diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb index a61e2e8ef..a5a63a2a7 100644 --- a/lib/puppet/defaults.rb +++ b/lib/puppet/defaults.rb @@ -1,1937 +1,1931 @@ module Puppet def self.default_diffargs if (Facter.value(:kernel) == "AIX" && Facter.value(:kernelmajversion) == "5300") "" else "-u" end end ############################################################################################ # NOTE: For information about the available values for the ":type" property of settings, # see the docs for Settings.define_settings ############################################################################################ AS_DURATION = %q{This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).} STORECONFIGS_ONLY = %q{This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.} # This is defined first so that the facter implementation is replaced before other setting defaults are evaluated. define_settings(:main, :cfacter => { :default => false, :type => :boolean, :desc => 'Whether or not to use the native facter (cfacter) implementation instead of the Ruby one (facter). Defaults to false.', :hook => proc do |value| return unless value raise ArgumentError, 'facter has already evaluated facts.' if Facter.instance_variable_get(:@collection) raise ArgumentError, 'cfacter version 0.2.0 or later is not installed.' unless Puppet.features.cfacter? CFacter.initialize end } ) define_settings(:main, :confdir => { :default => nil, :type => :directory, :desc => "The main Puppet configuration directory. The default for this setting is calculated based on the user. If the process is running as root or the user that Puppet is supposed to run as, it defaults to a system directory, but if it's running as any other user, it defaults to being in the user's home directory.", }, :vardir => { :default => nil, :type => :directory, :owner => "service", :group => "service", :desc => "Where Puppet stores dynamic and growing data. The default for this setting is calculated specially, like `confdir`_.", }, ### NOTE: this setting is usually being set to a symbol value. We don't officially have a ### setting type for that yet, but we might want to consider creating one. :name => { :default => nil, :desc => "The name of the application, if we are running as one. The default is essentially $0 without the path or `.rb`.", } ) define_settings(:main, :logdir => { :default => nil, :type => :directory, :mode => "0750", :owner => "service", :group => "service", :desc => "The directory in which to store log files", }, :log_level => { :default => 'notice', :type => :enum, :values => ["debug","info","notice","warning","err","alert","emerg","crit"], :desc => "Default logging level for messages from Puppet. Allowed values are: * debug * info * notice * warning * err * alert * emerg * crit ", :hook => proc {|value| Puppet::Util::Log.level = value }, :call_hook => :on_initialize_and_write, }, :disable_warnings => { :default => [], :type => :array, :desc => "A comma-separated list of warning types to suppress. If large numbers of warnings are making Puppet's logs too large or difficult to use, you can temporarily silence them with this setting. If you are preparing to upgrade Puppet to a new major version, you should re-enable all warnings for a while. Valid values for this setting are: * `deprecations` --- disables deprecation warnings.", :hook => proc do |value| values = munge(value) valid = %w[deprecations] invalid = values - (values & valid) if not invalid.empty? raise ArgumentError, "Cannot disable unrecognized warning types #{invalid.inspect}. Valid values are #{valid.inspect}." end end } ) define_settings(:main, :priority => { :default => nil, :type => :priority, :desc => "The scheduling priority of the process. Valid values are 'high', 'normal', 'low', or 'idle', which are mapped to platform-specific values. The priority can also be specified as an integer value and will be passed as is, e.g. -5. Puppet must be running as a privileged user in order to increase scheduling priority.", }, :trace => { :default => false, :type => :boolean, :desc => "Whether to print stack traces on some errors", }, :profile => { :default => false, :type => :boolean, :desc => "Whether to enable experimental performance profiling", }, :autoflush => { :default => true, :type => :boolean, :desc => "Whether log files should always flush to disk.", :hook => proc { |value| Log.autoflush = value } }, :syslogfacility => { :default => "daemon", :desc => "What syslog facility to use when logging to syslog. Syslog has a fixed list of valid facilities, and you must choose one of those; you cannot just make one up." }, :statedir => { :default => "$vardir/state", :type => :directory, :mode => "01755", :desc => "The directory where Puppet state is stored. Generally, this directory can be removed without causing harm (although it might result in spurious service restarts)." }, :rundir => { :default => nil, :type => :directory, :mode => "0755", :owner => "service", :group => "service", :desc => "Where Puppet PID files are kept." }, :genconfig => { :default => false, :type => :boolean, :desc => "When true, causes Puppet applications to print an example config file to stdout and exit. The example will include descriptions of each setting, and the current (or default) value of each setting, incorporating any settings overridden on the CLI (with the exception of `genconfig` itself). This setting only makes sense when specified on the command line as `--genconfig`.", }, :genmanifest => { :default => false, :type => :boolean, :desc => "Whether to just print a manifest to stdout and exit. Only makes sense when specified on the command line as `--genmanifest`. Takes into account arguments specified on the CLI.", }, :configprint => { :default => "", :desc => "Print the value of a specific configuration setting. If the name of a setting is provided for this, then the value is printed and puppet exits. Comma-separate multiple values. For a list of all values, specify 'all'.", }, :color => { :default => "ansi", :type => :string, :desc => "Whether to use colors when logging to the console. Valid values are `ansi` (equivalent to `true`), `html`, and `false`, which produces no color. Defaults to false on Windows, as its console does not support ansi colors.", }, :mkusers => { :default => false, :type => :boolean, :desc => "Whether to create the necessary user and group that puppet agent will run as.", }, :manage_internal_file_permissions => { :default => true, :type => :boolean, :desc => "Whether Puppet should manage the owner, group, and mode of files it uses internally", }, :onetime => { :default => false, :type => :boolean, :desc => "Perform one configuration run and exit, rather than spawning a long-running daemon. This is useful for interactively running puppet agent, or running puppet agent from cron.", :short => 'o', }, :path => { :default => "none", :desc => "The shell search path. Defaults to whatever is inherited from the parent process.", :call_hook => :on_define_and_write, :hook => proc do |value| ENV["PATH"] = "" if ENV["PATH"].nil? ENV["PATH"] = value unless value == "none" paths = ENV["PATH"].split(File::PATH_SEPARATOR) Puppet::Util::Platform.default_paths.each do |path| ENV["PATH"] += File::PATH_SEPARATOR + path unless paths.include?(path) end value end }, :libdir => { :type => :directory, :default => "$vardir/lib", :desc => "An extra search path for Puppet. This is only useful for those files that Puppet will load on demand, and is only guaranteed to work for those cases. In fact, the autoload mechanism is responsible for making sure this directory is in Ruby's search path\n", :call_hook => :on_initialize_and_write, :hook => proc do |value| $LOAD_PATH.delete(@oldlibdir) if defined?(@oldlibdir) and $LOAD_PATH.include?(@oldlibdir) @oldlibdir = value $LOAD_PATH << value end }, :ignoreimport => { :default => false, :type => :boolean, :desc => "If true, allows the parser to continue without requiring all files referenced with `import` statements to exist. This setting was primarily designed for use with commit hooks for parse-checking.", }, :environment => { :default => "production", :desc => "The environment Puppet is running in. For clients (e.g., `puppet agent`) this determines the environment itself, which is used to find modules and much more. For servers (i.e., `puppet master`) this provides the default environment for nodes we know nothing about." }, :environmentpath => { :default => "", :desc => "A search path for directory environments, as a list of directories separated by the system path separator character. (The POSIX path separator is ':', and the Windows path separator is ';'.) This setting must have a value set to enable **directory environments.** The recommended value is `$confdir/environments`. For more details, see http://docs.puppetlabs.com/puppet/latest/reference/environments.html", :type => :path, }, :always_cache_features => { :type => :boolean, :default => false, :desc => <<-'EOT' Affects how we cache attempts to load Puppet 'features'. If false, then calls to `Puppet.features.?` will always attempt to load the feature (which can be an expensive operation) unless it has already been loaded successfully. This makes it possible for a single agent run to, e.g., install a package that provides the underlying capabilities for a feature, and then later load that feature during the same run (even if the feature had been tested earlier and had not been available). If this setting is set to true, then features will only be checked once, and if they are not available, the negative result is cached and returned for all subsequent attempts to load the feature. This behavior is almost always appropriate for the server, and can result in a significant performance improvement for features that are checked frequently. EOT }, :diff_args => { :default => lambda { default_diffargs }, :desc => "Which arguments to pass to the diff command when printing differences between files. The command to use can be chosen with the `diff` setting.", }, :diff => { :default => (Puppet.features.microsoft_windows? ? "" : "diff"), :desc => "Which diff command to use when printing differences between files. This setting has no default value on Windows, as standard `diff` is not available, but Puppet can use many third-party diff tools.", }, :show_diff => { :type => :boolean, :default => false, :desc => "Whether to log and report a contextual diff when files are being replaced. This causes partial file contents to pass through Puppet's normal logging and reporting system, so this setting should be used with caution if you are sending Puppet's reports to an insecure destination. This feature currently requires the `diff/lcs` Ruby library.", }, :daemonize => { :type => :boolean, :default => (Puppet.features.microsoft_windows? ? false : true), :desc => "Whether to send the process into the background. This defaults to true on POSIX systems, and to false on Windows (where Puppet currently cannot daemonize).", :short => "D", :hook => proc do |value| if value and Puppet.features.microsoft_windows? raise "Cannot daemonize on Windows" end end }, :maximum_uid => { :default => 4294967290, :desc => "The maximum allowed UID. Some platforms use negative UIDs but then ship with tools that do not know how to handle signed ints, so the UIDs show up as huge numbers that can then not be fed back into the system. This is a hackish way to fail in a slightly more useful way when that happens.", }, :route_file => { :default => "$confdir/routes.yaml", :desc => "The YAML file containing indirector route configuration.", }, :node_terminus => { :type => :terminus, :default => "plain", :desc => "Where to find information about nodes.", }, :node_cache_terminus => { :type => :terminus, :default => nil, :desc => "How to store cached nodes. Valid values are (none), 'json', 'msgpack', 'yaml' or write only yaml ('write_only_yaml'). The master application defaults to 'write_only_yaml', all others to none.", }, :data_binding_terminus => { :type => :terminus, :default => "hiera", :desc => "Where to retrive information about data.", }, :hiera_config => { :default => "$confdir/hiera.yaml", :desc => "The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet master every time you edit it.", :type => :file, }, :binder => { :default => false, :desc => "Turns the binding system on or off. This includes bindings in modules. The binding system aggregates data from modules and other locations and makes them available for lookup. The binding system is experimental and any or all of it may change.", :type => :boolean, }, :binder_config => { :default => nil, :desc => "The binder configuration file. Puppet reads this file on each request to configure the bindings system. If set to nil (the default), a $confdir/binder_config.yaml is optionally loaded. If it does not exists, a default configuration is used. If the setting :binding_config is specified, it must reference a valid and existing yaml file.", :type => :file, }, :catalog_terminus => { :type => :terminus, :default => "compiler", :desc => "Where to get node catalogs. This is useful to change if, for instance, you'd like to pre-compile catalogs and store them in memcached or some other easily-accessed store.", }, :catalog_cache_terminus => { :type => :terminus, :default => nil, :desc => "How to store cached catalogs. Valid values are 'json', 'msgpack' and 'yaml'. The agent application defaults to 'json'." }, :facts_terminus => { :default => 'facter', :desc => "The node facts terminus.", }, :default_file_terminus => { :type => :terminus, :default => "rest", :desc => "The default source for files if no server is given in a uri, e.g. puppet:///file. The default of `rest` causes the file to be retrieved using the `server` setting. When running `apply` the default is `file_server`, causing requests to be filled locally." }, :httplog => { :default => "$logdir/http.log", :type => :file, :owner => "root", :mode => "0640", :desc => "Where the puppet agent web server logs.", }, :http_proxy_host => { :default => "none", :desc => "The HTTP proxy host to use for outgoing connections. Note: You may need to use a FQDN for the server hostname when using a proxy. Environment variable http_proxy or HTTP_PROXY will override this value", }, :http_proxy_port => { :default => 3128, :desc => "The HTTP proxy port to use for outgoing connections", }, :http_proxy_user => { :default => "none", :desc => "The user name for an authenticated HTTP proxy. Requires the `http_proxy_host` setting.", }, :http_proxy_password =>{ :default => "none", :hook => proc do |value| if Puppet.settings[:http_proxy_password] =~ /[@!