Jira (PUP-11538) Allow a Struct type to have a default key
Title: Message Title James Ralston created an issue Puppet / PUP-11538 Allow a Struct type to have a default key Issue Type: New Feature Assignee: Unassigned Components: Type System Created: 2022/05/06 12:06 AM Priority: Normal Reporter: James Ralston PUP-5942 was a request to permit the Struct type to define keys using a pattern. This requiest was closed as Wontfix due to the complexity involved. I have a related but simpler (and hopefully thus viable) request: permit the Struct type to have a default key that will match any hash element, so long as the data type of the value of the key matches the specified data type. An example may be helpful in describing what I am proposing: class openssh::server ( Struct[{ 'Match' => Hash[String, Hash[String, Scalar]], 'Subsystem' => Hash[String, Scalar],
Jira (PUP-11538) Allow a Struct type to have a default key
Title: Message Title James Ralston updated an issue Puppet / PUP-11538 Allow a Struct type to have a default key Change By: James Ralston PUP-5942 was a request to permit the Struct type to define keys using a pattern. This requiest was closed as _Wontfix_ due to the complexity involved.I have a related but simpler (and hopefully thus viable) request: permit the Struct type to have a _default_ key that will match any hash element, so long as the data type of the value of the key matches the specified data type.An example may be helpful in describing what I am proposing:{code}class openssh::server ( Struct[{'Match' => Hash[String, Hash[String, Scalar]],'Subsystem' => Hash[String, Scalar],default => Scalar, }] $sshd_config,) inherits openssh {{code}For our in-house {{openssh::server}} module, the entire contents of the {{/etc/ssh/sshd_config}} file is passed to the module via a hash, where the key is the option name to set, and the value is the value for that option. For the vast majority of those options, the values are scalars (strings, booleans, or integers), and the ERB template code can generate the correct configuration lines in the {{/etc/ssh/sshd_config}} file without caring what each individual option is.But two sshd_config options are special and require specific data structures to pass their information to the ERB template code. The {{Match}} option takes a hash where the key is the criterion for the Match statement, and the value is a nested hash of options to set within that specific Match block. The {{Subsystem}} option takes a hash where the key is the name of the subsystem, and the value is the command for sshd to execute to invoke that subsystem.What I want to be able to enforce is that if the {{openssh::server::sshd_config}} parameter sets either the {{Match}} or {{Subsystem}} options, the values supplied conform to the data types that those options require. But I don't want to have to laboriously enumerate every one of the ~100 other sshd_config options in the Struct just in order to be able to ensure that the {{Match}} and {{Subsystem}} options conform.(Practically speaking, I _cannot_ enumerate all of the options, even if I wanted to: different distros ship with different versions of OpenSSH, and later OpenSSH versions not only support options that earlier versions do not, but have dropped support for options that earlier versions supported.)Just as it is useful for the Puppet case statement to support a _default_ case that matches if no other case _expression_ matches, it would be useful for Struct to support a _default_ schema key and data type that will match any supplied hash key not explicitly named in the Struct, so long as the data types match.Without this, the only way I can see to implement typedef checking for the {{Match}} and {{Subsystem}} options is to typedef _every_ valid sshd_config option (which as I explained two paragraphs above is impossible), or do something like this:{code}class openssh::server ( Hash[String,
Jira (FACT-2874) facter 4.0.46 should load external fact files in lexicographical order
Title: Message Title James Ralston commented on FACT-2874 Re: facter 4.0.46 should load external fact files in lexicographical order When testing Puppet Platform 7.1, this appears to be fixed: for duplicate facts, the one that appears in the file that sorts lexicographically last is the one that is used. Thank you! Add Comment This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.379132.1606176297000.101290.160814621%40Atlassian.JIRA.
Jira (FACT-2874) facter 4.0.46 should load external fact files in lexicographical order
Title: Message Title James Ralston created an issue Facter / FACT-2874 facter 4.0.46 should load external fact files in lexicographical order Issue Type: Bug Assignee: Unassigned Created: 2020/11/23 4:04 PM Priority: Normal Reporter: James Ralston Up through facter 3.14.14 (Puppet 6.x), when facter loaded external facts from files in the /etc/facter/facts.d directory, if the same fact appeared in multiple files, the version of the fact that appeared in the file Puppet loaded last won. Starting in facter 4.0.46 (Puppet 7.x), if a fact is duplicated in multiple files, facter appears to use the first value it sees for the ultimate value of that fact, not the last. This is problematic in the case where events can dynamically add and remove files from the /etc/facter/facts.d directory. Here's an example. I have a NetworkManager dispatch script, /etc/NetworkManager/dispatcher.d/50-facter, that drops facter facts into /etc/facter/facts.d that contribute interface information. E.g.: $ ls -lsa /etc/facter/facts.d total 12 0 drwxr-xr-x. 1 root root 112 Nov 23 16:56 ./ 0 drwxr-xr-x. 1 root root 14 Jul 13 2015 ../
Jira (FACT-2869) Puppet 7.0.0 facter changes is_virtual fact to string (from boolean)
Title: Message Title James Ralston created an issue Facter / FACT-2869 Puppet 7.0.0 facter changes is_virtual fact to string (from boolean) Issue Type: Bug Assignee: Unassigned Created: 2020/11/19 9:56 PM Priority: Normal Reporter: James Ralston In Puppet 6.x, facter reports the is_virtual fact as a boolean: $ facter --version; facter --json is_virtual 3.14.14 (commit e36657bea27254f003c8fc71d8ef57454db643e2) { "is_virtual": false } But in Puppet 7.0.0, facter reports the is_virtual fact as a string:
Jira (PUP-10161) Regresssion: puppet 6.11 can't manage selinux on centos/redhat 8
