic Maraglia (1)

 * 2141905 (maint) Add --test to puppet run

Matthaus Litteken (8)

 * da771cb (maint) Add symlink stub to gentoo service provider spec
 * 0e87fe1 Add comment to upstart provider explaining exclusion of 'wait-for-state'
 * 0cab9ee Upstart code cleanup, init provider improvement
 * 91628be Add spec test for network-interface-security
 * b60ad19 Add basic service resource test to upstart acceptance
 * a6245f9 Handle network-interface-security in upstart
 * 60e37b6 Add exclude list to upstart provider
 * 2911fec (#15027, #15028, #15029) Fix upstart version parsing
 * b2d08a4 (#15291) Add Vendor tag to Puppet spec file

Jeff McCune (1)

 * 0b01bb3 (#14860) Fix puppet cert exit status on failures

Franz Pletz (1)

 * 2fc7191 (#9160) Change logging facility to debug for not supported provider features

Andy Sykes (1)

 * 06eb9a9 Fixes for #10915 and #11200 - user provider for AIX

codec (1)

 * ed73845 (#10354) added delete command to fix missing userdel flag in useradd provider