# \/]/ raise "Passwords set in the http_proxy_password setting must be valid as part of a URL, and any reserved characters must be URL-encoded. We received: #{value}" end end, :desc => "The password for the user of an authenticated HTTP proxy. Requires the `http_proxy_user` setting. Note that passwords must be valid when used as part of a URL. If a password contains any characters with special meanings in URLs (as specified by RFC 3986 section 2.2), they must be URL-encoded. (For example, `#` would become `%23`.)", }, :http_keepalive_timeout => { :default => "4s", :type => :duration, :desc => "The maximum amount of time a persistent HTTP connection can remain idle in the connection pool, before it is closed. This timeout should be shorter than the keepalive timeout used on the HTTP server, e.g. Apache KeepAliveTimeout directive. #{AS_DURATION}" }, :http_debug => { :default => false, :type => :boolean, :desc => "Whether to write HTTP request and responses to stderr. This should never be used in a production environment." }, :filetimeout => { :default => "15s", :type => :duration, :desc => "The minimum time to wait between checking for updates in configuration files. This timeout determines how quickly Puppet checks whether a file (such as manifests or templates) has changed on disk. #{AS_DURATION}", }, :environment_timeout => { :default => "unlimited", :type => :ttl, :desc => "The time to live for a cached environment. #{AS_DURATION} This setting can also be set to `unlimited`, which causes the environment to be cached until the master is restarted." }, :thin_storeconfigs => { :default => false, :type => :boolean, :desc => "Boolean; whether Puppet should store only facts and exported resources in the storeconfigs database. This will improve the performance of exported resources with the older `active_record` backend, but will disable external tools that search the storeconfigs database. Thinning catalogs is generally unnecessary when using PuppetDB to store catalogs.", :hook => proc do |value| Puppet.settings.override_default(:storeconfigs, true) if value end }, :config_version => { :default => "", :desc => "How to determine the configuration version. By default, it will be the time that the configuration is parsed, but you can provide a shell script to override how the version is determined. The output of this script will be added to every log message in the reports, allowing you to correlate changes on your hosts to the source version on the server. Setting a global value for config_version in puppet.conf is deprecated. Please set a per-environment value in environment.conf instead. For more info, see http://docs.puppetlabs.com/puppet/latest/reference/environments.html", :deprecated => :allowed_on_commandline, }, :prerun_command => { :default => "", :desc => "A command to run before every agent run. If this command returns a non-zero return code, the entire Puppet run will fail.", }, :postrun_command => { :default => "", :desc => "A command to run after every agent run. If this command returns a non-zero return code, the entire Puppet run will be considered to have failed, even though it might have performed work during the normal run.", }, :freeze_main => { :default => false, :type => :boolean, :desc => "Freezes the 'main' class, disallowing any code to be added to it. This essentially means that you can't have any code outside of a node, class, or definition other than in the site manifest.", }, :trusted_node_data => { :default => false, :type => :boolean, :desc => "Stores trusted node data in a hash called $trusted. When true also prevents $trusted from being overridden in any scope.", }, :immutable_node_data => { :default => '$trusted_node_data', :type => :boolean, :desc => "When true, also prevents $trusted and $facts from being overridden in any scope", } ) Puppet.define_settings(:module_tool, :module_repository => { :default => 'https://forgeapi.puppetlabs.com', :desc => "The module repository", }, :module_working_dir => { :default => '$vardir/puppet-module', :desc => "The directory into which module tool data is stored", }, :module_skeleton_dir => { :default => '$module_working_dir/skeleton', :desc => "The directory which the skeleton for module tool generate is stored.", }, :forge_authorization => { :default => nil, :desc => "The authorization key to connect to the Puppet Forge. Leave blank for unauthorized or license based connections", }, :module_groups => { :default => nil, :desc => "Extra module groups to request from the Puppet Forge", } ) Puppet.define_settings( :main, # We have to downcase the fqdn, because the current ssl stuff (as oppsed to in master) doesn't have good facilities for # manipulating naming. :certname => { :default => lambda { Puppet::Settings.default_certname.downcase }, :desc => "The name to use when handling certificates. When a node requests a certificate from the CA puppet master, it uses the value of the `certname` setting as its requested Subject CN. This is the name used when managing a node's permissions in [auth.conf](http://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html). In most cases, it is also used as the node's name when matching [node definitions](http://docs.puppetlabs.com/puppet/latest/reference/lang_node_definitions.html) and requesting data from an ENC. (This can be changed with the `node_name_value` and `node_name_fact` settings, although you should only do so if you have a compelling reason.) A node's certname is available in Puppet manifests as `$trusted['certname']`. (See [Facts and Built-In Variables](http://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html) for more details.) * For best compatibility, you should limit the value of `certname` to only use letters, numbers, periods, underscores, and dashes. (That is, it should match `/\A[a-z0-9._-]+\Z/`.) * The special value `ca` is reserved, and can't be used as the certname for a normal node. Defaults to the node's fully qualified domain name.", :hook => proc { |value| raise(ArgumentError, "Certificate names must be lower case; see #1168") unless value == value.downcase }}, :certdnsnames => { :default => '', :hook => proc do |value| unless value.nil? or value == '' then Puppet.warning < < { :default => '', :desc => < { :default => "$confdir/csr_attributes.yaml", :type => :file, :desc => < { :default => "$ssldir/certs", :type => :directory, :mode => "0755", :owner => "service", :group => "service", :desc => "The certificate directory." }, :ssldir => { :default => "$confdir/ssl", :type => :directory, :mode => "0771", :owner => "service", :group => "service", :desc => "Where SSL certificates are kept." }, :publickeydir => { :default => "$ssldir/public_keys", :type => :directory, :mode => "0755", :owner => "service", :group => "service", :desc => "The public key directory." }, :requestdir => { :default => "$ssldir/certificate_requests", :type => :directory, :mode => "0755", :owner => "service", :group => "service", :desc => "Where host certificate requests are stored." }, :privatekeydir => { :default => "$ssldir/private_keys", :type => :directory, :mode => "0750", :owner => "service", :group => "service", :desc => "The private key directory." }, :privatedir => { :default => "$ssldir/private", :type => :directory, :mode => "0750", :owner => "service", :group => "service", :desc => "Where the client stores private certificate information." }, :passfile => { :default => "$privatedir/password", :type => :file, :mode => "0640", :owner => "service", :group => "service", :desc => "Where puppet agent stores the password for its private key. Generally unused." }, :hostcsr => { :default => "$ssldir/csr_$certname.pem", :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "Where individual hosts store and look for their certificate requests." }, :hostcert => { :default => "$certdir/$certname.pem", :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "Where individual hosts store and look for their certificates." }, :hostprivkey => { :default => "$privatekeydir/$certname.pem", :type => :file, :mode => "0640", :owner => "service", :group => "service", :desc => "Where individual hosts store and look for their private key." }, :hostpubkey => { :default => "$publickeydir/$certname.pem", :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "Where individual hosts store and look for their public key." }, :localcacert => { :default => "$certdir/ca.pem", :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "Where each client stores the CA certificate." }, :ssl_client_ca_auth => { :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "Certificate authorities who issue server certificates. SSL servers will not be considered authentic unless they possess a certificate issued by an authority listed in this file. If this setting has no value then the Puppet master's CA certificate (localcacert) will be used." }, :ssl_server_ca_auth => { :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "Certificate authorities who issue client certificates. SSL clients will not be considered authentic unless they possess a certificate issued by an authority listed in this file. If this setting has no value then the Puppet master's CA certificate (localcacert) will be used." }, :hostcrl => { :default => "$ssldir/crl.pem", :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "Where the host's certificate revocation list can be found. This is distinct from the certificate authority's CRL." }, :certificate_revocation => { :default => true, :type => :boolean, :desc => "Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) to all clients. If enabled, CA chaining will almost definitely not work.", }, - :certificate_expire_warning => { - :default => "60d", - :type => :duration, - :desc => "The window of time leading up to a certificate's expiration that a notification - will be logged. This applies to CA, master, and agent certificates. #{AS_DURATION}" - }, :digest_algorithm => { :default => 'md5', :type => :enum, :values => ["md5", "sha256"], :desc => 'Which digest algorithm to use for file resources and the filebucket. Valid values are md5, sha256. Default is md5.', } ) define_settings( :ca, :ca_name => { :default => "Puppet CA: $certname", :desc => "The name to use the Certificate Authority certificate.", }, :cadir => { :default => "$ssldir/ca", :type => :directory, :owner => "service", :group => "service", :mode => "0755", :desc => "The root directory for the certificate authority." }, :cacert => { :default => "$cadir/ca_crt.pem", :type => :file, :owner => "service", :group => "service", :mode => "0644", :desc => "The CA certificate." }, :cakey => { :default => "$cadir/ca_key.pem", :type => :file, :owner => "service", :group => "service", :mode => "0640", :desc => "The CA private key." }, :capub => { :default => "$cadir/ca_pub.pem", :type => :file, :owner => "service", :group => "service", :mode => "0644", :desc => "The CA public key." }, :cacrl => { :default => "$cadir/ca_crl.pem", :type => :file, :owner => "service", :group => "service", :mode => "0644", :desc => "The certificate revocation list (CRL) for the CA. Will be used if present but otherwise ignored.", }, :caprivatedir => { :default => "$cadir/private", :type => :directory, :owner => "service", :group => "service", :mode => "0750", :desc => "Where the CA stores private certificate information." }, :csrdir => { :default => "$cadir/requests", :type => :directory, :owner => "service", :group => "service", :mode => "0755", :desc => "Where the CA stores certificate requests" }, :signeddir => { :default => "$cadir/signed", :type => :directory, :owner => "service", :group => "service", :mode => "0755", :desc => "Where the CA stores signed certificates." }, :capass => { :default => "$caprivatedir/ca.pass", :type => :file, :owner => "service", :group => "service", :mode => "0640", :desc => "Where the CA stores the password for the private key." }, :serial => { :default => "$cadir/serial", :type => :file, :owner => "service", :group => "service", :mode => "0644", :desc => "Where the serial number for certificates is stored." }, :autosign => { :default => "$confdir/autosign.conf", :type => :autosign, :desc => "Whether (and how) to autosign certificate requests. This setting is only relevant on a puppet master acting as a certificate authority (CA). Valid values are true (autosigns all certificate requests; not recommended), false (disables autosigning certificates), or the absolute path to a file. The file specified in this setting may be either a **configuration file** or a **custom policy executable.** Puppet will automatically determine what it is: If the Puppet user (see the `user` setting) can execute the file, it will be treated as a policy executable; otherwise, it will be treated as a config file. If a custom policy executable is configured, the CA puppet master will run it every time it receives a CSR. The executable will be passed the subject CN of the request _as a command line argument,_ and the contents of the CSR in PEM format _on stdin._ It should exit with a status of 0 if the cert should be autosigned and non-zero if the cert should not be autosigned. If a certificate request is not autosigned, it will persist for review. An admin user can use the `puppet cert sign` command to manually sign it, or can delete the request. For info on autosign configuration files, see [the guide to Puppet's config files](http://docs.puppetlabs.com/guides/configuring.html).", }, :allow_duplicate_certs => { :default => false, :type => :boolean, :desc => "Whether to allow a new certificate request to overwrite an existing certificate.", }, :ca_ttl => { :default => "5y", :type => :duration, :desc => "The default TTL for new certificates. #{AS_DURATION}" }, :req_bits => { :default => 4096, :desc => "The bit length of the certificates.", }, :keylength => { :default => 4096, :desc => "The bit length of keys.", }, :cert_inventory => { :default => "$cadir/inventory.txt", :type => :file, :mode => "0644", :owner => "service", :group => "service", :desc => "The inventory file. This is a text file to which the CA writes a complete listing of all certificates." } ) # Define the config default. define_settings(:application, :config_file_name => { :type => :string, :default => Puppet::Settings.default_config_file_name, :desc => "The name of the puppet config file.", }, :config => { :type => :file, :default => "$confdir/${config_file_name}", :desc => "The configuration file for the current puppet application.", }, :pidfile => { :type => :file, :default => "$rundir/${run_mode}.pid", :desc => "The file containing the PID of a running process. This file is intended to be used by service management frameworks and monitoring systems to determine if a puppet process is still in the process table.", }, :bindaddress => { :default => "0.0.0.0", :desc => "The address a listening server should bind to.", } ) define_settings(:master, :user => { :default => "puppet", :desc => "The user puppet master should run as.", }, :group => { :default => "puppet", :desc => "The group puppet master should run as.", }, :manifestdir => { :default => "$confdir/manifests", :type => :directory, :desc => "Used to build the default value of the `manifest` setting. Has no other purpose. This setting is deprecated.", :deprecated => :completely, }, :manifest => { :default => "$manifestdir/site.pp", :type => :file_or_directory, :desc => "The entry-point manifest for puppet master. This can be one file or a directory of manifests to be evaluated in alphabetical order. Puppet manages this path as a directory if one exists or if the path ends with a / or \\. Setting a global value for `manifest` in puppet.conf is deprecated. Please use directory environments instead. If you need to use something other than the environment's `manifests` directory as the main manifest, you can set `manifest` in environment.conf. For more info, see http://docs.puppetlabs.com/puppet/latest/reference/environments.html", :deprecated => :allowed_on_commandline, }, :default_manifest => { :default => "./manifests", :type => :string, :desc => "The default main manifest for directory environments. Any environment that doesn't set the `manifest` setting in its `environment.conf` file will use this manifest. This setting's value can be an absolute or relative path. An absolute path will make all environments default to the same main manifest; a relative path will allow each environment to use its own manifest, and Puppet will resolve the path relative to each environment's main directory. In either case, the path can point to a single file or to a directory of manifests to be evaluated in alphabetical order.", }, :disable_per_environment_manifest => { :default => false, :type => :boolean, :desc => "Whether to disallow an environment-specific main manifest. When set to `true`, Puppet will use the manifest specified in the `default_manifest` setting for all environments. If an environment specifies a different main manifest in its `environment.conf` file, catalog requests for that environment will fail with an error. This setting requires `default_manifest` to be set to an absolute path.", :hook => proc do |value| if value && !Pathname.new(Puppet[:default_manifest]).absolute? raise(Puppet::Settings::ValidationError, "The 'default_manifest' setting must be set to an absolute path when 'disable_per_environment_manifest' is true") end end, }, :code => { :default => "", :desc => "Code to parse directly. This is essentially only used by `puppet`, and should only be set if you're writing your own Puppet executable.", }, :masterhttplog => { :default => "$logdir/masterhttp.log", :type => :file, :owner => "service", :group => "service", :mode => "0660", :create => true, :desc => "Where the puppet master web server saves its access log. This is only used when running a WEBrick puppet master. When puppet master is running under a Rack server like Passenger, that web server will have its own logging behavior." }, :masterport => { :default => 8140, :desc => "The port for puppet master traffic. For puppet master, this is the port to listen on; for puppet agent, this is the port to make requests on. Both applications use this setting to get the port.", }, :node_name => { :default => "cert", :desc => "How the puppet master determines the client's identity and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest, in particular for determining which 'node' statement applies to the client. Possible values are 'cert' (use the subject's CN in the client's certificate) and 'facter' (use the hostname that the client reported in its facts)", }, :bucketdir => { :default => "$vardir/bucket", :type => :directory, :mode => "0750", :owner => "service", :group => "service", :desc => "Where FileBucket files are stored." }, :rest_authconfig => { :default => "$confdir/auth.conf", :type => :file, :desc => "The configuration file that defines the rights to the different rest indirections. This can be used as a fine-grained authorization system for `puppet master`.", }, :ca => { :default => true, :type => :boolean, :desc => "Whether the master should function as a certificate authority.", }, :trusted_oid_mapping_file => { :default => "$confdir/custom_trusted_oid_mapping.yaml", :type => :file, :desc => "File that provides mapping between custom SSL oids and user-friendly names" }, :basemodulepath => { :default => "$confdir/modules#{File::PATH_SEPARATOR}/usr/share/puppet/modules", :type => :path, :desc => "The search path for **global** modules. Should be specified as a list of directories separated by the system path separator character. (The POSIX path separator is ':', and the Windows