Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package puppet.

4.8.2-2 fixes a critical bug (#854487) introduced in 4.8.1-3. In short, the puppet package will enable the puppet service by default and puppet will try to connect to the 'puppet' host and receive configuration, which may or may not be intended. Previously, our safeguard against this was to start the puppet service, but leave the agent locked, which meant it would not apply any configuration whatsoever. Unfortunately, this proved to be fragile and stopped working when the agent lock path changed.

The fix for this in unstable is to simply not enable the service on new installations at all, rather than enable it but lock the agent. This is a better approach for a number of reasons (resource waste, many systems running puppet under cron anyway, etc.). The change is properly documented, and also handles the upgrade path from Jessie. See the attached source debdiff for details.

unblock puppet/4.8.2-2
diff -Nru puppet-4.8.2/debian/changelog puppet-4.8.2/debian/changelog --- puppet-4.8.2/debian/changelog 2017-01-23 14:39:14.000000000 +0200 +++ puppet-4.8.2/debian/changelog 2017-02-08 15:24:55.000000000 +0200 @@ -1,3 +1,18 @@ +puppet (4.8.2-2) unstable; urgency=high + + * Do not enable the puppet service by default on fresh installs + (Closes: #854487). + + Preserve the agent lock on upgrade from 3.x to safeguard upgrades from + Jessie systems where puppet was installed but never used. + * Update the DEP-8 tests to check that the service is disabled. + * Strip the agent locking logic from puppet.preinst now that we disable the + service by default. + * Add a debian/NEWS entry documenting the disabled service. + * Update the information in README.Debian and remove the (now obsolete) + paragraph about stored configs. + + -- Apollon Oikonomopoulos <apoi...@debian.org> Wed, 08 Feb 2017 15:24:55 +0200 + puppet (4.8.2-1) unstable; urgency=medium * New upstream bugfix release. diff -Nru puppet-4.8.2/debian/NEWS puppet-4.8.2/debian/NEWS --- puppet-4.8.2/debian/NEWS 2017-01-23 14:37:53.000000000 +0200 +++ puppet-4.8.2/debian/NEWS 2017-02-08 15:24:55.000000000 +0200 
@@ -1,3 +1,21 @@ +puppet (4.8.2-2) unstable; urgency=high + + As of 4.8.2-2, the puppet service is not enabled by default on new + installations and has to be manually enabled using + + systemctl enable puppet.service + or + update-rc.d puppet enable + + if desired. Note that upgrades from previous puppet versions are not + affected by this change and will preserve the service status. + + Since some versions of the package shipped with the service enabled by + default, if you are upgrading please check and make sure that the service on + your system is properly enabled or disabled to match your preference. + + -- Apollon Oikonomopoulos <apoi...@debian.org> Wed, 08 Feb 2017 17:43:52 +0200 + puppet (4.8.1-2) unstable; urgency=medium The Ruby Puppet master as shipped in Debian can currently handle Puppet 3.x diff -Nru puppet-4.8.2/debian/puppet.postinst puppet-4.8.2/debian/puppet.postinst --- puppet-4.8.2/debian/puppet.postinst 2017-01-23 14:37:53.000000000 +0200 +++ puppet-4.8.2/debian/puppet.postinst 2017-02-08 15:24:55.000000000 +0200 
@@ -31,15 +31,24 @@ # Create folders common to "puppet" and "puppetmaster", which need # to be owned by the "puppet" user install --owner puppet --group puppet --directory \ - /var/lib/puppet/state + /var/cache/puppet/state - # Between 4.4.1-2 and 4.8.1-3, puppet was called 'puppet-agent' - # Preserve the systemd and SysV service states - if [ -n "$2" ] && dpkg --compare-versions "$2" gt "4.4.1-2~" && \ + if [ -z "$2" ]; then + # Disable the service by default on new installations + update-rc.d puppet defaults >/dev/null || true + update-rc.d puppet disable >/dev/null || true + elif [ -n "$2" ] && dpkg --compare-versions "$2" gt "4.4.2-1~" && \ dpkg --compare-versions "$2" lt "4.8.1-3~"; then + # Between 4.4.2-1 and 4.8.1-3, puppet was called 'puppet-agent' + # Preserve the systemd and SysV service states if deb-systemd-helper debian-installed puppet-agent.service; then - if ! deb-systemd-helper --quiet was-enabled puppet-agent.service; then - deb-systemd-helper unmask puppet.service >/dev/null || true + # dh_systemd_enable will not enable the service by + # default as of 4.8.2-2; enable it if puppet-agent was + # enabled. + deb-systemd-helper unmask puppet.service >/dev/null || true + if deb-systemd-helper --quiet was-enabled puppet-agent.service; then + deb-systemd-helper enable puppet.service >/dev/null || true + else deb-systemd-helper update-state puppet.service >/dev/null || true fi fi 
@@ -53,6 +62,18 @@ # Remove puppet-agent's symlinks to avoid duplicate starts # under SysV update-rc.d -f puppet-agent remove >/dev/null || true + elif [ -n "$2" ] && dpkg --compare-versions "$2" lt "4.4.2-1~"; then + # The 4.x series has a different lock path. Mirror the old + # agent lock to the new path to preserve the lock state. + # Note that we could disable the service here instead, but + # there is always the case $old_lock was not used because of + # local configuration (in which case $new_lock will probably + # not be consulted as well). + old_lock="/var/lib/puppet/state/agent_disabled.lock" + new_lock="/var/cache/puppet/state/agent_disabled.lock" + if [ -f "$old_lock" ]; then + cp "$old_lock" "$new_lock" + fi fi fi diff -Nru puppet-4.8.2/debian/puppet.preinst puppet-4.8.2/debian/puppet.preinst --- puppet-4.8.2/debian/puppet.preinst 2017-01-23 14:37:53.000000000 +0200 +++ puppet-4.8.2/debian/puppet.preinst 2017-02-08 15:24:55.000000000 +0200 @@ -13,17 +13,6 @@ # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package -disable_puppet_agent() { - mkdir -p /var/lib/puppet/state - tmp_lockfile=$(mktemp /var/lib/puppet/state/agent_disabled.lock.XXXXXXXX) - lockfile=/var/lib/puppet/state/agent_disabled.lock - - printf '{"disabled_message":"Disabled by default on new or unconfigured old installations"}' \ - > $tmp_lockfile - - mv $tmp_lockfile $lockfile -} - # The "postrm" of the "puppet-common" package in puppet 3.x contains a # harmful "rm -rf /var/lib/puppet". which is called when that package # is purged. 
@@ -44,22 +33,6 @@ if [ -e '/var/lib/dpkg/info/puppet-common.postrm' ]; then defang_puppet_common_postrm fi - - # disable the puppet agent on the first install - if [ -z "$2" ]; then - disable_puppet_agent - elif dpkg --compare-versions "$2" lt "3.2.4-1~" && \ - [ -e "/etc/default/puppet" ]; then - # Also disable puppet if we use conffiles from a version where the - # START flag mattered. - . /etc/default/puppet - - if [ "x$START" != "xtrue" -a "x$START" != "xyes" -a "x$START" != "x0" ]; then - # Note that "0" is not a typo, it reflects the checks done - # in wheezy's initscript. - disable_puppet_agent - fi - fi ;; upgrade) @@ -70,19 +43,6 @@ [ -e '/var/lib/dpkg/info/puppet-common.postrm' ]; then defang_puppet_common_postrm fi - - # Disable puppet if we are upgrading from a version where the START - # flag mattered. - if dpkg --compare-versions "$2" lt "3.2.4-1~" && \ - [ -e "/etc/default/puppet" ]; then - . /etc/default/puppet - - if [ "x$START" != "xtrue" -a "x$START" != "xyes" -a "x$START" != "x0" ]; then - # Note that "0" is not a typo, it reflects the checks done - # in wheezy's initscript. - disable_puppet_agent - fi - fi ;; abort-upgrade) diff -Nru puppet-4.8.2/debian/README.Debian puppet-4.8.2/debian/README.Debian --- puppet-4.8.2/debian/README.Debian 2017-01-23 14:37:53.000000000 +0200 +++ puppet-4.8.2/debian/README.Debian 2017-02-08 15:24:55.000000000 +0200 
@@ -1,26 +1,12 @@ puppet for Debian ------------------ -To enable the puppet agent after installation, run +The puppet agent service is disabled by default on new installations. To enable +the service after installation, run - "puppet agent --enable" + `systemctl enable puppet.service' or `update-rc.d puppet enable' -The default puppet configuration in Debian will automatically integrate with -etckeeper if etckeeper is installed. puppet will automatically commit any -changes made to files in /etc via etckeeper before and after its run. +If you rely on other means for running puppet agent (e.g. cron), you should +leave the service disabled. - -- Stig Sandbeck Mathisen <s...@debian.org>, Mon, 5 Aug 2013 23:36:19 +0200 - -Using stored configs --------------------- - -Using the master's stored configs functionality with the ActiveRecord backend -requires the ruby-activerecord (and, since Jessie, -ruby-activerecord-deprecated-finders) packages to be installed. Furthermore a -database adapter for the database of choice (e.g. ruby-mysql) must be -installed. - -Note that ActiveRecord-based stored configs are deprecated and will be removed -in Puppet 4 in favor of PuppetDB. - - -- Apollon Oikonomopulos <apoi...@debian.org> Thu, 12 Mar 2015 10:50:47 +0200 + -- Apollon Oikonomopoulos <apoi...@debian.org> Wed, 08 Feb 2017 19:16:29 +0200 diff -Nru puppet-4.8.2/debian/rules puppet-4.8.2/debian/rules --- puppet-4.8.2/debian/rules 2017-01-23 14:37:53.000000000 +0200 +++ puppet-4.8.2/debian/rules 2017-02-08 15:24:55.000000000 +0200 
@@ -35,3 +35,7 @@ override_dh_clean: dh_clean debian/puppet-common.logcheck.ignore.server metadata.yml + +override_dh_systemd_enable: + dh_systemd_enable -ppuppet --no-enable + dh_systemd_enable --remaining-packages diff -Nru puppet-4.8.2/debian/tests/spec/puppet/puppet_spec.rb puppet-4.8.2/debian/tests/spec/puppet/puppet_spec.rb --- puppet-4.8.2/debian/tests/spec/puppet/puppet_spec.rb 2017-01-23 14:37:53.000000000 +0200 +++ puppet-4.8.2/debian/tests/spec/puppet/puppet_spec.rb 2017-02-08 15:24:55.000000000 +0200 @@ -31,6 +31,6 @@ end describe service('puppet') do - it { should be_enabled } - it { should be_running } + it { should_not be_enabled } + it { should_not be_running } end
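Review bot: in the puppet.postinst hunk at @@ -31,15 +31,24 @@, the `-n "$2"` test on the `elif` line is dead once the preceding `if [ -z "$2" ]` branch exists, so `elif dpkg --compare-versions "$2" gt "4.4.2-1~" && ...` reads cleaner. More importantly, the new-install branch issues `update-rc.d puppet defaults` followed by `update-rc.d puppet disable`, which is exactly what the dh_installinit-generated snippet will also do (minus the disable) before calling `invoke-rc.d puppet start`; please confirm this block sits before the #DEBHELPER# token in the script, since `invoke-rc.d` only skips the start when the K-links are already in place when it runs. The `unmask`-before-`was-enabled` reordering in the systemd branch is fine, but a one-line comment saying the unmask is now unconditional because `--no-enable` leaves the unit untouched would save the next reader a trip to debian/rules.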
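Review bot: in the puppet.postinst hunk at @@ -53,6 +62,18 @@, the guard is `dpkg --compare-versions "$2" lt "4.4.2-1~"`, which also matches the early 4.x packages that used /var/lib/puppet/state, while the changelog entry says "Preserve the agent lock on upgrade from 3.x"; either widen the changelog wording to "from versions before 4.4.2-1" or tighten the bound, so the two agree. The `cp "$old_lock" "$new_lock"` is the only command in the script without `|| true` and is correct only because `install --owner puppet --group puppet --directory /var/cache/puppet/state` runs earlier in the same postinst; a comment noting that dependency would keep a future reordering from turning a missing directory into a failed upgrade. Consider `cp -p` as well, so the mirrored lock keeps the original file's mode and timestamp.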
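Review bot: the debian/NEWS hunk at @@ -1,3 +1,21 @@ tells upgraders that "the service status" is preserved but says nothing about the agent lock: a pre-4.4.2-1 system carrying /var/lib/puppet/state/agent_disabled.lock will, per the postinst change in this same upload, end up with the service enabled and the lock mirrored to /var/cache/puppet/state, so the daemon runs but applies nothing until `puppet agent --enable` is issued. Since this upload also drops the `"puppet agent --enable"` sentence from README.Debian, a short paragraph in NEWS covering that case would close the gap.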
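Review bot: the debian/rules hunk at @@ -35,3 +35,7 @@ passes `--no-enable` to dh_systemd_enable only; there is no matching override for dh_installinit, so the generated SysV snippet still enables and starts the init script and the postinst has to undo that by hand. An equivalent dh_installinit override for the puppet package (or a comment explaining why the manual `update-rc.d puppet disable` in postinst is preferred) would make the intent visible in one place instead of two.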
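Review bot: the puppet_spec.rb hunk at @@ -31,6 +31,6 @@ only covers the fresh-install path (`should_not be_enabled`, `should_not be_running`). The two upgrade branches added to postinst in this upload, carrying over the puppet-agent enable state and mirroring agent_disabled.lock, have no DEP-8 coverage; a test that pre-installs the previous version (or at least a `describe file('/var/cache/puppet/state/agent_disabled.lock')` check after seeding the old lock path) would catch a regression of the very breakage #854487 reports.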