Title: Message Title James Ralston commented on PUP-10161 Re: Regresssion: puppet 6.11 can't manage selinux on centos/redhat 8 Red Hat responded to me. Red Hat asserts (and I have verified) that RHEL7 did build libselinux.so.1 with the rpm_execcon() function. The specific line in the RHEL7 libselinux.spec file (for every version of the RHEL7 libselinux package) is: # FIXME: export DISABLE_RPM="y" This is trivial to verify on a RHEL7 system, using the stock Ruby and libselinux-ruby packages: $ /usr/bin/irb irb(main):001:0> require 'selinux' => true irb(main):002:0> Selinux.rpm_execcon(1, 2, 3, 4) TypeError: Expected argument 1 of type char const *, but got Fixnum 2 in SWIG method 'rpm_execcon' from (irb):2:in `rpm_execcon' from (irb):2 from /usr/bin/irb:12:in `' irb(main):003:0>
Jira (PUP-10161) Regresssion: puppet 6.11 can't manage selinux on centos/redhat 8
Title: Message Title James Ralston commented on PUP-10161 Re: Regresssion: puppet 6.11 can't manage selinux on centos/redhat 8 People who are attempting to use the RHEL8 Puppet packages on Fedora will also be burned by this, as every version of Fedora I have examined (including Rawhide) ships a libselinux package that was built with export DISABLE_RPM="y". (And yes, I know Puppet doesn't officially support running RHEL packages on Fedora. But I experiment with running puppetserver on Fedora, and Puppet doesn't build the puppetserver packages for the official Fedora repositories. Furthermore, because Fedora moves so rapidly, it's generally the case that by the time official Puppet packages appear for Fedora [n] are available, I've already migrated to Fedora [n+1]. For these reasons, I eschew Puppet's official Fedora repositories, and instead use the latest RHEL repository on my Fedora systems.) That notwithstanding, it is unusual for Red Hat to roll out a change for RHEL that hasn't hit Fedora already, as Fedora is essentially RHEL next. It's also somewhat unusual (but not without precedent) for Red Hat to break backwards shared library compatibility with RHEL minor point releases. As such, I think there is a possibility that this change wasn't intentional—that it was an oversight in the libselinux 2.8 → 2.9 rebase between RHEL 8.0 and RHEL 8.1 We are a RHEL shop and have a Red Hat support contract. I filed the following support case with Red Hat, gently questioning this change: why is libselinux now built with 'export DISABLE_RPM="n"'? What problem/issue/behavior are you having trouble with? What do you expect to see? Starting with libselinux-2.9-2.1.el8, the %build section of libselinux.spec file now contains: export DISABLE_RPM="n" This is a change from the previous (RHEL 8.0) version of libselinux, libselinux-2.8-6.el8, which contained: export DISABLE_RPM="y"
Jira (FACT-2055) Facter fails if its working directory does not exist
Title: Message Title James Ralston commented on FACT-2055 Re: Facter fails if its working directory does not exist The problem is that although facter does not call boost::filesystem::current_path directly (at least as far as I can tell), something else it calls does (most likely, another boost library call), and getcwd() fails with ENOENT if the cwd has been unlinked. I'll play devil's advocate here: is this a bug with Puppet, or a feature of Unix? Puppet is not the only program that will fail if its cwd is unlinked. A great many number of standard Unix utilities will throw errors (and potentially die / fail to function) if the cwd does not exist. If facter died or produced errors if the cwd were inaccessible, I would assert that is a bug with facter. (See PUP-9997 for the rationale there.) But facter bombing out if its cwd is unlinked? I'd argue the most reasonable response to that might simply be the punchline to the old "doctor, it hurts when I move my arm this way" joke: then don't do that. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.327976.1570129217000.134972.1570568160103%40Atlassian.JIRA.
Jira (PUP-10080) Exec resources fail if the working directory is inaccessible
Title: Message Title James Ralston commented on PUP-10080 Re: Exec resources fail if the working directory is inaccessible John Bollinger, I propose that there are two separate issues here: Puppet misbehaves / fails if the cwd is inaccessible. Puppet misbehaves / fails if the cwd does not exist. I reopend my ticket PUP-9997, which is solely about issue #1. Would you be willing to confine issue #1 to PUP-9997, and keep issue #2 confined to this ticket? Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.327890.1570115712000.134915.1570567080145%40Atlassian.JIRA.
Jira (PUP-5915) exec resources fail unless cwd is readable
Title: Message Title James Ralston commented on PUP-5915 Re: exec resources fail unless cwd is readable I was incorrect. This is not actually fixed. The problem is that the exec resource itself implicitly defaults the cwd parameter to the cwd if the cwd parameter was not provided for the exec resource in question. In the case where Puppet's cwd is inaccessible, this will cause all Puppet exec() resources to fail. I assert that defaulting the cwd parameter to the cwd of the Puppet process is wrong. If the user does not supply a cwd parameter to the exec resource in question, Puppet must assume that the user does not want Puppet to attempt to chdir() to any directory. Assuming that the user wants Puppet to chdir() to the cwd is an erroneous assumption, as 1) this is not what the user specified, and 2) it's nonsensical, as even if the chdir() call succeeds, Puppet has not actually changed the cwd. To fully fix this bug, I agree with John Bollinger in PUP-10080: the "implicitly default the cwd parameter to Puppet's cwd if it was not specified" behavior is wrong and should be removed. I think the only thing required is removing this line from lib/puppet/provider/exec.rb: cwd ||= Dir.pwd This is because, from my read, Puppet::Util::Execution.execute() will do the correct thing if the cwd parameter is unspecified: cwd = options[:cwd] if cwd && ! Puppet::FileSystem.directory?(cwd) raise ArgumentError, _("Working directory %{cwd} does not exist!") % { cwd: cwd } end And: cwd =
Jira (PUP-10080) Exec resources fail if the working directory is inaccessible
Title: Message Title James Ralston commented on PUP-10080 Re: Exec resources fail if the working directory is inaccessible John Bollinger, I'll defer to Puppet folks who want to chime in, but as the reporter of PUP-9997, I would just submit a PR with the code fixes and no tests. From looking at the code for the Exec provider, I think the only thing that is required is removing the cwd ||= Dir.pwd line, as Puppet::Util::Execution.execute() only calls Dir.chdir if the cwd parameter was set. Did you come to a different conclusion? Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.327890.1570115712000.134538.1570559100152%40Atlassian.JIRA.