path separator is ';'.) If you are using directory environments, these are the modules that will be used by _all_ environments. Note that the `modules` directory of the active environment will have priority over any global directories. For more info, see http://docs.puppetlabs.com/puppet/latest/reference/environments.html This setting also provides the default value for the deprecated `modulepath` setting, which is used when directory environments are disabled.", }, :modulepath => { :default => "$basemodulepath", :type => :path, :desc => "The search path for modules, as a list of directories separated by the system path separator character. (The POSIX path separator is ':', and the Windows path separator is ';'.) Setting a global value for `modulepath` in puppet.conf is deprecated. Please use directory environments instead. If you need to use something other than the default modulepath of `:$basemodulepath`, you can set `modulepath` in environment.conf. For more info, see http://docs.puppetlabs.com/puppet/latest/reference/environments.html", :deprecated => :allowed_on_commandline, }, :ssl_client_header => { :default => "HTTP_X_CLIENT_DN", :desc => "The header containing an authenticated client's SSL DN. This header must be set by the proxy to the authenticated client's SSL DN (e.g., `/CN=puppet.puppetlabs.com`). Puppet will parse out the Common Name (CN) from the Distinguished Name (DN) and use the value of the CN field for authorization. Note that the name of the HTTP header gets munged by the web server common gateway inteface: an `HTTP_` prefix is added, dashes are converted to underscores, and all letters are uppercased. Thus, to use the `X-Client-DN` header, this setting should be `HTTP_X_CLIENT_DN`.", }, :ssl_client_verify_header => { :default => "HTTP_X_CLIENT_VERIFY", :desc => "The header containing the status message of the client verification. This header must be set by the proxy to 'SUCCESS' if the client successfully authenticated, and anything else otherwise. Note that the name of the HTTP header gets munged by the web server common gateway inteface: an `HTTP_` prefix is added, dashes are converted to underscores, and all letters are uppercased. Thus, to use the `X-Client-Verify` header, this setting should be `HTTP_X_CLIENT_VERIFY`.", }, # To make sure this directory is created before we try to use it on the server, we need # it to be in the server section (#1138). :yamldir => { :default => "$vardir/yaml", :type => :directory, :owner => "service", :group => "service", :mode => "0750", :desc => "The directory in which YAML data is stored, usually in a subdirectory."}, :server_datadir => { :default => "$vardir/server_data", :type => :directory, :owner => "service", :group => "service", :mode => "0750", :desc => "The directory in which serialized data is stored, usually in a subdirectory."}, :reports => { :default => "store", :desc => "The list of report handlers to use. When using multiple report handlers, their names should be comma-separated, with whitespace allowed. (For example, `reports = http, tagmail`.) This setting is relevant to puppet master and puppet apply. The puppet master will call these report handlers with the reports it receives from agent nodes, and puppet apply will call them with its own report. (In all cases, the node applying the catalog must have `report = true`.) See the report reference for information on the built-in report handlers; custom report handlers can also be loaded from modules. (Report handlers are loaded from the lib directory, at `puppet/reports/NAME.rb`.)", }, :reportdir => { :default => "$vardir/reports", :type => :directory, :mode => "0750", :owner => "service", :group => "service", :desc => "The directory in which to store reports. Each node gets a separate subdirectory in this directory. This setting is only used when the `store` report processor is enabled (see the `reports` setting)."}, :reporturl => { :default => "http://localhost:3000/reports/upload", :desc => "The URL that reports should be forwarded to. This setting is only used when the `http` report processor is enabled (see the `reports` setting).", }, :fileserverconfig => { :default => "$confdir/fileserver.conf", :type => :file, :desc => "Where the fileserver configuration is stored.", }, :strict_hostname_checking => { :default => false, :desc => "Whether to only search for the complete hostname as it is in the certificate when searching for node information in the catalogs.", } ) define_settings(:device, :devicedir => { :default => "$vardir/devices", :type => :directory, :mode => "0750", :desc => "The root directory of devices' $vardir.", }, :deviceconfig => { :default => "$confdir/device.conf", :desc => "Path to the device config file for puppet device.", } ) define_settings(:agent, :node_name_value => { :default => "$certname", :desc => "The explicit value used for the node name for all requests the agent makes to the master. WARNING: This setting is mutually exclusive with node_name_fact. Changing this setting also requires changes to the default auth.conf configuration on the Puppet Master. Please see http://links.puppetlabs.com/node_name_value for more information." }, :node_name_fact => { :default => "", :desc => "The fact name used to determine the node name used for all requests the agent makes to the master. WARNING: This setting is mutually exclusive with node_name_value. Changing this setting also requires changes to the default auth.conf configuration on the Puppet Master. Please see http://links.puppetlabs.com/node_name_fact for more information.", :hook => proc do |value| if !value.empty? and Puppet[:node_name_value] != Puppet[:certname] raise "Cannot specify both the node_name_value and node_name_fact settings" end end }, :localconfig => { :default => "$statedir/localconfig", :type => :file, :owner => "root", :mode => "0660", :desc => "Where puppet agent caches the local configuration. An extension indicating the cache format is added automatically."}, :statefile => { :default => "$statedir/state.yaml", :type => :file, :mode => "0660", :desc => "Where puppet agent and puppet master store state associated with the running configuration. In the case of puppet master, this file reflects the state discovered through interacting with clients." }, :clientyamldir => { :default => "$vardir/client_yaml", :type => :directory, :mode => "0750", :desc => "The directory in which client-side YAML data is stored." }, :client_datadir => { :default => "$vardir/client_data", :type => :directory, :mode => "0750", :desc => "The directory in which serialized data is stored on the client." }, :classfile => { :default => "$statedir/classes.txt", :type => :file, :owner => "root", :mode => "0640", :desc => "The file in which puppet agent stores a list of the classes associated with the retrieved configuration. Can be loaded in the separate `puppet` executable using the `--loadclasses` option."}, :resourcefile => { :default => "$statedir/resources.txt", :type => :file, :owner => "root", :mode => "0640", :desc => "The file in which puppet agent stores a list of the resources associated with the retrieved configuration." }, :puppetdlog => { :default => "$logdir/puppetd.log", :type => :file, :owner => "root", :mode => "0640", :desc => "The fallback log file. This is only used when the `--logdest` option is not specified AND Puppet is running on an operating system where both the POSIX syslog service and the Windows Event Log are unavailable. (Currently, no supported operating systems match that description.) Despite the name, both puppet agent and puppet master will use this file as the fallback logging destination. For control over logging destinations, see the `--logdest` command line option in the manual pages for puppet master, puppet agent, and puppet apply. You can see man pages by running `puppet --help`, or read them online at http://docs.puppetlabs.com/references/latest/man/." }, :server => { :default => "puppet", :desc => "The puppet master server to which the puppet agent should connect." }, :use_srv_records => { :default => false, :type => :boolean, :desc => "Whether the server will search for SRV records in DNS for the current domain.", }, :srv_domain => { :default => lambda { Puppet::Settings.domain_fact }, :desc => "The domain which will be queried to find the SRV records of servers to use.", }, :ignoreschedules => { :default => false, :type => :boolean, :desc => "Boolean; whether puppet agent should ignore schedules. This is useful for initial puppet agent runs.", }, :default_schedules => { :default => true, :type => :boolean, :desc => "Boolean; whether to generate the default schedule resources. Setting this to false is useful for keeping external report processors clean of skipped schedule resources.", }, :noop => { :default => false, :type => :boolean, :desc => "Whether to apply catalogs in noop mode, which allows Puppet to partially simulate a normal run. This setting affects puppet agent and puppet apply. When running in noop mode, Puppet will check whether each resource is in sync, like it does when running normally. However, if a resource attribute is not in the desired state (as declared in the catalog), Puppet will take no action, and will instead report the changes it _would_ have made. These simulated changes will appear in the report sent to the puppet master, or be shown on the console if running puppet agent or puppet apply in the foreground. The simulated changes will not send refresh events to any subscribing or notified resources, although Puppet will log that a refresh event _would_ have been sent. **Important note:** [The `noop` metaparameter](http://docs.puppetlabs.com/references/latest/metaparameter.html#noop) allows you to apply individual resources in noop mode, and will override the global value of the `noop` setting. This means a resource with `noop => false` _will_ be changed if necessary, even when running puppet agent with `noop = true` or `--noop`. (Conversely, a resource with `noop => true` will only be simulated, even when noop mode is globally disabled.)", }, :runinterval => { :default => "30m", :type => :duration, :desc => "How often puppet agent applies the catalog. Note that a runinterval of 0 means \"run continuously\" rather than \"never run.\" If you want puppet agent to never run, you should start it with the `--no-client` option. #{AS_DURATION}", }, :ca_server => { :default => "$server", :desc => "The server to use for certificate authority requests. It's a separate server because it cannot and does not need to horizontally scale.", }, :ca_port => { :default => "$masterport", :desc => "The port to use for the certificate authority.", }, :preferred_serialization_format => { :default => "pson", :desc => "The preferred means of serializing ruby instances for passing over the wire. This won't guarantee that all instances will be serialized using this method, since not all classes can be guaranteed to support this format, but it will be used for all classes that support it.", }, :report_serialization_format => { :default => "pson", :type => :enum, :values => ["pson", "yaml"], :desc => "The serialization format to use when sending reports to the `report_server`. Possible values are `pson` and `yaml`. This setting affects puppet agent, but not puppet apply (which processes its own reports). This should almost always be set to `pson`. It can be temporarily set to `yaml` to let agents using this Puppet version connect to a puppet master running Puppet 3.0.0 through 3.2.x. Note that this is set to 'yaml' automatically if the agent detects an older master, so should never need to be set explicitly." }, :legacy_query_parameter_serialization => { :default => false, :type => :boolean, :desc => "The serialization format to use when sending file_metadata query parameters. Older versions of puppet master expect certain query parameters to be serialized as yaml, which is deprecated. This should almost always be false. It can be temporarily set to true to let agents using this Puppet version connect to a puppet master running Puppet 3.0.0 through 3.2.x. Note that this is set to true automatically if the agent detects an older master, so should never need to be set explicitly." }, :agent_catalog_run_lockfile => { :default => "$statedir/agent_catalog_run.lock", :type => :string, # (#2888) Ensure this file is not added to the settings catalog. :desc => "A lock file to indicate that a puppet agent catalog run is currently in progress. The file contains the pid of the process that holds the lock on the catalog run.", }, :agent_disabled_lockfile => { :default => "$statedir/agent_disabled.lock", :type => :file, :desc => "A lock file to indicate that puppet agent runs have been administratively disabled. File contains a JSON object with state information.", }, :usecacheonfailure => { :default => true, :type => :boolean, :desc => "Whether to use the cached configuration when the remote configuration will not compile. This option is useful for testing new configurations, where you want to fix the broken configuration rather than reverting to a known-good one.", }, :use_cached_catalog => { :default => false, :type => :boolean, :desc => "Whether to only use the cached catalog rather than compiling a new catalog on every run. Puppet can be run with this enabled by default and then selectively disabled when a recompile is desired.", }, :ignoremissingtypes => { :default => false, :type => :boolean, :desc => "Skip searching for classes and definitions that were missing during a prior compilation. The list of missing objects is maintained per-environment and persists until the environment is cleared or the master is restarted.", }, :ignorecache => { :default => false, :type => :boolean, :desc => "Ignore cache and always recompile the configuration. This is useful for testing new configurations, where the local cache may in fact be stale even if the timestamps are up to date - if the facts change or if the server changes.", }, :splaylimit => { :default => "$runinterval", :type => :duration, :desc => "The maximum time to delay before runs. Defaults to being the same as the run interval. #{AS_DURATION}", }, :splay => { :default => false, :type => :boolean, :desc => "Whether to sleep for a pseudo-random (but consistent) amount of time before a run.", }, :clientbucketdir => { :default => "$vardir/clientbucket", :type => :directory, :mode => "0750", :desc => "Where FileBucket files are stored locally." }, :configtimeout => { :default => "2m", :type => :duration, :desc => "How long the client should wait for the configuration to be retrieved before considering it a failure. This can help reduce flapping if too many clients contact the server at one time. #{AS_DURATION}", }, :report_server => { :default => "$server", :desc => "The server to send transaction reports to.", }, :report_port => { :default => "$masterport", :desc => "The port to communicate with the report_server.", }, :report => { :default => true, :type => :boolean, :desc => "Whether to send reports after every transaction.", }, :lastrunfile => { :default => "$statedir/last_run_summary.yaml", :type => :file, :mode => "0644", :desc => "Where puppet agent stores the last run report summary in yaml format." }, :lastrunreport => { :default => "$statedir/last_run_report.yaml", :type => :file, :mode => "0640", :desc => "Where puppet agent stores the last run report in yaml format." }, :graph => { :default => false, :type => :boolean, :desc => "Whether to create dot graph files for the different configuration graphs. These dot files can be interpreted by tools like OmniGraffle or dot (which is part of ImageMagick).", }, :graphdir => { :default => "$statedir/graphs", :type => :directory, :desc => "Where to store dot-outputted graphs.", }, :waitforcert => { :default => "2m", :type => :duration, :desc => "How frequently puppet agent should ask for a signed certificate. When starting for the first time, puppet agent will submit a certificate signing request (CSR) to the server named in the `ca_server` setting (usually the puppet master); this may be autosigned, or may need to be approved by a human, depending on the CA server's configuration. Puppet agent cannot apply configurations until its approved certificate is available. Since the certificate may or may not be available immediately, puppet agent will repeatedly try to fetch it at this interval. You can turn off waiting for certificates by specifying a time of 0, in which case puppet agent will exit if it cannot get a cert. #{AS_DURATION}", }, :ordering => { :type => :enum, :values => ["manifest", "title-hash", "random"], :default => "manifest", :desc => "How unrelated resources should be ordered when applying a catalog. Allowed values are `title-hash`, `manifest`, and `random`. This setting affects puppet agent and puppet apply, but not puppet master. * `manifest` (the default) will use the order in which the resources were declared in their manifest files. * `title-hash` (the default in 3.x) will order resources randomly, but will use the same order across runs and across nodes. It is only of value if you're migrating from 