--- puppet-0.25.4.orig/Rakefile
+++ puppet-0.25.4/Rakefile
@@ -3,7 +3,7 @@
 $: << File.expand_path('lib')
 $LOAD_PATH << File.join(File.dirname(__FILE__), 'tasks')
-require './lib/puppet.rb'
+require 'puppet.rb'
 require 'rake'
 require 'rake/packagetask'
 require 'rake/gempackagetask'
--- puppet-0.25.4.orig/install.rb
+++ puppet-0.25.4/install.rb
@@ -83,7 +83,7 @@
 bins = glob(%w{bin/*})
 rdoc = glob(%w{bin/* sbin/* lib/**/*.rb README README-library CHANGELOG TODO Install}).reject { |e| e=~ /\.(bat|cmd)$/ }
 ri = glob(%w(bin/*.rb sbin/* lib/**/*.rb)).reject { |e| e=~ /\.(bat|cmd)$/ }
-man = glob(%w{man/man8/*})
+man = glob(%w{man/man[0-9]/*})
 libs = glob(%w{lib/**/*.rb lib/**/*.py})
 tests = glob(%w{test/**/*.rb})
@@ -355,9 +355,9 @@
 # Locate rst2man
 rst2man = %x{which rst2man.py}
 rst2man.chomp!
- # Create puppet.conf.8 man page
+ # Create puppet.conf.5 man page
 %x{bin/puppetdoc --reference configuration > ./puppet.conf.rst}
- %x{#{rst2man} ./puppet.conf.rst ./man/man8/puppet.conf.8}
+ %x{#{rst2man} ./puppet.conf.rst ./man/man5/puppet.conf.5}
 File.unlink("./puppet.conf.rst")
 # Create binary man pages
--- puppet-0.25.4.orig/debian/puppet.install
+++ puppet-0.25.4/debian/puppet.install
@@ -0,0 +1,5 @@
+debian/tmp/usr/bin/filebucket usr/bin
+debian/tmp/usr/bin/puppet usr/bin
+debian/tmp/usr/bin/puppetdoc usr/bin
+debian/tmp/usr/sbin/puppetd usr/sbin
+debian/tmp/usr/bin/ralsh usr/bin
--- puppet-0.25.4.orig/debian/vim-puppet.dirs
+++ puppet-0.25.4/debian/vim-puppet.dirs
@@ -0,0 +1,3 @@
+usr/share/vim/registry
+usr/share/vim/addons/syntax
+usr/share/vim/addons/ftdetect
--- puppet-0.25.4.orig/debian/puppet-el.emacsen-install
+++ puppet-0.25.4/debian/puppet-el.emacsen-install
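Review bot: `require 'puppet.rb'` now resolves through the load path, and the context line `$: << File.expand_path('lib')` appends `lib` rather than prepending it, so a `puppet.rb` already installed in a system Ruby directory is loaded in preference to the tree's copy. That is presumably intended for the puppet-testsuite package, which installs this Rakefile outside the source tree, but nothing in the hunk says so. I would add a comment above the require such as `# Load puppet from $LOAD_PATH so the installed package is exercised; the tree's lib/ is only a fallback`. The rest of the Rakefile is outside the hunk.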
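Review bot: The rewritten `%x{#{rst2man} ./puppet.conf.rst ./man/man5/puppet.conf.5}` line in the `@@ -355,9 +355,9 @@` hunk of install.rb still interpolates the unchecked result of `which rst2man.py`, and nothing visible in the hunk creates `./man/man5`. When rst2man.py is not installed the variable is empty, the shell is handed `./puppet.conf.rst` as the command, and because `%x` discards the exit status the build carries on without a puppet.conf.5. A guard before the conversion, for example `abort 'rst2man.py not found' if rst2man.empty?` followed by `Dir.mkdir('./man/man5') unless File.directory?('./man/man5')`, would make the failure visible. The enclosing method starts and ends outside the hunk.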
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# emacsen install script for the Debian GNU/Linux puppet-el package
+
+FLAVOR=$1
+PACKAGE=puppet-el
+
+ELDIR=/usr/share/emacs/site-lisp/
+ELCDIR=/usr/share/${FLAVOR}/site-lisp/${PACKAGE}
+ELFILE="puppet-mode.el"
+FLAGS="-batch -no-site-file -l path.el -f batch-byte-compile"
+
+if [ ${FLAVOR} != emacs ]; then
+ echo install/${PACKAGE}: Byte-compiling for ${FLAVOR}
+
+ install -m 755 -d ${ELCDIR}
+ cd ${ELDIR}
+ cp ${ELFILE} ${ELCDIR}
+ cd ${ELCDIR}
+ cat << EOF > path.el
+(setq load-path (cons "." load-path) byte-compile-warnings nil)
+EOF
+ ${FLAVOR} ${FLAGS} ${ELFILE}
+ rm -f ${ELFILE} path.el
+fi
--- puppet-0.25.4.orig/debian/compat
+++ puppet-0.25.4/debian/compat
@@ -0,0 +1 @@
+5
--- puppet-0.25.4.orig/debian/README.source
+++ puppet-0.25.4/debian/README.source
@@ -0,0 +1,2 @@
+The debian directory is now maintained on Alioth in git.
+See http://pkg-puppet.alioth.debian.org/ for more information.
--- puppet-0.25.4.orig/debian/etckeeper-commit-post
+++ puppet-0.25.4/debian/etckeeper-commit-post
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+which etckeeper > /dev/null 2>&1 || exit 0
+
+etckeeper commit "committing changes in /etc after puppet catalog run"
+
+# Failure of etckeeper should not be fatal.
+exit 0
--- puppet-0.25.4.orig/debian/TODO.Debian
+++ puppet-0.25.4/debian/TODO.Debian
@@ -0,0 +1 @@
+* clean up initscripts per http://mail.madstop.com/pipermail/puppet-dev/2006-June/001069.html
--- puppet-0.25.4.orig/debian/puppet.dirs
+++ puppet-0.25.4/debian/puppet.dirs
@@ -0,0 +1 @@
+usr/sbin
--- puppet-0.25.4.orig/debian/vim-puppet.yaml
+++ puppet-0.25.4/debian/vim-puppet.yaml
@@ -0,0 +1,5 @@
+addon: puppet
+description: "Syntax highlighting for puppet"
+files:
+ - ftdetect/puppet.vim
+ - syntax/puppet.vim
--- puppet-0.25.4.orig/debian/puppet.conf
+++ puppet-0.25.4/debian/puppet.conf
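Review bot: debian/puppet-el.emacsen-install runs as root with no `set -e` and expands `${FLAVOR}`, `${ELDIR}` and `${ELCDIR}` unquoted, so a failed `cd ${ELCDIR}` leaves the script in `${ELDIR}` and the closing `rm -f ${ELFILE} path.el` then deletes the packaged `puppet-mode.el` source instead of the temporary copy. An empty first argument also turns `[ ${FLAVOR} != emacs ]` into a test syntax error. I would add `set -e` directly after the shebang, as the sibling emacsen-remove script in this diff already does, and write the test as `if [ "${FLAVOR}" != emacs ]; then`, quoting the path variables in the `install`, `cd` and `cp` lines as well.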
@@ -0,0 +1,10 @@
+[main]
+logdir=/var/log/puppet
+vardir=/var/lib/puppet
+ssldir=/var/lib/puppet/ssl
+rundir=/var/run/puppet
+factpath=$vardir/lib/facter
+pluginsync=true
+templatedir=$confdir/templates
+prerun_command=/etc/puppet/etckeeper-commit-pre
+postrun_command=/etc/puppet/etckeeper-commit-post
--- puppet-0.25.4.orig/debian/fileserver.conf
+++ puppet-0.25.4/debian/fileserver.conf
@@ -0,0 +1,17 @@
+# This file consists of arbitrarily named sections/modules
+# defining where files are served from and to whom
+
+# Define a section 'files'
+# Adapt the allow/deny settings to your needs. Order
+# for allow/deny does not matter, allow always takes precedence
+# over deny
+[files]
+ path /etc/puppet/files
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
+
+[plugins]
+# allow *.example.com
+# deny *.evil.example.com
+# allow 192.168.0.0/24
--- puppet-0.25.4.orig/debian/puppetmaster.postrm
+++ puppet-0.25.4/debian/puppetmaster.postrm
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+case "$1" in
+ purge)
+ rm -rf /var/log/puppet
+ rm -f /etc/puppet/puppetmasterd.conf
+ rm -rf /etc/puppet/ssl
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+
+esac
+
+#DEBHELPER#
+
+exit 0
--- puppet-0.25.4.orig/debian/puppet-el.emacsen-remove
+++ puppet-0.25.4/debian/puppet-el.emacsen-remove
@@ -0,0 +1,11 @@
+#!/bin/sh
+set -e
+
+FLAVOR=$1
+PACKAGE=puppet-el
+ELCFILE=puppet-mode.elc
+
+if [ ${FLAVOR} != emacs ]; then
+ echo remove/${PACKAGE}: Purging byte-compiled files for ${FLAVOR}
+ rm -f /usr/share/${FLAVOR}/site-lisp/${ELCFILE}
+fi
--- puppet-0.25.4.orig/debian/docs
+++ puppet-0.25.4/debian/docs
@@ -0,0 +1 @@
+README
--- puppet-0.25.4.orig/debian/vim-puppet.README.Debian
+++ puppet-0.25.4/debian/vim-puppet.README.Debian
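Review bot: The shipped `[main]` section of debian/puppet.conf enables `pluginsync=true` and the two etckeeper hooks without any comment, although both settings make the agent run code it did not ship with: synced plugins come from the master, and the `prerun_command`/`postrun_command` scripts are executed on every catalog run, presumably with the agent's (normally root) privileges. I would document that in the file, e.g. `# pluginsync: fetch plugin code from the master before each run` above that setting and `# hook scripts run as the agent user; keep them root-owned and not group/world-writable` above the two hook lines. That gives an administrator editing this file the trust assumptions without having to look up each option.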
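Review bot: The `purge)` branch of debian/puppetmaster.postrm removes `/var/log/puppet` and `/etc/puppet/ssl` with `rm -rf`, but `debian/puppet-common.dirs` in this same diff lists `var/log/puppet` as a puppet-common directory, so purging puppetmaster on a host that keeps the agent also deletes the agent's logs. `/etc/puppet/ssl` is the old ssldir described in puppet.NEWS and may still hold CA and key material on installations that never migrated. I would leave shared paths to puppet-common's postrm and keep only `rm -f /etc/puppet/puppetmasterd.conf` here, or at least replace each directory removal with a form that refuses non-empty directories, such as `[ ! -d /var/log/puppet ] || rmdir --ignore-fail-on-non-empty /var/log/puppet`.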
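Review bot: The `rm -f /usr/share/${FLAVOR}/site-lisp/${ELCFILE}` line in debian/puppet-el.emacsen-remove does not match where the install script in this diff writes its output: `debian/puppet-el.emacsen-install` byte-compiles inside `/usr/share/${FLAVOR}/site-lisp/${PACKAGE}`, so the `.elc` file and the per-flavor directory are left behind on removal. The line should target that directory, e.g. `rm -rf "/usr/share/${FLAVOR}/site-lisp/${PACKAGE}"`. `${FLAVOR}` in the `[ ... ]` test should also be quoted so that an empty argument does not become a test syntax error.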
@@ -0,0 +1,13 @@
+Dear user, this package provides the vim addon puppet, but it is not enabled
+per default.
+
+If you want to enable it for your user account just execute
+
+ vim-addons install puppet
+
+Similarly, to enable it for all users of this system just execute (as root):
+
+ vim-addons -w install puppet
+
+vim-addons is provided by the vim-addon-manager package, have a look at its
+manpage for more information.
--- puppet-0.25.4.orig/debian/etckeeper-commit-pre
+++ puppet-0.25.4/debian/etckeeper-commit-pre
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+which etckeeper > /dev/null 2>&1 || exit 0
+
+etckeeper commit "saving uncommitted changes in /etc prior to puppet catalog run"
+
+# Failure of etckeeper should not be fatal.
+exit 0
--- puppet-0.25.4.orig/debian/puppet.default
+++ puppet-0.25.4/debian/puppet.default
@@ -0,0 +1,7 @@
+# Defaults for puppet - sourced by /etc/init.d/puppet
+
+# Start puppet on boot?
+START=no
+
+# Startup options
+DAEMON_OPTS=""
--- puppet-0.25.4.orig/debian/puppet.NEWS
+++ puppet-0.25.4/debian/puppet.NEWS
@@ -0,0 +1,86 @@
+puppet (0.25.4-1) unstable; urgency=low
+
+ In this packaging version we add a "puppet-common" package, on which the
+ packages "puppet" and "puppetmaster" depend.
+
+ The editor syntax highlighting code previously in the "puppet" package has
+ been moved to the packages "puppet-el" and "vim-puppet".
+
+ -- Stig Sandbeck Mathisen Tue, 19 Jan 2010 13:09:36 +0000
+
+puppet (0.25.1-3) unstable; urgency=low
+
+ The default setting for puppet starting on boot has been changed from true
+ to false. This means the puppet client will not automatically start on
+ install or boot until this file is modified.
+
+ Note that the last Debian packaged version of puppet 0.24.x is too old to
+ communicate with a 0.25.x puppetmaster server. To resolve this, either
+ upgrade your client to 0.25.x, or install puppet 0.24.8 from source from:
+ http://reductivelabs.com/downloads/puppet/puppet-0.24.8.tgz
+
+ -- Nigel Kersten Wed, 16 Dec 2009 12:49:03 -0800
+
+puppet (0.23.2-12) unstable; urgency=low
+
+ * Handling of the rundir setting has been changed; we now store PID files
+ in /var/run/puppet, and the initscripts have been modified to ensure
+ that this directory exists on startup. It is no longer necessary to set
+ rundir explicitly in /etc/puppet/puppet.conf, and you should ensure that
+ you have no explicit rundir setting in your puppet.conf unless you want
+ to use a custom rundir setting for your own local purposes.
+
+ -- Matthew Palmer Sat, 20 Oct 2007 11:58:58 +1000
+
+puppet (0.23.2-3) unstable; urgency=low
+
+ * This version of Puppet makes a fairly major change to the location of
+ the CA and certificates, from /etc/puppet/ssl to the more FHS-compliant
+ location /var/lib/puppet/ssl. This is to be both policy-compliant and
+ to match the location of the ssldir in other distributions.
+
+ If you have transitioned to using the consolidated puppet.conf config
+ file, there should be no problems. If you are using a stock
+ puppet.conf, the change should be made for you automatically, while if
+ you've customised puppet.conf the ssldir will be left where it is and
+ you should transition to the new location manually.
+
+ The only source of problems is if you're still using per-program config
+ files (puppetd.conf, puppetmasterd.conf, etc). I haven't been able to
+ work out a damage-free way of transitioning to the new location, so
+ things will likely break for you -- ssldir will have been moved to
+ /var/lib/puppet/ssl, but your puppet programs will use the
+ old config file (with the default ssldir of /etc/puppet/ssl. In this
+ case, you'll likely get all sorts of certificate-related problems.
+
+ The solution is to either switch to using puppet.conf (which is
+ necessary anyway because support for the deprecated per-program config
+ files will be going away sometime) with the new ssldir setting, or add
+ the ssldir setting to all your per-program config files (this includes
+ creating them for programs that don't already have a config file, like
+ puppetca.conf). Then delete /etc/puppet/ssl (since it's not needed) and
+ use the existing SSL data that was moved to /var/lib/puppet/ssl.
+
+ -- Matthew Palmer Fri, 24 Aug 2007 16:08:04 +1000
+
+puppet (0.23.0-1) unstable; urgency=low
+
+ * As of upstream 0.23.0, the configuration file layout has been largely
+ revamped. Now, instead of having one file per program, there is now
+ a single file, /etc/puppet/puppet.conf, which contains sections for
+ each program, as well as a "main" section that sets global config
+ options relevant for all programs.
+
+ See http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference for
+ more info.
+
+ For backwards compatibility, all programs still read the per-program
+ configuration files, and will ignore the generic puppet.conf file if the
+ per-program file still exists. To prevent accidents, you will need to
+ do the configuration change manually, by rewriting puppet.conf to match
+ your local configuration parameters and then deleting the old files. If
+ you haven't changed any config parameters, then it should be as simple
+ as deleting puppetd.conf and puppetmasterd.conf and restarting the
+ daemons, as the configuration itself hasn't changed between versions.
+
+ -- Matthew Palmer Mon, 25 Jun 2007 10:43:53 +1000
--- puppet-0.25.4.orig/debian/puppet-common.dirs
+++ puppet-0.25.4/debian/puppet-common.dirs
@@ -0,0 +1,6 @@
+etc/puppet
+etc/puppet/manifests
+etc/puppet/templates
+usr/lib/ruby/1.8
+var/lib/puppet
+var/log/puppet
--- puppet-0.25.4.orig/debian/watch
+++ puppet-0.25.4/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://reductivelabs.com/downloads/puppet/puppet-([0-9]+\.[0-9]+\.[0-9]+)\.tgz
--- puppet-0.25.4.orig/debian/puppet-el.emacsen.startup
+++ puppet-0.25.4/debian/puppet-el.emacsen.startup
@@ -0,0 +1,9 @@
+;; -*-emacs-lisp-*-
+;;
+;; Emacs startup file for the Debian GNU/Linux puppet-el package
+
+(autoload 'puppet-mode "puppet-mode" "Major mode for editing puppet manifests")
+
+(add-to-list 'auto-mode-alist '("\\.pp$" . puppet-mode))
+
+
--- puppet-0.25.4.orig/debian/puppet-testsuite.install
+++ puppet-0.25.4/debian/puppet-testsuite.install
@@ -0,0 +1,3 @@
+test/* /usr/share/puppet-testsuite/test
+spec/* /usr/share/puppet-testsuite/spec
+Rakefile /usr/share/puppet-testsuite/
--- puppet-0.25.4.orig/debian/puppetmaster.manpages
+++ puppet-0.25.4/debian/puppetmaster.manpages
@@ -0,0 +1,4 @@
+man/man8/puppetmasterd.8
+man/man8/puppetrun.8
+man/man8/puppetca.8
+
--- puppet-0.25.4.orig/debian/puppet-common.postinst
+++ puppet-0.25.4/debian/puppet-common.postinst
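Review bot: debian/watch fetches the upstream tarball over plain `http://` and configures no signature check, so uscan accepts whatever the network path delivers as the new upstream source. If upstream publishes detached signatures (not visible from this diff), I would prefix the URL line with something like `opts=pgpsigurlmangle=s/$/.asc/` and ship the signing key in the package. Otherwise a comment noting that tarballs must be verified out of band before import would at least record the gap.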
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "configure" ]; then
+
+ # Create the "puppet" user
+ if ! getent passwd puppet > /dev/null; then
+ adduser --quiet --system --group --home /var/lib/puppet \
+ --gecos "Puppet configuration management daemon" \
+ puppet
+ fi
+
+ # Create folders common to "puppet" and "puppetmaster", which need
+ # to be owned by the "puppet" user
+ install --owner puppet --group puppet --directory \
+ /var/lib/puppet/state
+
+ # Handle
+ if [ -d /etc/puppet/ssl ] && [ ! -e /var/lib/puppet/ssl ] && grep -q 'ssldir=/var/lib/puppet/ssl' /etc/puppet/puppet.conf; then
+ mv /etc/puppet/ssl /var/lib/puppet/ssl
+ fi
+fi
+
+#DEBHELPER#
--- puppet-0.25.4.orig/debian/control
+++ puppet-0.25.4/debian/control
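Review bot: The `grep -q 'ssldir=/var/lib/puppet/ssl' /etc/puppet/puppet.conf` test in the last `if` of debian/puppet-common.postinst is unanchored, so it also matches a commented-out `#ssldir=...` line and misses `ssldir = /var/lib/puppet/ssl` written with spaces; in the first case the CA and key material is moved while the effective ssldir still points at `/etc/puppet/ssl`. Anchoring the pattern, e.g. `grep -Eq '^[[:space:]]*ssldir[[:space:]]*=[[:space:]]*/var/lib/puppet/ssl[[:space:]]*$'`, avoids both. The comment above the block is cut off at `# Handle`; something like `# Move the old /etc/puppet/ssl to the FHS location when puppet.conf already points there` would say what it is for. The `install --directory` call sets no `--mode`, so `/var/lib/puppet/state` gets install's default permissions; I would state the mode explicitly if that is intended.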
@@ -0,0 +1,95 @@
+Source: puppet
+Section: admin
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Puppet Package Maintainers
+Uploaders: Micah Anderson , Andrew Pollock , Nigel Kersten , Stig Sandbeck Mathisen
+Build-Depends-Indep: ruby (>= 1.8.1), libopenssl-ruby, facter (>= 1.5)
+Build-Depends: debhelper (>= 5), openssl
+Standards-Version: 3.8.4
+Vcs-Git: git://git.debian.org/git/pkg-puppet/puppet.git
+Vcs-Browser: http://git.debian.org/?p=pkg-puppet/puppet.git
+Homepage: http://reductivelabs.com/trac/puppet
+
+Package: puppet
+Architecture: all
+Depends: ${misc:Depends}, ruby1.8, libxmlrpc-ruby, libopenssl-ruby, libshadow-ruby1.8, adduser, facter, lsb-base, puppet-common (= ${source:Version})
+Recommends: rdoc, libaugeas-ruby1.8
+Suggests: puppet-el, vim-puppet, etckeeper
+Description: centralised configuration management for networks
+ Puppet lets you centrally manage every important aspect of your system
+ using a cross-platform specification language that manages all the
+ separate elements normally aggregated in different files, like users,
+ cron jobs, and hosts, along with obviously discrete elements like
+ packages, services, and files.
+ .
+ Puppet's simple declarative specification language provides powerful
+ classing abilities for drawing out the similarities between hosts while
+ allowing them to be as specific as necessary, and it handles dependency
+ and prerequisite relationships between objects clearly and explicitly.
+
+Package: puppetmaster
+Architecture: all
+Depends: ${misc:Depends}, ruby1.8, puppet-common (= ${source:Version}), facter, lsb-base
+Conflicts: puppet (<< 0.24.7-1)
+Suggests: rails (>= 1.2.3-2), rdoc, libldap-ruby1.8, apache2 | nginx, mongrel, puppet-el, vim-puppet
+Description: centralised configuration management control daemon
+ Puppet lets you centrally manage every important aspect of your system
+ using a cross-platform specification language that manages all the
+ separate elements normally aggregated in different files, like users,
+ cron jobs, and hosts, along with obviously discrete elements like
+ packages, services, and files.
+ .
+ Puppet's simple declarative specification language provides powerful
+ classing abilities for drawing out the similarities between hosts while
+ allowing them to be as specific as necessary, and it handles dependency
+ and prerequisite relationships between objects clearly and explicitly.
+ .
+ This package contains the manifest server, 'puppetmaster'.
+
+Package: puppet-common
+Architecture: all
+Depends: ${misc:Depends}, ruby1.8, libxmlrpc-ruby, libopenssl-ruby, libshadow-ruby1.8, adduser
+Conflicts: puppet (<< ${source:Version}), puppetmaster (<< ${source:Version})
+Description: common files for puppet and puppetmaster
+ Puppet lets you centrally manage every important aspect of your system
+ using a cross-platform specification language that manages all the
+ separate elements normally aggregated in different files, like users,
+ cron jobs, and hosts, along with obviously discrete elements like
+ packages, services, and files.
+ .
+ Puppet's simple declarative specification language provides powerful
+ classing abilities for drawing out the similarities between hosts while
+ allowing them to be as specific as necessary, and it handles dependency
+ and prerequisite relationships between objects clearly and explicitly.
+ .
+ This package contains the files common to the 'puppet' and
+ 'puppetmaster' packages.
+
+Package: vim-puppet
+Architecture: all
+Depends: ${misc:Depends}
+Recommends: vim-addon-manager
+Conflicts: puppet (<< ${source:Version})
+Description: Vim syntax highlighting for puppet manifests
+ The vim-puppet package provides filetype detection and syntax highlighting for
+ puppet manifests (files ending with ".pp").
+
+Package: puppet-el
+Architecture: all
+Depends: ${misc:Depends}, emacsen-common
+Conflicts: puppet (<< ${source:Version})
+Description: Emacs syntax highlighting for puppet manifests
+ The puppet-el package provides syntax highlighting for puppet manifests
+
+Package: puppet-testsuite
+Architecture: all
+Depends: ${misc:Depends}, ruby1.8, puppet (= ${source:Version}), facter, lsb-base, rails (>= 1.2.3-2), rdoc, libldap-ruby1.8, mongrel, librspec-ruby, puppetmaster, git-core
+Description: centralized configuration management control for networks
+ Puppet lets you centrally manage every important aspect of your system
+ using a cross-platform specification language that manages all the
+ seperate elements normally aggregated in different files, like users,
+ cron jobs, and hosts, along with obviously discrete elements like
+ packages, services, and files.
+ .
+ This package contains the testsuite for puppet.
--- puppet-0.25.4.orig/debian/puppet.manpages
+++ puppet-0.25.4/debian/puppet.manpages
@@ -0,0 +1,6 @@
+man/man8/puppet.8
+man/man8/filebucket.8
+man/man8/puppet.8
+man/man8/puppetd.8
+man/man8/puppetdoc.8
+man/man8/ralsh.8
--- puppet-0.25.4.orig/debian/changelog
+++ puppet-0.25.4/debian/changelog
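Review bot: `man/man8/puppet.8` is listed twice in debian/puppet.manpages, and `puppet.conf.5` is not listed at all even though the install.rb hunk in this diff now generates it under `man/man5`. Unless `debian/rules` (not shown here) installs the section-5 page some other way, the configuration man page will be missing from the binary package. I would drop the duplicate line and add `man/man5/puppet.conf.5`.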
@@ -0,0 +1,822 @@ +puppet (0.25.4-2ubuntu6.6) lucid-security; urgency=low + + * SECURITY UPDATE: correctly drop group privileges and properly handle + symlinks with Klogin. Based on following upstream patches: + - 7df0533f93f229de72694148da0ebfd9e1e831c9 + - 4ec03b81041c25428a32bc2b83d606ae381e0d53 + - f47dd4d3e0aaaa8ebd75b71ef02ce441df663f04 + - d702377a00988c3ca458fc48adbc63c4bfcf3164 + - ea10b0c487c343d6924951f2da522f3078093a98 + - CVE-2012-1053 + - CVE-2012-1054 + * debian/rules: update unit tests to remove tc_suidmanager.rb (part of fix + for the above) + - ed0bc14c54018691013fdf6eaa989bc5e49f1a66 + + -- Jamie Strandboge Tue, 21 Feb 2012 10:36:05 -0600 + +puppet (0.25.4-2ubuntu6.5) lucid-security; urgency=low + + * SECURITY UPDATE: puppet master impersonation via incorrect certificates + - lib/puppet/{defaults,sslcertificates}.rb: disable certdnsnames + setting and issue a warning if it is used. + - Thanks to upstream for providing the patch. + - CVE-2011-3872 + + -- Marc Deslauriers Sun, 23 Oct 2011 10:01:02 -0400 + +puppet (0.25.4-2ubuntu6.4) lucid-security; urgency=low + + * adjust ssh_authorized_key/parsed.rb: save backup file to filebucket before + dropping privileges. Based on upstream commit: + 3f99bd71811be182f9217d727ec0ca7755eec68d + - http://projects.puppetlabs.com/issues/4267 + - LP: #865462 + + -- Jamie Strandboge Tue, 04 Oct 2011 07:54:33 -0500 + +puppet (0.25.4-2ubuntu6.3) lucid-security; urgency=low + + * SECURITY UPDATE: k5login can overwrite arbitrary files as root + - adjust type/k5login.rb to securely open the file before writing to it as + root. Patch from upstream: a4333c110ad084f205605708eaab52ad243d6c86 + - CVE-2011-3869 + * SECURITY UPDATE: didn't drop privileges before creating and changing + permissions on SSH keys + - adjust ssh_authorized_key/parsed.rb to drop privileges before creating + the ssh directory and setting permissions. 
Patches based on upstream: + ce233aa2a511bf6818f28c226144ec5b05a468ee (required for security fix) + e2c1cd5c957a236f89b9e8cb7b4e4f8769079e8c (security fix) + 8d9575775737c08c6cbfdf7f9a22f2ea4ab21b20 (backported rspec test case) + 0aae5a71a8e3b38cd8d7041f5c40091887c924a8 (fix test when run as root) + - CVE-2011-3870 + * SECURITY UPDATE: fix predictable temporary filename in ralsh + - adjust application/resource.rb to use an unpredictable filename. Patch + from upstream: 21b7192320dbb79a8cfe1fd3e06d0d399c964c0f + - CVE-2011-3871 + + -- Jamie Strandboge Fri, 30 Sep 2011 09:18:51 -0500 + +puppet (0.25.4-2ubuntu6.2) lucid-security; urgency=low + + * SECURITY UPDATE: unauthenticated directory traversal allows writing of + arbitrary files as puppet master (LP: #861182) + - update lib/puppet/indirector.rb, lib/puppet/indirector/ssl_file.rb, + lib/puppet/indirector/yaml.rb, spec/unit/indirector/ssl_file.rb and + spec/unit/indirector/yaml.rb to perform proper input validation. + Patch from upstream (Daniel Pittman ) + 6e5a821cbf94b220dfc021ff7ebad0831c60e207 + - CVE-2011-3848 + - LP: #861182 + + -- Jamie Strandboge Wed, 28 Sep 2011 08:30:14 -0500 + +puppet (0.25.4-2ubuntu6.1) lucid-proposed; urgency=low + + * Work around a bug in Ruby that causes meaningful error messages to be + hidden by a ruby error message (cf. + http://projects.puppetlabs.com/issues/3101). Fixes LP: #700945. + + -- Oliver Brakmann Tue, 05 Apr 2011 11:16:02 -0700 + +puppet (0.25.4-2ubuntu6) lucid; urgency=low + + * Fix init service provider to correctly check the status of services + using upstart jobs (LP: #551544). + * Package spec/ tests so that both test/ and spec/ tests can be run. 
+ + -- Mathias Gug Tue, 13 Apr 2010 18:33:05 -0400 + +puppet (0.25.4-2ubuntu5) lucid; urgency=low + + * Patch from upstream to fix test suite: + + failures: LP: #532202, LP: #532204, LP: #532205, LP: #532208, + LP: #532209, LP: #532215, LP: #532299, LP: #532300, LP: #532302, + LP: #532202, LP: #532307, LP: #532135, LP: #532138, LP: #532198, + + errors: LP: #528816, LP: #528817 + + -- Mathias Gug Thu, 08 Apr 2010 23:57:13 -0400 + +puppet (0.25.4-2ubuntu4) lucid; urgency=low + + * debian/puppetmaster.init: Fix init stop action to not fail if the + puppetmaster is already stopped. + + -- Mathias Gug Fri, 19 Mar 2010 22:24:22 -0400 + +puppet (0.25.4-2ubuntu3) lucid; urgency=low + + [ Angel Abad ] + * Fix return codes puppetmaster.init and puppet.init (LP: #527860) + + [ Mathias Gug ] + * debian/puppet-common.postrm: only remove puppet directories if they're + empty on package purge. + * etckeeper integration: + + debian/README.Debian: add a note about etckeeper integration. + + debian/control: suggest etckeeper. + + -- Mathias Gug Thu, 11 Mar 2010 12:42:32 -0500 + +puppet (0.25.4-2ubuntu2) lucid; urgency=low + + * etckeeper integration (server-lucid-puppet-etckeeper-integration): + - debian/etckeeper-commit-post, debian/etckeeper-commit-pre: + + Call "etckeeper commit" before and after catalog runs. + Silently bail out if etckeeper is not available. + - debian/puppet.conf: + + Call out to the etckeeper hooks using the new prerun_command, + and postrun_command hooks. + - debian/rules: + + Install the etckeeper hook scripts in /etc/puppet. + + -- Soren Hansen Mon, 15 Feb 2010 21:24:54 +0100 + +puppet (0.25.4-2ubuntu1) lucid; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/control: + + Move puppetmaster's Recommends to Suggests. + + Created puppet-testsuite as a seperate package. + Allow the users to run puppet's testsuite. + - tests/Rakefile: Fix rakefile so that the testsuite can actually be + run. 
+ * debian/control: + - Add debhelper misc:depends to puppet-testsuite binary package to fix + lintian warning. + * debian/rules, debian/puppet-common.dirs: + - Create templates directory in puppet config directory and include it in + puppet-common directory. + * debian/puppet-common.postrm: + - On purge delete all puppet directories: /etc/puppet, /var/log/puppet and + /var/lib/puppet. + * Dropped: + - debian/rules: + + Don't start puppet when first installing puppet. puppetd default file + doesn't start puppet by default. + - debian/puppet.conf, lib/puppet/defaults.rb: + + Move templates to /etc/puppet. + Fixed in Debian. + - lib/puppet/defaults.rb: + + Fix /var/lib/puppet/state ownership. + Fixed in Debian. + - lib/puppet/defaults.rb: + + Change owner/group to "service". (LP #509625) + No longer needed. + + -- Mathias Gug Tue, 16 Feb 2010 14:39:11 -0500 + +puppet (0.25.4-2) unstable; urgency=low + + [ Stig Sandbeck Mathisen ] + * puppet: do not explicitly remove /var/lib/puppet on purge (Closes: #525852) + * upstream cherry-pick: Updated man pages and moved puppet.conf.8 to + puppet.conf.5 (Closes: #563567) + * Fix "Improper ownership of /var/lib/puppet/state", explicitly create this + in postinst (and remove in postrm on purge) (Closes: #462551) + * Fix "wrong default location for templates", update default settings, and + create puppet-common.NEWS with information (Closes: #484659) + * Move postinst and postrm handling of shared users and directories to + puppet-common (Closes: #570012) + + -- Stig Sandbeck Mathisen Tue, 16 Feb 2010 06:30:55 +0000 + +puppet (0.25.4-1ubuntu1) lucid; urgency=low + + * Merge from debian testing. Remaining changes: + - debian/rules: + + Don't start puppet when first installing puppet. + - debian/puppet.conf, lib/puppet/defaults.rb: + + Move templates to /etc/puppet. + - lib/puppet/defaults.rb: + + Fix /var/lib/puppet/state ownership. + + Change owner/group to "service". 
(LP #509625) + - debian/control: + + Move puppetmaster's Recommends to Suggests. + + Created puppet-testsuite as a seperate package. + Allow the users to run puppet's testsuite. + - tests/Rakefile: Fix rakefile so that the testsuite can actually be + run. + + -- Soren Hansen Fri, 12 Feb 2010 17:31:26 +0100 + +puppet (0.25.4-1) unstable; urgency=low + + [Nigel Kersten ] + * New upstream version 0.25.4 + + [ Micah Anderson ] + * Fix debian/rules typo in install of puppet-mode-init.el + * Fix which package puppet-mode-init.el gets installed into + * Add Suggests for vim-puppet and puppet-el on binary packages + + [ Stig Sandbeck Mathisen ] + * Update debian/copyright + * debian/{puppet,puppetmaster}.init: Add status argument, fix pid file + locations (Closes: #545975) + * Refactoring: Add binary packages for puppet-common, puppet-el, vim-puppet + + -- Stig Sandbeck Mathisen Mon, 01 Feb 2010 12:31:58 +0100 + +puppet (0.25.1-3ubuntu2) lucid; urgency=low + + * lib/puppet/defaults.rb: Change owner/group to "service". + (LP: #509625) + + -- Chuck Short Tue, 26 Jan 2010 11:13:30 -0500 + +puppet (0.25.1-3ubuntu1) lucid; urgency=low + + * Merge from debian testing. Remaining changes: + - debian/rules: + + Don't start puppet when first installing puppet. + - debian/puppet.conf, lib/puppet/defaults.rb: + + Move templates to /etc/puppet + - lib/puppet/defaults.rb: + + Fix /var/lib/puppet/state ownership. + - man/man8/puppet.conf.8: + + Fix broken URL in manpage. + - debian/control: + + Update maintainer accordint to spec. + + Puppetmaster Recommends -> Suggests + + Created puppet-testsuite as a seperate. Allow the users to run puppet's + testsuite. + - tests/Rakefile: Fix rakefile so that the testsuite can acutally be ran. + + -- Chuck Short Wed, 23 Dec 2009 00:48:10 +0000 + +puppet (0.25.1-3) unstable; urgency=low + + [ Nigel Kersten ] + * Require modification of /etc/default/puppet to start puppet client daemon. 
+ (closes: #518831) + * cherry pick upstream fix for puppetrun with tags (closes: #559092) + * cherry pick upstream fix for supplementary groups not being reset. + (CVE-2009-3564) (closes: #551073) + + [ Andrew Pollock ] + * debian/{puppet,puppetmaster}.pid: Correct the path to the pidfiles + (closes: #561231) + * debian/control: version the build dependency on facter (closes: #551055) + + -- Andrew Pollock Wed, 16 Dec 2009 11:36:39 -0800 + +puppet (0.25.1-2) unstable; urgency=low + + * Add puppetqd executable to puppetmaster package (closes: #554624) + + -- Nigel Kersten Thu, 05 Nov 2009 11:23:10 -0800 + +puppet (0.25.1-1) unstable; urgency=low + + * New upstream release of 0.25.1 + + -- Nigel Kersten Tue, 27 Oct 2009 10:35:40 -0700 + +puppet (0.25.0-1) unstable; urgency=low + + * New upstream release + * Tweak .install files to cope with new use of sbindir from upstream. + * Add the new auth.conf config file to the puppetmaster package. + + -- Nigel Kersten Sun, 16 Aug 2009 05:34:17 -0700 + +puppet (0.24.8-3) unstable; urgency=low + + [ Micah Anderson ] + * Make logcheck ignore 'Reopening log files' on puppetmaster (Closes: #538721) + + [ Nigel Kersten ] + * switch from unreleased to unstable. + + -- Nigel Kersten Sun, 16 Aug 2009 05:33:53 -0700 + +puppet (0.24.8-2ubuntu5) lucid; urgency=low + + * Fix path reference for the testsuite. (LP: #488708) + + -- Soren Hansen Fri, 27 Nov 2009 10:10:53 +0100 + +puppet (0.24.8-2ubuntu4) karmic; urgency=low + + * debian/control: puppetmaster Recommends -> Suggests. + * debian/rules: Start puppetmaster when installing puppetmaster. + (LP: #427466) + * tests/Rakefile: Fix Rakefile so that the testsuite can acutally be ran. + * Created puppet-testsuite as a seperate. Allow the users to run puppet's + tessuite + + -- Chuck Short Thu, 10 Sep 2009 15:28:17 -0400 + +puppet (0.24.8-2ubuntu3) karmic; urgency=low + + * Fix typo in build. 
+ + -- Chuck Short Tue, 08 Sep 2009 14:18:00 -0400 + +puppet (0.24.8-2ubuntu2) karmic; urgency=low + + * Fix build. + + -- Chuck Short Fri, 04 Sep 2009 10:54:28 -0400 + +puppet (0.24.8-2ubuntu1) karmic; urgency=low + + * debian/rules: Dont start puppet and puppetmaster when first + installing puppet. + * debian/puppet.conf, lib/puppet/defaults.rb: Move templates to + /etc/puppet + * lib/puppet/defaults.rb: Fix /var/lib/puppet/state ownership. + * man/man8/puppet.conf.8: Fix broken URL in manpage. + * Update maintainer according to spec. + + -- Chuck Short Mon, 17 Aug 2009 13:24:34 -0400 + +puppet (0.24.8-2) unstable; urgency=high + + [ Micah Anderson ] + * Cherry-pick upstream versioncmp fix (redmine:#2110) + + [ Andrew Pollock ] + * Enable waiting for certificates for the default value (upstream default + that was previously disabled or enabled with a 5 second value) + * Re-ship the vim syntax file in the correct location (it fell out after the + 0.24.5-3 upload) (closes: #530752) + * Re-add the 0.24.5-3 changelog entry + * debian/puppet.postrm: don't delete the user or group (closes: #528068, + #527381) + * debian/puppet.{preinst,postinst}: Applied modified patch from Stig + Sandbeck Mathisen to call conditionally call adduser in the postinst, if + it's available + + [ Nigel Kersten ] + * Switched to use install.rb, primarily to stop shebangs using /usr/bin/env + * Stopped using dh_movefiles, moved to dh_install + * debian/rules greatly cleaned up due to above two changes + + [ Andrew Pollock ] + * debian/control: add rdoc, libopenssl-ruby and facter to build dependencies + * debian/control: depend on ruby1.8 instead of ruby to placate Lintian + * debian/puppet.install: brown paper bag release averted; install + /usr/lib/ruby/1.8 + * debian/rules: ensure permissions on everything under /usr/lib/ruby/1.8 is + correct + + -- Andrew Pollock Tue, 16 Jun 2009 23:37:22 -0700 + +puppet (0.24.8-1) unstable; urgency=low + + * New upstream release + * debian/control: Add 
Nigel Kersten and myself as uploaders + * debian/changelog: wrap long lines + * debian/watch: ignore release candidates + * debian/compat: bump to 5 + * debian/control: bump Standards-Version (no changes) + + -- Andrew Pollock Mon, 13 Apr 2009 17:12:47 -0700 + +puppet (0.24.7-2) experimental; urgency=low + + * make puppetmaster conflict previous puppet due to man page move + + -- Micah Anderson Wed, 28 Jan 2009 10:28:23 -0500 + +puppet (0.24.7-1) experimental; urgency=low + + * New upstream release + * Fixed comment in defaults/puppetmaster (Closes: #510881) + * Fixed debian/puppetmaster.manpages and debian/puppet.manpages to + distribute + puppetrun and puppetca correctly, thanks Savvas Radevic (Closes: #511826) + * Added puppetmaster Recommends: libldap-ruby1.8 to silence puppetrun + (Closes: #512639) + * Added puppet Recommends: libaugeas-ruby1.8 for new Augeas support in this + release + + -- Micah Anderson Fri, 23 Jan 2009 09:27:09 -0500 + +puppet (0.24.6-1) experimental; urgency=low + + * New upstream release (Closes: #506129, #504624, #502163) + * Distribute filebucket binary (Closes: #499999) + * Fix missing check for START variable in defaults files (Closes: #498284) + * Fix maintainer scripts so that they do not ignore errors (set -e) + * Fix maintainer scripts so they don't have prepended paths (thanks lintian) + * Cherry-pick fixes from upstream: + - comparison of String with 0 failed (Closes: #500848) + - filename cannot handle ++ (Closes: #502163) + - tidy must specify size, age or both (Closes: #500852) + + -- Micah Anderson Sat, 29 Nov 2008 13:59:25 -0500 + +puppet (0.24.5-3) unstable; urgency=medium + + * Set wait for cert timeout to 5 secs, to avoid resource abuse (Closes: + #509566) + * Distribute filebucket binary (Closes: #499999) + * Place vim syntax in the correct location (LP: #181960) + + -- Thom May Wed, 07 Jan 2009 15:15:34 -0500 + +puppet (0.24.5-2) unstable; urgency=low + + * Fix puppetlast to work with 0.24.5 + * Adjust logcheck to 
match against new log messages in 0.24.5 + * Update standards version to 3.8.0 (no changes) + * Update changelog to reduce length of line to make lintian happy + + -- Micah Anderson Sat, 26 Jul 2008 15:43:45 -0400 + +puppet (0.24.5-1) unstable; urgency=low + + * New upstream release + * Applied patch from Martin Krafft to improve logcheck file installation + + -- Thom May Thu, 24 Jul 2008 10:58:08 +0100 + +puppet (0.24.4-8) unstable; urgency=low + + * Changed the default port value to 8140 in /etc/default/puppetmaster + to be consistent with the client default port. (Closes: #483823) + * Cherry-picked various bug fixes from upstream: + - further emacs mode updates from Russ Allbery + - misleading error if CA private key can not be decrypted (trac:#1271) + - fix missing bracket in documentation (trac:#1209) + - man pages updates (trac:#1211) + - add dump parameter to mount type (trac:#1212) + - fixed undefined variable in lib/puppet/util/settings.rb (trac:#1218) + - usermod problem on Solaris (trac:#1207) + - added native authorized_keys type + - test within a template if a variable or fact is defined (trac:#1177) + - Fixed Red Hat service disabling (trac:#1219) + - fix crontab provider parse error when line begins w/space (trac:#1216) + - Fix for latest method in rpm provider (trac:#1224) + - puppetd documentation updates (trac:#1227) + - Modified the 'factpath' setting to automatically configure Facter + to load facts there if a new enough version of Facter is used. + - Removing unused file lib/puppet/util/variables.rb (trac:#1229) + - Fixing transaction support for prefetching generated resources. + Previously, we prefetched then generated, which caused generated + resources that needed prefetching not to work. This just reorders + the calls, so generated resources now get prefetched. 
+ - Respect "replace => false" for symlinks (trac:#1235) + - Added cron random function fixing ticket (trac:#311) + - No more clear_cache failures (trac:#1247) + - Fixed Rakefile to install non-.rb files (trac:#1266) + + -- Micah Anderson Sat, 31 May 2008 11:39:47 -0400 + +puppet (0.24.4-7) unstable; urgency=low + + * Update emacs-mode with changes cherry-picked from rra's repository + * Fix typo in puppetmaster.init (Closes: #480019) + * Fix variable name in /etc/default/puppetmaster comments + * Fix incorrect port increment in puppetmaster initscript when mongrel + is used, thanks Francois Deppierraz (Closes: #480263) + * Add puppetmaster.postrm to remove /var/log/puppet on purge + * Added debian/puppetmaster.dirs containing etc/puppet/manifests + * Remove puppet group on purge (Closes: #481511) + * Remove old config files and stray directories (Closes: #454681) + + -- Micah Anderson > Sat, 03 May 2008 16:18:32 -0400 + +puppet (0.24.4-6) unstable; urgency=low + + * Remove bashisms in puppetmaster.init + * Add puppetlast script + + -- Micah Anderson > Wed, 30 Apr 2008 07:37:04 -0400 + +puppet (0.24.4-5) unstable; urgency=low + + * Fix missing --pidfile piece for mongrel startup and make + stop consistent, thanks Bart Cortooms (Closes: #476840) + * Add trailing newline missing from default files + + -- Micah Anderson Sat, 19 Apr 2008 11:03:35 -0400 + +puppet (0.24.4-4) unstable; urgency=low + + * Create /etc/default/puppet and /etc/default/puppetmaster + * Modify /etc/init.d/puppetmaster to support mongrel instances + on multiple ports + * Remove no longer necessary .svn cleaning from debian/rules + * Added $network and $named appropriated places in the LSB + headers in puppet and puppetmaster initscripts, + thanks Sam Quigley + * Install ralsh (Closes: #476629) + * Cherry-pick upstream patches from 0.24.x branch: + - Install manpages + - Fix shebang issues (#1148) + - Updated fix for (#1020) + - Fix for (#1174) + - Emacs mode updates (#1160) + - Debian service 
[en|dis]able issue (#1161) + - User type group list validation enhancement + - Fix configtimeout issue (#1176) + + -- Micah Anderson Sun, 13 Apr 2008 19:18:46 -0400 + +puppet (0.24.4-3) unstable; urgency=low + + * Remove pi binary, puppetdoc provides this functionality now + (Closes: #472850) + + -- Micah Anderson Fri, 28 Mar 2008 12:38:30 -0400 + +puppet (0.24.4-2) unstable; urgency=low + + * Fix duplicate man8/puppetmasterd.8 install + + -- Micah Anderson Tue, 25 Mar 2008 22:58:22 -0400 + +puppet (0.24.4-1) unstable; urgency=low + + * New upstream release + * Install man pages missing from upstream release + + -- Micah Anderson Tue, 25 Mar 2008 18:17:02 -0400 + +puppet (0.24.3-1) unstable; urgency=low + + [ Micah Anderson] + * New upstream release + * Install man pages (Closes: #385529) + * Apply lsb formatted dependency info into initscripts, thanks + Petter Reinholdtsen (Closes: #462915) + * Install more robust puppet-mode.el + * Add factpath and pluginsync=true to the default puppet.conf so that + facts added through pluginsync are loaded by puppet + * Add [plugins] section to fileserver.conf + * Updated outdated debian/control substrvar for puppet to ${source:Version} + * Updated link in debian/copyright for new URL to license + * Updated copyright in debian/copyright + * Bumped standards version to 3.7.3.0 (no changes) + * Switch debhelper from Build-Depends-Indep to Build-Depends because it is + required to run clean target (lintian check: + clean-should-be-satisfied-by-build-depends) + * Moved homepage from Description to control field + * Added Vcs-Browser and Vcs-Git fields to debian/control + [ Thom May ] + * If puppet can't start, continue with package install + + -- Micah Anderson Sun, 09 Mar 2008 14:03:00 -0400 + +puppet (0.24.1-2) unstable; urgency=low + + * Set rundir correctly (Closes: #460203, #459579) + * Apply patch for puppet#1003 to enable collection of tagged resources + + -- Thom May Wed, 16 Jan 2008 11:08:55 +0100 + +puppet (0.24.1-1) 
unstable; urgency=low + + * New upstream release (Closes: #445626) + * Set maintainer to pkg-puppet-devel + + -- Thom May Sun, 30 Dec 2007 19:13:47 +0100 + +puppet (0.24.0-1) unstable; urgency=low + + * New upstream release + + -- Thom May Wed, 19 Dec 2007 16:00:34 +0100 + +puppet (0.23.2-15) unstable; urgency=low + + * No change upload setting maintainer to me whilst waiting for an alioth + project. + + -- Thom May Thu, 29 Nov 2007 10:44:50 +0100 + +puppet (0.23.2-14) unstable; urgency=low + + * Orphaning. + * Create /var/lib/puppet in the puppet package. Closes: #452506. + * Start the puppet init script after puppetmaster, to silence whiny bug + reports. Closes: #452064. + * Add a reload command to the Puppet init script. Closes: #452060. + + -- Matthew Palmer Thu, 29 Nov 2007 10:48:21 +1100 + +puppet (0.23.2-13) unstable; urgency=low + + * Drop quotes from an already-quoted value in a query. Closes: #448179. + * Remove excessive quoting from puppet/network/handler/master.rb. + Closes: #448221. + * Force removal of directories during pluginsync. Closes: #448180. + + -- Matthew Palmer Tue, 30 Oct 2007 14:55:19 +1100 + +puppet (0.23.2-12) unstable; urgency=low + + * Create /var/run/puppet and set the perms in the various initscripts, as + well as hardcoding the rundir better in configuration.rb and removing + the explicit rundir setting from puppet.conf. Closes: #447314. + * Apply additional patch given (backwards) to fix export/collect on some + database backends. Closes: #445591 (again!) + + -- Matthew Palmer Sat, 20 Oct 2007 11:28:50 +1000 + +puppet (0.23.2-11) unstable; urgency=low + + * Apply patch from puppet#786 to fix a problem with exported resources not + being properly detected as needing a rerun. Closes: #445591. + * Fix ignore handling for the plugins mount. Closes: #446390. + + -- Matthew Palmer Mon, 15 Oct 2007 09:11:25 +1000 + +puppet (0.23.2-10) unstable; urgency=low + + * Recycle connections when we change (or get) certs. 
+ * Catch and retry more transient errors in the XMLRPC wrapper. + + -- Matthew Palmer Thu, 27 Sep 2007 15:06:11 +1000 + +puppet (0.23.2-9) unstable; urgency=low + + * Recycle the HTTP connection if we get an EPIPE during a request. + Closes: #444177. Thanks to Jos Backus for helping with testing. + + -- Matthew Palmer Thu, 27 Sep 2007 09:55:34 +1000 + +puppet (0.23.2-8) unstable; urgency=low + + * Remove extraneous debugging output accidentally left behind in the last + release. + * Fix spelling mistakes in debian/control and debian/puppet.preinst. + Closes: #444158. + + -- Matthew Palmer Thu, 27 Sep 2007 07:45:07 +1000 + +puppet (0.23.2-7) unstable; urgency=low + + * Ignore ENOENT errors in the module plugin syncing code, since they're + innocuous and expected. + * Allow facts that are downloaded through pluginsync to be used like any + other fact. + * Allow users to still have an old-style plugins mount if they want, by + specifying a path for the mount. Also track down a fault in old-style + fileserving which did strange slash-stripping. Closes: #443932. + + -- Matthew Palmer Tue, 25 Sep 2007 16:41:32 +1000 + +puppet (0.23.2-6) unstable; urgency=low + + * Patch rails/param_name.rb to stop query failures, as per puppet#784. + * Actually honour namevar. + * Only set dbuser if explicitly asked for. + * Fix annoying database deletion error for ParamValue objects. + * Add an accessor for ca_file, since older openssl-ruby only had a writer. + * Fix the fileserver to honour ignore. Thanks to Nathan Ward for the + bug report on IRC. + + -- Matthew Palmer Thu, 20 Sep 2007 16:10:41 +1000 + +puppet (0.23.2-5) unstable; urgency=low + + * Add some NEWS for the ssldir transition. Should have done that earlier. + * Remove the explicit mode change for vardir, and fix up the mode on + statedir, as well. Closes: #425496. + * Only set some database parameters if they're explicitly set; this makes + life easier for PgSQL ident auth. + * Allow empty config options. 
+ + -- Matthew Palmer Thu, 13 Sep 2007 11:09:59 +1000 + +puppet (0.23.2-4) unstable; urgency=low + + * Fix puppet#776 in a slightly better way by only flushing the cache when + a value is changed, rather than whenever a value is read. + * Apply patch from puppet#755 to cache connections to the Puppetmaster, + which improves performance by more than a little. + * Modify the fileserver so that it provides a 'plugins' mount which + exports the union of the plugins directory of all modules. + + -- Matthew Palmer Fri, 31 Aug 2007 15:32:04 +1000 + +puppet (0.23.2-3) unstable; urgency=low + + * Clear the config value cache every time. This is a titchy little + performance hit, but it works around puppet#776 rather nicely. + + -- Matthew Palmer Fri, 24 Aug 2007 16:08:04 +1000 + +puppet (0.23.2-2) unstable; urgency=low + + * Move the SSL state directory to a more policy-friendly location, + /var/lib/puppet/ssl. + + -- Matthew Palmer Tue, 21 Aug 2007 12:54:40 +1000 + +puppet (0.23.2-1) unstable; urgency=low + + * New upstream release. + + -- Matthew Palmer Tue, 7 Aug 2007 12:47:49 +1000 + +puppet (0.23.1-1) unstable; urgency=low + + * New upstream release. + * Switch primary maintainer to me. Thanks jaq. + * Make the recommendation for rails >= 1.2.3-2, to avoid + incompatibilities. This breaks compatibility with stable, but the rails + package from unstable should install cleanly in stable. Closes: #433999 + + -- Matthew Palmer Sat, 21 Jul 2007 16:34:36 +1000 + +puppet (0.23.0-1) unstable; urgency=low + + * New upstream release. + - Includes a new configuration file handling system; see NEWS.Debian. + + -- Matthew Palmer Mon, 25 Jun 2007 09:55:12 +1000 + +puppet (0.22.4-2) unstable; urgency=low + + * Depend on libshadow-ruby1.8, for new password modification functionality + added to upstream 0.22.4. + * Several improvements from Micah Anderson: + - Better vim syntax installation process. + - Install Emacs syntax highlighting. + - Install logcheck rules. Closes: #421851. 
+ + -- Matthew Palmer Thu, 3 May 2007 15:04:15 +1000 + +puppet (0.22.4-1) unstable; urgency=low + + * New upstream release. + + -- Matthew Palmer Wed, 2 May 2007 12:20:15 +1000 + +puppet (0.22.3-1) unstable; urgency=low + + * New upstream release. Closes: #415773. + * Switch to using our own logrotate config, and enhance it as per + David Schmitt's suggestions. Closes: #414282. + * Add puppetrun to the puppetmaster package, and actually put puppetdoc + into the puppet package. Closes: #419273. + * Copy vim syntax highlighting file into the puppet package, and add a + stanza to have Vim automatically highlight .pp files. Closes: #412868. + Thanks to David Schmitt for researching how to do all of that. + * Add a templatedir setting to the default puppetmasterd.conf to make it + obvious that it can be changed. Closes: #407506. + + -- Matthew Palmer Wed, 18 Apr 2007 14:03:33 +1000 + +puppet (0.22.1-1) unstable; urgency=low + + * New upstream release. + + -- Matthew Palmer Fri, 2 Feb 2007 09:06:46 +1100 + +puppet (0.22.0-1) unstable; urgency=low + + * New upstream release. + * Use --startas instead of --init in init scripts, which (according to + Paul Hampson) makes checking for already-running instances work. + Closes: #405912. + + -- Matthew Palmer Mon, 8 Jan 2007 08:41:35 +1100 + +puppet (0.20.1-1) unstable; urgency=low + + * New upstream release. (Closes: #387674) + * Rationalise the puppetmasterd init script. + * Add inclusion of /etc/default files for init scripts. (Closes: #388178) + * Add puppet.conf to match puppetd.conf. (Closes: #385646) + + -- Matthew Palmer Thu, 30 Nov 2006 10:54:19 +1100 + +puppet (0.18.4-1) unstable; urgency=low + + * New upstream release. + - Properly detect all services, including those in rcS.d. + (Closes: #378351) + * Add Homepage: to the long description. (Closes: #377896) + + -- Matthew Palmer Mon, 24 Jul 2006 19:46:06 +1000 + +puppet (0.18.3-1) unstable; urgency=low + + * New upstream version. 
+ - Set DEBIAN_FRONTEND=noninteractive when installing Debian packages. + (Closes: #378338) + + -- Matthew Palmer Sun, 16 Jul 2006 10:58:50 +1000 + +puppet (0.18.1-1) unstable; urgency=low + + * Make Puppet not wait for a cert at all (to prevent startup hangs). + * Cleanup the init scripts to not have NO_START detritus. + * Apply puppet.debian-frontend, to set DEBIAN_FRONTEND=noninteractive on + package installation. + + -- Matthew Palmer Tue, 27 Jun 2006 15:05:32 +1000 + +puppet (0.18.0-1) unstable; urgency=low + + * Initial release. (Closes: #348625) + + -- Matthew Palmer Wed, 24 May 2006 13:10:01 +1000 + --- puppet-0.25.4.orig/debian/puppet.init +++ puppet-0.25.4/debian/puppet.init 
@@ -0,0 +1,84 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: puppet
+# Required-Start: $network $named $remote_fs $syslog
+# Required-Stop: $network $named $remote_fs $syslog
+# Should-Start: puppetmaster
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/puppetd
+DAEMON_OPTS=""
+NAME=puppetd
+DESC="puppet configuration management tool"
+PIDFILE="/var/run/puppet/${NAME}.pid"
+
+test -x $DAEMON || exit 0
+
+[ -r /etc/default/puppet ] && . /etc/default/puppet
+
+. /lib/lsb/init-functions
+
+is_true() {
+ if [ "x$1" = "xtrue" -o "x$1" = "xyes" -o "x$1" = "x0" ] ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+reload_puppet() {
+ start-stop-daemon --stop --quiet --signal HUP --pidfile $PIDFILE
+}
+
+start_puppet() {
+ if is_true "$START" ; then
+ start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --startas $DAEMON -- $DAEMON_OPTS
+ else
+ echo ""
+ echo "puppet not configured to start, please edit /etc/default/puppet to enable"
+ fi
+}
+
+stop_puppet() {
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE
+}
+
+status_puppet() {
+ status_of_proc -p "${PIDFILE}" "${DAEMON}" "${NAME}"
+}
+
+case "$1" in
+ start)
+ log_begin_msg "Starting $DESC"
+ start_puppet
+ log_end_msg $?
+ ;;
+ stop)
+ log_begin_msg "Stopping $DESC"
+ stop_puppet
+ log_end_msg $?
+ ;;
+ reload)
+ log_begin_msg "Reloading $DESC"
+ reload_puppet
+ log_end_msg $?
+ ;;
+ status)
+ status_puppet
+ ;;
+ restart|force-reload)
+ log_begin_msg "Restarting $DESC"
+ stop_puppet
+ sleep 1
+ start_puppet
+ log_end_msg $?
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|force-reload|reload}" >&2
+ exit 1
+ ;;
+esac
--- puppet-0.25.4.orig/debian/puppet-el.install
+++ puppet-0.25.4/debian/puppet-el.install
@@ -0,0 +1 @@
+ext/emacs/puppet-mode.el usr/share/emacs/site-lisp
--- puppet-0.25.4.orig/debian/rules
+++ puppet-0.25.4/debian/rules
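Review bot: In debian/puppet.init, `stop_puppet` and `reload_puppet` select the target process from `--pidfile $PIDFILE` alone, so the script, normally run as root, signals whatever PID that file names. debian/puppetmaster.init in this same patch runs `chown puppet:puppet /var/run/puppet`, which puts the pidfile's directory under the unprivileged puppet account, and its own `--stop` calls have the same shape. Adding a process match to the stop and reload calls, e.g. `start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME`, ties the signal to the intended daemon; whether `--name` matches the interpreter-run process should be confirmed on the target system. Separately, `is_true` accepts `0` as true (`"x$1" = "x0"`), so `START=0` in /etc/default/puppet would start the daemon, which looks unintended.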
@@ -0,0 +1,110 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+INSTALL=install -Dp
+
+prefix := $(CURDIR)/debian/tmp
+bindir := $(prefix)/usr/bin
+sbindir := $(prefix)/usr/sbin
+libdir := $(prefix)/usr/lib
+localstatedir := $(prefix)/var
+rubylibdir := $(libdir)/ruby/1.8
+sysconfdir := $(prefix)/etc
+pkgconfdir := $(sysconfdir)/puppet
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ touch configure-stamp
+
+
+build: build-stamp
+build-stamp: configure-stamp
+ dh_testdir
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ rm -f debian/puppet-common.logcheck.ignore.server
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Note sbindir does nothing right now. Leaving in for future
+ # puppet versions where it is respected.
+ $(CURDIR)/install.rb --destdir=debian/tmp --bindir=/usr/bin \
+ --sbindir=/usr/sbin --sitelibdir=/usr/lib/ruby/1.8
+
+ # strip executable bit from all the non-executable files.
+ find debian/tmp/usr/lib/ruby/1.8 -type f -perm /u+x,g+x,o+x -exec chmod a-x {} \;
+ # fix the permissions on all of the directories
+ find debian/tmp/usr/lib/ruby/1.8 -type d -exec chmod 755 {} \;
+
+ # Vim auto-syntax-highlighting stuff
+ $(INSTALL) -m0644 ext/vim/syntax/puppet.vim \
+ $(CURDIR)/debian/vim-puppet/usr/share/vim/addons/syntax/
+ $(INSTALL) -m0644 ext/vim/ftdetect/puppet.vim \
+ $(CURDIR)/debian/vim-puppet/usr/share/vim/addons/ftdetect/
+ $(INSTALL) -m0644 debian/vim-puppet.yaml \
+ $(CURDIR)/debian/vim-puppet/usr/share/vim/registry/
+
+ # Emacs mode
+ $(INSTALL) -m0644 ext/emacs/puppet-mode.el \
+ $(CURDIR)/debian/puppet-el/usr/share/emacs/site-lisp/puppet-mode.el
+
+ # etckeeper integration
+ $(INSTALL) -m0755 debian/etckeeper-commit-pre \
+ $(CURDIR)/debian/puppet/etc/puppet/etckeeper-commit-pre
+ $(INSTALL) -m0755 debian/etckeeper-commit-post \
+ $(CURDIR)/debian/puppet/etc/puppet/etckeeper-commit-post
+
+ dh_installexamples examples/*
+
+ $(INSTALL) -d -m0775 $(pkgconfdir)/templates
+
+ # Logcheck rules. Gee I wish you could specify a file to source
+ # in dh_installlogcheck.
+ ln ext/logcheck/puppet debian/puppet-common.logcheck.ignore.server
+
+# Build architecture-dependent files here.
+binary-arch: build install
+
+# Build architecture-independent files here.
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_install -i
+ rm -f debian/puppet-testsuite/usr/share/puppet-testsuite/test/puppet/tc_suidmanager.rb # remove tc_suidmanager.rb as part of fix for CVE-2012-1053/1054
+ dh_installchangelogs -i CHANGELOG
+ dh_installdocs -i
+ dh_installemacsen
+ dh_installlogcheck
+ dh_installman
+ dh_installinit -ppuppetmaster
+ dh_installinit -ppuppet --error-handler=true -- defaults 21
+ dh_installlogrotate -i
+ dh_compress -i
+ dh_fixperms -i
+ dh_installdeb -i
+ dh_shlibdeps -i
+ dh_gencontrol -i
+ dh_md5sums -i
+ dh_builddeb -i
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
--- puppet-0.25.4.orig/debian/puppet-common.NEWS
+++ puppet-0.25.4/debian/puppet-common.NEWS
@@ -0,0 +1,10 @@
+puppet (0.25.4-2) unstable; urgency=low
+
+ The default location of the puppet template directory has been moved to
+ /etc/puppet/templates from /var/lib/puppet/templates.
+
+ If you use templates in your manifests, please either set "templatedir" in
+ /etc/puppet/puppet.conf to the old location, or move your templates to the new
+ location.
+
+ -- Stig Sandbeck Mathisen Sun, 14 Feb 2010 15:33:30 +0100
--- puppet-0.25.4.orig/debian/puppet-el.dirs
+++ puppet-0.25.4/debian/puppet-el.dirs
@@ -0,0 +1 @@
+usr/share/emacs/site-lisp
--- puppet-0.25.4.orig/debian/puppetmaster.init
+++ puppet-0.25.4/debian/puppetmaster.init
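Review bot: In debian/rules, `$(INSTALL) -d -m0775 $(pkgconfdir)/templates` creates the template directory group-writable, and nothing in this hunk assigns it a dedicated group. Templates in this directory feed the configuration generated for managed hosts, so write access is best kept to the owner unless a specific editing group is intended; the tighter form is `$(INSTALL) -d -m0755 $(pkgconfdir)/templates`. In `binary-indep`, the `rm -f …/tc_suidmanager.rb` line only drops a test file from the package tree and succeeds silently if the path is absent. Its comment cites CVE-2012-1053/1054, so it should also name the patch that carries the actual code fix, which is not visible in this hunk.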
@@ -0,0 +1,125 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: puppetmaster
+# Required-Start: $network $named $remote_fs $syslog
+# Required-Stop: $network $named $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/puppetmasterd
+DAEMON_OPTS=""
+NAME=puppetmasterd
+DESC="puppet configuration management tool master server"
+
+test -x $DAEMON || exit 0
+
+[ -r /etc/default/puppetmaster ] && . /etc/default/puppetmaster
+
+. /lib/lsb/init-functions
+
+if [ ! -d /var/run/puppet ]; then
+ mkdir -p /var/run/puppet
+fi
+
+chown puppet:puppet /var/run/puppet
+
+is_true() {
+ if [ "x$1" = "xtrue" -o "x$1" = "xyes" -o "x$1" = "x0" ] ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+start_puppetmaster() {
+ if is_true "$START" ; then
+ if [ "$SERVERTYPE" = "mongrel" ]
+ then
+ DAEMON_OPTS="$DAEMON_OPTS --servertype=mongrel"
+ NUMSTART=0
+ STARTPORT=$PORT
+ while [ $NUMSTART -lt $PUPPETMASTERS ]; do
+ start-stop-daemon --start --quiet --pidfile=/var/run/puppet/${NAME}-${STARTPORT}.pid \
+ --startas $DAEMON -- $DAEMON_OPTS --masterport=$STARTPORT --pidfile=/var/run/puppet/${NAME}-${STARTPORT}.pid
+ STARTPORT=$(($STARTPORT + 1))
+ NUMSTART=$(($NUMSTART + 1))
+ done
+ else
+ start-stop-daemon --start --quiet --pidfile /var/run/puppet/${NAME}.pid \
+ --startas $DAEMON -- $DAEMON_OPTS --masterport=$PORT
+ fi
+ else
+ echo ""
+ echo "puppetmaster not configured to start, please edit /etc/default/puppetmaster to enable"
+ fi
+}
+
+stop_puppetmaster() {
+ if [ "$SERVERTYPE" = "mongrel" ]
+ then
+ NUMSTART=0
+ STOPPORT=$PORT
+ while [ $NUMSTART -lt $PUPPETMASTERS ]; do
+ start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/puppet/${NAME}-${STOPPORT}.pid
+ rm -f /var/run/puppet/${NAME}-${STOPPORT}.pid
+ STOPPORT=$(($STOPPORT + 1))
+ NUMSTART=$(($NUMSTART + 1))
+ done
+ else
+ start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/puppet/${NAME}.pid
+ fi
+}
+
+status_puppetmaster() {
+ if is_true "$START" ; then
+ if [ "$SERVERTYPE" = "mongrel" ]
+ then
+ NUMSTART=0
+ STARTPORT=$PORT
+ while [ $NUMSTART -lt $PUPPETMASTERS ]; do
+ status_of_proc -p "/var/run/puppet/${NAME}-${STARTPORT}.pid" \
+ "${DAEMON}" "${NAME}-${STARTPORT}"
+ STARTPORT=$(($STARTPORT + 1))
+ NUMSTART=$(($NUMSTART + 1))
+ done
+ else
+ status_of_proc -p "/var/run/puppet/${NAME}.pid" "${DAEMON}" "${NAME}"
+ fi
+ else
+ echo ""
+ echo "puppetmaster not configured to start"
+ fi
+}
+
+
+case "$1" in
+ start)
+ log_begin_msg "Starting $DESC"
+ start_puppetmaster
+ log_end_msg $?
+ ;;
+ stop)
+ log_begin_msg "Stopping $DESC"
+ stop_puppetmaster
+ log_end_msg $?
+ ;;
+ reload)
+ # Do nothing, as Puppetmaster rechecks its config automatically
+ ;;
+ status)
+ status_puppetmaster
+ ;;
+ restart|force-reload)
+ log_begin_msg "Restarting $DESC"
+ stop_puppetmaster
+ sleep 1
+ start_puppetmaster
+ log_end_msg $?
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
--- puppet-0.25.4.orig/debian/puppet-common.manpages
+++ puppet-0.25.4/debian/puppet-common.manpages
@@ -0,0 +1 @@
+man/man5/puppet.conf.5
--- puppet-0.25.4.orig/debian/puppetmaster.dirs
+++ puppet-0.25.4/debian/puppetmaster.dirs
@@ -0,0 +1 @@
+usr/sbin
--- puppet-0.25.4.orig/debian/puppetmaster.install
+++ puppet-0.25.4/debian/puppetmaster.install
@@ -0,0 +1,7 @@
+debian/fileserver.conf etc/puppet
+conf/auth.conf etc/puppet
+ext/puppetlast usr/bin
+debian/tmp/usr/sbin/puppetmasterd usr/sbin
+debian/tmp/usr/sbin/puppetca usr/sbin
+debian/tmp/usr/sbin/puppetrun usr/sbin
+debian/tmp/usr/sbin/puppetqd usr/sbin
--- puppet-0.25.4.orig/debian/copyright
+++ puppet-0.25.4/debian/copyright
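Review bot: In debian/puppetmaster.init, the mongrel branch of `start_puppetmaster` ends its loop body with `NUMSTART=$(($NUMSTART + 1))`, so the function returns that assignment's status and `log_end_msg $?` reports success even when a `start-stop-daemon --start` call failed. Track the status explicitly: `rc=0` before the loop, `|| rc=$?` appended to the `start-stop-daemon` call, and `return $rc` after `done`. The loops also expand `$PORT` and `$PUPPETMASTERS` unquoted, and this script gives neither a default, so a defaults file that sets `SERVERTYPE=mongrel` without them makes `[ $NUMSTART -lt $PUPPETMASTERS ]` error out and nothing starts. Setting fallbacks right after sourcing /etc/default/puppetmaster, e.g. `: ${PORT:=8140}` and a matching one for `PUPPETMASTERS`, would cover that case.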
@@ -0,0 +1,363 @@ +Format-Specification: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=135 +Name: Puppet +Maintainer: + Andrew Pollock , + Micah Anderson , + Nigel Kersten , + Stig Sandbeck Mathisen +Source: git://github.com/reductivelabs/puppet.git, + http://reductivelabs.com/trac/puppet/wiki/DownloadingPuppet + +Copyright: 2005-2010 Reductive Labs, LLC +License: GPL-2+ + +Files: debian/* +Copyright: + Andrew Pollock , + Jamie Wilkinson , + Matthew Palmer , + Micah Anderson , + Nigel Kersten , + Stig Sandbeck Mathisen , + Thom May +License: GPL-2 + +Files: install.rb +Copyright: Austin Ziegler +License: GPL-2+ + +Files: conf/gentoo/init.d/puppet* +Copyright: Gentoo Foundation +License: GPL-2 + +Files: lib/puppet/util/rdoc/generators/template/puppet/puppet.rb +Copyright: The FaerieMUD Consortium. +License: CC-BY-1.0 + This work is licensed under the Creative Commons Attribution License. To view + a copy of this license, visit http://creativecommons.org/licenses/by/1.0/ or + send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California + 94305, USA. + +Files: conf/osx/createpackage.sh +Copyright: Google Inc. +License: Apache + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License + . 
+ On Debian systems, the full text of the Apache License can be found at + "/usr/share/common-licenses/Apache-2.0" + +Files: lib/puppet/external/event-loop/* +Copyright: Daniel Brockman +License: GPL-2+ + +Files: lib/puppet/external/nagios/parser.rb +Copyright: Minero Aoki +License: other + This program is free software. + You can distribute/modify this program under the same terms of ruby. + . + As a special exception, when this code is copied by Racc + into a Racc output file, you may use that output file + without restriction. + +Files: lib/puppet/network/http_server/mongrel.rb +Copyright: Manuel Holtgrewe, Luke Kanies +License: MIT + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. + +Files: lib/puppet/provider/augeas/augeas.rb, lib/puppet/type/augeas.rb +Copyright: Red Hat Inc. +License: GPL-2+ + +Files: lib/puppet/provider/mcx/mcxcontent.rb +Copyright: Jeff McCune +License: GPL-2+ + +Files: lib/puppet/type/mcx.rb, spec/unit/type/mcx.rb +Copyright: Jeffrey J McCune. 
+License: GPL-2+ + +Files: lib/puppet/provider/nameservice/directoryservice.rb +Copyright: Jeff McCune +License: GPL-2 + +Files: lib/puppet/provider/package/pkgdmg.rb +Copyright: Jeff McCune Jeff McCune +License: GPL-2 + +Files: test/ral/providers/service/debian.rb +Copyright: David Schmitt +License: missing + +Files: examples/modules/sample-module/lib/puppet/parser/functions/hostname_to_dn.rb +Copyright: David Schmitt +License: BSD + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the Author nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + . 
+ On Debian systems, the full text of the 3-clause BSD license can be found in + the file "/usr/share/common-licenses/BSD". + +License: GPL-2 + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public License + as published by the Free Software Foundation (version 2 of the License) + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin St, Fifth Floor, Boston MA 02110-1301 USA + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + "/usr/share/common-licenses/GPL-2". + +License: GPL-2+ + This program is free software; you can redistribute it + and/or modify it under the terms of the GNU General Public + License as published by the Free Software Foundation; + either version 2 of the License, or (at your option) any + later version. + . + This file is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty + of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + See the GNU General Public License for more details. + . + You should have received a copy of the GNU General Public + License along with this program; if not, write to the Free + Software Foundation, 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301, USA. + . + On Debian systems, the full text of the GNU General Public + License version 2 can be found in the file + "/usr/share/common-licenses/GPL-2". + +License: CC-BY-1.0 + THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE + COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). 
THE WORK IS PROTECTED BY + COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS + AUTHORIZED UNDER THIS LICENSE IS PROHIBITED. + . + BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE + BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS + CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND + CONDITIONS. + . + 1. Definitions + . + "Collective Work" means a work, such as a periodical issue, anthology or + encyclopedia, in which the Work in its entirety in unmodified form, along with + a number of other contributions, constituting separate and independent works in + themselves, are assembled into a collective whole. A work that constitutes a + Collective Work will not be considered a Derivative Work (as defined below) for + the purposes of this License. "Derivative Work" means a work based upon the + Work or upon the Work and other pre-existing works, such as a translation, + musical arrangement, dramatization, fictionalization, motion picture version, + sound recording, art reproduction, abridgment, condensation, or any other form + in which the Work may be recast, transformed, or adapted, except that a work + that constitutes a Collective Work will not be considered a Derivative Work for + the purpose of this License. + . + "Licensor" means the individual or entity that offers the Work under the terms + of this License. "Original Author" means the individual or entity who created + the Work. + . + "Work" means the copyrightable work of authorship offered under the terms of + this License. "You" means an individual or entity exercising rights under this + License who has not previously violated the terms of this License with respect + to the Work, or who has received express permission from the Licensor to + exercise rights under this License despite a previous violation. + . + 2. Fair Use Rights. 
Nothing in this license is intended to reduce, limit, or + restrict any rights arising from fair use, first sale or other limitations on + the exclusive rights of the copyright owner under copyright law or other + applicable laws. + . + 3. License Grant. Subject to the terms and conditions of this License, Licensor + hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the + duration of the applicable copyright) license to exercise the rights in the + Work as stated below: + . + a. to reproduce the Work, to incorporate the Work into one or more Collective + Works, and to reproduce the Work as incorporated in the Collective Works; + . + b. to create and reproduce Derivative Works; + . + c. to distribute copies or phonorecords of, display publicly, perform publicly, + and perform publicly by means of a digital audio transmission the Work + including as incorporated in Collective Works; + . + d. to distribute copies or phonorecords of, display publicly, perform publicly, + and perform publicly by means of a digital audio transmission Derivative Works; + . + The above rights may be exercised in all media and formats whether now known or + hereafter devised. The above rights include the right to make such + modifications as are technically necessary to exercise the rights in other + media and formats. All rights not expressly granted by Licensor are hereby + reserved. + . + 4. Restrictions. + . + The license granted in Section 3 above is expressly made subject to and limited + by the following restrictions: + . + a. You may distribute, publicly display, publicly perform, or publicly + digitally perform the Work only under the terms of this License, and You must + include a copy of, or the Uniform Resource Identifier for, this License with + every copy or phonorecord of the Work You distribute, publicly display, + publicly perform, or publicly digitally perform. 
You may not offer or impose + any terms on the Work that alter or restrict the terms of this License or the + recipients' exercise of the rights granted hereunder. You may not sublicense + the Work. You must keep intact all notices that refer to this License and to + the disclaimer of warranties. You may not distribute, publicly display, + publicly perform, or publicly digitally perform the Work with any technological + measures that control access or use of the Work in a manner inconsistent with + the terms of this License Agreement. The above applies to the Work as + incorporated in a Collective Work, but this does not require the Collective + Work apart from the Work itself to be made subject to the terms of this + License. If You create a Collective Work, upon notice from any Licensor You + must, to the extent practicable, remove from the Collective Work any reference + to such Licensor or the Original Author, as requested. If You create a + Derivative Work, upon notice from any Licensor You must, to the extent + practicable, remove from the Derivative Work any reference to such Licensor or + the Original Author, as requested. + . + b. If you distribute, publicly display, publicly perform, or publicly digitally + perform the Work or any Derivative Works or Collective Works, You must keep + intact all copyright notices for the Work and give the Original Author credit + reasonable to the medium or means You are utilizing by conveying the name (or + pseudonym if applicable) of the Original Author if supplied; the title of the + Work if supplied; in the case of a Derivative Work, a credit identifying the + use of the Work in the Derivative Work (e.g., "French translation of the Work + by Original Author," or "Screenplay based on original Work by Original + Author"). 
Such credit may be implemented in any reasonable manner; provided, + however, that in the case of a Derivative Work or Collective Work, at a minimum + such credit will appear where any other comparable authorship credit appears + and in a manner at least as prominent as such other comparable authorship + credit. + . + 5. Representations, Warranties and Disclaimer + . + a. By offering the Work for public release under this License, Licensor + represents and warrants that, to the best of Licensor's knowledge after + reasonable inquiry: + . + i. Licensor has secured all rights in the Work necessary to grant the license + rights hereunder and to permit the lawful exercise of the rights granted + hereunder without You having any obligation to pay any royalties, compulsory + license fees, residuals or any other payments; + . + ii. The Work does not infringe the copyright, trademark, publicity rights, common + law rights or any other right of any third party or constitute defamation, + invasion of privacy or other tortious injury to any third party. + . + b. EXCEPT AS EXPRESSLY STATED IN THIS LICENSE OR OTHERWISE AGREED IN WRITING OR + REQUIRED BY APPLICABLE LAW, THE WORK IS LICENSED ON AN "AS IS" BASIS, WITHOUT + WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED INCLUDING, WITHOUT + LIMITATION, ANY WARRANTIES REGARDING THE CONTENTS OR ACCURACY OF THE WORK. + . + 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, + AND EXCEPT FOR DAMAGES ARISING FROM LIABILITY TO A THIRD PARTY RESULTING FROM + BREACH OF THE WARRANTIES IN SECTION 5, IN NO EVENT WILL LICENSOR BE LIABLE TO + YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR + EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF + LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + . + 7. Termination + . + a. 
This License and the rights granted hereunder will terminate automatically + upon any breach by You of the terms of this License. Individuals or entities + who have received Derivative Works or Collective Works from You under this + License, however, will not have their licenses terminated provided such + individuals or entities remain in full compliance with those licenses. Sections + 1, 2, 5, 6, 7, and 8 will survive any termination of this License. + . + b. Subject to the above terms and conditions, the license granted here is + perpetual (for the duration of the applicable copyright in the Work). + Notwithstanding the above, Licensor reserves the right to release the Work + under different license terms or to stop distributing the Work at any time; + provided, however that any such election will not serve to withdraw this + License (or any other license that has been, or is required to be, granted + under the terms of this License), and this License will continue in full force + and effect unless terminated as stated above. + . + 8. Miscellaneous + . + Each time You distribute or publicly digitally perform the Work or a Collective + Work, the Licensor offers to the recipient a license to the Work on the same + terms and conditions as the license granted to You under this License. + . + Each time You distribute or publicly digitally perform a Derivative Work, + Licensor offers to the recipient a license to the original Work on the same + terms and conditions as the license granted to You under this License. + . + If any provision of this License is invalid or unenforceable under applicable + law, it shall not affect the validity or enforceability of the remainder of the + terms of this License, and without further action by the parties to this + agreement, such provision shall be reformed to the minimum extent necessary to + make such provision valid and enforceable. + . 
+ No term or provision of this License shall be deemed waived and no breach + consented to unless such waiver or consent shall be in writing and signed by + the party to be charged with such waiver or consent. + . + This License constitutes the entire agreement between the parties with respect + to the Work licensed here. There are no understandings, agreements or + representations with respect to the Work not specified here. Licensor shall not + be bound by any additional provisions that may appear in any communication from + You. This License may not be modified without the mutual written agreement of + the Licensor and You. --- puppet-0.25.4.orig/debian/puppetmaster.default +++ puppet-0.25.4/debian/puppetmaster.default 
@@ -0,0 +1,36 @@
+# Defaults for puppetmaster - sourced by /etc/init.d/puppetmaster
+
+# Start puppet on boot?
+START=yes
+
+# Startup options
+DAEMON_OPTS=""
+
+# What server type to run
+# Options:
+# webrick (default, cannot handle more than ~30 nodes)
+# mongrel (scales better than webrick because you can run
+# multiple processes if you are getting
+# connection-reset or End-of-file errors, switch to
+# mongrel. Requires front-end web-proxy such as
+# apache, nginx, or pound)
+# See: http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
+SERVERTYPE=webrick
+
+# How many puppetmaster instances to start? Its pointless to set this
+# higher than 1 if you are not using mongrel.
+PUPPETMASTERS=1
+
+# What port should the puppetmaster listen on (default: 8140). If
+# PUPPETMASTERS is set to a number greater than 1, then the port for
+# the first puppetmaster will be set to the port listed below, and
+# further instances will be incremented by one
+#
+# NOTE: if you are using mongrel, then you will need to have a
+# front-end web-proxy (such as apache, nginx, pound) that takes
+# incoming requests on the port your clients are connecting to
+# (default is: 8140), and then passes them off to the mongrel
+# processes. In this case it is recommended to run your web-proxy on
+# port 8140 and change the below number to something else, such as
+# 18140.
+PORT=8140
--- puppet-0.25.4.orig/debian/README.Debian
+++ puppet-0.25.4/debian/README.Debian
@@ -0,0 +1,8 @@
+puppet for Debian
+------------------
+
+The default puppet configuration in Debian will automatically integrate with
+etckeeper if etckeeper is installed. puppet will automatically commit any
+changes made to files in /etc via etckeeper before and after its run.
+
+ -- Mathias Gug Thu, 25 Feb 2010 12:12:37 -0500
--- puppet-0.25.4.orig/debian/puppet.logrotate
+++ puppet-0.25.4/debian/puppet.logrotate
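Review bot: In debian/puppetmaster.default, `START=yes` together with `SERVERTYPE=webrick` brings up a listening master as soon as the package is installed, and the puppet.conf.5 page added later in this patch states that WEBrick binds to 0.0.0.0 by default. The file documents PORT and the proxy layout but says nothing about which interfaces the master listens on. I would add a comment above `PORT=8140` such as `# WEBrick listens on all interfaces by default; set bindaddress in puppet.conf or filter this port if the master should not be reachable from every network.` The mongrel entry in the SERVERTYPE comment also runs two sentences together ("...multiple processes if you are getting connection-reset..."), and `Its pointless` should read `It's pointless`.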
@@ -0,0 +1,11 @@
+/var/log/puppet/*log {
+ missingok
+ create 0644 puppet puppet
+ compress
+ rotate 4
+
+ postrotate
+ [ -e /etc/init.d/puppetmaster ] && /etc/init.d/puppetmaster restart >/dev/null 2>&1 || true
+ [ -e /etc/init.d/puppet ] && /etc/init.d/puppet reload > /dev/null 2>&1 || true
+ endscript
+}
--- puppet-0.25.4.orig/debian/puppet-common.postrm
+++ puppet-0.25.4/debian/puppet-common.postrm
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+case "$1" in
+ purge)
+ # Remove puppetd.conf (used in > 0.24)
+ rm -f /etc/puppet/puppetd.conf
+
+ # Remove puppet state directory created by the postinst script.
+ # This directory can be removed without causing harm
+ # according to upstream documentation.
+ rm -rf /var/lib/puppet/state
+ rmdir --ignore-fail-on-non-empty /var/lib/puppet
+
+ # Remove puppet log files
+ rm -rf /var/log/puppet/
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+
+esac
+
+#DEBHELPER#
+
+exit 0
--- puppet-0.25.4.orig/debian/puppet-common.install
+++ puppet-0.25.4/debian/puppet-common.install
@@ -0,0 +1,2 @@
+debian/puppet.conf etc/puppet
+debian/tmp/usr/lib/ruby/1.8/* usr/lib/ruby/1.8
--- puppet-0.25.4.orig/man/man8/puppet.8
+++ puppet-0.25.4/man/man8/puppet.8
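Review bot: In debian/puppet.logrotate, `create 0644 puppet puppet` recreates every rotated log world-readable. Puppet run logs can carry host, resource and file-change detail (how much depends on settings not visible here), so unless an unprivileged reader needs them I would use `create 0640 puppet puppet`. Separately, the stanza sets no rotation interval and so inherits whatever the global logrotate default is. The postrotate step also does a full `puppetmaster restart` where the agent only gets `reload`; a comment saying why the master needs a restart would help.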
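Review bot: In debian/puppet-common.postrm, the purge branch removes only `/var/lib/puppet/state` and then calls `rmdir --ignore-fail-on-non-empty /var/lib/puppet`, so anything else under that directory silently survives a purge. If the packaged puppet.conf places the SSL directory or the client bucket there (its contents are not visible in this part of the patch), private keys and backed-up file contents would stay on disk after the administrator believes the package is gone. Either remove those directories explicitly on purge or add a comment stating that they are kept on purpose, e.g. `# ssl/ and clientbucket/ are left in place deliberately; remove by hand`. The comment `(used in > 0.24)` also looks inverted for a legacy file and probably means `< 0.24`.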
@@ -2,91 +2,81 @@ .SH NAME \- .\" Man page generated from reStructeredText. - +. .SH SYNOPSIS +.sp Run a stand\-alone +puppet+ manifest. - - .SH USAGE .INDENT 0.0 .INDENT 3.5 .INDENT 0.0 - .TP .B puppet [\-h|\-\-help] [\-V|\-\-version] [\-d|\-\-debug] [\-v|\-\-verbose] [\-e|\-\-execute] +. [\-\-detailed\-exitcodes] [\-l|\-\-logdest ] - .UNINDENT .UNINDENT .UNINDENT - .SH DESCRIPTION +.sp This is the standalone puppet execution tool; use it to execute individual manifests that you write. If you need to execute site\-wide manifests, use +puppetd+ and +puppetmasterd+. - - .SH OPTIONS -Note that any configuration parameter that\'s valid in the configuration -file is also a valid long argument. For example, \'ssldir\' is a valid -configuration parameter, so you can specify \'\-\-ssldir \' as an +.sp +Note that any configuration parameter that\(aqs valid in the configuration +file is also a valid long argument. For example, \(aqssldir\(aq is a valid +configuration parameter, so you can specify \(aq\-\-ssldir \(aq as an argument. - +.sp See the configuration file documentation at \fI\%http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference\fP for the full list of acceptable parameters. A commented list of all configuration options can also be generated by running puppet with -\'\-\-genconfig\'. - +\(aq\-\-genconfig\(aq. +.sp debug: Enable full debugging. - .INDENT 0.0 - .TP .B detailed\-exitcodes: Provide transaction information via exit codes. If -this is enabled, an exit code of \'2\' means there -were changes, and an exit code of \'4\' means that +. +this is enabled, an exit code of \(aq2\(aq means there +were changes, and an exit code of \(aq4\(aq means that there were failures during the transaction. - .UNINDENT +.sp help: Print this help message - .INDENT 0.0 - .TP .B loadclasses: Load any stored classes. +puppetd+ caches configured +. 
classes (usually at /etc/puppet/classes.txt), and setting this option causes all of those classes to be set in your +puppet+ manifest. - - .TP .B logdest: Where to send messages. Choose between syslog, the +. console, and a log file. Defaults to sending messages to the console. - .UNINDENT +.sp execute: Execute a specific piece of Puppet code - +.sp verbose: Print extra information. - - .SH EXAMPLE .INDENT 0.0 .INDENT 3.5 +.sp puppet \-l /tmp/manifest.log manifest.pp - .UNINDENT .UNINDENT - .SH AUTHOR +.sp Luke Kanies - - .SH COPYRIGHT +.sp Copyright (c) 2005 Reductive Labs, LLC Licensed under the GNU Public License - - -.\" Generated by docutils manpage writer on 2009-12-30 19:24. +.\" Generated by docutils manpage writer. .\" +. --- puppet-0.25.4.orig/man/man8/pi.8 +++ puppet-0.25.4/man/man8/pi.8 @@ -2,55 +2,49 @@ .SH NAME \- .\" Man page generated from reStructeredText. - +. .SH SYNOPSIS -Print help about puppet types on the console. Run with \'\-h\' to get +.sp +Print help about puppet types on the console. Run with \(aq\-h\(aq to get detailed help. - - .SH USAGE .INDENT 0.0 .INDENT 3.5 +.sp pi [\-h|\-\-help] [\-s|\-\-short] [\-p|\-\-providers] [\-l|\-\-list] [\-m|\-\-meta] - .UNINDENT .UNINDENT - .SH DESCRIPTION +.sp Prints details of Puppet types, providers and metaparameters on the console. - - .SH OPTIONS +.sp help: Print this help text - +.sp providers: Describe providers in detail for each type - +.sp list: List all types - +.sp meta: List all metaparameters - +.sp short: List only parameters without detail - - .SH EXAMPLE .INDENT 0.0 .INDENT 3.5 +.sp pi \-\-list pi file \-\-providers pi user \-s \-m - .UNINDENT .UNINDENT - .SH AUTHOR +.sp David Lutterkort - - .SH COPYRIGHT +.sp Copyright (c) 2005 Reductive Labs, LLC Licensed under the GNU Public License - - -.\" Generated by docutils manpage writer on 2009-12-30 19:24. +.\" Generated by docutils manpage writer. .\" +. --- puppet-0.25.4.orig/man/man8/ralsh.8 +++ puppet-0.25.4/man/man8/ralsh.8 
@@ -2,127 +2,122 @@ .SH NAME \- .\" Man page generated from reStructeredText. +. +.sp vim: softtabstop=4 shiftwidth=4 expandtab - - .SH SYNOPSIS +.sp Use the Puppet RAL to directly interact with the system. - - .SH USAGE .INDENT 0.0 .INDENT 3.5 .INDENT 0.0 - .TP .B ralsh [\-h|\-\-help] [\-d|\-\-debug] [\-v|\-\-verbose] [\-e|\-\-edit] [\-H|\-\-host ] +. [\-p|\-\-param ] [\-t|\-\-types] type - .UNINDENT .UNINDENT .UNINDENT - .SH DESCRIPTION +.sp This command provides simple facilities for converting current system state into Puppet code, along with some ability to use Puppet to affect the current state. - +.sp By default, you must at least provide a type to list, which case ralsh will tell you everything it knows about all instances of that type. You can optionally specify an instance name, and ralsh will only describe that single instance. - +.sp You can also add +\-\-edit+ as an argument, and ralsh will write its output to a file, open that file in an editor, and then apply the file as a Puppet transaction. You can easily use this to use Puppet to make simple changes to a system. - - .SH OPTIONS -Note that any configuration parameter that\'s valid in the configuration -file is also a valid long argument. For example, \'ssldir\' is a valid -configuration parameter, so you can specify \'\-\-ssldir \' as an +.sp +Note that any configuration parameter that\(aqs valid in the configuration +file is also a valid long argument. For example, \(aqssldir\(aq is a valid +configuration parameter, so you can specify \(aq\-\-ssldir \(aq as an argument. - +.sp See the configuration file documentation at \fI\%http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference\fP for the full list of acceptable parameters. A commented list of all configuration options can also be generated by running puppet with -\'\-\-genconfig\'. - +\(aq\-\-genconfig\(aq. +.sp debug: Enable full debugging. 
- +.sp edit: - .INDENT 0.0 .INDENT 3.5 +.sp Write the results of the query to a file, open the file in an editor, and read the file back in as an executable Puppet manifest. - .UNINDENT .UNINDENT +.sp host: - .INDENT 0.0 .INDENT 3.5 +.sp When specified, connect to the resource server on the named host and retrieve the list of resouces of the type specified. - .UNINDENT .UNINDENT +.sp help: - .INDENT 0.0 .INDENT 3.5 +.sp Print this help message. - .UNINDENT .UNINDENT +.sp param: - .INDENT 0.0 .INDENT 3.5 +.sp Add more parameters to be outputted from queries. - .UNINDENT .UNINDENT +.sp types: - .INDENT 0.0 .INDENT 3.5 +.sp List all available types. - .UNINDENT .UNINDENT +.sp verbose: Print extra information. - - .SH EXAMPLE +.sp This example uses \fBralsh\fP to return Puppet configuration for the user \fBluke\fP: - - +.sp .nf +.ft C $ ralsh user luke -user { \'luke\': - home => \'/home/luke\', - uid => \'100\', - ensure => \'present\', - comment => \'Luke Kanies,,,\', - gid => \'1000\', - shell => \'/bin/bash\', - groups => [\'sysadmin\',\'audio\',\'video\',\'puppet\'] +user { \(aqluke\(aq: + home => \(aq/home/luke\(aq, + uid => \(aq100\(aq, + ensure => \(aqpresent\(aq, + comment => \(aqLuke Kanies,,,\(aq, + gid => \(aq1000\(aq, + shell => \(aq/bin/bash\(aq, + groups => [\(aqsysadmin\(aq,\(aqaudio\(aq,\(aqvideo\(aq,\(aqpuppet\(aq] } +.ft P .fi - .SH AUTHOR +.sp Luke Kanies - - .SH COPYRIGHT +.sp Copyright (c) 2005\-2007 Reductive Labs, LLC Licensed under the GNU Public License - - -.\" Generated by docutils manpage writer on 2009-12-30 19:24. +.\" Generated by docutils manpage writer. .\" +. --- puppet-0.25.4.orig/man/man8/puppetdoc.8 +++ puppet-0.25.4/man/man8/puppetdoc.8 
@@ -2,114 +2,103 @@ .SH NAME \- .\" Man page generated from reStructeredText. - +. .SH SYNOPSIS +.sp Generate a reference for all Puppet types. Largely meant for internal Reductive Labs use. - - .SH USAGE .INDENT 0.0 .INDENT 3.5 .INDENT 0.0 - .TP .B puppetdoc [\-a|\-\-all] [\-h|\-\-help] [\-o|\-\-outputdir ] [\-m|\-\-mode ] +. [\-r|\-\-reference <[type]|configuration|..>] [manifest\-file] - .UNINDENT .UNINDENT .UNINDENT - .SH DESCRIPTION -If mode is not \'rdoc\', then this command generates a restructured\-text +.sp +If mode is not \(aqrdoc\(aq, then this command generates a restructured\-text document describing all installed Puppet types or all allowable arguments to puppet executables. It is largely meant for internal use and is used to generate the reference document available on the Reductive Labs web site. - -In \'rdoc\' mode, this command generates an html RDoc hierarchy describing -the manifests that are in \'manifestdir\' and \'modulepath\' configuration +.sp +In \(aqrdoc\(aq mode, this command generates an html RDoc hierarchy describing +the manifests that are in \(aqmanifestdir\(aq and \(aqmodulepath\(aq configuration directives. The generated documentation directory is doc by default but -can be changed with the \'outputdir\' option. - -If the command is started with \'manifest\-file\' command\-line arguments, +can be changed with the \(aqoutputdir\(aq option. +.sp +If the command is started with \(aqmanifest\-file\(aq command\-line arguments, puppetdoc generate a single manifest documentation that is output on stdout. - - .SH OPTIONS .INDENT 0.0 - .TP -.B all: Output the docs for all of the reference types. In \'rdoc\' +.B all: Output the docs for all of the reference types. In \(aqrdoc\(aq +. modes, this also outputs documentation for all resources - .UNINDENT +.sp help: Print this help message - .INDENT 0.0 - .TP .B outputdir: Specifies the directory where to output the rdoc -documentation in \'rdoc\' mode. - - +. +documentation in \(aqrdoc\(aq mode. 
.TP -.B mode: Determine the output mode. Valid modes are \'text\', \'trac\', -\'pdf\', \'markdown\' and \'rdoc\'. The \'pdf\' and \'markdown\' modes +.B mode: Determine the output mode. Valid modes are \(aqtext\(aq, \(aqtrac\(aq, +. +\(aqpdf\(aq, \(aqmarkdown\(aq and \(aqrdoc\(aq. The \(aqpdf\(aq and \(aqmarkdown\(aq modes create PDF or Markdown formatted files in the /tmp directory. -Note that \'trac\' mode only works on Reductive Labs servers. -The default mode is \'text\'. In \'rdoc\' mode you must provide -\'manifests\-path\' - - +Note that \(aqtrac\(aq mode only works on Reductive Labs servers. +The default mode is \(aqtext\(aq. In \(aqrdoc\(aq mode you must provide +\(aqmanifests\-path\(aq .TP .B reference: Build a particular reference. Get a list of references by +. running +puppetdoc \-\-list+. - .UNINDENT - .SH EXAMPLE .INDENT 0.0 .INDENT 3.5 +.sp $ puppetdoc \-r type > /tmp/type_reference.rst - .UNINDENT .UNINDENT +.sp or - .INDENT 0.0 .INDENT 3.5 +.sp $ puppetdoc \-\-outputdir /tmp/rdoc \-\-mode rdoc /path/to/manifests - .UNINDENT .UNINDENT +.sp or - .INDENT 0.0 .INDENT 3.5 +.sp $ puppetdoc /etc/puppet/manifests/site.pp - .UNINDENT .UNINDENT +.sp or - .INDENT 0.0 .INDENT 3.5 +.sp $ puppetdoc \-m markdown \-r configuration - .UNINDENT .UNINDENT - .SH AUTHOR +.sp Luke Kanies - - .SH COPYRIGHT +.sp Copyright (c) 2005\-2007 Reductive Labs, LLC Licensed under the GNU Public License - - -.\" Generated by docutils manpage writer on 2009-12-30 19:24. +.\" Generated by docutils manpage writer. .\" +. --- puppet-0.25.4.orig/man/man8/filebucket.8 +++ puppet-0.25.4/man/man8/filebucket.8 
@@ -2,120 +2,106 @@ .SH NAME \- .\" Man page generated from reStructeredText. - +. .SH SYNOPSIS +.sp A stand\-alone Puppet filebucket client. - - .SH USAGE .INDENT 0.0 .INDENT 3.5 .INDENT 0.0 - .TP .B filebucket [\-h|\-\-help] [\-V|\-\-version] [\-d|\-\-debug] [\-v|\-\-verbose] +. [\-l|\-\-local] [\-r|\-\-remote] [\-s|\-\-server ] [\-b|\-\-bucket ] ... - .UNINDENT .UNINDENT .UNINDENT - .SH DESCRIPTION +.sp This is a stand\-alone filebucket client for sending files to a local or central filebucket. - - .SH USAGE +.sp This client can operate in three modes, with only one mode per call: - .INDENT 0.0 - .TP .B backup: Send one or more files to the specified file bucket. Each sent +. file is printed with its resulting md5 sum. - - .TP .B get: Return the text associated with an md5 sum. The text is printed +. to stdout, and only one file can be retrieved at a time. - - .TP .B restore: Given a file path and an md5 sum, store the content associated +. with the sum into the specified file path. You can specify an entirely new path to this argument; you are not restricted to restoring the content to its original location. - .UNINDENT +.sp Note that +filebucket+ defaults to using a network\-based filebucket -available on the server named +puppet+. To use this, you\'ll have to be +available on the server named +puppet+. To use this, you\(aqll have to be running as a user with valid Puppet certificates. Alternatively, you can use your local file bucket by specifying +\-\-local+. - - .SH EXAMPLE .INDENT 0.0 .INDENT 3.5 +.sp $ filebucket backup /etc/passwd /etc/passwd: 429b225650b912a2ee067b0a4cf1e949 $ filebucket restore /tmp/passwd 429b225650b912a2ee067b0a4cf1e949 $ - .UNINDENT .UNINDENT - .SH OPTIONS -Note that any configuration parameter that\'s valid in the configuration -file is also a valid long argument. 
For example, \'ssldir\' is a valid -configuration parameter, so you can specify \'\-\-ssldir \' as an +.sp +Note that any configuration parameter that\(aqs valid in the configuration +file is also a valid long argument. For example, \(aqssldir\(aq is a valid +configuration parameter, so you can specify \(aq\-\-ssldir \(aq as an argument. - +.sp See the configuration file documentation at \fI\%http://reductivelabs.com/trac/puppet/wiki/ConfigurationReference\fP for the full list of acceptable parameters. A commented list of all configuration options can also be generated by running puppet with -\'\-\-genconfig\'. - +\(aq\-\-genconfig\(aq. +.sp debug: Enable full debugging. - +.sp help: Print this help message - .INDENT 0.0 - .TP .B local: Use the local filebucket. This will use the default +. configuration information. - - .TP .B remote: Use a remote filebucket. This will use the default +. configuration information. - .UNINDENT +.sp server: The server to send the file to, instead of locally. - +.sp verbose: Print extra information. - +.sp version: Print version information. - - .SH EXAMPLE .INDENT 0.0 .INDENT 3.5 +.sp filebucket \-b /tmp/filebucket /my/file - .UNINDENT .UNINDENT - .SH AUTHOR +.sp Luke Kanies - - .SH COPYRIGHT +.sp Copyright (c) 2005 Reductive Labs, LLC Licensed under the GNU Public License - - -.\" Generated by docutils manpage writer on 2009-12-30 19:24. +.\" Generated by docutils manpage writer. .\" +. --- puppet-0.25.4.orig/man/man5/puppet.conf.5 +++ puppet-0.25.4/man/man5/puppet.conf.5 
@@ -0,0 +1,1469 @@ +.TH CONFIGURATION REFERENCE "" "" "" +.SH NAME +Configuration Reference \- +.\" Man page generated from reStructeredText. +. +.sp +\fBThis page is autogenerated; any changes will get overwritten\fP \fI(last generated on Mon Feb 08 23:57:07 +1100 2010)\fP +.SS Contents +.INDENT 0.0 +.IP \(bu 2 +. +\fI\%Specifying Configuration Parameters\fP +.IP \(bu 2 +. +\fI\%Signals\fP +.IP \(bu 2 +. +\fI\%Configuration Parameter Reference\fP +.UNINDENT +.SH SPECIFYING CONFIGURATION PARAMETERS +.SS On The Command\-Line +.sp +Every Puppet executable (with the exception of \fBpuppetdoc\fP) accepts all of +the parameters below, but not all of the arguments make sense for every executable. +.sp +I have tried to be as thorough as possible in the descriptions of the +arguments, so it should be obvious whether an argument is appropriate or not. +.sp +These parameters can be supplied to the executables either as command\-line +options or in the configuration file. For instance, the command\-line +invocation below would set the configuration directory to \fB/private/puppet\fP: +.sp +.nf +.ft C +$ puppetd \-\-confdir=/private/puppet +.ft P +.fi +.sp +Note that boolean options are turned on and off with a slightly different +syntax on the command line: +.sp +.nf +.ft C +$ puppetd \-\-storeconfigs + +$ puppetd \-\-no\-storeconfigs +.ft P +.fi +.sp +The invocations above will enable and disable, respectively, the storage of +the client configuration. +.SS Configuration Files +.sp +As mentioned above, the configuration parameters can also be stored in a +configuration file, located in the configuration directory. As root, the +default configuration directory is \fB/etc/puppet\fP, and as a regular user, the +default configuration directory is \fB~user/.puppet\fP. As of 0.23.0, all +executables look for \fBpuppet.conf\fP in their configuration directory +(although they previously looked for separate files). 
For example, +\fBpuppet.conf\fP is located at \fB/etc/puppet/puppet.conf\fP as root and +\fB~user/.puppet/puppet.conf\fP as a regular user by default. +.sp +All executables will set any parameters set within the \fBmain\fP section, +while each executable will also look for a section named for the executable +and load those parameters. For example, \fBpuppetd\fP will look for a +section named \fBpuppetd\fP, and \fBpuppetmasterd\fP looks for a section +named \fBpuppetmasterd\fP. This allows you to use a single configuration file +to customize the settings for all of your executables. +.SS File Format +.sp +The file follows INI\-style formatting. Here is an example of a very simple +\fBpuppet.conf\fP file: +.sp +.nf +.ft C +[main] + confdir = /private/puppet + storeconfigs = true +.ft P +.fi +.sp +Note that boolean parameters must be explicitly specified as \fItrue\fP or +\fIfalse\fP as seen above. +.sp +If you need to change file parameters (e.g., reset the mode or owner), do +so within curly braces on the same line: +.sp +.nf +.ft C +[main] + myfile = /tmp/whatever {owner = root, mode = 644} +.ft P +.fi +.sp +If you\(aqre starting out with a fresh configuration, you may wish to let +the executable generate a template configuration file for you by invoking +the executable in question with the \fI\-\-genconfig\fP command. The executable +will print a template configuration to standard output, which can be +redirected to a file like so: +.sp +.nf +.ft C +$ puppetd \-\-genconfig > /etc/puppet/puppet.conf +.ft P +.fi +.sp +Note that this invocation will replace the contents of any pre\-existing +\fIpuppet.conf\fP file, so make a backup of your present config if it contains +valuable information. +.sp +Like the \fI\-\-genconfig\fP argument, the executables also accept a \fI\-\-genmanifest\fP +argument, which will generate a manifest that can be used to manage all of +Puppet\(aqs directories and files and prints it to standard output. 
This can +likewise be redirected to a file: +.sp +.nf +.ft C +$ puppetd \-\-genmanifest > /etc/puppet/manifests/site.pp +.ft P +.fi +.sp +Puppet can also create user and group accounts for itself (one \fIpuppet\fP group +and one \fIpuppet\fP user) if it is invoked as \fIroot\fP with the \fI\-\-mkusers\fP argument: +.sp +.nf +.ft C +$ puppetd \-\-mkusers +.ft P +.fi +.SH SIGNALS +.sp +The \fBpuppetd\fP and \fBpuppetmasterd\fP executables catch some signals for special +handling. Both daemons catch (\fBSIGHUP\fP), which forces the server to restart +tself. Predictably, interrupt and terminate (\fBSIGINT\fP and \fBSIGTERM\fP) will shut +down the server, whether it be an instance of \fBpuppetd\fP or \fBpuppetmasterd\fP. +.sp +Sending the \fBSIGUSR1\fP signal to an instance of \fBpuppetd\fP will cause it to +immediately begin a new configuration transaction with the server. This +signal has no effect on \fBpuppetmasterd\fP. +.SH CONFIGURATION PARAMETER REFERENCE +.sp +Below is a list of all documented parameters. Not all of them are valid with all +Puppet executables, but the executables will ignore any inappropriate values. +.SS async_storeconfigs +.sp +Whether to use a queueing system to provide asynchronous database integration. Requires that \fBpuppetqd\fP be running and that \(aqPSON\(aq support for ruby be installed. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS authconfig +.sp +The configuration file that defines the rights to the different namespaces and methods. This can be used as a coarse\-grained authorization system for both \fBpuppetd\fP and \fBpuppetmasterd\fP. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/namespaceauth.conf +.UNINDENT +.SS autoflush +.sp +Whether log files should always flush to disk. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS autosign +.sp +Whether to enable autosign. 
Valid values are true (which autosigns any key request, and is a very bad idea), false (which never autosigns any key request), and the path to a file, which uses that configuration file to determine which keys to sign. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/autosign.conf +.UNINDENT +.SS bindaddress +.sp +The address a listening server should bind to. Mongrel servers default to 127.0.0.1 and WEBrick defaults to 0.0.0.0. +.SS bucketdir +.sp +Where FileBucket files are stored. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/bucket +.UNINDENT +.SS ca +.sp +Wether the master should function as a certificate authority. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: true +.UNINDENT +.SS ca_days +.sp +How long a certificate should be valid. This parameter is deprecated, use ca_ttl instead +.SS ca_md +.sp +The type of hash used in certificates. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: md5 +.UNINDENT +.SS ca_port +.sp +The port to use for the certificate authority. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $masterport +.UNINDENT +.SS ca_server +.sp +The server to use for certificate authority requests. It\(aqs a separate server because it cannot and does not need to horizontally scale. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $server +.UNINDENT +.SS ca_ttl +.sp +The default TTL for new certificates; valid values must be an integer, optionally followed by one of the units \(aqy\(aq (years of 365 days), \(aqd\(aq (days), \(aqh\(aq (hours), or \(aqs\(aq (seconds). The unit defaults to seconds. If this parameter is set, ca_days is ignored. Examples are \(aq3600\(aq (one hour) and \(aq1825d\(aq, which is the same as \(aq5y\(aq (5 years) +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 5y +.UNINDENT +.SS cacert +.sp +The CA certificate. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/ca_crt.pem +.UNINDENT +.SS cacrl +.sp +The certificate revocation list (CRL) for the CA. Will be used if present but otherwise ignored. +.INDENT 0.0 +.IP \(bu 2 +. 
+\fBDefault\fP: $cadir/ca_crl.pem +.UNINDENT +.SS cadir +.sp +The root directory for the certificate authority. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/ca +.UNINDENT +.SS cakey +.sp +The CA private key. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/ca_key.pem +.UNINDENT +.SS capass +.sp +Where the CA stores the password for the private key +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $caprivatedir/ca.pass +.UNINDENT +.SS caprivatedir +.sp +Where the CA stores private certificate information. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/private +.UNINDENT +.SS capub +.sp +The CA public key. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/ca_pub.pem +.UNINDENT +.SS casesensitive +.sp +Whether matching in case statements and selectors should be case\-sensitive. Case insensitivity is handled by downcasing all values before comparison. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS catalog_format +.sp +(Deprecated for \(aqpreferred_serialization_format\(aq) What format to use to dump the catalog. Only supports \(aqmarshal\(aq and \(aqyaml\(aq. Only matters on the client, since it asks the server for a specific format. +.SS cert_inventory +.sp +A Complete listing of all certificates +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/inventory.txt +.UNINDENT +.SS certdir +.sp +The certificate directory. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/certs +.UNINDENT +.SS certdnsnames +.sp +The DNS names on the Server certificate as a colon\-separated list. If it\(aqs anything other than an empty string, it will be used as an alias in the created certificate. By default, only the server gets an alias set up, and only for \(aqpuppet\(aq. +.SS certname +.sp +The name to use when handling certificates. Defaults to the fully qualified domain name. +.INDENT 0.0 +.IP \(bu 2 +. 
+\fBDefault\fP: absinthe.lovedthanlost.net +.UNINDENT +.SS classfile +.sp +The file in which puppetd stores a list of the classes associated with the retrieved configuration. Can be loaded in the separate \fBpuppet\fP executable using the \fB\-\-loadclasses\fP option. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $statedir/classes.txt +.UNINDENT +.SS clientbucketdir +.sp +Where FileBucket files are stored locally. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/clientbucket +.UNINDENT +.SS clientyamldir +.sp +The directory in which client\-side YAML data is stored. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/client_yaml +.UNINDENT +.SS code +.sp +Code to parse directly. This is essentially only used by \fBpuppet\fP, and should only be set if you\(aqre writing your own Puppet executable +.SS color +.sp +Whether to use colors when logging to the console. Valid values are \fBansi\fP (equivalent to \fBtrue\fP), \fBhtml\fP (mostly used during testing with TextMate), and \fBfalse\fP, which produces no color. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: ansi +.UNINDENT +.SS confdir +.sp +The main Puppet configuration directory. The default for this parameter is calculated based on the user. If the process is runnig as root or the user that \fBpuppetmasterd\fP is supposed to run as, it defaults to a system directory, but if it\(aqs running as any other user, it defaults to being in \fB~\fP. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: /etc/puppet +.UNINDENT +.SS config +.sp +The configuration file for puppetdoc. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/puppet.conf +.UNINDENT +.SS config_version +.sp +How to determine the configuration version. By default, it will be the time that the configuration is parsed, but you can provide a shell script to override how the version is determined. The output of this script will be added to every log message in the reports, allowing you to correlate changes on your hosts to the source version on the server. 
+.SS configprint +.sp +Print the value of a specific configuration parameter. If a parameter is provided for this, then the value is printed and puppet exits. Comma\-separate multiple values. For a list of all values, specify \(aqall\(aq. This feature is only available in Puppet versions higher than 0.18.4. +.SS configtimeout +.sp +How long the client should wait for the configuration to be retrieved before considering it a failure. This can help reduce flapping if too many clients contact the server at one time. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 120 +.UNINDENT +.SS csrdir +.sp +Where the CA stores certificate requests +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/requests +.UNINDENT +.SS daemonize +.sp +Send the process into the background. This is the default. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: true +.UNINDENT +.SS dbadapter +.sp +The type of database to use. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: sqlite3 +.UNINDENT +.SS dblocation +.sp +The database cache for client configurations. Used for querying within the language. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $statedir/clientconfigs.sqlite3 +.UNINDENT +.SS dbmigrate +.sp +Whether to automatically migrate the database. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS dbname +.sp +The name of the database to use. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet +.UNINDENT +.SS dbpassword +.sp +The database password for Client caching. Only used when networked databases are used. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet +.UNINDENT +.SS dbserver +.sp +The database server for Client caching. Only used when networked databases are used. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: localhost +.UNINDENT +.SS dbsocket +.sp +The database socket location. Only used when networked databases are used. Will be ignored if the value is an empty string. +.SS dbuser +.sp +The database user for Client caching. Only used when networked databases are used. 
+.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet +.UNINDENT +.SS diff +.sp +Which diff command to use when printing differences between files. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: diff +.UNINDENT +.SS diff_args +.sp +Which arguments to pass to the diff command when printing differences between files. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: \-u +.UNINDENT +.SS downcasefacts +.sp +Whether facts should be made all lowercase when sent to the server. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS dynamicfacts +.sp +Facts that are dynamic; these facts will be ignored when deciding whether changed facts should result in a recompile. Multiple facts should be comma\-separated. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: memorysize,memoryfree,swapsize,swapfree +.UNINDENT +.SS environment +.sp +The environment Puppet is running in. For clients (e.g., \fBpuppetd\fP) this determines the environment itself, which is used to find modules and much more. For servers (i.e., \fBpuppetmasterd\fP) this provides the default environment for nodes we know nothing about. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: production +.UNINDENT +.SS evaltrace +.sp +Whether each resource should log when it is being evaluated. This allows you to interactively see exactly what is being done. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS external_nodes +.sp +An external command that can produce node information. The output must be a YAML dump of a hash, and that hash must have one or both of \fBclasses\fP and \fBparameters\fP, where \fBclasses\fP is an array and \fBparameters\fP is a hash. For unknown nodes, the commands should exit with a non\-zero exit code. This command makes it straightforward to store your node mapping information in other data sources like databases. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: none +.UNINDENT +.SS factdest +.sp +Where Puppet should store facts that it pulls down from the central server. 
+.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/facts/ +.UNINDENT +.SS factpath +.sp +Where Puppet should look for facts. Multiple directories should be colon\-separated, like normal PATH variables. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/facts/ +.UNINDENT +.SS factsignore +.sp +What files to ignore when pulling down facts. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: .svn CVS +.UNINDENT +.SS factsource +.sp +From where to retrieve facts. The standard Puppet \fBfile\fP type is used for retrieval, so anything that is a valid file source can be used here. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet://$server/facts/ +.UNINDENT +.SS factsync +.sp +Whether facts should be synced with the central server. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS fileserverconfig +.sp +Where the fileserver configuration is stored. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/fileserver.conf +.UNINDENT +.SS filetimeout +.sp +The minimum time to wait (in seconds) between checking for updates in configuration files. This timeout determines how quickly Puppet checks whether a file (such as manifests or templates) has changed on disk. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 15 +.UNINDENT +.SS genconfig +.sp +Whether to just print a configuration to stdout and exit. Only makes sense when used interactively. Takes into account arguments specified on the CLI. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS genmanifest +.sp +Whether to just print a manifest to stdout and exit. Only makes sense when used interactively. Takes into account arguments specified on the CLI. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS graph +.sp +Whether to create dot graph files for the different configuration graphs. These dot files can be interpreted by tools like OmniGraffle or dot (which is part of ImageMagick). +.INDENT 0.0 +.IP \(bu 2 +. 
+\fBDefault\fP: false +.UNINDENT +.SS graphdir +.sp +Where to store dot\-outputted graphs. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $statedir/graphs +.UNINDENT +.SS group +.sp +The group puppetmasterd should run as. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet +.UNINDENT +.SS hostcert +.sp +Where individual hosts store and look for their certificates. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $certdir/$certname.pem +.UNINDENT +.SS hostcrl +.sp +Where the host\(aqs certificate revocation list can be found. This is distinct from the certificate authority\(aqs CRL. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/crl.pem +.UNINDENT +.SS hostcsr +.sp +Where individual hosts store and look for their certificate requests. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/csr_$certname.pem +.UNINDENT +.SS hostprivkey +.sp +Where individual hosts store and look for their private key. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $privatekeydir/$certname.pem +.UNINDENT +.SS hostpubkey +.sp +Where individual hosts store and look for their public key. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $publickeydir/$certname.pem +.UNINDENT +.SS http_proxy_host +.sp +The HTTP proxy host to use for outgoing connections. Note: You may need to use a FQDN for the server hostname when using a proxy. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: none +.UNINDENT +.SS http_proxy_port +.sp +The HTTP proxy port to use for outgoing connections +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 3128 +.UNINDENT +.SS httplog +.sp +Where the puppetd web server logs. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $logdir/http.log +.UNINDENT +.SS ignorecache +.sp +Ignore cache and always recompile the configuration. This is useful for testing new configurations, where the local cache may in fact be stale even if the timestamps are up to date \- if the facts change or if the server changes. +.INDENT 0.0 +.IP \(bu 2 +. 
+\fBDefault\fP: false +.UNINDENT +.SS ignoreimport +.sp +A parameter that can be used in commit hooks, since it enables you to parse\-check a single file rather than requiring that all files exist. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS ignoreschedules +.sp +Boolean; whether puppetd should ignore schedules. This is useful for initial puppetd runs. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS keylength +.sp +The bit length of keys. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 1024 +.UNINDENT +.SS ldapattrs +.sp +The LDAP attributes to include when querying LDAP for nodes. All returned attributes are set as variables in the top\-level scope. Multiple values should be comma\-separated. The value \(aqall\(aq returns all attributes. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: all +.UNINDENT +.SS ldapbase +.sp +The search base for LDAP searches. It\(aqs impossible to provide a meaningful default here, although the LDAP libraries might have one already set. Generally, it should be the \(aqou=Hosts\(aq branch under your main directory. +.SS ldapclassattrs +.sp +The LDAP attributes to use to define Puppet classes. Values should be comma\-separated. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppetclass +.UNINDENT +.SS ldapnodes +.sp +Whether to search for node configurations in LDAP. See \fI\%http://reductivelabs.com/trac/puppet/wiki/LDAPNodes\fP for more information. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS ldapparentattr +.sp +The attribute to use to define the parent node. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: parentnode +.UNINDENT +.SS ldappassword +.sp +The password to use to connect to LDAP. +.SS ldapport +.sp +The LDAP port. Only used if \fBldapnodes\fP is enabled. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 389 +.UNINDENT +.SS ldapserver +.sp +The LDAP server. Only used if \fBldapnodes\fP is enabled. +.INDENT 0.0 +.IP \(bu 2 +. 
+\fBDefault\fP: ldap +.UNINDENT +.SS ldapssl +.sp +Whether SSL should be used when searching for nodes. Defaults to false because SSL usually requires certificates to be set up on the client side. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS ldapstackedattrs +.sp +The LDAP attributes that should be stacked to arrays by adding the values in all hierarchy elements of the tree. Values should be comma\-separated. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppetvar +.UNINDENT +.SS ldapstring +.sp +The search string used to find an LDAP node. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: (&(objectclass=puppetClient)(cn=%s)) +.UNINDENT +.SS ldaptls +.sp +Whether TLS should be used when searching for nodes. Defaults to false because TLS usually requires certificates to be set up on the client side. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS ldapuser +.sp +The user to use to connect to LDAP. Must be specified as a full DN. +.SS lexical +.sp +Whether to use lexical scoping (vs. dynamic). +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS libdir +.sp +An extra search path for Puppet. This is only useful for those files that Puppet will load on demand, and is only guaranteed to work for those cases. In fact, the autoload mechanism is responsible for making sure this directory is in Ruby\(aqs search path +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/lib +.UNINDENT +.SS listen +.sp +Whether puppetd should listen for connections. If this is true, then by default only the \fBrunner\fP server is started, which allows remote authorized and authenticated nodes to connect and trigger \fBpuppetd\fP runs. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS localcacert +.sp +Where each client stores the CA certificate. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $certdir/ca.pem +.UNINDENT +.SS localconfig +.sp +Where puppetd caches the local configuration. 
An extension indicating the cache format is added automatically. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $statedir/localconfig +.UNINDENT +.SS logdir +.sp +The Puppet log directory. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/log +.UNINDENT +.SS manage_internal_file_permissions +.sp +Whether Puppet should manage the owner, group, and mode of files it uses internally +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: true +.UNINDENT +.SS manifest +.sp +The entry\-point manifest for puppetmasterd. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $manifestdir/site.pp +.UNINDENT +.SS manifestdir +.sp +Where puppetmasterd looks for its manifests. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/manifests +.UNINDENT +.SS masterhttplog +.sp +Where the puppetmasterd web server logs. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $logdir/masterhttp.log +.UNINDENT +.SS masterlog +.sp +Where puppetmasterd logs. This is generally not used, since syslog is the default log destination. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $logdir/puppetmaster.log +.UNINDENT +.SS masterport +.sp +Which port puppetmasterd listens on. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 8140 +.UNINDENT +.SS maximum_uid +.sp +The maximum allowed UID. Some platforms use negative UIDs but then ship with tools that do not know how to handle signed ints, so the UIDs show up as huge numbers that can then not be fed back into the system. This is a hackish way to fail in a slightly more useful way when that happens. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 4294967290 +.UNINDENT +.SS mkusers +.sp +Whether to create the necessary user and group that puppetd will run as. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS modulepath +.sp +The search path for modules as a colon\-separated list of directories. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/modules:/usr/share/puppet/modules +.UNINDENT +.SS name +.sp +The name of the service, if we are running as one. 
The default is essentially $0 without the path or \fB.rb\fP. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppetdoc +.UNINDENT +.SS node_name +.sp +How the puppetmaster determines the client\(aqs identity and sets the \(aqhostname\(aq, \(aqfqdn\(aq and \(aqdomain\(aq facts for use in the manifest, in particular for determining which \(aqnode\(aq statement applies to the client. Possible values are \(aqcert\(aq (use the subject\(aqs CN in the client\(aqs certificate) and \(aqfacter\(aq (use the hostname that the client reported in its facts) +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: cert +.UNINDENT +.SS node_terminus +.sp +Where to find information about nodes. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: plain +.UNINDENT +.SS noop +.sp +Whether puppetd should be run in noop mode. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS paramcheck +.sp +Whether to validate parameters during parsing. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: true +.UNINDENT +.SS parseonly +.sp +Just check the syntax of the manifests. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS passfile +.sp +Where puppetd stores the password for its private key. Generally unused. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $privatedir/password +.UNINDENT +.SS path +.sp +The shell search path. Defaults to whatever is inherited from the parent process. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: none +.UNINDENT +.SS pidfile +.sp +The pid file +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $rundir/$name.pid +.UNINDENT +.SS plugindest +.sp +Where Puppet should store plugins that it pulls down from the central server. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $libdir +.UNINDENT +.SS pluginsignore +.sp +What files to ignore when pulling down plugins. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: .svn CVS .git +.UNINDENT +.SS pluginsource +.sp +From where to retrieve plugins. 
The standard Puppet \fBfile\fP type is used for retrieval, so anything that is a valid file source can be used here. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet://$server/plugins +.UNINDENT +.SS pluginsync +.sp +Whether plugins should be synced with the central server. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS postrun_command +.sp +A command to run after every agent run. If this command returns a non\-zero return code, the entire Puppet run will be considered to have failed, even though it might have performed work during the normal run. +.SS preferred_serialization_format +.sp +The preferred means of serializing ruby instances for passing over the wire. This won\(aqt guarantee that all instances will be serialized using this method, since not all classes can be guaranteed to support this format, but it will be used for all classes that support it. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: pson +.UNINDENT +.SS prerun_command +.sp +A command to run before every agent run. If this command returns a non\-zero return code, the entire Puppet run will fail. +.SS privatedir +.sp +Where the client stores private certificate information. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/private +.UNINDENT +.SS privatekeydir +.sp +The private key directory. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/private_keys +.UNINDENT +.SS publickeydir +.sp +The public key directory. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/public_keys +.UNINDENT +.SS puppetdlockfile +.sp +A lock file to temporarily stop puppetd from doing anything. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $statedir/puppetdlock +.UNINDENT +.SS puppetdlog +.sp +The log file for puppetd. This is generally not used. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $logdir/puppetd.log +.UNINDENT +.SS puppetport +.sp +Which port puppetd listens on. +.INDENT 0.0 +.IP \(bu 2 +. 
+\fBDefault\fP: 8139 +.UNINDENT +.SS queue_source +.sp +Which type of queue to use for asynchronous processing. If your stomp server requires authentication, you can include it in the URI as long as your stomp client library is at least 1.1.1 +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: stomp://localhost:61613/ +.UNINDENT +.SS queue_type +.sp +Which type of queue to use for asynchronous processing. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: stomp +.UNINDENT +.SS rails_loglevel +.sp +The log level for Rails connections. The value must be a valid log level within Rails. Production environments normally use \fBinfo\fP and other environments normally use \fBdebug\fP. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: info +.UNINDENT +.SS railslog +.sp +Where Rails\-specific logs are sent +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $logdir/rails.log +.UNINDENT +.SS report +.sp +Whether to send reports after every transaction. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS report_port +.sp +The port to communicate with the report_server. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $masterport +.UNINDENT +.SS report_server +.sp +The server to which to send transaction reports. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $server +.UNINDENT +.SS reportdir +.sp +The directory in which to store reports received from the client. Each client gets a separate subdirectory. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/reports +.UNINDENT +.SS reportfrom +.sp +The \(aqfrom\(aq email address for the reports. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: \fI\%report@absinthe.lovedthanlost.net\fP +.UNINDENT +.SS reports +.sp +The list of reports to generate. All reports are looked for in puppet/reports/.rb, and multiple report names should be comma\-separated (whitespace is okay). +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: store +.UNINDENT +.SS reportserver +.sp +(Deprecated for \(aqreport_server\(aq) The server to which to send transaction reports. 
+.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $server +.UNINDENT +.SS req_bits +.sp +The bit length of the certificates. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 2048 +.UNINDENT +.SS requestdir +.sp +Where host certificate requests are stored. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $ssldir/certificate_requests +.UNINDENT +.SS rest_authconfig +.sp +The configuration file that defines the rights to the different rest indirections. This can be used as a fine\-grained authorization system for \fBpuppetmasterd\fP. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/auth.conf +.UNINDENT +.SS rrddir +.sp +The directory where RRD database files are stored. Directories for each reporting host will be created under this directory. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/rrd +.UNINDENT +.SS rrdinterval +.sp +How often RRD should expect data. This should match how often the hosts report back to the server. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $runinterval +.UNINDENT +.SS rundir +.sp +Where Puppet PID files are kept. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/run +.UNINDENT +.SS runinterval +.sp +How often puppetd applies the client configuration; in seconds. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: 1800 +.UNINDENT +.SS sendmail +.sp +Where to find the sendmail binary with which to send email. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: /usr/sbin/sendmail +.UNINDENT +.SS serial +.sp +Where the serial number for certificates is stored. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/serial +.UNINDENT +.SS server +.sp +The server to which server puppetd should connect +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet +.UNINDENT +.SS servertype +.sp +The type of server to use. Currently supported options are webrick and mongrel. If you use mongrel, you will need a proxy in front of the process or processes, since Mongrel cannot speak SSL. +.INDENT 0.0 +.IP \(bu 2 +. 
+\fBDefault\fP: webrick +.UNINDENT +.SS show_diff +.sp +Whether to print a contextual diff when files are being replaced. The diff is printed on stdout, so this option is meaningless unless you are running Puppet interactively. This feature currently requires the \fBdiff/lcs\fP Ruby library. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS signeddir +.sp +Where the CA stores signed certificates. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $cadir/signed +.UNINDENT +.SS smtpserver +.sp +The server through which to send email reports. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: none +.UNINDENT +.SS splay +.sp +Whether to sleep for a pseudo\-random (but consistent) amount of time before a run. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS splaylimit +.sp +The maximum time to delay before runs. Defaults to being the same as the run interval. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $runinterval +.UNINDENT +.SS ssl_client_header +.sp +The header containing an authenticated client\(aqs SSL DN. Only used with Mongrel. This header must be set by the proxy to the authenticated client\(aqs SSL DN (e.g., \fB/CN=puppet.reductivelabs.com\fP). See \fI\%http://reductivelabs.com/puppet/trac/wiki/UsingMongrel\fP for more information. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: HTTP_X_CLIENT_DN +.UNINDENT +.SS ssl_client_verify_header +.sp +The header containing the status message of the client verification. Only used with Mongrel. This header must be set by the proxy to \(aqSUCCESS\(aq if the client successfully authenticated, and anything else otherwise. See \fI\%http://reductivelabs.com/puppet/trac/wiki/UsingMongrel\fP for more information. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: HTTP_X_CLIENT_VERIFY +.UNINDENT +.SS ssldir +.sp +Where SSL certificates are kept. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/ssl +.UNINDENT +.SS statedir +.sp +The directory where Puppet state is stored. 
Generally, this directory can be removed without causing harm (although it might result in spurious service restarts). +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/state +.UNINDENT +.SS statefile +.sp +Where puppetd and puppetmasterd store state associated with the running configuration. In the case of puppetmasterd, this file reflects the state discovered through interacting with clients. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $statedir/state.yaml +.UNINDENT +.SS storeconfigs +.sp +Whether to store each client\(aqs configuration. This requires ActiveRecord from Ruby on Rails. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS strict_hostname_checking +.sp +Whether to only search for the complete hostname as it is in the certificate when searching for node information in the catalogs. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS summarize +.sp +Whether to print a transaction summary. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS syslogfacility +.sp +What syslog facility to use when logging to syslog. Syslog has a fixed list of valid facilities, and you must choose one of those; you cannot just make one up. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: daemon +.UNINDENT +.SS tagmap +.sp +The mapping between reporting tags and email addresses. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $confdir/tagmail.conf +.UNINDENT +.SS tags +.sp +Tags to use to find resources. If this is set, then only resources tagged with the specified tags will be applied. Values must be comma\-separated. +.SS templatedir +.sp +Where Puppet looks for template files. Can be a list of colon\-seperated directories. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/templates +.UNINDENT +.SS thin_storeconfigs +.sp +Boolean; wether storeconfigs store in the database only the facts and exported resources. 
If true, then storeconfigs performance will be higher and still allow exported/collected resources, but other usage external to Puppet might not work +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS trace +.sp +Whether to print stack traces on some errors +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: false +.UNINDENT +.SS typecheck +.sp +Whether to validate types during parsing. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: true +.UNINDENT +.SS usecacheonfailure +.sp +Whether to use the cached configuration when the remote configuration will not compile. This option is useful for testing new configurations, where you want to fix the broken configuration rather than reverting to a known\-good one. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: true +.UNINDENT +.SS user +.sp +The user puppetmasterd should run as. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: puppet +.UNINDENT +.SS vardir +.sp +Where Puppet stores dynamic and growing data. The default for this parameter is calculated specially, like \fI\%confdir\fP. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: /var/puppet +.UNINDENT +.SS yamldir +.sp +The directory in which YAML data is stored, usually in a subdirectory. +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: $vardir/yaml +.UNINDENT +.SS zlib +.sp +Boolean; whether to use the zlib library +.INDENT 0.0 +.IP \(bu 2 +. +\fBDefault\fP: true +.UNINDENT + +.sp +.ce +---- + +.ce 0 +.sp +.sp +\fIThis page autogenerated on Mon Feb 08 23:57:07 +1100 2010\fP +.\" Generated by docutils manpage writer. +.\" +. --- puppet-0.25.4.orig/test/puppet/tc_suidmanager.rb +++ puppet-0.25.4/test/puppet/tc_suidmanager.rb @@ -11,7 +11,10 @@ include PuppetTest def setup - @user = nonrootuser + the_id = 42 + Puppet::Util::SUIDManager.stubs(:convert_xid).returns(the_id) + Puppet::Util::SUIDManager.stubs(:initgroups) + @user = stub('user', :uid => the_id, :gid => the_id, :name => 'name') super end 
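Review bot: In the new `setup` of tc_suidmanager.rb, `the_id = 42` serves as both `:uid` and `:gid` of the stubbed user and as the single return value of the `convert_xid` stub, so a test that passes `@user.uid, @user.gid` cannot notice the two being swapped or one being used in place of the other. Distinct values would keep that check, e.g. `@user = stub('user', :uid => 42, :gid => 43, :name => 'name')`, with the `convert_xid` stub returning the matching id for each call. A one-line comment saying why the real `nonrootuser` is no longer used here would also help the next reader.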
@@ -39,13 +42,14 @@
 end
 def test_utiluid
- assert_not_equal(nil, Puppet::Util.uid(@user.name))
+ assert_not_equal(nil, Puppet::Util.uid(nonrootuser.name))
 end
 def test_asuser_as_root
 Process.stubs(:uid).returns(0)
 expects_id_set_and_revert @user.uid, @user.gid
 Puppet::Util::SUIDManager.asuser @user.uid, @user.gid do end
+ rescue Errno::EPERM
 end
 def test_asuser_as_nonroot
@@ -96,6 +100,7 @@
 private
 def expects_id_set_and_revert(uid, gid)
+ Process.stubs(:groups=)
 Process.expects(:euid).returns(99997)
 Process.expects(:egid).returns(99996)
--- puppet-0.25.4.orig/test/ral/providers/package.rb
+++ puppet-0.25.4/test/ral/providers/package.rb
@@ -238,6 +238,10 @@
 end
 end
+ def test_dont_complain_if_theres_nothing_to_test
+ assert("sometimes the above metaprogramming fails to find anything to test and the runner complains")
+ end
+
 def modpkg(pkg)
 case pkg[:provider]
 when :sun
--- puppet-0.25.4.orig/test/ral/providers/sshkey/parsed.rb
+++ puppet-0.25.4/test/ral/providers/sshkey/parsed.rb
@@ -32,7 +32,7 @@
 args = {
 :name => name || "/fspuppet%s" % @pcount,
 :key => "thisismykey%s" % @pcount,
- :alias => ["host1.domain.com","192.168.0.1"],
+ :host_aliases => ["host1.domain.com","192.168.0.1"],
 :type => "dss",
 :ensure => :present
 }
@@ -68,11 +68,11 @@
 key.flush
 end
- assert(key.alias, "No alias set for key")
+ assert(key.host_aliases, "No host_aliases set for key")
 hash = key.property_hash.dup
 text = @provider.target_object(file).read
- names = [key.name, key.alias].flatten.join(",")
+ names = [key.name, key.host_aliases].flatten.join(",")
 assert_equal("#{names} #{key.type} #{key.key}\n", text)
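Review bot: The `rescue Errno::EPERM` added at the end of `test_asuser_as_root` covers the whole method body, so when the id switch is refused the test finishes green without having exercised `asuser`. A real regression in privilege switching and a run on an unprivileged build host then look the same in the report. Stubbing the remaining `Process` call that still reaches the kernel would remove the need for the rescue. If it stays, it should carry a comment such as `# EPERM: not running as root; the expectations above are not verified in this case`.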
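Review bot: `Process.stubs(:groups=)` in `expects_id_set_and_revert` (hunk `@@ -96,6 +100,7 @@`) permits the call but does not require it, and `setup` now stubs `SUIDManager.initgroups` as well, so nothing in these tests appears to assert that supplementary groups are changed when the ids are switched. If `asuser` is meant to reset them, an expectation in this helper such as `Puppet::Util::SUIDManager.expects(:initgroups).with(uid)` would keep that covered. The argument shown is a guess, because the rest of the helper and `asuser` itself are outside the hunk.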
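Review bot: `assert("sometimes the above metaprogramming ...")` in the new `test_dont_complain_if_theres_nothing_to_test` (package.rb, `@@ -238,6 +238,10 @@`) passes the string as the condition, so it is always true and the text is never printed. `assert(true, "placeholder: no provider tests were generated")` states the intent, and a comment above the method should say that it exists only so the runner has one test when no provider is suitable. The enclosing class starts outside the hunk.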
@@ -94,12 +94,12 @@ result = @provider.parse_line("one,two type key") end assert_equal("one", result[:name], "Did not call post hook") - assert_equal(%w{two}, result[:alias], "Did not call post hook") + assert_equal(%w{two}, result[:host_aliases], "Did not call post hook") assert_equal("one,two type key", @provider.to_line(:record_type => :parsed, :name => "one", - :alias => %w{two}, + :host_aliases => %w{two}, :type => "type", :key => "key"), "Did not use pre-hook when generating line" --- puppet-0.25.4.orig/test/ral/providers/host/parsed.rb +++ puppet-0.25.4/test/ral/providers/host/parsed.rb @@ -45,7 +45,7 @@ return { :name => "fakehost%s" % @hcount, :ip => "192.168.27.%s" % @hcount, - :alias => ["alias%s" % @hcount], + :host_aliases => ["alias%s" % @hcount], :ensure => :present } end @@ -67,7 +67,7 @@ # Make sure we convert both directlys correctly using a simple host. def test_basic_isomorphism - hash = {:record_type => :parsed, :name => "myhost", :ip => "192.168.43.56", :alias => %w{another host}} + hash = {:record_type => :parsed, :name => "myhost", :ip => "192.168.43.56", :host_aliases => %w{another host}} str = nil assert_nothing_raised do @@ -103,7 +103,7 @@ assert_equal([ {:record_type => :comment, :line => "# comment one"}, {:record_type => :blank, :line => ""}, - {:record_type => :parsed, :name => "myhost", :ip => "192.168.43.56", :alias => %w{another host}}, + {:record_type => :parsed, :name => "myhost", :ip => "192.168.43.56", :host_aliases => %w{another host}}, {:record_type => :blank, :line => " "}, {:record_type => :comment, :line => "# another comment"}, {:record_type => :parsed, :name => "anotherhost", :ip => "192.168.43.57"} 
@@ -150,13 +150,13 @@ } # Remove a single field and make sure it gets tossed - name = host.alias - host.alias = [:absent] + name = host.host_aliases + host.host_aliases = [:absent] assert_nothing_raised { host.flush assert(! file.read.include?(name[0]), - "Did not remove alias from disk") + "Did not remove host_aliases from disk") } # Make sure it throws up if we remove a required field --- puppet-0.25.4.orig/test/ral/type/host.rb +++ puppet-0.25.4/test/ral/type/host.rb @@ -108,7 +108,7 @@ # This was a hard bug to track down. assert_instance_of(String, current_values[host.property(:ip)]) - host[:alias] = %w{madstop kirby yayness} + host[:host_aliases] = %w{madstop kirby yayness} assert_events([:host_changed], host) @@ -117,7 +117,7 @@ } assert_equal(%w{madstop kirby yayness}, - current_values[host.property(:alias)]) + current_values[host.property(:host_aliases)]) host[:ensure] = :absent assert_events([:host_removed], host) @@ -184,13 +184,13 @@ end def test_aliasisproperty - assert_equal(:property, @hosttype.attrtype(:alias)) + assert_equal(:property, @hosttype.attrtype(:host_aliases)) end def test_multivalues host = mkhost assert_raise(Puppet::Error) { - host[:alias] = "puppetmasterd yayness" + host[:host_aliases] = "puppetmasterd yayness" } end --- puppet-0.25.4.orig/test/ral/type/sshkey.rb +++ puppet-0.25.4/test/ral/type/sshkey.rb @@ -116,13 +116,13 @@ end def test_aliasisproperty - assert_equal(:property, @sshkeytype.attrtype(:alias)) + assert_equal(:property, @sshkeytype.attrtype(:host_aliases)) end def test_multivalues key = mkkey assert_raise(Puppet::Error) { - key[:alias] = "puppetmasterd yayness" + key[:host_aliases] = "puppetmasterd yayness" } end --- puppet-0.25.4.orig/test/ral/type/resources.rb +++ puppet-0.25.4/test/ral/type/resources.rb 
@@ -59,70 +59,6 @@ @type = Puppet::Type.type(:resources) end - def test_purge - # Create a purgeable type - mkpurgertype - - purger = nil - assert_nothing_raised do - purger = @type.new :name => "purgetest", :noop => true, :loglevel => :warning - end - assert(purger, "did not get purger manager") - add_purge_lister() - - assert_equal($purgemembers.values.sort, @purgetype.instances.sort) - - # and it should now succeed - assert_nothing_raised do - purger[:purge] = true - end - assert(purger.purge?, "purge boolean was not enabled") - - # Okay, now let's try doing some purging, yo - managed = [] - unmanned = [] - 3.times { managed << mk_purger(true) } # 3 managed - 3.times { unmanned << mk_purger(false) } # 3 unmanaged - - managed.each do |m| - assert(m.managed?, "managed resource was not considered managed") - end - unmanned.each do |u| - assert(! u.managed?, "unmanaged resource was considered managed") - end - - # First make sure we get nothing back when purge is false - genned = nil - purger[:purge] = false - assert_nothing_raised do - genned = purger.generate - end - assert_equal([], genned, "Purged even when purge is false") - - # Now make sure we can purge - purger[:purge] = true - assert_nothing_raised do - genned = purger.generate - end - assert(genned, "Did not get any generated resources") - - genned.each do |res| - assert(res.purging, "did not mark resource for purging") - end - assert(! genned.empty?, "generated resource list was empty") - - # Now make sure the generate method only finds the unmanaged resources - assert_equal(unmanned.collect { |r| r.title }.sort, genned.collect { |r| r.title }, - "Did not return correct purge list") - - # Now make sure our metaparams carried over - genned.each do |res| - [:noop, :loglevel].each do |param| - assert_equal(purger[param], res[param], "metaparam %s did not carry over" % param) - end - end - end - # Part of #408. def test_check # First check a non-user 
@@ -173,19 +109,5 @@ end end - # The other half of #408. - def test_check_is_called - res = Puppet::Type.type(:resources).new :name => :user, :purge => true - - list = nil - assert_nothing_raised { list = res.generate } - - assert(! list.empty?, "did not get any users") - - bad = list.find_all { |u| - %w{root bin nobody}.include?(u[:name]) or (cv = u.retrieve and cv[u.property(:uid)] < 500) - } - assert(bad.empty?, "incorrectly passed users %s" % bad.collect { |u| u[:name]}.join(", ")) - end end --- puppet-0.25.4.orig/test/ral/type/file.rb +++ puppet-0.25.4/test/ral/type/file.rb @@ -978,25 +978,4 @@ assert_equal("/", obj.title, "/ directory was changed to empty string") end - # #1010 and #1037 -- write should fail if the written checksum does not - # match the file we thought we were writing. - def test_write_validates_checksum - file = tempfile - inst = Puppet::Type.newfile(:path => file, :content => "something") - - tmpfile = file + ".puppettmp" - - wh = mock 'writehandle', :print => nil - rh = mock 'readhandle' - rh.expects(:read).with(4096).times(2).returns("other").then.returns(nil) - File.expects(:open).with { |*args| args[0] == tmpfile and args[1] != "r" }.yields(wh) - File.expects(:open).with { |*args| args[0] == tmpfile and args[1] == "r" }.yields(rh) - - File.stubs(:rename) - FileTest.stubs(:exist?).returns(true) - FileTest.stubs(:file?).returns(true) - - inst.expects(:fail) - inst.write("something", :whatever) - end end --- puppet-0.25.4.orig/test/lib/puppettest/support/utils.rb +++ puppet-0.25.4/test/lib/puppettest/support/utils.rb @@ -154,11 +154,12 @@ module PuppetTest include PuppetTest::Support::Utils - def self.fakedata(dir,pat='*') + def fakedata(dir,pat='*') glob = "#{basedir}/test/#{dir}/#{pat}" files = Dir.glob(glob,File::FNM_PATHNAME) raise Puppet::DevError, "No fakedata matching #{glob}" if files.empty? files end + module_function :fakedata end --- puppet-0.25.4.orig/test/other/transactions.rb +++ puppet-0.25.4/test/other/transactions.rb 
@@ -368,7 +368,7 @@ # 'subscribe' expects an array of arrays #component[:require] = [[file.class.name,file.name]] - ecomp[:subscribe] = fcomp + ecomp[:subscribe] = fcomp.ref exec[:refreshonly] = true trans = assert_events([], config) --- puppet-0.25.4.orig/test/util/settings.rb +++ puppet-0.25.4/test/util/settings.rb @@ -463,7 +463,7 @@ def test_correct_type_assumptions file = Puppet::Util::Settings::FileSetting - element = Puppet::Util::Settings::Setting + setting = Puppet::Util::Settings::Setting bool = Puppet::Util::Settings::BooleanSetting # We have to keep these ordered, unfortunately. @@ -472,8 +472,8 @@ ["true", bool], [true, bool], ["false", bool], - ["server", element], - ["http://$server/yay", element], + ["server", setting], + ["http://$server/yay", setting], ["$server/yayness", file], ["$server/yayness.conf", file] ].each do |ary| @@ -483,7 +483,7 @@ assert_nothing_raised { config.setdefaults(:yayness, name => { :default => value, :desc => name.to_s}) } - elem = config.element(name) + elem = config.setting(name) assert_instance_of(type, elem, "%s got created as wrong type" % value.inspect) @@ -529,7 +529,7 @@ assert_nothing_raised do config.setdefaults :test, :blocktest => {:default => "yay", :desc => "boo", :hook => proc { |value| testing = value }} end - elem = config.element(:blocktest) + elem = config.setting(:blocktest) assert_nothing_raised do assert_equal("yay", elem.value) @@ -578,7 +578,7 @@ :mydir => {:default => tempfile(), :mode => 0644, :owner => "root", - :group => "root", + :group => "service", :desc => "yay" }, :mkusers => [false, "yay"] --- puppet-0.25.4.orig/test/network/handler/fileserver.rb +++ puppet-0.25.4/test/network/handler/fileserver.rb 
@@ -947,12 +947,16 @@ end # Now, check that they use Facter info - Puppet.notice "The following messages are normal" client = nil - Facter.stubs(:value).with(:ipaddress).returns("127.0.0.1") Facter.stubs(:value).with { |v| v.to_s == "hostname" }.returns("myhost") Facter.stubs(:value).with { |v| v.to_s == "domain" }.returns("mydomain.com") - Facter.stubs(:value).with(:domain).returns("mydomain.com") + + Facter.stubs(:to_hash).returns({ + :ipaddress => "127.0.0.1", + :hostname => "myhost", + :domain => "mydomain.com", + }) + {"%h" => "myhost", # Short name "%H" => "myhost.mydomain.com", # Full name @@ -979,13 +983,15 @@ # When mocks attack, part 2 kernel_fact = Facter.value(:kernel) - Facter.stubs(:value).with(:kernel).returns(kernel_fact) - Facter.stubs(:value).with(:ipaddress).returns("127.0.0.1") - Facter.stubs(:value).with { |v| v.to_s == "hostname" }.returns("myhost") - Facter.stubs(:value).with { |v| v.to_s == "domain" }.returns("mydomain.com") - Facter.stubs(:value).with(:domain).returns("mydomain.com") - ip = Facter.value(:ipaddress) + ip = '127.0.0.1' + + Facter.stubs(:to_hash).returns({ + :kernel => kernel_fact, + :ipaddress => "127.0.0.1", + :hostname => "myhost", + :domain => "mydomain.com", + }) Dir.mkdir(dir) host = "myhost.mydomain.com" --- puppet-0.25.4.orig/ext/puppetlast +++ puppet-0.25.4/ext/puppetlast @@ -1,4 +1,4 @@ -#!/usr/bin/env ruby +#!/usr/bin/ruby1.8 # Puppetlast, a script to output the last check-in time of nodes. Also outputs the cached configuration state, if expired or not. # # AJ "Fujin" Christensen --- puppet-0.25.4.orig/lib/puppet/defaults.rb +++ puppet-0.25.4/lib/puppet/defaults.rb 
@@ -222,9 +222,21 @@ to the fully qualified domain name.", :call_on_define => true, # Call our hook with the default value, so we're always downcased :hook => proc { |value| raise(ArgumentError, "Certificate names must be lower case; see #1168") unless value == value.downcase }}, - :certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list. - If it's anything other than an empty string, it will be used as an alias in the created - certificate. By default, only the server gets an alias set up, and only for 'puppet'."], + :certdnsnames => {:default => '', + :desc => "The DNS names on the Server certificate as a + colon-separated list. If it's anything other than an empty string, + it will be used as an alias in the created certificate. By + default, only the server gets an alias set up, and only for + 'puppet'.", + :hook => proc { |value| + msg = < { :default => "$ssldir/certs", :owner => "service", --- puppet-0.25.4.orig/lib/puppet/indirector.rb +++ puppet-0.25.4/lib/puppet/indirector.rb @@ -31,7 +31,13 @@ @indirection end - module ClassMethods + # Helper definition for indirections that handle filenames. + BadNameRegexp = Regexp.union(/^\.\./, + %r{[\\/]}, + "\0", + /(?i)^[a-z]:/) + + module ClassMethods attr_reader :indirection def cache_class=(klass) --- puppet-0.25.4.orig/lib/puppet/daemon.rb +++ puppet-0.25.4/lib/puppet/daemon.rb @@ -32,7 +32,7 @@ Puppet::Util::Log.reopen rescue => detail Puppet.err "Could not start %s: %s" % [Puppet[:name], detail] - Puppet::Util::secure_open("/tmp/daemonout", "w") { |f| + Puppet::Util::replace_file("/tmp/daemonout", 0644) { |f| f.puts "Could not start %s: %s" % [Puppet[:name], detail] } exit(12) --- puppet-0.25.4.orig/lib/puppet/sslcertificates.rb +++ puppet-0.25.4/lib/puppet/sslcertificates.rb 
@@ -57,16 +57,7 @@ key_usage = %w{cRLSign keyCertSign} when :server basic_constraint = "CA:FALSE" - dnsnames = Puppet[:certdnsnames] name = hash[:name].to_s.sub(%r{/CN=},'') - if dnsnames != "" - dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d } - subject_alt_name << 'DNS:' + name # Add the fqdn as an alias - elsif name == Facter.value(:fqdn) # we're a CA server, and thus probably the server - subject_alt_name << 'DNS:' + "puppet" # Add 'puppet' as an alias - subject_alt_name << 'DNS:' + name # Add the fqdn as an alias - subject_alt_name << 'DNS:' + name.sub(/^[^.]+./, "puppet.") # add puppet.domain as an alias - end key_usage = %w{digitalSignature keyEncipherment} ext_key_usage = %w{serverAuth clientAuth emailProtection} when :ocsp --- puppet-0.25.4.orig/lib/puppet/util.rb +++ puppet-0.25.4/lib/puppet/util.rb @@ -1,8 +1,10 @@ # A module to collect utility functions. - require 'puppet/util/monkey_patches' -require 'sync' require 'puppet/external/lock' +require 'sync' +require 'monitor' +require 'tempfile' +require 'pathname' module Puppet # A command failed to execute. 
@@ -28,40 +30,24 @@ # Change the process to a different user def self.chuser if group = Puppet[:group] - group = self.gid(group) - unless group - raise Puppet::Error, "No such group %s" % Puppet[:group] - end - unless Puppet::Util::SUIDManager.gid == group - begin - Puppet::Util::SUIDManager.egid = group - Puppet::Util::SUIDManager.gid = group - rescue => detail - Puppet.warning "could not change to group %s: %s" % - [group.inspect, detail] - $stderr.puts "could not change to group %s" % group.inspect - - # Don't exit on failed group changes, since it's - # not fatal - #exit(74) - end + begin + Puppet::Util::SUIDManager.change_group(group, true) + rescue => detail + Puppet.warning "could not change to group #{group.inspect}: #{detail}" + $stderr.puts "could not change to group #{group.inspect}" + + # Don't exit on failed group changes, since it's + # not fatal + #exit(74) end end if user = Puppet[:user] - user = self.uid(user) - unless user - raise Puppet::Error, "No such user %s" % Puppet[:user] - end - unless Puppet::Util::SUIDManager.uid == user - begin - Puppet::Util::SUIDManager.initgroups(user) - Puppet::Util::SUIDManager.uid = user - Puppet::Util::SUIDManager.euid = user - rescue => detail - $stderr.puts "Could not change to user %s: %s" % [user, detail] - exit(74) - end + begin + Puppet::Util::SUIDManager.change_user(user, true) + rescue => detail + $stderr.puts "Could not change to user #{user}: #{detail}" + exit(74) end end end @@ -188,10 +174,10 @@ if bin =~ /^\// return bin if FileTest.file? bin and FileTest.executable? bin else - ENV['PATH'].split(File::PATH_SEPARATOR).each do |dir| - dest=File.join(dir, bin) - return dest if FileTest.file? dest and FileTest.executable? dest - end + ENV['PATH'].split(File::PATH_SEPARATOR).each do |dir| + dest=File.join(dir, bin) + return dest if FileTest.file? dest and FileTest.executable? dest + end end return nil end @@ -215,7 +201,6 @@ end end - return output end def execfail(command, exception) 
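Review bot: In `chuser`, an unknown or unresolvable group is now downgraded to a warning, because `change_group` raises `Puppet::Error` inside the new `begin`/`rescue`, whereas the removed code raised "No such group" before the rescue was reached. The user change below still runs, so the process can end up with the new uid while keeping the gid it started with. If that is not intended, re-raise lookup failures as the first line of the group `rescue`, e.g. `raise if detail.is_a?(Puppet::Error)`. Otherwise, extend the comment beside `#exit(74)` to say that the daemon may continue under its original group.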
@@ -249,13 +234,6 @@ Puppet.debug "Executing '%s'" % str end - if arguments[:uid] - arguments[:uid] = Puppet::Util::SUIDManager.convert_xid(:uid, arguments[:uid]) - end - if arguments[:gid] - arguments[:gid] = Puppet::Util::SUIDManager.convert_xid(:gid, arguments[:gid]) - end - @@os ||= Facter.value(:operatingsystem) output = nil child_pid, child_status = nil @@ -267,7 +245,6 @@ output_file="/dev/null" error_file="/dev/null" if ! arguments[:squelch] - require "tempfile" output_file = Tempfile.new("puppet") if arguments[:combine] error_file=output_file @@ -294,14 +271,8 @@ $stderr.reopen(error_file) 3.upto(256){|fd| IO::new(fd).close rescue nil} - if arguments[:gid] - Process.egid = arguments[:gid] - Process.gid = arguments[:gid] unless @@os == "Darwin" - end - if arguments[:uid] - Process.euid = arguments[:uid] - Process.uid = arguments[:uid] unless @@os == "Darwin" - end + Puppet::Util::SUIDManager.change_privileges(arguments[:uid], arguments[:gid], true) + ENV['LANG'] = ENV['LC_ALL'] = ENV['LC_MESSAGES'] = ENV['LANGUAGE'] = 'C' if command.is_a?(Array) Kernel.exec(*command) 
@@ -418,32 +389,85 @@ yield } - return seconds end module_function :memory, :thinmark - def secure_open(file,must_be_w,&block) - raise Puppet::DevError,"secure_open only works with mode 'w'" unless must_be_w == 'w' - raise Puppet::DevError,"secure_open only requires a block" unless block_given? - Puppet.warning "#{file} was a symlink to #{File.readlink(file)}" if File.symlink?(file) - if File.exists?(file) or File.symlink?(file) - wait = File.symlink?(file) ? 5.0 : 0.1 - File.delete(file) - sleep wait # give it a chance to reappear, just in case someone is actively trying something. - end + # Replace a file, securely. This takes a block, and passes it the file + # handle of a file open for writing. Write the replacement content inside + # the block and it will safely replace the target file. + # + # This method will make no changes to the target file until the content is + # successfully written and the block returns without raising an error. + # + # As far as possible the state of the existing file, such as mode, is + # preserved. This works hard to avoid loss of any metadata, but will result + # in an inode change for the file. + # + # Arguments: `filename`, `default_mode` + # + # The filename is the file we are going to replace. + # + # The default_mode is the mode to use when the target file doesn't already + # exist; if the file is present we copy the existing mode value across. + def replace_file(file, default_mode, &block) + raise Puppet::DevError, "replace_file requires a block" unless block_given? + + file = Pathname(file) + tempfile = Tempfile.new(file.basename.to_s, file.dirname.to_s) + + file_exists = file.exist? + + # If the file exists, use its current mode/owner/group. If it doesn't, use + # the supplied mode, and default to current user/group. + if file_exists + stat = file.lstat + + # We only care about the four lowest-order octets. Higher octets are + # filesystem-specific. 
+ mode = stat.mode & 07777 + uid = stat.uid + gid = stat.gid + else + mode = default_mode + uid = Process.euid + gid = Process.egid + end + + # Set properties of the temporary file before we write the content, because + # Tempfile doesn't promise to be safe from reading by other people, just + # that it avoids races around creating the file. + tempfile.chmod(mode) + tempfile.chown(uid, gid) + + # OK, now allow the caller to write the content of the file. + yield tempfile + + # Now, make sure the data (which includes the mode) is safe on disk. + tempfile.flush begin - File.open(file,File::CREAT|File::EXCL|File::TRUNC|File::WRONLY,&block) - rescue Errno::EEXIST - desc = File.symlink?(file) ? "symlink to #{File.readlink(file)}" : File.stat(file).ftype - puts "Warning: #{file} was apparently created by another process (as" - puts "a #{desc}) as soon as it was deleted by this process. Someone may be trying" - puts "to do something objectionable (such as tricking you into overwriting system" - puts "files if you are running as root)." - raise + tempfile.fsync + rescue NotImplementedError + # fsync may not be implemented by Ruby on all platforms, but + # there is absolutely no recovery path if we detect that. So, we just + # ignore the return code. + # + # However, don't be fooled: that is accepting that we are running in + # an unsafe fashion. If you are porting to a new platform don't stub + # that out. end + + tempfile.close + + File.rename(tempfile.path, file) + + # Ideally, we would now fsync the directory as well, but Ruby doesn't + # have support for that, and it doesn't matter /that/ much... + + # Return something true, and possibly useful. + file end - module_function :secure_open + module_function :replace_file end end --- puppet-0.25.4.orig/lib/puppet/indirector/yaml.rb +++ puppet-0.25.4/lib/puppet/indirector/yaml.rb 
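Review bot: `replace_file` tests for the target with `file.exist?`, which follows symlinks, but then copies mode and owner from `file.lstat`, which does not. When the target is a link to an existing file, the temporary file is given the link's own metadata (on Linux a link reports mode 0777 and the uid of its creator) and is then renamed over the link. For the fixed `/tmp` names other hunks in this patch pass in, a pre-existing link would therefore decide the owner and mode of the file that gets written. Treating a link as absent for metadata purposes avoids that while still replacing it: `file_exists = file.exist? && !file.symlink?`.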
@@ -50,6 +50,11 @@ # Return the path to a given node's file. def path(name) + if name =~ Puppet::Indirector::BadNameRegexp then + Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}") + raise ArgumentError, "invalid key" + end + File.join(base, self.class.indirection_name.to_s, name.to_s + ".yaml") end --- puppet-0.25.4.orig/lib/puppet/indirector/ssl_file.rb +++ puppet-0.25.4/lib/puppet/indirector/ssl_file.rb @@ -54,6 +54,11 @@ # Use a setting to determine our path. def path(name) + if name =~ Puppet::Indirector::BadNameRegexp then + Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}") + raise ArgumentError, "invalid key" + end + if ca?(name) and ca_location ca_location elsif collection_directory --- puppet-0.25.4.orig/lib/puppet/application/ralsh.rb +++ puppet-0.25.4/lib/puppet/application/ralsh.rb @@ -119,18 +119,25 @@ end.compact.join("\n") if options[:edit] - file = "/tmp/x2puppet-#{Process.pid}.pp" + require 'tempfile' + # Prefer the current directory, which is more likely to be secure + # and, in the case of interactive use, accessible to the user. + tmpfile = Tempfile.new('x2puppet', Dir.pwd) begin - File.open(file, "w") do |f| - f.puts text - end - ENV["EDITOR"] ||= "vi" - system(ENV["EDITOR"], file) - system("puppet -v " + file) + # sync write, so nothing buffers before we invoke the editor. + tmpfile.sync = true + tmpfile.puts text + + # edit the content + system(ENV["EDITOR"] || 'vi', tmpfile.path) + + # ...and, now, pass that file to puppet to apply. Because + # many editors rename or replace the original file we need to + # feed the pathname, not the file content itself, to puppet. + system('puppet -v ' + tmpfile.path) ensure - #if FileTest.exists? file - # File.unlink(file) - #end + # The temporary file will be safely removed. + tmpfile.close(true) end else puts text --- puppet-0.25.4.orig/lib/puppet/provider/service/init.rb +++ puppet-0.25.4/lib/puppet/provider/service/init.rb 
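Review bot: The new guard in `path` matches `name` itself against `BadNameRegexp`, while the yaml.rb version builds the filename from `name.to_s` a few lines later. On Ruby 1.8, which this package targets, `=~` on a non-String such as a Symbol falls back to `Object#=~` and never matches, so such a key would skip the check. Matching the converted value closes that gap: `if name.to_s =~ Puppet::Indirector::BadNameRegexp then`. The ssl_file.rb hunk that follows adds the same guard and would take the same change; both `path` methods continue outside their hunks.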
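Review bot: The apply step in the `options[:edit]` branch of ralsh.rb still goes through a shell via `system('puppet -v ' + tmpfile.path)`. The path now begins with `Dir.pwd` rather than a fixed `/tmp` name, so a working directory whose name contains spaces or shell metacharacters changes what the shell runs. The editor call just above already uses the list form, and doing the same here keeps the path a single argument: `system('puppet', '-v', tmpfile.path)`.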
@@ -134,7 +134,15 @@ # we just return that; otherwise, we return false, which causes it to # fallback to other mechanisms. def statuscmd - (@resource[:hasstatus] == :true) && [initscript, :status] + if @resource[:hasstatus] == :true then + # Workaround the fact that initctl status command doesn't return + # proper exit codes. Can be removed once LP: #552786 is fixed. + if File.symlink?(initscript) && File.readlink(initscript) == "/lib/init/upstart-job" then + ['sh', '-c', "LANG=C invoke-rc.d #{File::basename(initscript)} status | grep -q '^#{File::basename(initscript)}.*running'" ] + else + [initscript, :status ] + end + end end end --- puppet-0.25.4.orig/lib/puppet/provider/ssh_authorized_key/parsed.rb +++ puppet-0.25.4/lib/puppet/provider/ssh_authorized_key/parsed.rb 
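Review bot: In `statuscmd`, `File::basename(initscript)` is interpolated twice into the `sh -c` string, unquoted as the `invoke-rc.d` argument and again inside the grep pattern, so a script name containing shell metacharacters is not taken literally. Passing it as a positional parameter keeps it out of the shell source: `['sh', '-c', 'LANG=C invoke-rc.d "$1" status | grep -q "^$1.*running"', 'sh', File.basename(initscript)]`. The pattern still treats the name as a regex and also matches a longer job name with the same prefix, so a delimiter after the name would help once the exact status output format is confirmed. The comment above the method still promises `false` when `hasstatus` is not `:true`, but the new `if` without an `else` yields `nil`, so the comment should say so.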
@@ -62,36 +62,24 @@ end def flush - # As path expansion had to be moved in the provider, we cannot generate new file - # resources and thus have to chown and chmod here. It smells hackish. - - # Create target's parent directory if nonexistant - if target - dir = File.dirname(target) - if not File.exist? dir - Puppet.debug("Creating directory %s which did not exist" % dir) - Dir.mkdir(dir, dir_perm) - end + raise Puppet::Error, "Cannot write SSH authorized keys without user" unless user + raise Puppet::Error, "User '#{user}' does not exist" unless uid = Puppet::Util.uid(user) + # ParsedFile usually calls backup_target much later in the flush process, + # but our SUID makes that fail to open filebucket files for writing. + # Fortunately, there's already logic to make sure it only ever happens once, + # so calling it here supresses the later attempt by our superclass's flush method. + self.class.backup_target(target) + + Puppet::Util::SUIDManager.asuser(@resource.should(:user)) do + unless File.exist?(dir = File.dirname(target)) + Puppet.debug "Creating #{dir}" + Dir.mkdir(dir, dir_perm) end - # Generate the file super - # Ensure correct permissions - if target and user - uid = Puppet::Util.uid(user) - - if uid - File.chown(uid, nil, dir) - File.chown(uid, nil, target) - else - raise Puppet::Error, "Specified user does not exist" - end - end - - if target - File.chmod(file_perm, target) - end + File.chmod(file_perm, target) + end end # parse sshv2 option strings, wich is a comma separated list of --- puppet-0.25.4.orig/lib/puppet/provider/user/user_role_add.rb +++ puppet-0.25.4/lib/puppet/provider/user/user_role_add.rb @@ -1,3 +1,4 @@ +require 'puppet/util' require 'puppet/util/user_attr' Puppet::Type.type(:user).provide :user_role_add, :parent => :useradd do 
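Review bot: `flush` validates one value and drops privileges with another: the guards use `user` and assign `uid`, which is never read again, while `asuser` is given `@resource.should(:user)`. Passing the resolved id ties the check and the privilege drop to the same account: `Puppet::Util::SUIDManager.asuser(uid) do`. `self.class.backup_target(target)` still runs before the `asuser` block, so the backup touches a path in the user's directory with the agent's own privileges; whether it follows a link at that path is not visible in this hunk and is worth confirming. The old `if target` guards are also gone, so a nil `target` would now reach `File.dirname`.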
@@ -44,6 +45,13 @@ cmd end + # This helper makes it possible to test this on stub data without having to + # do too many crazy things! + def target_file_path + "/etc/shadow" + end + private :target_file_path + def user_attributes @user_attributes ||= UserAttr.get_attributes_by_name(@resource[:name]) end @@ -159,7 +167,7 @@ #No abstraction, all esoteric knowledge of file formats, yay def password #got perl? - if ary = File.readlines("/etc/shadow").reject { |r| r =~ /^[^\w]/}.collect { |l| l.split(':')[0..1] }.find { |user, passwd| user == @resource[:name] } + if ary = File.readlines(target_file_path).reject { |r| r =~ /^[^\w]/}.collect { |l| l.split(':')[0..1] }.find { |user, passwd| user == @resource[:name] } pass = ary[1] end pass @@ -169,24 +177,23 @@ #Smooth like 80 grit def password=(cryptopw) begin - File.open("/etc/shadow", "r") do |shadow| - File.open("/etc/shadow_tmp", "w", 0600) do |shadow_tmp| - while line = shadow.gets do - line_arr = line.split(':') - if line_arr[0] == @resource[:name] - line_arr[1] = cryptopw - line = line_arr.join(':') - end - shadow_tmp.print line + shadow = File.read(target_file_path) + + # Go Mifune loves the race here where we can lose data because + # /etc/shadow changed between reading it and writing it. + # --daniel 2012-02-05 + Puppet::Util.replace_file(target_file_path, 0640) do |fh| + shadow.each_line do |line| + line_arr = line.split(':') + if line_arr[0] == @resource[:name] + line_arr[1] = cryptopw + line = line_arr.join(':') end + fh.print line end end - File.rename("/etc/shadow_tmp", "/etc/shadow") rescue => detail - fail "Could not write temporary shadow file: %s" % detail - ensure - # Make sure this *always* gets deleted - File.unlink("/etc/shadow_tmp") if File.exist?("/etc/shadow_tmp") + fail "Could not write replace #{target_file_path}: #{detail}" end end end --- puppet-0.25.4.orig/lib/puppet/type/k5login.rb +++ puppet-0.25.4/lib/puppet/type/k5login.rb 
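Review bot: In `password=`, `cryptopw` is stored with `line_arr[1] = cryptopw` and no check on its content, so a value containing `:` or a line break would shift fields or add a record in the rewritten shadow file. A guard before the `begin` keeps the record well-formed: `raise ArgumentError, "password hash must not contain ':' or line breaks" if cryptopw =~ /[:\r\n]/`. The new failure text also reads "Could not write replace"; `fail "Could not replace #{target_file_path}: #{detail}"` is probably what was meant.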
@@ -1,6 +1,7 @@ # $Id: k5login.rb 2468 2007-08-07 23:30:20Z digant $ # # Plug-in type for handling k5login files +require 'puppet/util' Puppet::Type.newtype(:k5login) do @doc = "Manage the .k5login file for a user. Specify the full path to @@ -81,7 +82,9 @@ private def write(value) - File.open(@resource[:name], "w") { |f| f.puts value.join("\n") } + Puppet::Util.replace_file(@resource[:name], 0644) do |f| + f.puts value + end end end end --- puppet-0.25.4.orig/lib/puppet/rails/benchmark.rb +++ puppet-0.25.4/lib/puppet/rails/benchmark.rb @@ -64,6 +64,6 @@ data = {} end data[branch] = $benchmarks - Puppet::Util.secure_open(file, "w") { |f| f.print YAML.dump(data) } + Puppet::Util.replace_file(file, 0644) { |f| f.print YAML.dump(data) } end end --- puppet-0.25.4.orig/lib/puppet/util/monkey_patches.rb +++ puppet-0.25.4/lib/puppet/util/monkey_patches.rb @@ -6,3 +6,16 @@ } end end + +# Workaround for bug in MRI 1.8.7, see +# http://redmine.ruby-lang.org/issues/show/2708 +# for details +# + +if RUBY_VERSION == '1.8.7' + class NilClass + def closed? + true + end + end +end --- puppet-0.25.4.orig/lib/puppet/util/suidmanager.rb +++ puppet-0.25.4/lib/puppet/util/suidmanager.rb @@ -1,6 +1,7 @@ require 'facter' require 'puppet/util/warnings' require 'forwardable' +require 'etc' module Puppet::Util::SUIDManager include Puppet::Util::Warnings 
@@ -14,66 +15,115 @@ module_function method end - if Facter['kernel'].value == 'Darwin' - # Cannot change real UID on Darwin so we set euid - alias :uid :euid - alias :gid :egid + def self.root? + Process.uid == 0 end - # Runs block setting uid and gid if provided then restoring original ids + # Methods to handle changing uid/gid of the running process. In general, + # these will noop or fail on Windows, and require root to change to anything + # but the current uid/gid (which is a noop). + + # Runs block setting euid and egid if provided then restoring original ids. + # If running on Windows or without root, the block will be run with the + # current euid/egid. def asuser(new_uid=nil, new_gid=nil) - return yield unless Process.uid == 0 - # We set both because some programs like to drop privs, i.e. bash. - old_uid, old_gid = self.uid, self.gid + return yield if Puppet.features.microsoft_windows? + return yield unless root? + return yield unless new_uid or new_gid + old_euid, old_egid = self.euid, self.egid - old_groups = self.groups begin - self.egid = convert_xid :gid, new_gid if new_gid - self.initgroups(convert_xid(:uid, new_uid)) if new_uid - self.euid = convert_xid :uid, new_uid if new_uid - + change_privileges(new_uid, new_gid, false) yield ensure - self.euid, self.egid = old_euid, old_egid - self.groups = old_groups + change_privileges(new_uid ? old_euid : nil, old_egid, false) end end module_function :asuser + # If `permanently` is set, will permanently change the uid/gid of the + # process. If not, it will only set the euid/egid. If only uid is supplied, + # the primary group of the supplied gid will be used. If only gid is + # supplied, only gid will be changed. This method will fail if used on + # Windows. 
+ def change_privileges(uid=nil, gid=nil, permanently=false) + return unless uid or gid + + unless gid + uid = convert_xid(:uid, uid) + gid = Etc.getpwuid(uid).gid + end + + change_group(gid, permanently) + change_user(uid, permanently) if uid + end + module_function :change_privileges + + # Changes the egid of the process if `permanently` is not set, otherwise + # changes gid. This method will fail if used on Windows, or attempting to + # change to a different gid without root. + def change_group(group, permanently=false) + gid = convert_xid(:gid, group) + raise Puppet::Error, "No such group #{group}" unless gid + + if permanently + Process::GID.change_privilege(gid) + else + Process.egid = gid + end + end + module_function :change_group + + # As change_group, but operates on uids. If changing user permanently, + # supplementary groups will be set the to default groups for the new uid. + def change_user(user, permanently=false) + uid = convert_xid(:uid, user) + raise Puppet::Error, "No such user #{user}" unless uid + + if permanently + # If changing uid, we must be root. So initgroups first here. + initgroups(uid) + + Process::UID.change_privilege(uid) + else + # If we're already root, initgroups before changing euid. If we're not, + # change euid (to root) first. + if Process.euid == 0 + initgroups(uid) + Process.euid = uid + else + Process.euid = uid + initgroups(uid) + end + end + end + module_function :change_user + # Make sure the passed argument is a number. 
def convert_xid(type, id) map = {:gid => :group, :uid => :user} - raise ArgumentError, "Invalid id type %s" % type unless map.include?(type) + raise ArgumentError, "Invalid id type #{type}" unless map.include?(type) ret = Puppet::Util.send(type, id) if ret == nil - raise Puppet::Error, "Invalid %s: %s" % [map[type], id] + raise Puppet::Error, "Invalid #{map[type]}: #{id}" end - return ret + ret end module_function :convert_xid - # Initialize supplementary groups - def initgroups(user) - require 'etc' - Process.initgroups(Etc.getpwuid(user).name, Process.gid) + # Initialize primary and supplemental groups to those of the target user. We + # take the UID and manually look up their details in the system database, + # including username and primary group. This method will fail on Windows, or + # if used without root to initgroups of another user. + def initgroups(uid) + pwent = Etc.getpwuid(uid) + Process.initgroups(pwent.name, pwent.gid) end - module_function :initgroups def run_and_capture(command, new_uid=nil, new_gid=nil) - output = Puppet::Util.execute(command, :failonfail => false, :uid => new_uid, :gid => new_gid) - [output, $?.dup] + output = Puppet::Util.execute(command, :failonfail => false, :combine => true, :uid => new_uid, :gid => new_gid) + [output, $CHILD_STATUS.dup] end module_function :run_and_capture - - def system(command, new_uid=nil, new_gid=nil) - status = nil - asuser(new_uid, new_gid) do - Kernel.system(command) - status = $?.dup - end - status - end - module_function :system end - --- puppet-0.25.4.orig/lib/puppet/util/reference.rb +++ puppet-0.25.4/lib/puppet/util/reference.rb @@ -36,7 +36,7 @@ def self.pdf(text) puts "creating pdf" - Puppet::Util.secure_open("/tmp/puppetdoc.txt", "w") do |f| + Puppet::Util.replace_file("/tmp/puppetdoc.txt", 0644) do |f| f.puts text end rst2latex = %x{which rst2latex} --- puppet-0.25.4.orig/lib/puppet/network/server.rb +++ puppet-0.25.4/lib/puppet/network/server.rb 
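Review bot: `run_and_capture` now returns `$CHILD_STATUS.dup`, but `$CHILD_STATUS` only aliases `$?` once the `English` library is loaded. The require lines visible at the top of suidmanager.rb (`facter`, `puppet/util/warnings`, `forwardable`, `etc`) do not load it, and neither do the ones this patch adds to util.rb. Unless something else requires it first, the global is nil and the exit status is lost (on Ruby 1.8 `nil.dup` raises TypeError). Either add `require 'English'` next to `require 'etc'` or keep `[output, $?.dup]`. Separately, the comment on `change_privileges` says "the primary group of the supplied gid" where the code looks the group up from the uid; it should read "of the supplied uid".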
@@ -22,7 +22,7 @@ $stderr.reopen $stdout Puppet::Util::Log.reopen rescue => detail - Puppet::Util.secure_open("/tmp/daemonout", "w") { |f| + Puppet::Util.secure_open("/tmp/daemonout", 0644) { |f| f.puts "Could not start %s: %s" % [Puppet[:name], detail] } raise "Could not start %s: %s" % [Puppet[:name], detail] --- puppet-0.25.4.orig/spec/spec_helper.rb +++ puppet-0.25.4/spec/spec_helper.rb @@ -18,7 +18,7 @@ require 'puppettest' require 'puppettest/runnable_test' require 'mocha' -gem 'rspec', '>=1.2.2' +#gem 'rspec', '>=1.2.2' require 'spec/autorun' # So everyone else doesn't have to include this base constant. --- puppet-0.25.4.orig/spec/unit/util.rb +++ puppet-0.25.4/spec/unit/util.rb 
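Review bot: The rescue branch in lib/puppet/network/server.rb still calls `secure_open`, but its second argument changes from the open-mode string `"w"` to the integer `0644`, whereas the matching hunk in lib/puppet/util/reference.rb moves to `replace_file(path, 0644)`. The definition of `secure_open` is not in view; if it still expects a mode string, or was removed by this patch, this error path will itself raise and hide the original startup failure in `detail`. Presumably the intended line is `Puppet::Util.replace_file("/tmp/daemonout", 0644) { |f|`. The fixed `/tmp/daemonout` name also remains a predictable path in a shared directory, so a location owned by the daemon would be a better target for this message.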
@@ -0,0 +1,105 @@ +#!/usr/bin/env spec +require 'spec_helper' +require 'puppet_spec/files' + +describe Puppet::Util do + subject { Puppet::Util } + include PuppetSpec::Files + + context "#replace_file" do + it { should respond_to :replace_file } + + let :target do + target = Tempfile.new("puppet-util-replace-file") + target.puts("hello, world") + target.flush # make sure content is on disk. + target.fsync rescue nil + target.close + target + end + + it "should fail if no block is given" do + expect { subject.replace_file(target.path, 0600) }.to raise_error /block/ + end + + it "should replace a file when invoked" do + # Check that our file has the expected content. + File.read(target.path).should == "hello, world\n" + + # Replace the file. + subject.replace_file(target.path, 0600) do |fh| + fh.puts "I am the passenger..." + end + + # ...and check the replacement was complete. + File.read(target.path).should == "I am the passenger...\n" + end + + [0555, 0600, 0660, 0700, 0770].each do |mode| + it "should copy 0#{mode.to_s(8)} permissions from the target file by default" do + File.chmod(mode, target.path) + + (File.stat(target.path).mode & 07777).should == mode + + subject.replace_file(target.path, 0000) {|fh| fh.puts "bazam" } + + (File.stat(target.path).mode & 07777).should == mode + File.read(target.path).should == "bazam\n" + end + end + + it "should copy the permissions of the source file before yielding" do + File.chmod(0555, target.path) + inode = File.stat(target.path).ino + + yielded = false + subject.replace_file(target.path, 0600) do |fh| + (File.stat(fh.path).mode & 07777).should == 0555 + yielded = true + end + yielded.should be_true + + # We can't check inode on Windows + File.stat(target.path).ino.should_not == inode + + (File.stat(target.path).mode & 07777).should == 0555 + end + + it "should use the default permissions if the source file doesn't exist" do + new_target = target.path + '.foo' + File.should_not be_exist(new_target) + + begin + 
subject.replace_file(new_target, 0555) {|fh| fh.puts "foo" } + (File.stat(new_target).mode & 07777).should == 0555 + ensure + File.unlink(new_target) if File.exists?(new_target) + end + end + + it "should not replace the file if an exception is thrown in the block" do + yielded = false + threw = false + + begin + subject.replace_file(target.path, 0600) do |fh| + yielded = true + fh.puts "different content written, then..." + raise "...throw some random failure" + end + rescue Exception => e + if e.to_s =~ /some random failure/ + threw = true + else + raise + end + end + + yielded.should be_true + threw.should be_true + + # ...and check the replacement was complete. + File.read(target.path).should == "hello, world\n" + end + end +end --- puppet-0.25.4.orig/spec/unit/indirector/yaml.rb +++ puppet-0.25.4/spec/unit/indirector/yaml.rb @@ -50,6 +50,21 @@ it "should use the object's name to determine the file name" do @store.path(:me).should =~ %r{me.yaml$} end + + ['../foo', '..\\foo', './../foo', '.\\..\\foo', + '/foo', '//foo', '\\foo', '\\\\goo', + "test\0/../bar", "test\0\\..\\bar", + "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar", + " / bar", " /../ bar", " \\..\\ bar", + "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar", + "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar", + "//?/c:/foo", + ].each do |input| + it "should resist directory traversal attacks (#{input.inspect})" do + expect { @store.path(input) }.to raise_error + end + end + end describe Puppet::Indirector::Yaml, " when storing objects as YAML" do --- puppet-0.25.4.orig/spec/unit/indirector/ssl_file.rb +++ puppet-0.25.4/spec/unit/indirector/ssl_file.rb 
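Review bot: In the last example of spec/unit/util.rb ("should not replace the file if an exception is thrown in the block") the closing comment `# ...and check the replacement was complete.` is copied from the success case and says the opposite of what the assertion checks; `# ...and check the original content is untouched.` matches it. The hand-written `begin`/`rescue Exception => e` with the `threw` flag can be replaced by `expect { ... }.to raise_error(/some random failure/)`, the form this file already uses for `raise_error /block/`, which also avoids rescuing `Exception`. The example does not assert that the temporary file is gone after the failure; that is worth adding if replace_file, whose implementation is not in view, leaves a way to locate it.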
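Review bot: `expect { @store.path(input) }.to raise_error` in the spec/unit/indirector/yaml.rb hunk accepts any exception, so these traversal cases also pass when `path` fails for an unrelated reason, for instance a NoMethodError from a changed helper or an error that Ruby itself could raise for the NUL byte in `"test\0/../bar"`. Pin the matcher to the exception class, and ideally the message, that the traversal check in `path` raises; that code is not visible here, so the class has to be taken from the implementation. The same bare matcher and the same input list are repeated for `@searcher.path(input)` in the spec/unit/indirector/ssl_file.rb hunk that follows, so a shared constant for the list would keep the two in step.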
@@ -89,6 +89,25 @@ end end + ['../foo', '..\\foo', './../foo', '.\\..\\foo', + '/foo', '//foo', '\\foo', '\\\\goo', + "test\0/../bar", "test\0\\..\\bar", + "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar", + " / bar", " /../ bar", " \\..\\ bar", + "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar", + "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar", + "//?/c:/foo", + ].each do |input| + it "should resist directory traversal attacks (#{input.inspect})" do + expect { @searcher.path(input) }.to raise_error + end + end + + # REVISIT: Should probably test MS-DOS reserved names here, too, since + # they would represent a vulnerability on a Win32 system, should we ever + # support that path. Don't forget that 'CON.foo' == 'CON' + # --daniel 2011-09-24 + describe "when finding certificates on disk" do describe "and no certificate is present" do before do --- puppet-0.25.4.orig/spec/unit/provider/ssh_authorized_key/parsed.rb +++ puppet-0.25.4/spec/unit/provider/ssh_authorized_key/parsed.rb @@ -15,6 +15,9 @@ before :each do @sshauthkey_class = Puppet::Type.type(:ssh_authorized_key) @provider = @sshauthkey_class.provider(:parsed) + @keyfile = File.join(tmpdir, 'authorized_keys') + @user = 'random_bob' + Puppet::Util.stubs(:uid).with(@user).returns 12345 end after :each do 
@@ -23,22 +26,24 @@ def mkkey(args) fakeresource = fakeresource(:ssh_authorized_key, args[:name]) + fakeresource.stubs(:should).with(:user).returns @user + fakeresource.stubs(:should).with(:target).returns @keyfile key = @provider.new(fakeresource) args.each do |p,v| key.send(p.to_s + "=", v) end - return key + key end def genkey(key) @provider.stubs(:filetype).returns(Puppet::Util::FileType::FileTypeRam) - file = @provider.default_target - + File.stubs(:chown) + File.stubs(:chmod) + Puppet::Util::SUIDManager.stubs(:asuser).yields key.flush - text = @provider.target_object(file).read - return text + @provider.target_object(@keyfile).read end PuppetTest.fakedata("data/providers/ssh_authorized_key/parsed").each { |file| @@ -93,6 +98,7 @@ @provider = provider_class.new(@resource) provider_class.stubs(:filetype).returns(Puppet::Util::FileType::FileTypeRam) + Puppet::Util::SUIDManager.stubs(:asuser).yields end describe "when flushing" do @@ -117,15 +123,15 @@ @provider.flush end - it "should chown the directory to the user" do + it "should absolutely not chown the directory to the user" do uid = Puppet::Util.uid("random_bob") - File.expects(:chown).with(uid, nil, "/tmp/.ssh_dir") + File.expects(:chown).never @provider.flush end - it "should chown the key file to the user" do + it "should absolutely not chown the key file to the user" do uid = Puppet::Util.uid("random_bob") - File.expects(:chown).with(uid, nil, "/tmp/.ssh_dir/place_to_put_authorized_keys") + File.expects(:chown).never @provider.flush end 
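Review bot: The rewritten examples in the `@@ -117,15 +123,15 @@` hunk assert `File.expects(:chown).never`, but nothing visible asserts that the write now happens under the target user's identity, because `Puppet::Util::SUIDManager.stubs(:asuser).yields` in `genkey` and in the `@@ -93,6 +98,7 @@` setup lets the examples pass whether or not the provider calls `asuser`. One example using `Puppet::Util::SUIDManager.expects(:asuser).at_least_once.yields`, with a `with(...)` constraint matching the arguments the provider passes (not visible here), would pin the property the change is meant to guarantee. The `uid = Puppet::Util.uid("random_bob")` assignments left in the two "absolutely not chown" examples are now unused and can be dropped or reused for that constraint.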
@@ -147,23 +153,38 @@ # but mocha objects strenuously to stubbing File.expand_path # so I'm left with using nobody. @dir = File.expand_path("~nobody/.ssh") - end + end - it "should create the directory" do + it "should create the directory if it doesn't exist" do File.stubs(:exist?).with(@dir).returns false Dir.expects(:mkdir).with(@dir,0700) @provider.flush end - it "should chown the directory to the user" do + it "should not create or chown the directory if it already exist" do + File.stubs(:exist?).with(@dir).returns false + Dir.expects(:mkdir).never + @provider.flush + end + + it "should absolutely not chown the directory to the user if it creates it" do + File.stubs(:exist?).with(@dir).returns false + Dir.stubs(:mkdir).with(@dir,0700) uid = Puppet::Util.uid("nobody") - File.expects(:chown).with(uid, nil, @dir) + File.expects(:chown).never @provider.flush end - it "should chown the key file to the user" do + it "should not create or chown the directory if it already exist" do + File.stubs(:exist?).with(@dir).returns false + Dir.expects(:mkdir).never + File.expects(:chown).never + @provider.flush + end + + it "should absolutely not chown the key file to the user" do uid = Puppet::Util.uid("nobody") - File.expects(:chown).with(uid, nil, File.expand_path("~nobody/.ssh/authorized_keys")) + File.expects(:chown).never @provider.flush end 
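Review bot: Both added examples titled "should not create or chown the directory if it already exist" stub `File.stubs(:exist?).with(@dir).returns false`, which is the directory-missing case, and then expect `Dir.expects(:mkdir).never`. As written that contradicts "should create the directory if it doesn't exist" just above, which uses the same stub and expects `mkdir`; the stub was presumably meant to be `File.stubs(:exist?).with(@dir).returns true`. The two examples also share one description, so a failure report cannot tell them apart; the second could be named for the chown assertion it adds. The enclosing `describe` starts outside the hunk.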
@@ -179,17 +200,9 @@ @resource.stubs(:should).with(:target).returns("/tmp/.ssh_dir/place_to_put_authorized_keys") end - it "should make the directory" do - File.stubs(:exist?).with("/tmp/.ssh_dir").returns false - Dir.expects(:mkdir).with("/tmp/.ssh_dir", 0755) - @provider.flush - end - - it "should chmod the key file to 0644" do - File.expects(:chmod).with(0644, "/tmp/.ssh_dir/place_to_put_authorized_keys") - @provider.flush + it "should raise an error" do + proc { @provider.flush }.should raise_error end end - end end --- puppet-0.25.4.orig/spec/unit/provider/user/user_role_add.rb +++ puppet-0.25.4/spec/unit/provider/user/user_role_add.rb 
@@ -1,249 +1,288 @@ #!/usr/bin/env ruby require File.dirname(__FILE__) + '/../../../spec_helper' +require 'tempfile' +require 'puppet_spec/files' provider_class = Puppet::Type.type(:user).provider(:user_role_add) describe provider_class do + include PuppetSpec::Files + + before do + @resource = stub("resource", :name => "myuser", :managehome? => nil) + @resource.stubs(:should).returns "fakeval" + @resource.stubs(:[]).returns "fakeval" + @resource.stubs(:allowdupe?).returns false + @provider = provider_class.new(@resource) + end + + describe "when calling command" do + before do + klass = stub("provider") + klass.stubs(:command).with(:foo).returns("userfoo") + klass.stubs(:command).with(:role_foo).returns("rolefoo") + @provider.stubs(:class).returns(klass) + end + + it "should use the command if not a role and ensure!=role" do + @provider.stubs(:is_role?).returns(false) + @provider.stubs(:exists?).returns(false) + @resource.stubs(:[]).with(:ensure).returns(:present) + @provider.command(:foo).should == "userfoo" + end + + it "should use the role command when a role" do + @provider.stubs(:is_role?).returns(true) + @provider.command(:foo).should == "rolefoo" + end + + it "should use the role command when !exists and ensure=role" do + @provider.stubs(:is_role?).returns(false) + @provider.stubs(:exists?).returns(false) + @resource.stubs(:[]).with(:ensure).returns(:role) + @provider.command(:foo).should == "rolefoo" + end + end + + describe "when calling transition" do + it "should return the type set to whatever is passed in" do + @provider.expects(:command).with(:modify).returns("foomod") + @provider.transition("bar").include?("type=bar") + end + end + + describe "when calling create" do + before do + @provider.stubs(:password=) + end + + it "should use the add command when the user is not a role" do + @provider.stubs(:is_role?).returns(false) + @provider.expects(:addcmd).returns("useradd") + @provider.expects(:run).at_least_once + @provider.create + end + + it "should 
use transition(normal) when the user is a role" do + @provider.stubs(:is_role?).returns(true) + @provider.expects(:transition).with("normal") + @provider.expects(:run) + @provider.create + end + end + + describe "when calling destroy" do + it "should use the delete command if the user exists and is not a role" do + @provider.stubs(:exists?).returns(true) + @provider.stubs(:is_role?).returns(false) + @provider.expects(:deletecmd) + @provider.expects(:run) + @provider.destroy + end + + it "should use the delete command if the user is a role" do + @provider.stubs(:exists?).returns(true) + @provider.stubs(:is_role?).returns(true) + @provider.expects(:deletecmd) + @provider.expects(:run) + @provider.destroy + end + end + + describe "when calling create_role" do + it "should use the transition(role) if the user exists" do + @provider.stubs(:exists?).returns(true) + @provider.stubs(:is_role?).returns(false) + @provider.expects(:transition).with("role") + @provider.expects(:run) + @provider.create_role + end + + it "should use the add command when role doesn't exists" do + @provider.stubs(:exists?).returns(false) + @provider.expects(:addcmd) + @provider.expects(:run) + @provider.create_role + end + end + + describe "when allow duplicate is enabled" do before do - @resource = stub("resource", :name => "myuser", :managehome? 
=> nil) - @resource.stubs(:should).returns "fakeval" - @resource.stubs(:[]).returns "fakeval" - @resource.stubs(:allowdupe?).returns false - @provider = provider_class.new(@resource) - end - - describe "when calling command" do - before do - klass = stub("provider") - klass.stubs(:command).with(:foo).returns("userfoo") - klass.stubs(:command).with(:role_foo).returns("rolefoo") - @provider.stubs(:class).returns(klass) - end - - it "should use the command if not a role and ensure!=role" do - @provider.stubs(:is_role?).returns(false) - @provider.stubs(:exists?).returns(false) - @resource.stubs(:[]).with(:ensure).returns(:present) - @provider.command(:foo).should == "userfoo" - end - - it "should use the role command when a role" do - @provider.stubs(:is_role?).returns(true) - @provider.command(:foo).should == "rolefoo" - end - - it "should use the role command when !exists and ensure=role" do - @provider.stubs(:is_role?).returns(false) - @provider.stubs(:exists?).returns(false) - @resource.stubs(:[]).with(:ensure).returns(:role) - @provider.command(:foo).should == "rolefoo" - end - end - - describe "when calling transition" do - it "should return the type set to whatever is passed in" do - @provider.expects(:command).with(:modify).returns("foomod") - @provider.transition("bar").include?("type=bar") - end - end - - describe "when calling create" do - before do - @provider.stubs(:password=) - end - - it "should use the add command when the user is not a role" do - @provider.stubs(:is_role?).returns(false) - @provider.expects(:addcmd).returns("useradd") - @provider.expects(:run) - @provider.create - end - - it "should use transition(normal) when the user is a role" do - @provider.stubs(:is_role?).returns(true) - @provider.expects(:transition).with("normal") - @provider.expects(:run) - @provider.create - end - end - - describe "when calling destroy" do - it "should use the delete command if the user exists and is not a role" do - @provider.stubs(:exists?).returns(true) - 
@provider.stubs(:is_role?).returns(false) - @provider.expects(:deletecmd) - @provider.expects(:run) - @provider.destroy - end - - it "should use the delete command if the user is a role" do - @provider.stubs(:exists?).returns(true) - @provider.stubs(:is_role?).returns(true) - @provider.expects(:deletecmd) - @provider.expects(:run) - @provider.destroy - end - end - - describe "when calling create_role" do - it "should use the transition(role) if the user exists" do - @provider.stubs(:exists?).returns(true) - @provider.stubs(:is_role?).returns(false) - @provider.expects(:transition).with("role") - @provider.expects(:run) - @provider.create_role - end - - it "should use the add command when role doesn't exists" do - @provider.stubs(:exists?).returns(false) - @provider.expects(:addcmd) - @provider.expects(:run) - @provider.create_role - end - end - - describe "when allow duplicate is enabled" do - before do - @resource.expects(:allowdupe?).returns true - @provider.stubs(:is_role?).returns(false) - @provider.expects(:execute).with { |args| args.include?("-o") } - end - - it "should add -o when the user is being created" do - @provider.stubs(:password=) - @provider.create - end - - it "should add -o when the uid is being modified" do - @provider.uid = 150 - end - end - - [:roles, :auths, :profiles].each do |val| - describe "when getting #{val}" do - it "should get the user_attributes" do - @provider.expects(:user_attributes) - @provider.send(val) - end - - it "should get the #{val} attribute" do - attributes = mock("attributes") - attributes.expects(:[]).with(val) - @provider.stubs(:user_attributes).returns(attributes) - @provider.send(val) - end - end - end - - describe "when getting the keys" do - it "should get the user_attributes" do - @provider.expects(:user_attributes) - @provider.keys - end - - it "should call removed_managed_attributes" do - @provider.stubs(:user_attributes).returns({ :type => "normal", :foo => "something" }) - 
@provider.expects(:remove_managed_attributes) - @provider.keys - end - - it "should removed managed attribute (type, auths, roles, etc)" do - @provider.stubs(:user_attributes).returns({ :type => "normal", :foo => "something" }) - @provider.keys.should == { :foo => "something" } - end - end - - describe "when adding properties" do - it "should call build_keys_cmd" do - @resource.stubs(:should).returns "" - @resource.expects(:should).with(:keys).returns({ :foo => "bar" }) - @provider.expects(:build_keys_cmd).returns([]) - @provider.add_properties - end - - it "should add the elements of the keys hash to an array" do - @resource.stubs(:should).returns "" - @resource.expects(:should).with(:keys).returns({ :foo => "bar"}) - @provider.add_properties.must == ["-K", "foo=bar"] - end - end - - describe "when calling build_keys_cmd" do - it "should build cmd array with keypairs seperated by -K ending with user" do - @provider.build_keys_cmd({"foo" => "bar", "baz" => "boo"}).should.eql? ["-K", "foo=bar", "-K", "baz=boo"] - end - end - - describe "when setting the keys" do - before do - @provider.stubs(:is_role?).returns(false) - end - - it "should run a command" do - @provider.expects(:run) - @provider.keys=({}) - end - - it "should build the command" do - @resource.stubs(:[]).with(:name).returns("someuser") - @provider.stubs(:command).returns("usermod") - @provider.expects(:build_keys_cmd).returns(["-K", "foo=bar"]) - @provider.expects(:run).with(["usermod", "-K", "foo=bar", "someuser"], "modify attribute key pairs") - @provider.keys=({}) - end - end - - describe "when getting the hashed password" do - before do - @array = mock "array" - end - - it "should readlines of /etc/shadow" do - File.expects(:readlines).with("/etc/shadow").returns([]) - @provider.password - end - - it "should reject anything that doesn't start with alpha numerics" do - @array.expects(:reject).returns([]) - File.stubs(:readlines).with("/etc/shadow").returns(@array) - @provider.password - end - - it 
"should collect splitting on ':'" do - @array.stubs(:reject).returns(@array) - @array.expects(:collect).returns([]) - File.stubs(:readlines).with("/etc/shadow").returns(@array) - @provider.password - end - - it "should find the matching user" do - @resource.stubs(:[]).with(:name).returns("username") - @array.stubs(:reject).returns(@array) - @array.stubs(:collect).returns([["username", "hashedpassword"], ["someoneelse", "theirpassword"]]) - File.stubs(:readlines).with("/etc/shadow").returns(@array) - @provider.password.must == "hashedpassword" - end - - it "should get the right password" do - @resource.stubs(:[]).with(:name).returns("username") - File.stubs(:readlines).with("/etc/shadow").returns(["#comment", " nonsense", " ", "username:hashedpassword:stuff:foo:bar:::", "other:pword:yay:::"]) - @provider.password.must == "hashedpassword" - end - end - - describe "when setting the password" do - #how can you mock these blocks up? - it "should open /etc/shadow for reading and /etc/shadow_tmp for writing" do - File.expects(:open).with("/etc/shadow", "r") - File.stubs(:rename) - @provider.password=("hashedpassword") - end - - it "should rename the /etc/shadow_tmp to /etc/shadow" do - File.stubs(:open).with("/etc/shadow", "r") - File.expects(:rename).with("/etc/shadow_tmp", "/etc/shadow") - @provider.password=("hashedpassword") - end + @resource.expects(:allowdupe?).returns true + @provider.stubs(:is_role?).returns(false) + @provider.stubs(:execute) + @provider.expects(:execute).with { |args| args.include?("-o") } + end + + it "should add -o when the user is being created" do + @provider.stubs(:password=) + @provider.create + end + + it "should add -o when the uid is being modified" do + @provider.uid = 150 + end + end + + [:roles, :auths, :profiles].each do |val| + describe "when getting #{val}" do + it "should get the user_attributes" do + @provider.expects(:user_attributes) + @provider.send(val) + end + + it "should get the #{val} attribute" do + attributes = 
mock("attributes") + attributes.expects(:[]).with(val) + @provider.stubs(:user_attributes).returns(attributes) + @provider.send(val) + end + end + end + + describe "when getting the keys" do + it "should get the user_attributes" do + @provider.expects(:user_attributes) + @provider.keys + end + + it "should call removed_managed_attributes" do + @provider.stubs(:user_attributes).returns({ :type => "normal", :foo => "something" }) + @provider.expects(:remove_managed_attributes) + @provider.keys + end + + it "should removed managed attribute (type, auths, roles, etc)" do + @provider.stubs(:user_attributes).returns({ :type => "normal", :foo => "something" }) + @provider.keys.should == { :foo => "something" } + end + end + + describe "when adding properties" do + it "should call build_keys_cmd" do + @resource.stubs(:should).returns "" + @resource.expects(:should).with(:keys).returns({ :foo => "bar" }) + @provider.expects(:build_keys_cmd).returns([]) + @provider.add_properties + end + + it "should add the elements of the keys hash to an array" do + @resource.stubs(:should).returns "" + @resource.expects(:should).with(:keys).returns({ :foo => "bar"}) + @provider.add_properties.must == ["-K", "foo=bar"] + end + end + + describe "when calling build_keys_cmd" do + it "should build cmd array with keypairs seperated by -K ending with user" do + @provider.build_keys_cmd({"foo" => "bar", "baz" => "boo"}).should.eql? 
["-K", "foo=bar", "-K", "baz=boo"] + end + end + + describe "when setting the keys" do + before do + @provider.stubs(:is_role?).returns(false) + end + + it "should run a command" do + @provider.expects(:run) + @provider.keys=({}) + end + + it "should build the command" do + @resource.stubs(:[]).with(:name).returns("someuser") + @provider.stubs(:command).returns("usermod") + @provider.expects(:build_keys_cmd).returns(["-K", "foo=bar"]) + @provider.expects(:run).with(["usermod", "-K", "foo=bar", "someuser"], "modify attribute key pairs") + @provider.keys=({}) + end + end + + describe "when getting the hashed password" do + before do + @array = mock "array" + end + + it "should readlines of /etc/shadow" do + File.expects(:readlines).with("/etc/shadow").returns([]) + @provider.password + end + + it "should reject anything that doesn't start with alpha numerics" do + @array.expects(:reject).returns([]) + File.stubs(:readlines).with("/etc/shadow").returns(@array) + @provider.password + end + + it "should collect splitting on ':'" do + @array.stubs(:reject).returns(@array) + @array.expects(:collect).returns([]) + File.stubs(:readlines).with("/etc/shadow").returns(@array) + @provider.password + end + + it "should find the matching user" do + @resource.stubs(:[]).with(:name).returns("username") + @array.stubs(:reject).returns(@array) + @array.stubs(:collect).returns([["username", "hashedpassword"], ["someoneelse", "theirpassword"]]) + File.stubs(:readlines).with("/etc/shadow").returns(@array) + @provider.password.must == "hashedpassword" + end + + it "should get the right password" do + @resource.stubs(:[]).with(:name).returns("username") + File.stubs(:readlines).with("/etc/shadow").returns(["#comment", " nonsense", " ", "username:hashedpassword:stuff:foo:bar:::", "other:pword:yay:::"]) + @provider.password.must == "hashedpassword" + end + end + + describe "when setting the password" do + let(:path) { tmpfile('etc-shadow') } + + before :each do + 
@provider.stubs(:target_file_path).returns(path) + end + + def write_fixture(content) + File.open(path, 'w') { |f| f.print(content) } + end + + it "should update the target user" do + write_fixture < 'present', + :path => path, + :principals => 'fred@EXAMPLE.COM' + }.merge(attrs) + + if content = attrs.delete(:content) + File.open(path, 'w') { |f| f.print(content) } + end + + resource = Puppet::Type.type(:k5login).new(attrs) + resource + end + + def properties_to_names(property_hash) + property_hash.inject({}) { |h,(k,v)| h.merge(k.name => v) } + end + + before :each do + FileUtils.touch(path) + end + + context "the provider" do + context "when the file is missing" do + it "should initially be absent" do + File.delete(path) + # This comes back as Property => value, so map keys to names + properties = properties_to_names(resource.retrieve) + properties[:ensure].should == :absent + end + + it "should create the file when synced" do + resource(:ensure => 'present').parameter(:ensure).sync + File.should be_exist path + end + end + + context "when the file is present" do + context "retrieved initial state" do + subject { properties_to_names(resource.retrieve) } + + it "should retrieve its properties correctly with zero principals" do + subject[:ensure].should == :present + subject[:principals].should == [] + # We don't really care what the mode is, just that it got it + subject[:mode].should_not be_nil + end + + context "with one principal" do + subject { properties_to_names(resource(:content => "daniel@EXAMPLE.COM\n").retrieve) } + + it "should retrieve its principals correctly" do + subject[:principals].should == ["daniel@EXAMPLE.COM"] + end + end + + context "with two principals" do + subject do + content = ["daniel@EXAMPLE.COM", "george@EXAMPLE.COM"].join("\n") + properties_to_names(resource(:content => content).retrieve) + end + + it "should retrieve its principals correctly" do + subject[:principals].should == ["daniel@EXAMPLE.COM", "george@EXAMPLE.COM"] + end + 
end + end + + it "should remove the file ensure is absent" do + resource(:ensure => 'absent').property(:ensure).sync + File.should_not be_exist path + end + + it "should write one principal to the file" do + File.read(path).should == "" + resource(:principals => ["daniel@EXAMPLE.COM"]).property(:principals).sync + File.read(path).should == "daniel@EXAMPLE.COM\n" + end + + it "should write multiple principals to the file" do + content = ["daniel@EXAMPLE.COM", "george@EXAMPLE.COM"] + + File.read(path).should == "" + resource(:principals => content).property(:principals).sync + File.read(path).should == content.join("\n") + "\n" + end + + describe "when setting the mode", :unless => Puppet.features.microsoft_windows? do + # The defined input type is "mode, as an octal string" + ["400", "600", "700", "644", "664"].each do |mode| + it "should update the mode to #{mode}" do + resource(:mode => mode).property(:mode).sync + + (File.stat(path).mode & 07777).to_s(8).should == mode + end + end + end + end + end +end --- puppet-0.25.4.orig/spec/unit/type/file.rb +++ puppet-0.25.4/spec/unit/type/file.rb 
@@ -16,6 +16,42 @@ @file.catalog = @catalog end + describe "#write" do + + it "should propagate failures encountered when renaming the temporary file" do + File.stubs(:open) + + File.expects(:rename).raises ArgumentError + file = Puppet::Type::File.new(:name => "/my/file", :backup => "puppet") + + lambda { file.write("something", :content) }.should raise_error(Puppet::Error) + end + + describe "when validating the checksum" do + before { @file.stubs(:validate_checksum?).returns(true) } + + it "should fail if the checksum property and content checksums do not match" do + property = stub('checksum_property', :checktype => :md5, :md5 => 'checksum_a', :getsum => 'checksum_b') + @file.stubs(:property).with(:checksum).returns(property) + + @file.stubs(:validate_checksum?).returns(true) + lambda { @file.write "something", :NOTUSED }.should raise_error(Puppet::Error) + end + end + + describe "when not validating the checksum" do + before { @file.stubs(:validate_checksum?).returns(false) } + + it "should not fail if the checksum property and content checksums do not match" do + property = stub('checksum_property', :checktype => :md5, :md5 => 'checksum_a', :getsum => 'checksum_b') + @file.stubs(:property).with(:checksum).returns(property) + + lambda { @file.write "something", :NOTUSED }.should_not raise_error(Puppet::Error) + end + + end + end + it "should have a method for determining if the file is present" do @file.must respond_to(:exist?) end @@ -764,15 +800,4 @@ file.finish end end - - describe "when writing the file" do - it "should propagate failures encountered when renaming the temporary file" do - File.stubs(:open) - - File.expects(:rename).raises ArgumentError - file = Puppet::Type::File.new(:name => "/my/file", :backup => "puppet") - - lambda { file.write("something", :content) }.should raise_error(Puppet::Error) - end - end end --- puppet-0.25.4.orig/spec/unit/util/suidmanager.rb +++ puppet-0.25.4/spec/unit/util/suidmanager.rb 
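Review bot: In the "when not validating the checksum" example, `.should_not raise_error(Puppet::Error)` only fails when exactly that class is raised, so the example also passes if `@file.write` aborts with any other exception before reaching the checksum comparison. The bare form states the intent, `lambda { @file.write "something", :NOTUSED }.should_not raise_error`. In the "when validating the checksum" example the `@file.stubs(:validate_checksum?).returns(true)` line repeats the `before` block and can go. Neither example stubs `File.open` or `File.rename` as the first `#write` example does, so whether they touch the real filesystem depends on how `@file` is built outside this hunk.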
@@ -0,0 +1,220 @@
+#!/usr/bin/env spec
+
+require 'spec_helper'
+
+describe Puppet::Util::SUIDManager do
+ let :user do
+ Puppet::Type.type(:user).new(:name => 'name', :uid => 42, :gid => 42)
+ end
+
+ let :xids do
+ Hash.new {|h,k| 0}
+ end
+
+ before :each do
+ Puppet::Util::SUIDManager.stubs(:convert_xid).returns(42)
+ pwent = stub('pwent', :name => 'fred', :uid => 42, :gid => 42)
+ Etc.stubs(:getpwuid).with(42).returns(pwent)
+
+ [:euid, :egid, :uid, :gid, :groups].each do |id|
+ Process.stubs("#{id}=").with {|value| xids[id] = value }
+ end
+ end
+
+ describe "#initgroups" do
+ it "should use the primary group of the user as the 'basegid'" do
+ Process.expects(:initgroups).with('fred', 42)
+ Puppet::Util::SUIDManager.initgroups(42)
+ end
+ end
+
+ describe "#uid" do
+ it "should allow setting euid/egid" do
+ Puppet::Util::SUIDManager.egid = user[:gid]
+ Puppet::Util::SUIDManager.euid = user[:uid]
+
+ xids[:egid].should == user[:gid]
+ xids[:euid].should == user[:uid]
+ end
+ end
+
+ describe "#asuser" do
+ it "should not get or set euid/egid when not root" do
+ Process.stubs(:uid).returns(1)
+
+ Process.stubs(:egid).returns(51)
+ Process.stubs(:euid).returns(50)
+
+ Puppet::Util::SUIDManager.asuser(user[:uid], user[:gid]) {}
+
+ xids.should be_empty
+ end
+
+ context "when root and not windows" do
+ before :each do
+ Process.stubs(:uid).returns(0)
+ Puppet.features.stubs(:microsoft_windows?).returns(false)
+ end
+
+ it "should set euid/egid when root" do
+ Process.stubs(:uid).returns(0)
+
+ Process.stubs(:egid).returns(51)
+ Process.stubs(:euid).returns(50)
+
+ Puppet::Util::SUIDManager.stubs(:convert_xid).with(:gid, 51).returns(51)
+ Puppet::Util::SUIDManager.stubs(:convert_xid).with(:uid, 50).returns(50)
+ Puppet::Util::SUIDManager.stubs(:initgroups).returns([])
+
+ yielded = false
+ Puppet::Util::SUIDManager.asuser(user[:uid], user[:gid]) do
+ xids[:egid].should == user[:gid]
+ xids[:euid].should == user[:uid]
+ yielded = true
+ end
+
+ xids[:egid].should == 51
+ xids[:euid].should == 50
+
+ # It's possible asuser could simply not yield, so the assertions in the
+ # block wouldn't fail. So verify those actually got checked.
+ yielded.should be_true
+ end
+
+ it "should just yield if user and group are nil" do
+ yielded = false
+ Puppet::Util::SUIDManager.asuser(nil, nil) { yielded = true }
+ yielded.should be_true
+ xids.should == {}
+ end
+
+ it "should just change group if only group is given" do
+ yielded = false
+ Puppet::Util::SUIDManager.asuser(nil, 42) { yielded = true }
+ yielded.should be_true
+ xids.should == { :egid => 42 }
+ end
+
+ it "should change gid to the primary group of uid by default" do
+ Process.stubs(:initgroups)
+
+ yielded = false
+ Puppet::Util::SUIDManager.asuser(42) { yielded = true }
+ yielded.should be_true
+ xids.should == { :euid => 42, :egid => 42 }
+ end
+
+ it "should change both uid and gid if given" do
+ # I don't like the sequence, but it is the only way to assert on the
+ # internal behaviour in a reliable fashion, given we need multiple
+ # sequenced calls to the same methods. --daniel 2012-02-05
+ horror = sequence('of user and group changes')
+ Puppet::Util::SUIDManager.expects(:change_group).with(43, false).in_sequence(horror)
+ Puppet::Util::SUIDManager.expects(:change_user).with(42, false).in_sequence(horror)
+ Puppet::Util::SUIDManager.expects(:change_group).
+ with(Puppet::Util::SUIDManager.egid, false).in_sequence(horror)
+ Puppet::Util::SUIDManager.expects(:change_user).
+ with(Puppet::Util::SUIDManager.euid, false).in_sequence(horror)
+
+ yielded = false
+ Puppet::Util::SUIDManager.asuser(42, 43) { yielded = true }
+ yielded.should be_true
+ end
+ end
+ end
+
+ describe "#change_group" do
+ describe "when changing permanently" do
+ it "should try to change_privilege if it is supported" do
+ Process::GID.expects(:change_privilege).with do |gid|
+ Process.gid = gid
+ Process.egid = gid
+ end
+
+ Puppet::Util::SUIDManager.change_group(42, true)
+
+ xids[:egid].should == 42
+ xids[:gid].should == 42
+ end
+ end
+
+ describe "when changing temporarily" do
+ it "should change only egid" do
+ Puppet::Util::SUIDManager.change_group(42, false)
+
+ xids[:egid].should == 42
+ xids[:gid].should == 0
+ end
+ end
+ end
+
+ describe "#change_user" do
+ describe "when changing permanently" do
+ it "should try to change_privilege if it is supported" do
+ Process::UID.expects(:change_privilege).with do |uid|
+ Process.uid = uid
+ Process.euid = uid
+ end
+
+ Puppet::Util::SUIDManager.expects(:initgroups).with(42)
+
+ Puppet::Util::SUIDManager.change_user(42, true)
+
+ xids[:euid].should == 42
+ xids[:uid].should == 42
+ end
+ end
+
+ describe "when changing temporarily" do
+ it "should change only euid and groups" do
+ Puppet::Util::SUIDManager.stubs(:initgroups).returns([])
+ Puppet::Util::SUIDManager.change_user(42, false)
+
+ xids[:euid].should == 42
+ xids[:uid].should == 0
+ end
+
+ it "should set euid before groups if changing to root" do
+ Process.stubs(:euid).returns 50
+
+ when_not_root = sequence 'when_not_root'
+
+ Process.expects(:euid=).in_sequence(when_not_root)
+ Puppet::Util::SUIDManager.expects(:initgroups).in_sequence(when_not_root)
+
+ Puppet::Util::SUIDManager.change_user(0, false)
+ end
+
+ it "should set groups before euid if changing from root" do
+ Process.stubs(:euid).returns 0
+
+ when_root = sequence 'when_root'
+
+ Puppet::Util::SUIDManager.expects(:initgroups).in_sequence(when_root)
+ Process.expects(:euid=).in_sequence(when_root)
+
+ Puppet::Util::SUIDManager.change_user(50, false)
+ end
+ end
+ end
+
+ describe "when running commands" do
+ before :each do
+ # We want to make sure $CHILD_STATUS is set
+ Kernel.system '' if $CHILD_STATUS.nil?
+ end
+
+ describe "with #run_and_capture" do
+ it "should capture the output and return process status" do
+ Puppet::Util.
+ expects(:execute).
+ with('yay', :combine => true, :failonfail => false, :uid => user[:uid], :gid => user[:gid]).
+ returns('output')
+ output = Puppet::Util::SUIDManager.run_and_capture 'yay', user[:uid], user[:gid]
+
+ output.first.should == 'output'
+ output.last.should be_a(Process::Status)
+ end
+ end
+ end
+end
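Review bot: In the `#change_user` "when changing permanently" example, the `initgroups` and `Process::UID.change_privilege` expectations are not ordered, so the spec passes whichever of the two the implementation calls first. The order is what matters for a permanent drop, because supplementary groups presumably have to be set while the process is still privileged, and the temporary examples further down already pin it with `sequence`. I would do the same here: declare `drop = sequence 'permanent drop'`, move `Puppet::Util::SUIDManager.expects(:initgroups).with(42).in_sequence(drop)` ahead of the `change_privilege` expectation, and chain `.in_sequence(drop)` onto that one too. Separately, `:groups=` is stubbed in the top-level `before`, but no example asserts on `xids[:groups]`, so "should change only euid and groups" checks only the euid half of its title.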