Jira (PUP-9997) Puppet must not call Dir.chdir() except in a child process
Title: Message Title James Ralston updated an issue Puppet / PUP-9997 Puppet must not call Dir.chdir() except in a child process Change By: James Ralston *Puppet Version:* 6.8.1*Puppet Server Version:* 6.5.0*OS Name/Version:* Red Hat Enterprise Linux 7In Ruby, Dir.chdir changes the current working directory (cwd) of the Ruby process. Under the hood, it calls the the chdir() system call.When Dir.chdir is passed a block, it notes the cwd, then calls chdir() and executes the block. When the block finishes, it calls chdir() again, supplying as the argument the previous cwd that it noted. (This is similar to the pushd/popd shell builtins.)However, in Unix, it is possible for the cwd to be a directory that is inaccessible to the current process. This means that once you chdir() out of the cwd, attempting to chdir() to the old cwd will fail.This is trivial to demonstrate for the non-root user:{noformat}$ cd /tmp$ mkdir foo$ chmod 0700 foo$ cd foo$ /usr/bin/pwd/tmp/foo$ cd /tmp/foo && echo noerrornoerror$ chmod .$ /usr/bin/pwd/tmp/foo$ cd /tmp/foo && echo noerror-bash: cd: /tmp/foo: Permission denied{noformat}In most cases, the root user will never receive permission denied errors when attempting to chdir to a directory. But there are exceptions. One exception is a network filesystem where the local root user has no special privileges, such as Kerberized NFS. On Linux systems, removal of the {{CAP_DAC_OVERRIDE}} and {{CAP_DAC_READ_SEARCH}} capabilities will also prevent root from calling chdir() to an inaccessible directory.So, putting this all together, we reach the following conclusion: the only time where it is safe to call Dir.chdir() is in a child process. Because:# Calling Dir.chdir() without a block has a side-effect of changing the cwd for the execution of all subsequent code. This is undesirable, and dangerous.# Calling Dir.chdir() with a block can fail to restore the cwd when the block exits (as per above), which then reduces to #1.Previously, the _cwd_ parameter of the _exec_ resource was implemented using Dir.chdir() with a block argument. This caused failures for users who ran {{sudo puppet agent --test}} when sitting in a Kerberized NFS home directory that root could not execute, as the very first exec resource encountered would throw an exception when Dir.chdir() received EACCES when attempting to restore the old cwd when the block finished. This spawned at least two tickets: PUP-5808 and PUP-5915. At some point in the recent past In PUP-6919 (specifically , {{Puppet [commit ebb57c3e|https : :Util::Execution //github . execute}} added the ability to specify the cwd of the command to be executed com/puppetlabs/puppet/commit/ebb57c3e60800bdc847cc1276b8a6d9d65c6208b]) , and the exec resource was rewritten to simply pass the cwd to {{Puppet::Util::Execution.execute}} instead of calling Dir.chdir() itself. Since {{Puppet::Util::Execution.execute}} doesn't call Dir.chdir() until after it forks the child process and before it calls exec(), and since calling chdir() in a child
Jira (PUP-5808) puppet via sudo from nfs home is not working
Title: Message Title James Ralston updated an issue Puppet / PUP-5808 puppet via sudo from nfs home is not working From digging, it was PUP-6919 (specifically, commit ebb57c3e) that rewrote the exec resource to have the child process call Dir.chdir(). Puppet 5.5.7 was the first version to contain the fix. Change By: James Ralston Fix Version/s: PUP 5.5.7 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.115050.1454515664000.86229.1567639260400%40Atlassian.JIRA.
Jira (PUP-5808) puppet via sudo from nfs home is not working
Title: Message Title James Ralston commented on PUP-5808 Re: puppet via sudo from nfs home is not working For posterity: the issue with the exec resource failing due to receiving EACCES when attempting to call chdir() to the cwd was resolved as a (perhaps intentional) side-effect of changes made to how the exec resource is implemented. (In essence, Puppet now calls chdir() in the child process it forks to perform the exec, not in the parent process.) But the root cause of this issue—that it is never safe to call chdir() except in a child process—is not completely resolved. See PUP-9997 for details. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.115050.1454515664000.86204.1567638661238%40Atlassian.JIRA.