3.x and have errors running with `manifest`. * `random` will order resources randomly and change their order with each run. This can work like a fuzzer for shaking out undeclared dependencies. Regardless of this setting's value, Puppet will always obey explicit dependencies set with the before/require/notify/subscribe metaparameters and the `->`/`~>` chaining arrows; this setting only affects the relative ordering of _unrelated_ resources." } ) define_settings(:inspect, :archive_files => { :type => :boolean, :default => false, :desc => "During an inspect run, whether to archive files whose contents are audited to a file bucket.", }, :archive_file_server => { :default => "$server", :desc => "During an inspect run, the file bucket server to archive files to if archive_files is set.", } ) # Plugin information. define_settings( :main, :plugindest => { :type => :directory, :default => "$libdir", :desc => "Where Puppet should store plugins that it pulls down from the central server.", }, :pluginsource => { :default => "puppet://$server/plugins", :desc => "From where to retrieve plugins. The standard Puppet `file` type is used for retrieval, so anything that is a valid file source can be used here.", }, :pluginfactdest => { :type => :directory, :default => "$vardir/facts.d", :desc => "Where Puppet should store external facts that are being handled by pluginsync", }, :pluginfactsource => { :default => "puppet://$server/pluginfacts", :desc => "Where to retrieve external facts for pluginsync", }, :pluginsync => { :default => true, :type => :boolean, :desc => "Whether plugins should be synced with the central server.", }, :pluginsignore => { :default => ".svn CVS .git", :desc => "What files to ignore when pulling down plugins.", } ) # Central fact information. define_settings( :main, :factpath => { :type => :path, :default => "$vardir/lib/facter#{File::PATH_SEPARATOR}$vardir/facts", :desc => "Where Puppet should look for facts. Multiple directories should be separated by the system path separator character. (The POSIX path separator is ':', and the Windows path separator is ';'.)", :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter. :hook => proc do |value| paths = value.split(File::PATH_SEPARATOR) Facter.search(*paths) end } ) define_settings( :tagmail, :tagmap => { :default => "$confdir/tagmail.conf", :desc => "The mapping between reporting tags and email addresses.", }, :sendmail => { :default => which('sendmail') || '', :desc => "Where to find the sendmail binary with which to send email.", }, :reportfrom => { :default => lambda { "report@#{Puppet::Settings.default_certname.downcase}" }, :desc => "The 'from' email address for the reports.", }, :smtpserver => { :default => "none", :desc => "The server through which to send email reports.", }, :smtpport => { :default => 25, :desc => "The TCP port through which to send email reports.", }, :smtphelo => { :default => lambda { Facter.value 'fqdn' }, :desc => "The name by which we identify ourselves in SMTP HELO for reports. If you send to a smtpserver which does strict HELO checking (as with Postfix's `smtpd_helo_restrictions` access controls), you may need to ensure this resolves.", } ) define_settings( :rails, :dblocation => { :default => "$statedir/clientconfigs.sqlite3", :type => :file, :mode => "0660", :owner => "service", :group => "service", :desc => "The sqlite database file. #{STORECONFIGS_ONLY}" }, :dbadapter => { :default => "sqlite3", :desc => "The type of database to use. #{STORECONFIGS_ONLY}", }, :dbmigrate => { :default => false, :type => :boolean, :desc => "Whether to automatically migrate the database. #{STORECONFIGS_ONLY}", }, :dbname => { :default => "puppet", :desc => "The name of the database to use. #{STORECONFIGS_ONLY}", }, :dbserver => { :default => "localhost", :desc => "The database server for caching. Only used when networked databases are used.", }, :dbport => { :default => "", :desc => "The database password for caching. Only used when networked databases are used. #{STORECONFIGS_ONLY}", }, :dbuser => { :default => "puppet", :desc => "The database user for caching. Only used when networked databases are used. #{STORECONFIGS_ONLY}", }, :dbpassword => { :default => "puppet", :desc => "The database password for caching. Only used when networked databases are used. #{STORECONFIGS_ONLY}", }, :dbconnections => { :default => '', :desc => "The number of database connections for networked databases. Will be ignored unless the value is a positive integer. #{STORECONFIGS_ONLY}", }, :dbsocket => { :default => "", :desc => "The database socket location. Only used when networked databases are used. Will be ignored if the value is an empty string. #{STORECONFIGS_ONLY}", }, :railslog => { :default => "$logdir/rails.log", :type => :file, :mode => "0600", :owner => "service", :group => "service", :desc => "Where Rails-specific logs are sent. #{STORECONFIGS_ONLY}" }, :rails_loglevel => { :default => "info", :desc => "The log level for Rails connections. The value must be a valid log level within Rails. Production environments normally use `info` and other environments normally use `debug`. #{STORECONFIGS_ONLY}", } ) define_settings( :transaction, :tags => { :default => "", :desc => "Tags to use to find resources. If this is set, then only resources tagged with the specified tags will be applied. Values must be comma-separated.", }, :evaltrace => { :default => false, :type => :boolean, :desc => "Whether each resource should log when it is being evaluated. This allows you to interactively see exactly what is being done.", }, :summarize => { :default => false, :type => :boolean, :desc => "Whether to print a transaction summary.", } ) define_settings( :main, :external_nodes => { :default => "none", :desc => "An external command that can produce node information. The command's output must be a YAML dump of a hash, and that hash must have a `classes` key and/or a `parameters` key, where `classes` is an array or hash and `parameters` is a hash. For unknown nodes, the command should exit with a non-zero exit code. This command makes it straightforward to store your node mapping information in other data sources like databases.", } ) define_settings( :ldap, :ldapssl => { :default => false, :type => :boolean, :desc => "Whether SSL should be used when searching for nodes. Defaults to false because SSL usually requires certificates to be set up on the client side.", }, :ldaptls => { :default => false, :type => :boolean, :desc => "Whether TLS should be used when searching for nodes. Defaults to false because TLS usually requires certificates to be set up on the client side.", }, :ldapserver => { :default => "ldap", :desc => "The LDAP server. Only used if `node_terminus` is set to `ldap`.", }, :ldapport => { :default => 389, :desc => "The LDAP port. Only used if `node_terminus` is set to `ldap`.", }, :ldapstring => { :default => "(&(objectclass=puppetClient)(cn=%s))", :desc => "The search string used to find an LDAP node.", }, :ldapclassattrs => { :default => "puppetclass", :desc => "The LDAP attributes to use to define Puppet classes. Values should be comma-separated.", }, :ldapstackedattrs => { :default => "puppetvar", :desc => "The LDAP attributes that should be stacked to arrays by adding the values in all hierarchy elements of the tree. Values should be comma-separated.", }, :ldapattrs => { :default => "all", :desc => "The LDAP attributes to include when querying LDAP for nodes. All returned attributes are set as variables in the top-level scope. Multiple values should be comma-separated. The value 'all' returns all attributes.", }, :ldapparentattr => { :default => "parentnode", :desc => "The attribute to use to define the parent node.", }, :ldapuser => { :default => "", :desc => "The user to use to connect to LDAP. Must be specified as a full DN.", }, :ldappassword => { :default => "", :desc => "The password to use to connect to LDAP.", }, :ldapbase => { :default => "", :desc => "The search base for LDAP searches. It's impossible to provide a meaningful default here, although the LDAP libraries might have one already set. Generally, it should be the 'ou=Hosts' branch under your main directory.", } ) define_settings(:master, :storeconfigs => { :default => false, :type => :boolean, :desc => "Whether to store each client's configuration, including catalogs, facts, and related data. This also enables the import and export of resources in the Puppet language - a mechanism for exchange resources between nodes. By default this uses ActiveRecord and an SQL database to store and query the data; this, in turn, will depend on Rails being available. You can adjust the backend using the storeconfigs_backend setting.", # Call our hook with the default value, so we always get the libdir set. :call_hook => :on_initialize_and_write, :hook => proc do |value| require 'puppet/node' require 'puppet/node/facts' if value Puppet::Resource::Catalog.indirection.cache_class = :store_configs Puppet.settings.override_default(:catalog_cache_terminus, :store_configs) Puppet::Node::Facts.indirection.cache_class = :store_configs Puppet::Resource.indirection.terminus_class = :store_configs end end }, :storeconfigs_backend => { :type => :terminus, :default => "active_record", :desc => "Configure the backend terminus used for StoreConfigs. By default, this uses the ActiveRecord store, which directly talks to the database from within the Puppet Master process." } ) define_settings(:parser, :templatedir => { :default => "$vardir/templates", :type => :directory, :desc => "Where Puppet looks for template files. Can be a list of colon-separated directories. This setting is deprecated. Please put your templates in modules instead.", :deprecated => :completely, }, :allow_variables_with_dashes => { :default => false, :desc => <<-'EOT' Permit hyphens (`-`) in variable names and issue deprecation warnings about them. This setting **should always be `false`;** setting it to `true` will cause subtle and wide-ranging bugs. It will be removed in a future version. Hyphenated variables caused major problems in the language, but were allowed between Puppet 2.7.3 and 2.7.14. If you used them during this window, we apologize for the inconvenience --- you can temporarily set this to `true` in order to upgrade, and can rename your variables at your leisure. Please revert it to `false` after you have renamed all affected variables. EOT }, :parser => { :default => "current", :desc => <<-'EOT' Selects the parser to use for parsing puppet manifests (in puppet DSL language/'.pp' files). Available choices are `current` (the default) and `future`. The `current` parser means that the released version of the parser should be used. The `future` parser is a "time travel to the future" allowing early exposure to new language features. What these features are will vary from release to release and they may be invididually configurable. Available Since Puppet 3.2. EOT }, :max_errors => { :default => 10, :desc => <<-'EOT' Sets the max number of logged/displayed parser validation errors in case multiple errors have been detected. A value of 0 is the same as a value of 1; a minimum of one error is always raised. The count is per manifest. EOT }, :max_warnings => { :default => 10, :desc => <<-'EOT' Sets the max number of logged/displayed parser validation warnings in case multiple warnings have been detected. A value of 0 blocks logging of warnings. The count is per manifest. EOT }, :max_deprecations => { :default => 10, :desc => <<-'EOT' Sets the max number of logged/displayed parser validation deprecation warnings in case multiple deprecation warnings have been detected. A value of 0 blocks the logging of deprecation warnings. The count is per manifest. EOT }, :strict_variables => { :default => false, :type => :boolean, :desc => <<-'EOT' Makes the parser raise errors when referencing unknown variables. (This does not affect referencing variables that are explicitly set to undef). EOT } ) define_settings(:puppetdoc, :document_all => { :default => false, :type => :boolean, :desc => "Whether to document all resources when using `puppet doc` to generate manifest documentation.", } ) end diff --git a/lib/puppet/network/authentication.rb b/lib/puppet/network/authentication.rb deleted file mode 100644 index c7f9ace87..000000000 --- a/lib/puppet/network/authentication.rb +++ /dev/null @@ -1,35 +0,0 @@ -require 'puppet/ssl/certificate_authority' -require 'puppet/util/log/rate_limited_logger' - -# Place for any authentication related bits -module Puppet::Network::Authentication - # Create a rate-limited logger for the expiration warning that uses the run interval - # as the minimum amount of time before a warning about the same cert can be logged again. - # This is a class variable so that all classes that include the module share the same logger. - @@logger = Puppet::Util::Log::RateLimitedLogger.new(Puppet[:runinterval]) - - # Check the expiration of known certificates and optionally any that are specified as part of a request - def warn_if_near_expiration(*certs) - # Check CA cert if we're functioning as a CA - certs << Puppet::SSL::CertificateAuthority.instance.host.certificate if Puppet::SSL::CertificateAuthority.ca? - - # Depending on the run mode, the localhost certificate will be for the - # master or the agent. Don't load the certificate if the CA cert is not - # present: infinite recursion will occur as another authenticated request - # will be spawned to download the CA cert. - if [Puppet[:hostcert], Puppet[:localcacert]].all? {|path| Puppet::FileSystem.exist?(path) } - certs << Puppet::SSL::Host.localhost.certificate - end - - # Remove nil values for caller convenience - certs.compact.each do |cert| - # Allow raw OpenSSL certificate instances or Puppet certificate wrappers to be specified - cert = Puppet::SSL::Certificate.from_instance(cert) if cert.is_a?(OpenSSL::X509::Certificate) - raise ArgumentError, "Invalid certificate '#{cert.inspect}'" unless cert.is_a?(Puppet::SSL::Certificate) - - if cert.near_expiration? - @@logger.warning("Certificate '#{cert.unmunged_name}' will expire on #{cert.expiration.strftime('%Y-%m-%dT%H:%M:%S%Z')}") - end - end - end -end diff --git a/lib/puppet/network/http/connection.rb b/lib/puppet/network/http/connection.rb index 8ffb1dda1..ff4baf533 100644 --- a/lib/puppet/network/http/connection.rb +++ b/lib/puppet/network/http/connection.rb @@ -1,240 +1,233 @@ require 'net/https' require 'puppet/ssl/host' require 'puppet/ssl/configuration' require 'puppet/ssl/validator' -require 'puppet/network/authentication' require 'puppet/network/http' require 'uri' module Puppet::Network::HTTP # This will be raised if too many redirects happen for a given HTTP request class RedirectionLimitExceededException < Puppet::Error ; end # This class provides simple methods for issuing various types of HTTP # requests. It's interface is intended to mirror Ruby's Net::HTTP # object, but it provides a few important bits of additional # functionality. Notably: # # * Any HTTPS requests made using this class will use Puppet's SSL # certificate configuration for their authentication, and # * Provides some useful error handling for any SSL errors that occur # during a request. # @api public class Connection - include Puppet::Network::Authentication OPTION_DEFAULTS = { :use_ssl => true, :verify => nil, :redirect_limit => 10, } # Creates a new HTTP client connection to `host`:`port`. # @param host [String] the host to which this client will connect to # @param port [Fixnum] the port to which this client will connect to # @param options [Hash] options influencing the properties of the created # connection, # @option options [Boolean] :use_ssl true to connect with SSL, false # otherwise, defaults to true # @option options [#setup_connection] :verify An object that will configure # any verification to do on the connection # @option options [Fixnum] :redirect_limit the number of allowed # redirections, defaults to 10 passing any other option in the options # hash results in a Puppet::Error exception # # @note the HTTP connection itself happens lazily only when {#request}, or # one of the {#get}, {#post}, {#delete}, {#head} or {#put} is called # @note The correct way to obtain a connection is to use one of the factory # methods on {Puppet::Network::HttpPool} # @api private def initialize(host, port, options = {}) @host = host @port = port unknown_options = options.keys - OPTION_DEFAULTS.keys raise Puppet::Error, "Unrecognized option(s): #{unknown_options.map(&:inspect).sort.join(', ')}" unless unknown_options.empty? options = OPTION_DEFAULTS.merge(options) @use_ssl = options[:use_ssl] @verify = options[:verify] @redirect_limit = options[:redirect_limit] @site = Puppet::Network::HTTP::Site.new(@use_ssl ? 