Jira (PUP-9997) Puppet must not call Dir.chdir() except in a child process
Title: Message Title James Ralston created an issue Puppet / PUP-9997 Puppet must not call Dir.chdir() except in a child process Issue Type: Bug Assignee: Unassigned Created: 2019/09/04 4:00 PM Priority: Minor Reporter: James Ralston Puppet Version: 6.8.1 Puppet Server Version: 6.5.0 OS Name/Version: Red Hat Enterprise Linux 7 In Ruby, Dir.chdir changes the current working directory (cwd) of the Ruby process. Under the hood, it calls the the chdir() system call. When Dir.chdir is passed a block, it notes the cwd, then calls chdir() and executes the block. When the block finishes, it calls chdir() again, supplying as the argument the previous cwd that it noted. (This is similar to the pushd/popd shell builtins.) However, in Unix, it is possible for the cwd to be a directory that is inaccessible to the current process. This means that once you chdir() out of the cwd, attempting to chdir() to the old cwd will fail. This is trivial to demonstrate for the non-root user: $ cd /tmp $ mkdir foo $ chmod 0700 foo $ cd foo
Jira (PUP-9465) group resource type misunderstands/misuses libuser
Title: Message Title James Ralston commented on PUP-9465 Re: group resource type misunderstands/misuses libuser Gabriel Nagy, I agree that using binaries from 2 different packages in the same provider seems wrong. That's the primary reason why I think there should be two separate providers, even though there is a lot of overlap between the functionality of the providers. Upon reflection, I will walk back my "If both the libuser provider and the groupadd provider are available, prefer the libuser provider" assertion. But I'm not sure that the minor differences in functionality are appropriate selection criteria to prefer one provider over the other, either. As you noted, libuser doesn't support NIS (which shadow supports). But shadow doesn't support LDAP (which libuser supports). How about this: for any system where groupadd is currently the default provider, it should remain the default provider, even if the libuser provider is available. This will make the libuser provider available for those who specifically want it (most likely for the manages_members feature), but it will avoid potential disruption by exposing Puppet users to subtle differences between the groupadd and libuser providers. But I still think that once the libuser provider is available, the forcelocal parameter should be deprecated, and should emit a warning that 1) the forcelocal parameter will be removed in a future Puppet release, and 2) to use the libuser provider instead if the goal is have the manages_members feature. Finally, I wouldn't put much stock in the 2013 comment 2 in Red Hat BZ#1028544 about libuser going away. A lot of what libuser was planned to do was subsumed by the sssd project, which is why development on libuser has slowed. But both the shadow project and the libuser project are active. As another metric, Red Hat Enterprise Linux 8 shipped with libuser. Since libuser was created by Red Hat developers and is maintained by Red Hat developers, that means libuser isn't going anywhere for the lifetime of RHEL8, which doesn't end until May 2029. And libuser is still in Fedora, which is (essentially) the upstream for RHEL. Add Comment This message was sent by
Jira (PUP-9465) group resource type misunderstands/misuses libuser
Title: Message Title James Ralston updated an issue Puppet / PUP-9465 group resource type misunderstands/misuses libuser Change By: James Ralston Affects Version/s: PUP 6.1.0 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.293306.1548368109000.37199.1564525560475%40Atlassian.JIRA.
Jira (PUP-9465) group resource type misunderstands/misuses libuser
Title: Message Title James Ralston updated an issue Puppet / PUP-9465 group resource type misunderstands/misuses libuser Change By: James Ralston Affects Version/s: PUP 6.6.0 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.293306.1548368109000.37196.1564525560462%40Atlassian.JIRA.
Jira (PUP-9465) group resource type misunderstands/misuses libuser
Title: Message Title James Ralston updated an issue Puppet / PUP-9465 group resource type misunderstands/misuses libuser Change By: James Ralston Labels: group libuser linux user Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.293306.1548368109000.37202.1564525560485%40Atlassian.JIRA.
Jira (PUP-9465) group resource type misunderstands/misuses libuser
Title: Message Title James Ralston updated an issue Puppet / PUP-9465 group resource type misunderstands/misuses libuser Change By: James Ralston Summary: group resource type should support lgroupadd provider on Linux misunderstands/misuses libuser Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.293306.1548368109000.37106.1564524540140%40Atlassian.JIRA.
Jira (PUP-9465) group resource type should support lgroupadd provider on Linux
Title: Message Title James Ralston commented on PUP-9465 Re: group resource type should support lgroupadd provider on Linux Hi Melissa Stone, Branan Riley, I apologize for taking so long to get back to this. I've reopened this ticket, because I believe there is a fundamental mis-engineering here that should be addressed. Both the Puppet code and the responses to this ticket imply that the Puppet devs believe that lgroupmod is the "local" version of groupmod. But this is not the case. The (groupadd, groupmod, groupdel) programs belong to the shadow project. These utilities explicitly operate on local files (/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow) only. The (lgroupadd, lgroupmod, lgroupdel) programs belong to the libuser project. Per its documentation, libuser is a library that implements a standardized interface for manipulating and administering user and group accounts, using pluggable back-ends to interface to data sources. Currently, local files and LDAP backends are supported. In essence, it's a more capable replacement for shadow-utils, designed to easier to maintain (because it's not carrying around 20+ years of warts). It is not the case that the "l" in lgroupmod et. al. means local; it means libuser. The model that Puppet resource types use is that when there are multiple methods that can accomplish a backend task, each method is enumerated as a separate provider, and Puppet chooses the best provider on a per-platform basis. That is a clean, beautiful, easy-to-understand model; it's one of the clear design wins of Puppet. It is what Puppet administrators and developers are used to. This is why the forcelocal parameter is so egregiously wrong and offensive. If Puppet understood how to use the (lgroupadd, lgroupmod, lgroupdel) programs, I fully expected to see Puppet's usage of those programs encapsulated by a separate libuser provider. Seeing no such provider, and searching the documentation in vain for any explicit mention of the (lgroupadd, lgroupmod, lgroupdel) programs, I concluded Puppet did not understand how to use the (lgroupadd, lgroupmod, lgroupdel) programs. (Yes, the documentation does mention libuser. But it does so in a way that has no relation to what libuser actually is and what it actually does.) Fortunately, there is an easy path out of this mess for the group resource: Turn the libuser provider feature into a provider proper, which uses the (lgroupadd, lgroupmod, lgroupdel) programs. The libuser provider should have the manages_members and system_groups features. If both the libuser provider and the groupadd provider are available, prefer the libuser provider. Deprecate the forcelocal parameter, and emit a warning if it is set to true. As a special case, for backwards compatibility, if the groupadd provider was specified and the forcelocal parameter was true, use the libuser provider instead of the groupadd provider. Taking the above steps will correct the long-standing mis-engineering of the group resource, aligning it with the proper Puppet provider model.