'https' : 'http', host, port) @pool = Puppet.lookup(:http_pool) end # @!macro [new] common_options # @param options [Hash] options influencing the request made # @option options [Hash{Symbol => String}] :basic_auth The basic auth # :username and :password to use for the request # @param path [String] # @param headers [Hash{String => String}] # @!macro common_options # @api public def get(path, headers = {}, options = {}) request_with_redirects(Net::HTTP::Get.new(path, headers), options) end # @param path [String] # @param data [String] # @param headers [Hash{String => String}] # @!macro common_options # @api public def post(path, data, headers = nil, options = {}) request = Net::HTTP::Post.new(path, headers) request.body = data request_with_redirects(request, options) end # @param path [String] # @param headers [Hash{String => String}] # @!macro common_options # @api public def head(path, headers = {}, options = {}) request_with_redirects(Net::HTTP::Head.new(path, headers), options) end # @param path [String] # @param headers [Hash{String => String}] # @!macro common_options # @api public def delete(path, headers = {'Depth' => 'Infinity'}, options = {}) request_with_redirects(Net::HTTP::Delete.new(path, headers), options) end # @param path [String] # @param data [String] # @param headers [Hash{String => String}] # @!macro common_options # @api public def put(path, data, headers = nil, options = {}) request = Net::HTTP::Put.new(path, headers) request.body = data request_with_redirects(request, options) end def request(method, *args) self.send(method, *args) end # TODO: These are proxies for the Net::HTTP#request_* methods, which are # almost the same as the "get", "post", etc. methods that we've ported above, # but they are able to accept a code block and will yield to it, which is # necessary to stream responses, e.g. file content. For now # we're not funneling these proxy implementations through our #request # method above, so they will not inherit the same error handling. In the # future we may want to refactor these so that they are funneled through # that method and do inherit the error handling. def request_get(*args, &block) with_connection(@site) do |connection| connection.request_get(*args, &block) end end def request_head(*args, &block) with_connection(@site) do |connection| connection.request_head(*args, &block) end end def request_post(*args, &block) with_connection(@site) do |connection| connection.request_post(*args, &block) end end # end of Net::HTTP#request_* proxies # The address to connect to. def address @site.host end # The port to connect to. def port @site.port end # Whether to use ssl def use_ssl? @site.use_ssl? end private def request_with_redirects(request, options) current_request = request current_site = @site response = nil 0.upto(@redirect_limit) do |redirection| return response if response with_connection(current_site) do |connection| apply_options_to(current_request, options) current_response = execute_request(connection, current_request) if [301, 302, 307].include?(current_response.code.to_i) # handle the redirection location = URI.parse(current_response['location']) current_site = current_site.move_to(location) # update to the current request path current_request = current_request.class.new(location.path) current_request.body = request.body request.each do |header, value| current_request[header] = value end else response = current_response end end # and try again... end raise RedirectionLimitExceededException, "Too many HTTP redirections for #{@host}:#{@port}" end def apply_options_to(request, options) if options[:basic_auth] request.basic_auth(options[:basic_auth][:user], options[:basic_auth][:password]) end end def execute_request(connection, request) - response = connection.request(request) - - # Check the peer certs and warn if they're nearing expiration. - warn_if_near_expiration(*@verify.peer_certs) - - response + connection.request(request) end def with_connection(site, &block) response = nil @pool.with_connection(site, @verify) do |conn| response = yield conn end response rescue OpenSSL::SSL::SSLError => error if error.message.include? "certificate verify failed" msg = error.message msg << ": [" + @verify.verify_errors.join('; ') + "]" raise Puppet::Error, msg, error.backtrace elsif error.message =~ /hostname.*not match.*server certificate/ leaf_ssl_cert = @verify.peer_certs.last valid_certnames = [leaf_ssl_cert.name, *leaf_ssl_cert.subject_alt_names].uniq msg = valid_certnames.length > 1 ? "one of #{valid_certnames.join(', ')}" : valid_certnames.first msg = "Server hostname '#{site.host}' did not match server certificate; expected #{msg}" raise Puppet::Error, msg, error.backtrace else raise end end end end diff --git a/lib/puppet/network/http/handler.rb b/lib/puppet/network/http/handler.rb index a8aa1aaeb..01fea73e7 100644 --- a/lib/puppet/network/http/handler.rb +++ b/lib/puppet/network/http/handler.rb @@ -1,186 +1,184 @@ module Puppet::Network::HTTP end require 'puppet/network/http' require 'puppet/network/http/api/v1' -require 'puppet/network/authentication' require 'puppet/network/rights' require 'puppet/util/profiler' require 'puppet/util/profiler/aggregate' require 'resolv' module Puppet::Network::HTTP::Handler - include Puppet::Network::Authentication include Puppet::Network::HTTP::Issues # These shouldn't be allowed to be set by clients # in the query string, for security reasons. DISALLOWED_KEYS = ["node", "ip"] def register(routes) # There's got to be a simpler way to do this, right? dupes = {} routes.each { |r| dupes[r.path_matcher] = (dupes[r.path_matcher] || 0) + 1 } dupes = dupes.collect { |pm, count| pm if count > 1 }.compact if dupes.count > 0 raise ArgumentError, "Given multiple routes with identical path regexes: #{dupes.map{ |rgx| rgx.inspect }.join(', ')}" end @routes = routes Puppet.debug("Routes Registered:") @routes.each do |route| Puppet.debug(route.inspect) end end # Retrieve all headers from the http request, as a hash with the header names # (lower-cased) as the keys def headers(request) raise NotImplementedError end def format_to_mime(format) format.is_a?(Puppet::Network::Format) ? format.mime : format end # handle an HTTP request def process(request, response) new_response = Puppet::Network::HTTP::Response.new(self, response) request_headers = headers(request) request_params = params(request) request_method = http_method(request) request_path = path(request) new_request = Puppet::Network::HTTP::Request.new(request_headers, request_params, request_method, request_path, request_path, client_cert(request), body(request)) response[Puppet::Network::HTTP::HEADER_PUPPET_VERSION] = Puppet.version profiler = configure_profiler(request_headers, request_params) Puppet::Util::Profiler.profile("Processed request #{request_method} #{request_path}", [:http, request_method, request_path]) do if route = @routes.find { |route| route.matches?(new_request) } route.process(new_request, new_response) else raise Puppet::Network::HTTP::Error::HTTPNotFoundError.new("No route for #{new_request.method} #{new_request.path}", HANDLER_NOT_FOUND) end end rescue Puppet::Network::HTTP::Error::HTTPError => e Puppet.info(e.message) new_response.respond_with(e.status, "application/json", e.to_json) rescue Exception => e http_e = Puppet::Network::HTTP::Error::HTTPServerError.new(e) Puppet.err(http_e.message) new_response.respond_with(http_e.status, "application/json", http_e.to_json) ensure if profiler remove_profiler(profiler) end cleanup(request) end # Set the response up, with the body and status. def set_response(response, body, status = 200) raise NotImplementedError end # Set the specified format as the content type of the response. def set_content_type(response, format) raise NotImplementedError end # resolve node name from peer's ip address # this is used when the request is unauthenticated def resolve_node(result) begin return Resolv.getname(result[:ip]) rescue => detail Puppet.err "Could not resolve #{result[:ip]}: #{detail}" end result[:ip] end private # methods to be overridden by the including web server class def http_method(request) raise NotImplementedError end def path(request) raise NotImplementedError end def request_key(request) raise NotImplementedError end def body(request) raise NotImplementedError end def params(request) raise NotImplementedError end def client_cert(request) raise NotImplementedError end def cleanup(request) # By default, there is nothing to cleanup. end def decode_params(params) params.select { |key, _| allowed_parameter?(key) }.inject({}) do |result, ary| param, value = ary result[param.to_sym] = parse_parameter_value(param, value) result end end def allowed_parameter?(name) not (name.nil? || name.empty? || DISALLOWED_KEYS.include?(name)) end def parse_parameter_value(param, value) case value when /^---/ Puppet.debug("Found YAML while processing request parameter #{param} (value: <#{value}>)") Puppet.deprecation_warning("YAML in network requests is deprecated and will be removed in a future version. See http://links.puppetlabs.com/deprecate_yaml_on_network") YAML.load(value, :safe => true, :deserialize_symbols => true) when Array value.collect { |v| parse_primitive_parameter_value(v) } else parse_primitive_parameter_value(value) end end def parse_primitive_parameter_value(value) case value when "true" true when "false" false when /^\d+$/ Integer(value) when /^\d+\.\d+$/ value.to_f else value end end def configure_profiler(request_headers, request_params) if (request_headers.has_key?(Puppet::Network::HTTP::HEADER_ENABLE_PROFILING.downcase) or Puppet[:profile]) Puppet::Util::Profiler.add_profiler(Puppet::Util::Profiler::Aggregate.new(Puppet.method(:debug), request_params.object_id)) end end def remove_profiler(profiler) profiler.shutdown Puppet::Util::Profiler.remove_profiler(profiler) end end diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/network/http/rack/rest.rb index 3ca79c8ae..23d73bf93 100644 --- a/lib/puppet/network/http/rack/rest.rb +++ b/lib/puppet/network/http/rack/rest.rb @@ -1,138 +1,136 @@ require 'openssl' require 'cgi' require 'puppet/network/http/handler' require 'puppet/util/ssl' class Puppet::Network::HTTP::RackREST include Puppet::Network::HTTP::Handler ContentType = 'Content-Type'.freeze CHUNK_SIZE = 8192 class RackFile def initialize(file) @file = file end def each while chunk = @file.read(CHUNK_SIZE) yield chunk end end def close @file.close end end def initialize(args={}) super() register([Puppet::Network::HTTP::API::V2.routes, Puppet::Network::HTTP::API::V1.routes]) end def set_content_type(response, format) response[ContentType] = format_to_mime(format) end # produce the body of the response def set_response(response, result, status = 200) response.status = status unless result.is_a?(File) response.write result else response["Content-Length"] = result.stat.size.to_s response.body = RackFile.new(result) end end # Retrieve all headers from the http request, as a map. def headers(request) headers = request.env.select {|k,v| k.start_with? 'HTTP_'}.inject({}) do |m, (k,v)| m[k.sub(/^HTTP_/, '').gsub('_','-').downcase] = v m end headers['content-type'] = request.content_type headers end # Return which HTTP verb was used in this request. def http_method(request) request.request_method end # Return the query params for this request. def params(request) if request.post? params = request.params else # rack doesn't support multi-valued query parameters, # e.g. ignore, so parse them ourselves params = CGI.parse(request.query_string) convert_singular_arrays_to_value(params) end result = decode_params(params) result.merge(extract_client_info(request)) end # what path was requested? (this is, without any query parameters) def path(request) request.path end # return the request body def body(request) request.body.read end def client_cert(request) # This environment variable is set by mod_ssl, note that it # requires the `+ExportCertData` option in the `SSLOptions` directive cert = request.env['SSL_CLIENT_CERT'] # NOTE: The SSL_CLIENT_CERT environment variable will be the empty string # when Puppet agent nodes have not yet obtained a signed certificate. if cert.nil? || cert.empty? nil else - cert = Puppet::SSL::Certificate.from_instance(OpenSSL::X509::Certificate.new(cert)) - warn_if_near_expiration(cert) - cert + Puppet::SSL::Certificate.from_instance(OpenSSL::X509::Certificate.new(cert)) end end # Passenger freaks out if we finish handling the request without reading any # part of the body, so make sure we have. def cleanup(request) request.body.read(1) nil end def extract_client_info(request) result = {} result[:ip] = request.ip # if we find SSL info in the headers, use them to get a hostname from the CN. # try this with :ssl_client_header, which defaults should work for # Apache with StdEnvVars. subj_str = request.env[Puppet[:ssl_client_header]] subject = Puppet::Util::SSL.subject_from_dn(subj_str || "") if cn = Puppet::Util::SSL.cn_from_subject(subject) result[:node] = cn result[:authenticated] = (request.env[Puppet[:ssl_client_verify_header]] == 'SUCCESS') else result[:node] = resolve_node(result) result[:authenticated] = false end result end def convert_singular_arrays_to_value(hash) hash.each do |key, value| if value.size == 1 hash[key] = value.first end end end end diff --git a/lib/puppet/network/http/webrick/rest.rb b/lib/puppet/network/http/webrick/rest.rb index ae0867dfb..64c859a10 100644 --- a/lib/puppet/network/http/webrick/rest.rb +++ b/lib/puppet/network/http/webrick/rest.rb @@ -1,104 +1,102 @@ require 'puppet/network/http/handler' require 'resolv' require 'webrick' require 'puppet/util/ssl' class Puppet::Network::HTTP::WEBrickREST < WEBrick::HTTPServlet::AbstractServlet include Puppet::Network::HTTP::Handler def self.mutex @mutex ||= Mutex.new end def initialize(server) raise ArgumentError, "server is required" unless server register([Puppet::Network::HTTP::API::V2.routes, Puppet::Network::HTTP::API::V1.routes]) super(server) end # Retrieve the request parameters, including authentication information. def params(request) params = request.query || {} params = Hash[params.collect do |key, value| all_values = value.list [key, all_values.length == 1 ? value : all_values] end] params = decode_params(params) params.merge(client_information(request)) end # WEBrick uses a service method to respond to requests. Simply delegate to # the handler response method. def service(request, response) self.class.mutex.synchronize do process(request, response) end end def headers(request) result = {} request.each do |k, v| result[k.downcase] = v end result end def http_method(request) request.request_method end def path(request) request.path end def body(request) request.body end def client_cert(request) if cert = request.client_cert - cert = Puppet::SSL::Certificate.from_instance(cert) - warn_if_near_expiration(cert) - cert + Puppet::SSL::Certificate.from_instance(cert) else nil end end # Set the specified format as the content type of the response. def set_content_type(response, format) response["content-type"] = format_to_mime(format) end def set_response(response, result, status = 200) response.status = status if status >= 200 and status != 304 response.body = result response["content-length"] = result.stat.size if result.is_a?(File) end end # Retrieve node/cert/ip information from the request object. def client_information(request) result = {} if peer = request.peeraddr and ip = peer[3] result[:ip] = ip end # If they have a certificate (which will almost always be true) # then we get the hostname from the cert, instead of via IP # info result[:authenticated] = false if cert = request.client_cert and cn = Puppet::Util::SSL.cn_from_subject(cert.subject) result[:node] = cn result[:authenticated] = true else result[:node] = resolve_node(result) end result end end diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb index a8ed118fa..c72988bdb 100644 --- a/lib/puppet/ssl/certificate.rb +++ b/lib/puppet/ssl/certificate.rb @@ -1,65 +1,58 @@ require 'puppet/ssl/base' # Manage certificates themselves. This class has no # 'generate' method because the CA is responsible # for turning CSRs into certificates; we can only # retrieve them from the CA (or not, as is often # the case). class Puppet::SSL::Certificate < Puppet::SSL::Base # This is defined from the base class wraps OpenSSL::X509::Certificate extend Puppet::Indirector indirects :certificate, :terminus_class => :file, :doc => < 'pp_uuid', 'value' => 'abcd'}] # # @return [Array String}>] An array of two element hashes, # with key/value pairs for the extension's oid, and its value. def custom_extensions custom_exts = content.extensions.select do |ext| Puppet::SSL::Oids.subtree_of?('ppRegCertExt', ext.oid) or Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid) end custom_exts.map { |ext| {'oid' => ext.oid, 'value' => ext.value} } end end diff --git a/lib/puppet/util/log/rate_limited_logger.rb b/lib/puppet/util/log/rate_limited_logger.rb deleted file mode 100644 index 73ebc536b..000000000 --- a/lib/puppet/util/log/rate_limited_logger.rb +++ /dev/null @@ -1,40 +0,0 @@ -require 'puppet/util/logging' - -# Logging utility class that limits the frequency of identical log messages -class Puppet::Util::Log::RateLimitedLogger - include Puppet::Util::Logging - - def initialize(interval) - raise ArgumentError, "Logging rate-limit interval must be an integer" unless interval.is_a?(Integer) - @interval = interval - @log_record = {} - end - - # Override the logging entry point to rate-limit it - def send_log(level, message) - Puppet::Util::Log.create({:level => level, :message => message}) if should_log?(level, message) - end - - private - - def should_log?(level, message) - # Initialize separate records for different levels, and only when needed - record = (@log_record[level] ||= {}) - last_log = record[message] - - # Skip logging if the time interval since the last logging hasn't elapsed yet - return false if last_log and within_interval?(last_log) - - # Purge stale entries; do this after the interval check to reduce passes through the cache - record.delete_if { |key, time| !within_interval?(time) } - - # Reset the beginning of the interval to the current time - record[message] = Time.now - - true - end - - def within_interval?(time) - time + @interval > Time.now - end -end diff --git a/man/man5/puppet.conf.5 b/man/man5/puppet.conf.5 index 492ed2ca2..576be79f5 100644 --- a/man/man5/puppet.conf.5 +++ b/man/man5/puppet.conf.5 @@ -1,1985 +1,1982 @@ .\" generated with Ronn/v0.7.3 .\" http://github.com/rtomayko/ronn/tree/0.7.3 . .TH "PUPPETCONF" "5" "October 2014" "Puppet Labs, LLC" "Puppet manual" \fBThis page is autogenerated; any changes will get overwritten\fR \fI(last generated on 2014\-10\-16 00:42:14 +0200)\fR . .SH "Configuration Settings" . .IP "\(bu" 4 Each of these settings can be specified in \fBpuppet\.conf\fR or on the command line\. . .IP "\(bu" 4 When using boolean settings on the command line, use \fB\-\-setting\fR and \fB\-\-no\-setting\fR instead of \fB\-\-setting (true|false)\fR\. . .IP "\(bu" 4 Settings can be interpolated as \fB$variables\fR in other settings; \fB$environment\fR is special, in that puppet master will interpolate each agent node\'s environment instead of its own\. . .IP "\(bu" 4 Multiple values should be specified as comma\-separated lists; multiple directories should be separated with the system path separator (usually a colon)\. . .IP "\(bu" 4 Settings that represent time intervals should be specified in duration format: an integer immediately followed by one of the units \'y\' (years of 365 days), \'d\' (days), \'h\' (hours), \'m\' (minutes), or \'s\' (seconds)\. The unit cannot be combined with other units, and defaults to seconds when omitted\. Examples are \'3600\' which is equivalent to \'1h\' (one hour), and \'1825d\' which is equivalent to \'5y\' (5 years)\. . .IP "\(bu" 4 Settings that take a single file or directory can optionally set the owner, group, and mode for their value: \fBrundir = $vardir/run { owner = puppet, group = puppet, mode = 644 }\fR . .IP "\(bu" 4 The Puppet executables will ignore any setting that isn\'t relevant to their function\. . .IP "" 0 . .P See the configuration guide \fIhttp://docs\.puppetlabs\.com/guides/configuring\.html\fR for more details\. . .SS "agent_catalog_run_lockfile" A lock file to indicate that a puppet agent catalog run is currently in progress\. The file contains the pid of the process that holds the lock on the catalog run\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/agent_catalog_run\.lock . .IP "" 0 . .SS "agent_disabled_lockfile" A lock file to indicate that puppet agent runs have been administratively disabled\. File contains a JSON object with state information\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/agent_disabled\.lock . .IP "" 0 . .SS "allow_duplicate_certs" Whether to allow a new certificate request to overwrite an existing certificate\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "allow_variables_with_dashes" Permit hyphens (\fB\-\fR) in variable names and issue deprecation warnings about them\. This setting \fBshould always be \fBfalse\fR;\fR setting it to \fBtrue\fR will cause subtle and wide\-ranging bugs\. It will be removed in a future version\. . .P Hyphenated variables caused major problems in the language, but were allowed between Puppet 2\.7\.3 and 2\.7\.14\. If you used them during this window, we apologize for the inconvenience \-\-\- you can temporarily set this to \fBtrue\fR in order to upgrade, and can rename your variables at your leisure\. Please revert it to \fBfalse\fR after you have renamed all affected variables\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "always_cache_features" Affects how we cache attempts to load Puppet \'features\'\. If false, then calls to \fBPuppet\.features\.?\fR will always attempt to load the feature (which can be an expensive operation) unless it has already been loaded successfully\. This makes it possible for a single agent run to, e\.g\., install a package that provides the underlying capabilities for a feature, and then later load that feature during the same run (even if the feature had been tested earlier and had not been available)\. . .P If this setting is set to true, then features will only be checked once, and if they are not available, the negative result is cached and returned for all subsequent attempts to load the feature\. This behavior is almost always appropriate for the server, and can result in a significant performance improvement for features that are checked frequently\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "archive_file_server" During an inspect run, the file bucket server to archive files to if archive_files is set\. . .IP "\(bu" 4 \fIDefault\fR: $server . .IP "" 0 . .SS "archive_files" During an inspect run, whether to archive files whose contents are audited to a file bucket\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "autoflush" Whether log files should always flush to disk\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "autosign" Whether (and how) to autosign certificate requests\. This setting is only relevant on a puppet master acting as a certificate authority (CA)\. . .P Valid values are true (autosigns all certificate requests; not recommended), false (disables autosigning certificates), or the absolute path to a file\. . .P The file specified in this setting may be either a \fBconfiguration file\fR or a \fBcustom policy executable\.\fR Puppet will automatically determine what it is: If the Puppet user (see the \fBuser\fR setting) can execute the file, it will be treated as a policy executable; otherwise, it will be treated as a config file\. . .P If a custom policy executable is configured, the CA puppet master will run it every time it receives a CSR\. The executable will be passed the subject CN of the request \fIas a command line argument,\fR and the contents of the CSR in PEM format \fIon stdin\.\fR It should exit with a status of 0 if the cert should be autosigned and non\-zero if the cert should not be autosigned\. . .P If a certificate request is not autosigned, it will persist for review\. An admin user can use the \fBpuppet cert sign\fR command to manually sign it, or can delete the request\. . .P For info on autosign configuration files, see the guide to Puppet\'s config files \fIhttp://docs\.puppetlabs\.com/guides/configuring\.html\fR\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/autosign\.conf . .IP "" 0 . .SS "basemodulepath" The search path for \fBglobal\fR modules\. Should be specified as a list of directories separated by the system path separator character\. (The POSIX path separator is \':\', and the Windows path separator is \';\'\.) . .P If you are using directory environments, these are the modules that will be used by \fIall\fR environments\. Note that the \fBmodules\fR directory of the active environment will have priority over any global directories\. For more info, see http://docs\.puppetlabs\.com/puppet/latest/reference/environments\.html . .P This setting also provides the default value for the deprecated \fBmodulepath\fR setting, which is used when directory environments are disabled\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/modules:/usr/share/puppet/modules . .IP "" 0 . .SS "bindaddress" The address a listening server should bind to\. . .IP "\(bu" 4 \fIDefault\fR: 0\.0\.0\.0 . .IP "" 0 . .SS "binder" Turns the binding system on or off\. This includes bindings in modules\. The binding system aggregates data from modules and other locations and makes them available for lookup\. The binding system is experimental and any or all of it may change\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "binder_config" The binder configuration file\. Puppet reads this file on each request to configure the bindings system\. If set to nil (the default), a $confdir/binder_config\.yaml is optionally loaded\. If it does not exists, a default configuration is used\. If the setting :binding_config is specified, it must reference a valid and existing yaml file\. . .TP \fIDefault\fR: . .SS "bucketdir" Where FileBucket files are stored\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/bucket . .IP "" 0 . .SS "ca" Whether the master should function as a certificate authority\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "ca_name" The name to use the Certificate Authority certificate\. . .IP "\(bu" 4 \fIDefault\fR: Puppet CA: $certname . .IP "" 0 . .SS "ca_port" The port to use for the certificate authority\. . .IP "\(bu" 4 \fIDefault\fR: $masterport . .IP "" 0 . .SS "ca_server" The server to use for certificate authority requests\. It\'s a separate server because it cannot and does not need to horizontally scale\. . .IP "\(bu" 4 \fIDefault\fR: $server . .IP "" 0 . .SS "ca_ttl" The default TTL for new certificates\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. . .IP "\(bu" 4 \fIDefault\fR: 5y . .IP "" 0 . .SS "cacert" The CA certificate\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/ca_crt\.pem . .IP "" 0 . .SS "cacrl" The certificate revocation list (CRL) for the CA\. Will be used if present but otherwise ignored\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/ca_crl\.pem . .IP "" 0 . .SS "cadir" The root directory for the certificate authority\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/ca . .IP "" 0 . .SS "cakey" The CA private key\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/ca_key\.pem . .IP "" 0 . .SS "capass" Where the CA stores the password for the private key\. . .IP "\(bu" 4 \fIDefault\fR: $caprivatedir/ca\.pass . .IP "" 0 . .SS "caprivatedir" Where the CA stores private certificate information\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/private . .IP "" 0 . .SS "capub" The CA public key\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/ca_pub\.pem . .IP "" 0 . .SS "catalog_cache_terminus" How to store cached catalogs\. Valid values are \'json\', \'msgpack\' and \'yaml\'\. The agent application defaults to \'json\'\. . .TP \fIDefault\fR: . .SS "catalog_terminus" Where to get node catalogs\. This is useful to change if, for instance, you\'d like to pre\-compile catalogs and store them in memcached or some other easily\-accessed store\. . .IP "\(bu" 4 \fIDefault\fR: compiler . .IP "" 0 . .SS "cert_inventory" The inventory file\. This is a text file to which the CA writes a complete listing of all certificates\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/inventory\.txt . .IP "" 0 . .SS "certdir" The certificate directory\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/certs . .IP "" 0 . .SS "certdnsnames" The \fBcertdnsnames\fR setting is no longer functional, after CVE\-2011\-3872\. We ignore the value completely\. . .P For your own certificate request you can set \fBdns_alt_names\fR in the configuration and it will apply locally\. There is no configuration option to set DNS alt names, or any other \fBsubjectAltName\fR value, for another nodes certificate\. . .P Alternately you can use the \fB\-\-dns_alt_names\fR command line option to set the labels added while generating your own CSR\. . -.SS "certificate_expire_warning" -The window of time leading up to a certificate\'s expiration that a notification will be logged\. This applies to CA, master, and agent certificates\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. -. .IP "\(bu" 4 \fIDefault\fR: 60d . .IP "" 0 . .SS "certificate_revocation" Whether certificate revocation should be supported by downloading a Certificate Revocation List (CRL) to all clients\. If enabled, CA chaining will almost definitely not work\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "certname" The name to use when handling certificates\. When a node requests a certificate from the CA puppet master, it uses the value of the \fBcertname\fR setting as its requested Subject CN\. . .P This is the name used when managing a node\'s permissions in auth\.conf \fIhttp://docs\.puppetlabs\.com/puppet/latest/reference/config_file_auth\.html\fR\. In most cases, it is also used as the node\'s name when matching node definitions \fIhttp://docs\.puppetlabs\.com/puppet/latest/reference/lang_node_definitions\.html\fR and requesting data from an ENC\. (This can be changed with the \fBnode_name_value\fR and \fBnode_name_fact\fR settings, although you should only do so if you have a compelling reason\.) . .P A node\'s certname is available in Puppet manifests as \fB$trusted[\'certname\']\fR\. (See Facts and Built\-In Variables \fIhttp://docs\.puppetlabs\.com/puppet/latest/reference/lang_facts_and_builtin_vars\.html\fR for more details\.) . .IP "\(bu" 4 For best compatibility, you should limit the value of \fBcertname\fR to only use letters, numbers, periods, underscores, and dashes\. (That is, it should match \fB/A[a\-z0\-9\._\-]+Z/\fR\.) . .IP "\(bu" 4 The special value \fBca\fR is reserved, and can\'t be used as the certname for a normal node\. . .IP "" 0 . .P Defaults to the node\'s fully qualified domain name\. . .IP "\(bu" 4 \fIDefault\fR: henriks\-macbook\-pro\.local . .IP "" 0 . .SS "cfacter" Whether or not to use the native facter (cfacter) implementation instead of the Ruby one (facter)\. Defaults to false\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "classfile" The file in which puppet agent stores a list of the classes associated with the retrieved configuration\. Can be loaded in the separate \fBpuppet\fR executable using the \fB\-\-loadclasses\fR option\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/classes\.txt . .IP "" 0 . .SS "client_datadir" The directory in which serialized data is stored on the client\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/client_data . .IP "" 0 . .SS "clientbucketdir" Where FileBucket files are stored locally\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/clientbucket . .IP "" 0 . .SS "clientyamldir" The directory in which client\-side YAML data is stored\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/client_yaml . .IP "" 0 . .SS "code" Code to parse directly\. This is essentially only used by \fBpuppet\fR, and should only be set if you\'re writing your own Puppet executable\. . .SS "color" Whether to use colors when logging to the console\. Valid values are \fBansi\fR (equivalent to \fBtrue\fR), \fBhtml\fR, and \fBfalse\fR, which produces no color\. Defaults to false on Windows, as its console does not support ansi colors\. . .IP "\(bu" 4 \fIDefault\fR: ansi . .IP "" 0 . .SS "confdir" The main Puppet configuration directory\. The default for this setting is calculated based on the user\. If the process is running as root or the user that Puppet is supposed to run as, it defaults to a system directory, but if it\'s running as any other user, it defaults to being in the user\'s home directory\. . .IP "\(bu" 4 \fIDefault\fR: /etc/puppet . .IP "" 0 . .SS "config" The configuration file for the current puppet application\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/${config_file_name} . .IP "" 0 . .SS "config_file_name" The name of the puppet config file\. . .IP "\(bu" 4 \fIDefault\fR: puppet\.conf . .IP "" 0 . .SS "config_version" How to determine the configuration version\. By default, it will be the time that the configuration is parsed, but you can provide a shell script to override how the version is determined\. The output of this script will be added to every log message in the reports, allowing you to correlate changes on your hosts to the source version on the server\. . .P Setting a global value for config_version in puppet\.conf is deprecated\. Please set a per\-environment value in environment\.conf instead\. For more info, see http://docs\.puppetlabs\.com/puppet/latest/reference/environments\.html . .SS "configprint" Print the value of a specific configuration setting\. If the name of a setting is provided for this, then the value is printed and puppet exits\. Comma\-separate multiple values\. For a list of all values, specify \'all\'\. . .SS "configtimeout" How long the client should wait for the configuration to be retrieved before considering it a failure\. This can help reduce flapping if too many clients contact the server at one time\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. . .IP "\(bu" 4 \fIDefault\fR: 2m . .IP "" 0 . .SS "csr_attributes" An optional file containing custom attributes to add to certificate signing requests (CSRs)\. You should ensure that this file does not exist on your CA puppet master; if it does, unwanted certificate extensions may leak into certificates created with the \fBpuppet cert generate\fR command\. . .P If present, this