Jira (PUP-9811) incoherent Puppet Platform 6.5.0 announcement versus release notes
Title: Message Title James Ralston created an issue Puppet / PUP-9811 incoherent Puppet Platform 6.5.0 announcement versus release notes Issue Type: Task Affects Versions: PUP 6.5.0 Assignee: Unassigned Components: Docs Created: 2019/06/27 1:47 PM Environment: The email announcement for Puppet Platform 6.5.0 consisted of this text: This release contain bug fixes and enhancement, notably: Support added for Fedora 30 (amd64) New v4 catalog endpoint You can see the full list of changes in the release notes https://puppet.com/docs/puppet/6.5/release_notes_puppet.html However, the 6.5.0 release notes make no mention of the new v4 catalog endpoint. I'm guessing that both the release announcement and the release notes went through multiple iterations of reviews/edits, and the final versions were supposed to be coherent, but this discrepancy was accidentally missed. Please update the release notes to include the information about the new v4 catalog endpoint that the release announcement references. Priority: Normal Reporter: James Ralston
Jira (PUP-9811) incoherent Puppet Platform 6.5.0 announcement versus release notes
Title: Message Title James Ralston updated an issue Puppet / PUP-9811 incoherent Puppet Platform 6.5.0 announcement versus release notes Change By: James Ralston Environment: The email announcement for Puppet Platform 6.5.0 consisted of this text:{quote}This release contain bug fixes and enhancement, notably:* Support added for Fedora 30 (amd64)* New v4 catalog endpoint You can see the full list of changes in the release notes https://puppet.com/docs/puppet/6.5/release_notes_puppet.html{quote}However, the 6.5.0 release notes make no mention of the new v4 catalog endpoint.I'm guessing that both the release announcement and the release notes went through multiple iterations of reviews/edits, and the final versions were supposed to be coherent, but this discrepancy was accidentally missed.Please update the release notes to include the information about the new v4 catalog endpoint that the release announcement references. The email announcement for Puppet Platform 6.5.0 consisted of this text:{quote}This release contain bug fixes and enhancement, notably:* Support added for Fedora 30 (amd64)* New v4 catalog endpoint You can see the full list of changes in the release notes https://puppet.com/docs/puppet/6.5/release_notes_puppet.html{quote}However, the 6.5.0 release notes make no mention of the new v4 catalog endpoint.I'm guessing that both the release announcement and the release notes went through multiple iterations of reviews/edits, and the final versions were supposed to be coherent, but this discrepancy was accidentally missed.Please update the release notes to include the information about the new v4 catalog endpoint that the release announcement references. Add Comment
Jira (PUP-9465) group resource type should support lgroupadd provider on Linux
Title: Message Title James Ralston created an issue Puppet / PUP-9465 group resource type should support lgroupadd provider on Linux Issue Type: New Feature Affects Versions: PUP 6.1.0 Assignee: Unassigned Components: Types and Providers Created: 2019/01/24 2:15 PM Priority: Normal Reporter: James Ralston Puppet Version: 6.1.0 Puppet Server Version: 6.1.0 OS Name/Version: Red Hat Enterprise Linux 7 The group resource type supports the groupadd provider, but not the lgroupadd provider. lgroupadd (and lgroupmod and lgroupdel) are part of the libuser library/package. While libuser is essentially a rewrite of the groupadd, groupmod, and groupdel programs from the shadow-utils package (because Red Hat tends toward NIH syndrome), lgroupmod has one important advantage over groupmod: lgroupmod can manipulate group members directly. E.g., you can do this: $ lgroupmod --member-add user1,user2,user3 somegroup In contrast, groupmod cannot do this. Instead, you have to do this:
Jira (PUP-8947) Automatically cast ACPL results to Sensitive for Sensitive-typed class parameters
Title: Message Title James Ralston commented on PUP-8947 Re: Automatically cast ACPL results to Sensitive for Sensitive-typed class parameters The problem I have with using covert_to in lookup_options is that is completely falls down in a case like this: class duo ( Struct[{ Optional['duo'] => Struct[{ Optional['host'] => Optional[String], Optional['ikey'] => Optional[Sensitive[String]], Optional['skey'] => Optional[Sensitive[String]], Optional['groups']=> Optional[Variant[String, Array[String]]], Optional['failmode'] => Optional[Enum['safe', 'secure']], Optional['pushinfo'] => Optional[Variant[Boolean, Enum['yes', 'no']]], Optional['http_proxy']=> Optional[String], Optional['autopush'] => Optional[Variant[Boolean, Enum['yes', 'no']]], Optional['prompts'] => Optional[Integer[1,default]],
Jira (PUP-8639) need seamless way to replace expiring CA certificate
Title: Message Title James Ralston commented on PUP-8639 Re: need seamless way to replace expiring CA certificate Correction: someone asserted that puppet certregen is a face that the puppetlabs-certregen modules adds. But per the module dependencies, the module doesn't work with Puppet 5, and doesn't seem to be under active development. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8639) need seamless way to replace expiring CA certificate
Title: Message Title James Ralston created an issue Puppet / PUP-8639 need seamless way to replace expiring CA certificate Issue Type: New Feature Assignee: Unassigned Created: 2018/04/06 1:30 PM Priority: Normal Reporter: James Ralston What realistic option does a Puppet open source site have if the expiration on the CA master certificate is approaching, and one wants to smoothly transition to a new CA master certificate? The only official documentation I can find that comes close to this is the following: https://puppet.com/docs/puppet/5.5/ssl_regenerate_certificates.html But that procedure is describing an apocalypse-level security event where all certificates must be treated as untrustworthy and discarded. There is this: https://forge.puppet.com/puppetlabs/certregen …but that module hasn't been updated in almost a year, and is incompatible with Puppet 5, because Puppet 5 removed puppet certregen and replaced it with… nothing, as far as I can tell. The only potential solution I can see is this: https://blog.flyingcircus.io/2017/09/01/how-to-renew-puppet-ca-and-server-certificates-in-place/ Perhaps PE already has a smooth way to do this, but there needs to be a smooth way to do this for Puppet open source as well, without sending sites running open source scurrying to random third-party blog posts. I realize this is both a very unsexy and very challenging issue to solve, but for the sites that need to solve it… it's a DEFCON 1 event.