file must be a YAML hash containing a \fBcustom_attributes\fR key and/or an \fBextension_requests\fR key\. The value of each key must be a hash, where each key is a valid OID and each value is an object that can be cast to a string\. . .P Custom attributes can be used by the CA when deciding whether to sign the certificate, but are then discarded\. Attribute OIDs can be any OID value except the standard CSR attributes (i\.e\. attributes described in RFC 2985 section 5\.4)\. This is useful for embedding a pre\-shared key for autosigning policy executables (see the \fBautosign\fR setting), often by using the \fB1\.2\.840\.113549\.1\.9\.7\fR ("challenge password") OID\. . .P Extension requests will be permanently embedded in the final certificate\. Extension OIDs must be in the "ppRegCertExt" (\fB1\.3\.6\.1\.4\.1\.34380\.1\.1\fR) or "ppPrivCertExt" (\fB1\.3\.6\.1\.4\.1\.34380\.1\.2\fR) OID arcs\. The ppRegCertExt arc is reserved for four of the most common pieces of data to embed: \fBpp_uuid\fR (\fB\.1\fR), \fBpp_instance_id\fR (\fB\.2\fR), \fBpp_image_name\fR (\fB\.3\fR), and \fBpp_preshared_key\fR (\fB\.4\fR) \-\-\- in the YAML file, these can be referred to by their short descriptive names instead of their full OID\. The ppPrivCertExt arc is unregulated, and can be used for site\-specific extensions\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/csr_attributes\.yaml . .IP "" 0 . .SS "csrdir" Where the CA stores certificate requests . .IP "\(bu" 4 \fIDefault\fR: $cadir/requests . .IP "" 0 . .SS "daemonize" Whether to send the process into the background\. This defaults to true on POSIX systems, and to false on Windows (where Puppet currently cannot daemonize)\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "data_binding_terminus" Where to retrive information about data\. . .IP "\(bu" 4 \fIDefault\fR: hiera . .IP "" 0 . .SS "dbadapter" The type of database to use\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: sqlite3 . .IP "" 0 . .SS "dbconnections" The number of database connections for networked databases\. Will be ignored unless the value is a positive integer\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .SS "dblocation" The sqlite database file\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/clientconfigs\.sqlite3 . .IP "" 0 . .SS "dbmigrate" Whether to automatically migrate the database\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "dbname" The name of the database to use\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: puppet . .IP "" 0 . .SS "dbpassword" The database password for caching\. Only used when networked databases are used\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: puppet . .IP "" 0 . .SS "dbport" The database password for caching\. Only used when networked databases are used\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .SS "dbserver" The database server for caching\. Only used when networked databases are used\. . .IP "\(bu" 4 \fIDefault\fR: localhost . .IP "" 0 . .SS "dbsocket" The database socket location\. Only used when networked databases are used\. Will be ignored if the value is an empty string\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .SS "dbuser" The database user for caching\. Only used when networked databases are used\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: puppet . .IP "" 0 . .SS "default_file_terminus" The default source for files if no server is given in a uri, e\.g\. puppet:///file\. The default of \fBrest\fR causes the file to be retrieved using the \fBserver\fR setting\. When running \fBapply\fR the default is \fBfile_server\fR, causing requests to be filled locally\. . .IP "\(bu" 4 \fIDefault\fR: rest . .IP "" 0 . .SS "default_manifest" The default main manifest for directory environments\. Any environment that doesn\'t set the \fBmanifest\fR setting in its \fBenvironment\.conf\fR file will use this manifest\. . .P This setting\'s value can be an absolute or relative path\. An absolute path will make all environments default to the same main manifest; a relative path will allow each environment to use its own manifest, and Puppet will resolve the path relative to each environment\'s main directory\. . .P In either case, the path can point to a single file or to a directory of manifests to be evaluated in alphabetical order\. . .IP "\(bu" 4 \fIDefault\fR: \./manifests . .IP "" 0 . .SS "default_schedules" Boolean; whether to generate the default schedule resources\. Setting this to false is useful for keeping external report processors clean of skipped schedule resources\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "deviceconfig" Path to the device config file for puppet device\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/device\.conf . .IP "" 0 . .SS "devicedir" The root directory of devices\' $vardir\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/devices . .IP "" 0 . .SS "diff" Which diff command to use when printing differences between files\. This setting has no default value on Windows, as standard \fBdiff\fR is not available, but Puppet can use many third\-party diff tools\. . .IP "\(bu" 4 \fIDefault\fR: diff . .IP "" 0 . .SS "diff_args" Which arguments to pass to the diff command when printing differences between files\. The command to use can be chosen with the \fBdiff\fR setting\. . .IP "\(bu" 4 \fIDefault\fR: \-u . .IP "" 0 . .SS "digest_algorithm" Which digest algorithm to use for file resources and the filebucket\. Valid values are md5, sha256\. Default is md5\. . .IP "\(bu" 4 \fIDefault\fR: md5 . .IP "" 0 . .SS "disable_per_environment_manifest" Whether to disallow an environment\-specific main manifest\. When set to \fBtrue\fR, Puppet will use the manifest specified in the \fBdefault_manifest\fR setting for all environments\. If an environment specifies a different main manifest in its \fBenvironment\.conf\fR file, catalog requests for that environment will fail with an error\. . .P This setting requires \fBdefault_manifest\fR to be set to an absolute path\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "disable_warnings" A comma\-separated list of warning types to suppress\. If large numbers of warnings are making Puppet\'s logs too large or difficult to use, you can temporarily silence them with this setting\. . .P If you are preparing to upgrade Puppet to a new major version, you should re\-enable all warnings for a while\. . .P Valid values for this setting are: . .IP "\(bu" 4 \fBdeprecations\fR \-\-\- disables deprecation warnings\. . .IP "\(bu" 4 \fIDefault\fR: [] . .IP "" 0 . .SS "dns_alt_names" The comma\-separated list of alternative DNS names to use for the local host\. . .P When the node generates a CSR for itself, these are added to the request as the desired \fBsubjectAltName\fR in the certificate: additional DNS labels that the certificate is also valid answering as\. . .P This is generally required if you use a non\-hostname \fBcertname\fR, or if you want to use \fBpuppet kick\fR or \fBpuppet resource \-H\fR and the primary certname does not match the DNS name you use to communicate with the host\. . .P This is unnecessary for agents, unless you intend to use them as a server for \fBpuppet kick\fR or remote \fBpuppet resource\fR management\. . .P It is rarely necessary for servers; it is usually helpful only if you need to have a pool of multiple load balanced masters, or for the same master to respond on two physically separate networks under different names\. . .SS "document_all" Whether to document all resources when using \fBpuppet doc\fR to generate manifest documentation\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "environment" The environment Puppet is running in\. For clients (e\.g\., \fBpuppet agent\fR) this determines the environment itself, which is used to find modules and much more\. For servers (i\.e\., \fBpuppet master\fR) this provides the default environment for nodes we know nothing about\. . .IP "\(bu" 4 \fIDefault\fR: production . .IP "" 0 . .SS "environment_timeout" The time to live for a cached environment\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. This setting can also be set to \fBunlimited\fR, which causes the environment to be cached until the master is restarted\. . .IP "\(bu" 4 \fIDefault\fR: unlimited . .IP "" 0 . .SS "environmentpath" A search path for directory environments, as a list of directories separated by the system path separator character\. (The POSIX path separator is \':\', and the Windows path separator is \';\'\.) . .P This setting must have a value set to enable \fBdirectory environments\.\fR The recommended value is \fB$confdir/environments\fR\. For more details, see http://docs\.puppetlabs\.com/puppet/latest/reference/environments\.html . .SS "evaltrace" Whether each resource should log when it is being evaluated\. This allows you to interactively see exactly what is being done\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "external_nodes" An external command that can produce node information\. The command\'s output must be a YAML dump of a hash, and that hash must have a \fBclasses\fR key and/or a \fBparameters\fR key, where \fBclasses\fR is an array or hash and \fBparameters\fR is a hash\. For unknown nodes, the command should exit with a non\-zero exit code\. . .P This command makes it straightforward to store your node mapping information in other data sources like databases\. . .IP "\(bu" 4 \fIDefault\fR: none . .IP "" 0 . .SS "factpath" Where Puppet should look for facts\. Multiple directories should be separated by the system path separator character\. (The POSIX path separator is \':\', and the Windows path separator is \';\'\.) . .IP "\(bu" 4 \fIDefault\fR: $vardir/lib/facter:$vardir/facts . .IP "" 0 . .SS "facts_terminus" The node facts terminus\. . .IP "\(bu" 4 \fIDefault\fR: facter . .IP "" 0 . .SS "fileserverconfig" Where the fileserver configuration is stored\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/fileserver\.conf . .IP "" 0 . .SS "filetimeout" The minimum time to wait between checking for updates in configuration files\. This timeout determines how quickly Puppet checks whether a file (such as manifests or templates) has changed on disk\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. . .IP "\(bu" 4 \fIDefault\fR: 15s . .IP "" 0 . .SS "forge_authorization" The authorization key to connect to the Puppet Forge\. Leave blank for unauthorized or license based connections . .TP \fIDefault\fR: . .SS "freeze_main" Freezes the \'main\' class, disallowing any code to be added to it\. This essentially means that you can\'t have any code outside of a node, class, or definition other than in the site manifest\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "genconfig" When true, causes Puppet applications to print an example config file to stdout and exit\. The example will include descriptions of each setting, and the current (or default) value of each setting, incorporating any settings overridden on the CLI (with the exception of \fBgenconfig\fR itself)\. This setting only makes sense when specified on the command line as \fB\-\-genconfig\fR\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "genmanifest" Whether to just print a manifest to stdout and exit\. Only makes sense when specified on the command line as \fB\-\-genmanifest\fR\. Takes into account arguments specified on the CLI\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "graph" Whether to create dot graph files for the different configuration graphs\. These dot files can be interpreted by tools like OmniGraffle or dot (which is part of ImageMagick)\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "graphdir" Where to store dot\-outputted graphs\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/graphs . .IP "" 0 . .SS "group" The group puppet master should run as\. . .IP "\(bu" 4 \fIDefault\fR: puppet . .IP "" 0 . .SS "hiera_config" The hiera configuration file\. Puppet only reads this file on startup, so you must restart the puppet master every time you edit it\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/hiera\.yaml . .IP "" 0 . .SS "hostcert" Where individual hosts store and look for their certificates\. . .IP "\(bu" 4 \fIDefault\fR: $certdir/$certname\.pem . .IP "" 0 . .SS "hostcrl" Where the host\'s certificate revocation list can be found\. This is distinct from the certificate authority\'s CRL\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/crl\.pem . .IP "" 0 . .SS "hostcsr" Where individual hosts store and look for their certificate requests\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/csr_$certname\.pem . .IP "" 0 . .SS "hostprivkey" Where individual hosts store and look for their private key\. . .IP "\(bu" 4 \fIDefault\fR: $privatekeydir/$certname\.pem . .IP "" 0 . .SS "hostpubkey" Where individual hosts store and look for their public key\. . .IP "\(bu" 4 \fIDefault\fR: $publickeydir/$certname\.pem . .IP "" 0 . .SS "http_debug" Whether to write HTTP request and responses to stderr\. This should never be used in a production environment\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "http_keepalive_timeout" The maximum amount of time a persistent HTTP connection can remain idle in the connection pool, before it is closed\. This timeout should be shorter than the keepalive timeout used on the HTTP server, e\.g\. Apache KeepAliveTimeout directive\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. . .IP "\(bu" 4 \fIDefault\fR: 4s . .IP "" 0 . .SS "http_proxy_host" The HTTP proxy host to use for outgoing connections\. Note: You may need to use a FQDN for the server hostname when using a proxy\. Environment variable http_proxy or HTTP_PROXY will override this value . .IP "\(bu" 4 \fIDefault\fR: none . .IP "" 0 . .SS "http_proxy_password" The password for the user of an authenticated HTTP proxy\. Requires the \fBhttp_proxy_user\fR setting\. . .P Note that passwords must be valid when used as part of a URL\. If a password contains any characters with special meanings in URLs (as specified by RFC 3986 section 2\.2), they must be URL\-encoded\. (For example, \fB#\fR would become \fB%23\fR\.) . .IP "\(bu" 4 \fIDefault\fR: none . .IP "" 0 . .SS "http_proxy_port" The HTTP proxy port to use for outgoing connections . .IP "\(bu" 4 \fIDefault\fR: 3128 . .IP "" 0 . .SS "http_proxy_user" The user name for an authenticated HTTP proxy\. Requires the \fBhttp_proxy_host\fR setting\. . .IP "\(bu" 4 \fIDefault\fR: none . .IP "" 0 . .SS "httplog" Where the puppet agent web server logs\. . .IP "\(bu" 4 \fIDefault\fR: $logdir/http\.log . .IP "" 0 . .SS "ignorecache" Ignore cache and always recompile the configuration\. This is useful for testing new configurations, where the local cache may in fact be stale even if the timestamps are up to date \- if the facts change or if the server changes\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "ignoreimport" If true, allows the parser to continue without requiring all files referenced with \fBimport\fR statements to exist\. This setting was primarily designed for use with commit hooks for parse\-checking\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "ignoremissingtypes" Skip searching for classes and definitions that were missing during a prior compilation\. The list of missing objects is maintained per\-environment and persists until the environment is cleared or the master is restarted\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "ignoreschedules" Boolean; whether puppet agent should ignore schedules\. This is useful for initial puppet agent runs\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "immutable_node_data" When true, also prevents $trusted and $facts from being overridden in any scope . .IP "\(bu" 4 \fIDefault\fR: $trusted_node_data . .IP "" 0 . .SS "keylength" The bit length of keys\. . .IP "\(bu" 4 \fIDefault\fR: 4096 . .IP "" 0 . .SS "lastrunfile" Where puppet agent stores the last run report summary in yaml format\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/last_run_summary\.yaml . .IP "" 0 . .SS "lastrunreport" Where puppet agent stores the last run report in yaml format\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/last_run_report\.yaml . .IP "" 0 . .SS "ldapattrs" The LDAP attributes to include when querying LDAP for nodes\. All returned attributes are set as variables in the top\-level scope\. Multiple values should be comma\-separated\. The value \'all\' returns all attributes\. . .IP "\(bu" 4 \fIDefault\fR: all . .IP "" 0 . .SS "ldapbase" The search base for LDAP searches\. It\'s impossible to provide a meaningful default here, although the LDAP libraries might have one already set\. Generally, it should be the \'ou=Hosts\' branch under your main directory\. . .SS "ldapclassattrs" The LDAP attributes to use to define Puppet classes\. Values should be comma\-separated\. . .IP "\(bu" 4 \fIDefault\fR: puppetclass . .IP "" 0 . .SS "ldapparentattr" The attribute to use to define the parent node\. . .IP "\(bu" 4 \fIDefault\fR: parentnode . .IP "" 0 . .SS "ldappassword" The password to use to connect to LDAP\. . .SS "ldapport" The LDAP port\. Only used if \fBnode_terminus\fR