Jira (PUP-8566) "puppet config print" should only emit diagnostic info when run with verbose or higher
Title: Message Title James Ralston commented on PUP-8566 Re: "puppet config print" should only emit diagnostic info when run with verbose or higher R.I.Pienaar wrote: Master, apply etc all have --configprint and all does the right thing. Ummm… ok, I'll ask it: why? Why have the exact same functionality duplicated across different command families? But back to the issue at hand: the original goal of PUP-2868 was to prevent novice users from running puppet config print without --section and then getting confused over which settings applied to which role. Issuing a big fat warning when --section is not used satisfies that goal. Therefore, I agree that the behavior of puppet config print should be reverted to only print the section if --verbose (or perhaps --debug) is passed. (I have no strong opinion as to whether the threshold is --verbose or --debug.) I originally suggested using --quiet to suppress printing the section, but I think this behavior change makes more sense than what I suggested, so I'm all for it. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit
Jira (PUP-8566) "puppet config print" needs --quiet option to disable new (default) verbosity
Title: Message Title James Ralston commented on PUP-8566 Re: "puppet config print" needs --quiet option to disable new (default) verbosity R.I.Pienaar advice appreciated, but alas, in this case, I must use puppet config print, because I'm specifically looking for reportdir, which is defined in the [master] section. So using puppet agent --configprint will give me incorrect results: $ puppet agent --configprint reportdir /opt/puppetlabs/puppet/cache/reports $ puppet config print --color=false --section master reportdir 2>/dev/null /opt/puppetlabs/server/data/puppetserver/reports For now, I've updated my scripts to redirect stderr to /dev/null, but this is just hiding the problem. Add Comment This message was sent by
Jira (PUP-8566) "puppet config print" needs --quiet option to disable new (default) verbosity
Title: Message Title James Ralston created an issue Puppet / PUP-8566 "puppet config print" needs --quiet option to disable new (default) verbosity Issue Type: New Feature Affects Versions: PUP 5.5.0 Assignee: Unassigned Created: 2018/03/21 10:47 AM Priority: Minor Reporter: James Ralston While the enhancements implemented in PUP-2868 are arguably good, because they make puppet config print less confusing for novice users, making puppet config print unconditionally emit messages to stderr is undesirable, as the extraneous stderr messages can confuse programs which are using puppet config print non-interactively and are parsing the output. Case in point: I have multiple cron jobs that use puppet config print to obtain Puppet configuration information. After upgrading to 5.5.0, I am now receiving messages like this on an hourly basis: From: "(Cron Daemon)"To: r...@example.org Subject: Cron run-parts /etc/cron.hourly Date: Wed, 21 Mar 2018 13:01:01 -0400
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title James Ralston commented on PUP-2172 Re: Add exceptions to http_proxy_{port,host} I'm re-opening this ticket, because I believe the severity of the problem hasn't been fully appreciated. Any security-competent site that requires outbound HTTP[S] traffic to use a network proxy will have configured the proxy to deny all requests for internal resources. (Otherwise, internal users can bypass internal network ACLs by routing requests through the proxy.) This means that any application that is proxy-aware must implement an exception list for the proxy. Without this exception list, the application is essentially offering its users two choices: You can access foreign resources, but not local resources. You can access local resources, but not foreign resources. We see this in the applications that rely on the curl-style (http_proxy, https_proxy, and no_proxy) environment variables. E.g.: $ set | grep proxy http_proxy=http://proxy.example.org:8080 https_proxy=http://proxy.example.org:8080 no_proxy=localhost,.example.org The no_proxy setting is not optional: without this, applications will not be able to access local resources. As a real-world example of just how critical the no_proxy list is, consider this example: package { 'r10k': ensure => present, provider => puppet_gem,
Jira (PUP-2172) Add exceptions to http_proxy_{port,host}
Title: Message Title James Ralston updated an issue Puppet / PUP-2172 Add exceptions to http_proxy_{port,host} Change By: James Ralston Affects Version/s: PUP 5.4.0 Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-5915) exec resources fail unless cwd is readable
Title: Message Title James Ralston commented on PUP-5915 Re: exec resources fail unless cwd is readable My first attempt at solving the problem was incorrect, which is why I never submitted a PR. But this is still biting us, so I'll take another crack at it. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-5868) yumrepo does not remove repo file
Title: Message Title James Ralston commented on PUP-5868 Re: yumrepo does not remove repo file Lucas Yamanishi said: Most, if not all repo-release.rpm spec files mark the repo files as %config(noreplace) which will prevent them from being recreated if deleted. This is incorrect. All the %config and %config(noreplace) flags do is to tell rpm that local changes to the file in question must not be lost. (The %config flag retains local changes by moving the current file to .rpmorig; the %config(noreplace) flag retains local changes by installing the new file as .rpmnew. and keeping the current file in place.) But if the file doesn't exist, there are no potential changes to lose, so rpm will always create the file on package install/upgrade. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6589) Resource Type sshkey doesn't allow the declaration of multiple SSH host keys for one host
Title: Message Title James Ralston commented on PUP-6589 Re: Resource Type sshkey doesn't allow the declaration of multiple SSH host keys for one host Bump. This bug makes the sshkey resource type utterly unusable. For any modern ssh implementation, a host may have rsa keys, ecdsa keys, and ed25519 keys. If we're going to publish a host's ssh public keys, we have to publish all of them. The fact that it is impossible to do this using the sshkey resource (unless you want to publish a bunch of fake host names, as per the description) means that there's no point in even attempting to use sshkey resources to manage ssh public keys. (We tried using the sshkey resource years ago, but when we realized that it was broken by design, we abandoned it.) I agree with Peter Meier: what makes a ssh public key unique is the combination of its name and its key type. Neither the name nor the key type by itself is unique. The sshkey resource should use the same uniqueness test. Add Comment This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-868) Deprecate Unusable Certificate Faces
Title: Message Title James Ralston commented on PUP-868 Re: Deprecate Unusable Certificate Faces Moses Mendoza: thanks; I commented on SERVER-1747 as well. Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-868) Deprecate Unusable Certificate Faces
Title: Message Title James Ralston commented on PUP-868 Re: Deprecate Unusable Certificate Faces Andrew Parker, we use the certificate_revocation_list face to distribute our CA master's crl to our [non-CA] Puppet master pool, by having the non-CA masters regularly poll the CA master for the latest crl: $ puppet certificate_revocation_list find ca --terminus rest I do not see a way to do this using puppet cert. The only way I see to do it is to call the Puppet HTTP API directly. E.g.: $ CA_SERVER=$(puppet config print --section master ca_server) $ LOCAL_CA_CERT=$(puppet config print --section master localcacert) $ curl --cacert ${LOCAL_CA_CERT} https://${CA_SERVER}:8140/puppet-ca/v1/certificate_revocation_list/ca\?environment\=ignored Am I missing how to perform the same action using puppet cert? Or are you deprecating a face that provides needed functionality (for sites running Puppet Open Source with multiple Puppet servers) without providing a functional replacement? Add Comment
Jira (PUP-5868) yumrepo does not remove repo file
Title: Message Title James Ralston commented on PUP-5868 Re: yumrepo does not remove repo file Leaving the zero-length *.repo files is the correct thing to do, because removing them could create unintended side-effects. For example, say that /etc/yum.repos.d/foo.repo is contributed by the foo-release package. It defines a single repository, foo. You create a yumrepo resource to remove that repository via ensure => absent. This leaves a zero-length foo.repo file, which doesn't perturb yum in the slightest. But if the yumrepo resource were to remove that zero-length foo.repo file, then if the foo-release package is upgraded to a more recent package, the foo.repo file will be recreated, with the foo repository definition that you told Puppet to remove, and will persist until the next Puppet agent run. In contrast, if the yumrepo resource keeps the zero-length foo.repo file, then upgrading the foo-release package won't magically recreate the foo repository definition. (Worst case, you'll get a foo.repo.rpmnew file, which yum will ignore.) Of course, in this example, removing the foo-release package from the system would be a more optimal solution to get rid of the foo repository definition. But yumrepo can't assume that it's always going to be employed in the most optimal way. I suspect yumrepo's behavior of keeping zero-length *.repo files wasn't specifically intentional, but is a side-effect of the fact that the yumrepo resource uses the Ruby inifile gem to do all the reading/writing behind the scenes, and the inifile gem will cheerfully write out a configuration file that has nothing in it if you have removed all of the sections/settings. This is because it cannot assume that you want the configuration file to be removed entirely just because you aren't setting anything in it—in most cases, that assumption would be wrong, and would potentially break things (e.g., a daemon that will run just fine if its configuration file is empty, but will refuse to start if its configuration file is missing entirely). Regardless, whether intentional or not, yumrepo's behavior of leaving zero-length *.repo files is the correct behavior. If those files really task you, then script (via an exec resource that you trigger from your yumrepo resources, a cron job, et. al.) something like this to try to remove them safely: $ find /etc/yum.repos.d -name '*.repo' -type f -size 0 -print | xargs -r rpm -qf | grep 'not owned by any package' |
Jira (PUP-6865) puppet 4.8.0 breaks code that uses strftime()
Title: Message Title James Ralston commented on PUP-6865 Re: puppet 4.8.0 breaks code that uses strftime() Just to confirm: Thomas Hallgren's hunch was correct: I had updated puppet-agent on the master, but hadn't restarted the master. Restarting the master resolved the problems. The real issue here is that the puppetserver package is broken, because the server needs to be restarted if the puppet-agent package changes, but the puppetserver spec file lacks a %triggerpostun trigger on the puppet-agent package. (See PA-681 for more information and a suggested fix.) Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-6943) control ordering of classic Hiera versus environment data searching
Title: Message Title James Ralston commented on PUP-6943 Re: control ordering of classic Hiera versus environment data searching It feels hackish, but I believe your suggestion would work. For example, right now, in our global (version 3) hiera.yaml file, we have: :yaml: :datadir: /etc/puppetlabs/code/hiera :hierarchy: - nodes/%{fqdn}/config - ./%{hiera_area_0}/config - ./%{hiera_area_1}/config - ./%{hiera_area_2}/config - ./%{hiera_area_3}/config - ./%{hiera_area_4}/config - ./%{hiera_area_5}/config
Jira (PUP-6943) control ordering of classic Hiera versus environment data searching
Title: Message Title James Ralston created an issue Puppet / PUP-6943 control ordering of classic Hiera versus environment data searching Issue Type: New Feature Affects Versions: PUP 4.8.1 Assignee: Unassigned Created: 2016/11/28 7:38 PM Priority: Normal Reporter: James Ralston From Puppet Lookup: Quick reference for Hiera users: Every time you request data through Puppet lookup, Puppet will search three tiers of data, in this order: Classic Hiera. Environment data. Module data. … Environment data is the core of Puppet lookup. It’s where most of your data should live. Classic Hiera is for global overrides, when you need to fix
Jira (PUP-6865) puppet 4.8.0 breaks code that uses strftime()
Title: Message Title James Ralston created an issue Puppet / PUP-6865 puppet 4.8.0 breaks code that uses strftime() Issue Type: Bug Affects Versions: PUP 4.8.0 Assignee: Unassigned Components: AIO Created: 2016/11/02 7:15 PM Priority: Normal Reporter: James Ralston After upgrading to puppet-agent-1.8.0, my catalogs fail to compile with the following error: Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, uninitialized constant Puppet::Pops::Time at /etc/puppetlabs/code/modules/bind/manifests/master_zone.pp:27:12 at /etc/puppetlabs/code/modules/bind/manifests/init.pp:286 on node shieldbreaker.l33tskillz.local
Jira (PUP-5915) exec resources fail unless cwd is readable
Title: Message Title James Ralston commented on PUP-5915 Re: exec resources fail unless cwd is readable Also, unless I'm missing something, the fix is pretty simple. Here's a quick diff (ignoring whitespace changes, so that it's easier to read): --- /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/exec.rb.ORIG 2016-02-02 14:10:21.0 -0500 +++ /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/exec.rb 2016-02-17 14:05:12.750781461 -0500 @@ -12,7 +12,9 @@ checkexe(command) if dir = resource[:cwd] - unless File.directory?(dir) + if File.directory?(dir) +Dir.chdir(dir) + else
Jira (PUP-5915) exec resources fail unless cwd is readable
Title: Message Title James Ralston created an issue Puppet / PUP-5915 exec resources fail unless cwd is readable Issue Type: Bug Affects Versions: PUP 4.3.2 Assignee: Unassigned Created: 2016/02/17 10:44 AM Priority: Normal Reporter: James Ralston The exec() resource always attempts to perform a chdir() to the current working directory (cwd). This is true regardless of the value of the cwd parameter. If the cwd isn't accessible by the user running Puppet, Puppet will fail to apply the exec() resource. This is true regardless of whether the command being executed actually requires the cwd to be readable. An example: $ cd /tmp $ mkdir test
Jira (PUP-5256) some puppet-agent package builds lack selinux.so Ruby module
Title: Message Title James Ralston created an issue Puppet / PUP-5256 some puppet-agent package builds lack selinux.so Ruby module Issue Type: Bug Affects Versions: puppet-agent 1.2.4 Assignee: Unassigned Created: 2015/09/16 9:29 AM Priority: Normal Reporter: James Ralston Some builds of puppet-agent available at http://yum.puppetlabs.com/ are missing the selinux.so module. This means that when the Puppet agent applies a catalog, it does not ensure correct SELinux file contexts on the files it updates. For example, the Fedora 21 packages lack the selinux.so module: $ rpm -q puppet-agent puppet-agent-1.2.4-1.fedoraf21.x86_64
Jira (PUP-5259) puppet-agent SRPM packages missing from http://yum.puppetlabs.com
Title: Message Title James Ralston created an issue Puppet / PUP-5259 puppet-agent SRPM packages missing from http://yum.puppetlabs.com Issue Type: Bug Assignee: Unassigned Created: 2015/09/16 1:25 PM Priority: Normal Reporter: James Ralston I am attempting to roll a patch to address CPR-222. Since the Puppet Agent Git repository is not public on Github (as far as I can tell), my only option for obtaining the puppet-agent.spec file for Red Hat is to pull it out of the latest available SRPM package. However, all puppet-agent SRPM packages are currently missing from http://yum.puppetlabs.com/, even though the binary packages are present. I heavily doubt this intentional. Could someone please go find and correct whatever is going wrong with the RPM publishing process that is dropping the puppet-agent SRPM packages on the floor? Add Comment
Jira (PUP-4785) External facts not working with cfacter
Title: Message Title James Ralston commented on PUP-4785 Re: External facts not working with cfacter We're seeing the exact same issue. This might be related to the fact (no pun intended) that facter in Puppet 4.2.0 appears to have silently become cfacter, even though there's no mention of that in the release notes. Regardless, it simply ignores external facts; they aren't outputted, and they aren't sent to the master. THIS IS A SHOWSTOPPER BUG. Our site relies on external facts extensively to customize our host configuration. When Puppet 4.2.0 hit a dozen or so of our test boxes, it essentially rendered them unusable, and I'm going to have to spend the rest of the day peeling puppet-agent-1.2.0 off of them and repairing them. We can't be the only site where important functionality is determined by external facts. Seriously. This is a critical bug, and it needs to be fixed immediately. Add Comment This message was sent by Atlassian JIRA (v6.3.15#6346-sha1:dbc023d) -- You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4661) Puppet agent fights with RPM package over owner/group of certain directories
Title: Message Title James Ralston commented on PUP-4661 Re: Puppet agent fights with RPM package over owner/group of certain directories And yes, this might seem like a trivial issue. But some people operate Linux hosts that must conform to the United States Government Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs). And the RHEL6 STIG contains this rule (among many others): Group ID (Vulid): V-38454 Group Title: SRG-OS-99 Rule ID: SV-50254r1_rule Severity: CAT III Rule Version (STIG-ID): RHEL-06-000516 Rule Title: The system package management tool must verify ownership on all files and directories associated with packages. Vulnerability Discussion: Ownership of system binaries and configuration files that is incorrect could allow an unauthorized user to gain privileges that they should not have. The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated. Check Content: The following command will list which files on the system have ownership different from what is expected by the RPM database: # rpm -Va | grep '^.U' If there is output, this is a finding. Fix Text: The RPM package management system can restore ownership of package files and directories. The following command will update files and directories with ownership different from what is expected by the RPM database: # rpm -qf \[file or directory name\] # rpm --setugids \[package\] Whether one agrees with this rule is irrelevant: if you are required to comply with the STIG, you will be regularly audited on your compliance. And the behavior of the Puppet
Jira (PUP-4661) Puppet agent fights with RPM package over owner/group of certain directories
Title: Message Title James Ralston created an issue Puppet / PUP-4661 Puppet agent fights with RPM package over owner/group of certain directories Issue Type: Bug Affects Versions: PUP 4.1.0 Assignee: Unassigned Created: 2015/05/27 3:33 PM Environment: Red Hat Enterprise Linux Priority: Normal Reporter: James Ralston For Red Hat Enterprise Linux systems, the puppet-agent RPM packages the following directories as user root, group root: $ rpm --verify puppet-agent S.5T. c /etc/puppetlabs/puppet/puppet.conf
Jira (PUP-3377) Puppet fails to manage file resources containing invalid UTF-8
Title: Message Title James Ralston commented on PUP-3377 Re: Puppet fails to manage file resources containing invalid UTF-8 Guys, any progress on this? What makes this bug so horribly egregious is that Puppet will fail to apply a file resource if the file's current content isn't encoded in UTF-8, even though that content is going to be cheerfully obliterated by Puppet. Michal Ruzicka already made this point, but just to pound on it some more, let's say that the foo package drops the config file /etc/foo.conf, which contains non-ASCII characters and is encoded in ISO-8859-1. We want to override the package-provided /etc/foo.conf file with our own version, which contains only US-ASCII. So we create a file resource to manage it: file { '/etc/foo.conf': ensure = file, require = Package['foo'], owner = root, group = root, mode= '0644', source = 'puppet:///modules/foo/foo.conf', }