is set to \fBldap\fR\. . .IP "\(bu" 4 \fIDefault\fR: 389 . .IP "" 0 . .SS "ldapserver" The LDAP server\. Only used if \fBnode_terminus\fR is set to \fBldap\fR\. . .IP "\(bu" 4 \fIDefault\fR: ldap . .IP "" 0 . .SS "ldapssl" Whether SSL should be used when searching for nodes\. Defaults to false because SSL usually requires certificates to be set up on the client side\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "ldapstackedattrs" The LDAP attributes that should be stacked to arrays by adding the values in all hierarchy elements of the tree\. Values should be comma\-separated\. . .IP "\(bu" 4 \fIDefault\fR: puppetvar . .IP "" 0 . .SS "ldapstring" The search string used to find an LDAP node\. . .IP "\(bu" 4 \fIDefault\fR: (&(objectclass=puppetClient)(cn=%s)) . .IP "" 0 . .SS "ldaptls" Whether TLS should be used when searching for nodes\. Defaults to false because TLS usually requires certificates to be set up on the client side\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "ldapuser" The user to use to connect to LDAP\. Must be specified as a full DN\. . .SS "legacy_query_parameter_serialization" The serialization format to use when sending file_metadata query parameters\. Older versions of puppet master expect certain query parameters to be serialized as yaml, which is deprecated\. . .P This should almost always be false\. It can be temporarily set to true to let agents using this Puppet version connect to a puppet master running Puppet 3\.0\.0 through 3\.2\.x\. . .P Note that this is set to true automatically if the agent detects an older master, so should never need to be set explicitly\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "libdir" An extra search path for Puppet\. This is only useful for those files that Puppet will load on demand, and is only guaranteed to work for those cases\. In fact, the autoload mechanism is responsible for making sure this directory is in Ruby\'s search path . .IP "\(bu" 4 \fIDefault\fR: $vardir/lib . .IP "" 0 . .SS "listen" Whether puppet agent should listen for connections\. If this is true, then puppet agent will accept incoming REST API requests, subject to the default ACLs and the ACLs set in the \fBrest_authconfig\fR file\. Puppet agent can respond usefully to requests on the \fBrun\fR, \fBcertificate\fR, and \fBresource\fR endpoints\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "localcacert" Where each client stores the CA certificate\. . .IP "\(bu" 4 \fIDefault\fR: $certdir/ca\.pem . .IP "" 0 . .SS "localconfig" Where puppet agent caches the local configuration\. An extension indicating the cache format is added automatically\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/localconfig . .IP "" 0 . .SS "log_level" Default logging level for messages from Puppet\. Allowed values are: . .IP "\(bu" 4 debug . .IP "\(bu" 4 info . .IP "\(bu" 4 notice . .IP "\(bu" 4 warning . .IP "\(bu" 4 err . .IP "\(bu" 4 alert . .IP "\(bu" 4 emerg . .IP "\(bu" 4 crit . .IP "\(bu" 4 \fIDefault\fR: notice . .IP "" 0 . .SS "logdir" The directory in which to store log files . .TP \fIDefault\fR: . .SS "manage_internal_file_permissions" Whether Puppet should manage the owner, group, and mode of files it uses internally . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "manifest" The entry\-point manifest for puppet master\. This can be one file or a directory of manifests to be evaluated in alphabetical order\. Puppet manages this path as a directory if one exists or if the path ends with a / or \. . .P Setting a global value for \fBmanifest\fR in puppet\.conf is deprecated\. Please use directory environments instead\. If you need to use something other than the environment\'s \fBmanifests\fR directory as the main manifest, you can set \fBmanifest\fR in environment\.conf\. For more info, see http://docs\.puppetlabs\.com/puppet/latest/reference/environments\.html . .IP "\(bu" 4 \fIDefault\fR: $manifestdir/site\.pp . .IP "" 0 . .SS "manifestdir" Used to build the default value of the \fBmanifest\fR setting\. Has no other purpose\. . .P This setting is deprecated\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/manifests . .IP "" 0 . .SS "masterhttplog" Where the puppet master web server saves its access log\. This is only used when running a WEBrick puppet master\. When puppet master is running under a Rack server like Passenger, that web server will have its own logging behavior\. . .IP "\(bu" 4 \fIDefault\fR: $logdir/masterhttp\.log . .IP "" 0 . .SS "masterport" The port for puppet master traffic\. For puppet master, this is the port to listen on; for puppet agent, this is the port to make requests on\. Both applications use this setting to get the port\. . .IP "\(bu" 4 \fIDefault\fR: 8140 . .IP "" 0 . .SS "max_deprecations" Sets the max number of logged/displayed parser validation deprecation warnings in case multiple deprecation warnings have been detected\. A value of 0 blocks the logging of deprecation warnings\. The count is per manifest\. . .IP "\(bu" 4 \fIDefault\fR: 10 . .IP "" 0 . .SS "max_errors" Sets the max number of logged/displayed parser validation errors in case multiple errors have been detected\. A value of 0 is the same as a value of 1; a minimum of one error is always raised\. The count is per manifest\. . .IP "\(bu" 4 \fIDefault\fR: 10 . .IP "" 0 . .SS "max_warnings" Sets the max number of logged/displayed parser validation warnings in case multiple warnings have been detected\. A value of 0 blocks logging of warnings\. The count is per manifest\. . .IP "\(bu" 4 \fIDefault\fR: 10 . .IP "" 0 . .SS "maximum_uid" The maximum allowed UID\. Some platforms use negative UIDs but then ship with tools that do not know how to handle signed ints, so the UIDs show up as huge numbers that can then not be fed back into the system\. This is a hackish way to fail in a slightly more useful way when that happens\. . .IP "\(bu" 4 \fIDefault\fR: 4294967290 . .IP "" 0 . .SS "mkusers" Whether to create the necessary user and group that puppet agent will run as\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "module_groups" Extra module groups to request from the Puppet Forge . .TP \fIDefault\fR: . .SS "module_repository" The module repository . .IP "\(bu" 4 \fIDefault\fR: https://forgeapi\.puppetlabs\.com . .IP "" 0 . .SS "module_skeleton_dir" The directory which the skeleton for module tool generate is stored\. . .IP "\(bu" 4 \fIDefault\fR: $module_working_dir/skeleton . .IP "" 0 . .SS "module_working_dir" The directory into which module tool data is stored . .IP "\(bu" 4 \fIDefault\fR: $vardir/puppet\-module . .IP "" 0 . .SS "modulepath" The search path for modules, as a list of directories separated by the system path separator character\. (The POSIX path separator is \':\', and the Windows path separator is \';\'\.) . .P Setting a global value for \fBmodulepath\fR in puppet\.conf is deprecated\. Please use directory environments instead\. If you need to use something other than the default modulepath of \fB:$basemodulepath\fR, you can set \fBmodulepath\fR in environment\.conf\. For more info, see http://docs\.puppetlabs\.com/puppet/latest/reference/environments\.html . .IP "\(bu" 4 \fIDefault\fR: $basemodulepath . .IP "" 0 . .SS "name" The name of the application, if we are running as one\. The default is essentially $0 without the path or \fB\.rb\fR\. . .TP \fIDefault\fR: . .SS "node_cache_terminus" How to store cached nodes\. Valid values are (none), \'json\', \'msgpack\', \'yaml\' or write only yaml (\'write_only_yaml\')\. The master application defaults to \'write_only_yaml\', all others to none\. . .TP \fIDefault\fR: . .SS "node_name" How the puppet master determines the client\'s identity and sets the \'hostname\', \'fqdn\' and \'domain\' facts for use in the manifest, in particular for determining which \'node\' statement applies to the client\. Possible values are \'cert\' (use the subject\'s CN in the client\'s certificate) and \'facter\' (use the hostname that the client reported in its facts) . .IP "\(bu" 4 \fIDefault\fR: cert . .IP "" 0 . .SS "node_name_fact" The fact name used to determine the node name used for all requests the agent makes to the master\. WARNING: This setting is mutually exclusive with node_name_value\. Changing this setting also requires changes to the default auth\.conf configuration on the Puppet Master\. Please see http://links\.puppetlabs\.com/node_name_fact for more information\. . .SS "node_name_value" The explicit value used for the node name for all requests the agent makes to the master\. WARNING: This setting is mutually exclusive with node_name_fact\. Changing this setting also requires changes to the default auth\.conf configuration on the Puppet Master\. Please see http://links\.puppetlabs\.com/node_name_value for more information\. . .IP "\(bu" 4 \fIDefault\fR: $certname . .IP "" 0 . .SS "node_terminus" Where to find information about nodes\. . .IP "\(bu" 4 \fIDefault\fR: plain . .IP "" 0 . .SS "noop" Whether to apply catalogs in noop mode, which allows Puppet to partially simulate a normal run\. This setting affects puppet agent and puppet apply\. . .P When running in noop mode, Puppet will check whether each resource is in sync, like it does when running normally\. However, if a resource attribute is not in the desired state (as declared in the catalog), Puppet will take no action, and will instead report the changes it \fIwould\fR have made\. These simulated changes will appear in the report sent to the puppet master, or be shown on the console if running puppet agent or puppet apply in the foreground\. The simulated changes will not send refresh events to any subscribing or notified resources, although Puppet will log that a refresh event \fIwould\fR have been sent\. . .P \fBImportant note:\fR The \fBnoop\fR metaparameter \fIhttp://docs\.puppetlabs\.com/references/latest/metaparameter\.html#noop\fR allows you to apply individual resources in noop mode, and will override the global value of the \fBnoop\fR setting\. This means a resource with \fBnoop => false\fR \fIwill\fR be changed if necessary, even when running puppet agent with \fBnoop = true\fR or \fB\-\-noop\fR\. (Conversely, a resource with \fBnoop => true\fR will only be simulated, even when noop mode is globally disabled\.) . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "onetime" Perform one configuration run and exit, rather than spawning a long\-running daemon\. This is useful for interactively running puppet agent, or running puppet agent from cron\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "ordering" How unrelated resources should be ordered when applying a catalog\. Allowed values are \fBtitle\-hash\fR, \fBmanifest\fR, and \fBrandom\fR\. This setting affects puppet agent and puppet apply, but not puppet master\. . .IP "\(bu" 4 \fBtitle\-hash\fR (the default) will order resources randomly, but will use the same order across runs and across nodes\. . .IP "\(bu" 4 \fBmanifest\fR will use the order in which the resources were declared in their manifest files\. . .IP "\(bu" 4 \fBrandom\fR will order resources randomly and change their order with each run\. This can work like a fuzzer for shaking out undeclared dependencies\. . .IP "" 0 . .P Regardless of this setting\'s value, Puppet will always obey explicit dependencies set with the before/require/notify/subscribe metaparameters and the \fB\->\fR/\fB~>\fR chaining arrows; this setting only affects the relative ordering of \fIunrelated\fR resources\. . .IP "\(bu" 4 \fIDefault\fR: manifest . .IP "" 0 . .SS "parser" Selects the parser to use for parsing puppet manifests (in puppet DSL language/\'\.pp\' files)\. Available choices are \fBcurrent\fR (the default) and \fBfuture\fR\. . .P The \fBcurrent\fR parser means that the released version of the parser should be used\. . .P The \fBfuture\fR parser is a "time travel to the future" allowing early exposure to new language features\. What these features are will vary from release to release and they may be invididually configurable\. . .P Available Since Puppet 3\.2\. . .IP "\(bu" 4 \fIDefault\fR: current . .IP "" 0 . .SS "passfile" Where puppet agent stores the password for its private key\. Generally unused\. . .IP "\(bu" 4 \fIDefault\fR: $privatedir/password . .IP "" 0 . .SS "path" The shell search path\. Defaults to whatever is inherited from the parent process\. . .IP "\(bu" 4 \fIDefault\fR: none . .IP "" 0 . .SS "pidfile" The file containing the PID of a running process\. This file is intended to be used by service management frameworks and monitoring systems to determine if a puppet process is still in the process table\. . .IP "\(bu" 4 \fIDefault\fR: $rundir/${run_mode}\.pid . .IP "" 0 . .SS "plugindest" Where Puppet should store plugins that it pulls down from the central server\. . .IP "\(bu" 4 \fIDefault\fR: $libdir . .IP "" 0 . .SS "pluginfactdest" Where Puppet should store external facts that are being handled by pluginsync . .IP "\(bu" 4 \fIDefault\fR: $vardir/facts\.d . .IP "" 0 . .SS "pluginfactsource" Where to retrieve external facts for pluginsync . .IP "\(bu" 4 \fIDefault\fR: puppet://$server/pluginfacts . .IP "" 0 . .SS "pluginsignore" What files to ignore when pulling down plugins\. . .IP "\(bu" 4 \fIDefault\fR: \.svn CVS \.git . .IP "" 0 . .SS "pluginsource" From where to retrieve plugins\. The standard Puppet \fBfile\fR type is used for retrieval, so anything that is a valid file source can be used here\. . .IP "\(bu" 4 \fIDefault\fR: puppet://$server/plugins . .IP "" 0 . .SS "pluginsync" Whether plugins should be synced with the central server\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "postrun_command" A command to run after every agent run\. If this command returns a non\-zero return code, the entire Puppet run will be considered to have failed, even though it might have performed work during the normal run\. . .SS "preferred_serialization_format" The preferred means of serializing ruby instances for passing over the wire\. This won\'t guarantee that all instances will be serialized using this method, since not all classes can be guaranteed to support this format, but it will be used for all classes that support it\. . .IP "\(bu" 4 \fIDefault\fR: pson . .IP "" 0 . .SS "prerun_command" A command to run before every agent run\. If this command returns a non\-zero return code, the entire Puppet run will fail\. . .SS "priority" The scheduling priority of the process\. Valid values are \'high\', \'normal\', \'low\', or \'idle\', which are mapped to platform\-specific values\. The priority can also be specified as an integer value and will be passed as is, e\.g\. \-5\. Puppet must be running as a privileged user in order to increase scheduling priority\. . .TP \fIDefault\fR: . .SS "privatedir" Where the client stores private certificate information\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/private . .IP "" 0 . .SS "privatekeydir" The private key directory\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/private_keys . .IP "" 0 . .SS "profile" Whether to enable experimental performance profiling . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "publickeydir" The public key directory\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/public_keys . .IP "" 0 . .SS "puppetdlog" The fallback log file\. This is only used when the \fB\-\-logdest\fR option is not specified AND Puppet is running on an operating system where both the POSIX syslog service and the Windows Event Log are unavailable\. (Currently, no supported operating systems match that description\.) . .P Despite the name, both puppet agent and puppet master will use this file as the fallback logging destination\. . .P For control over logging destinations, see the \fB\-\-logdest\fR command line option in the manual pages for puppet master, puppet agent, and puppet apply\. You can see man pages by running \fBpuppet \-\-help\fR, or read them online at http://docs\.puppetlabs\.com/references/latest/man/\. . .IP "\(bu" 4 \fIDefault\fR: $logdir/puppetd\.log . .IP "" 0 . .SS "puppetport" Which port puppet agent listens on\. . .IP "\(bu" 4 \fIDefault\fR: 8139 . .IP "" 0 . .SS "rails_loglevel" The log level for Rails connections\. The value must be a valid log level within Rails\. Production environments normally use \fBinfo\fR and other environments normally use \fBdebug\fR\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: info . .IP "" 0 . .SS "railslog" Where Rails\-specific logs are sent\. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated\. . .IP "\(bu" 4 \fIDefault\fR: $logdir/rails\.log . .IP "" 0 . .SS "report" Whether to send reports after every transaction\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "report_port" The port to communicate with the report_server\. . .IP "\(bu" 4 \fIDefault\fR: $masterport . .IP "" 0 . .SS "report_serialization_format" The serialization format to use when sending reports to the \fBreport_server\fR\. Possible values are \fBpson\fR and \fByaml\fR\. This setting affects puppet agent, but not puppet apply (which processes its own reports)\. . .P This should almost always be set to \fBpson\fR\. It can be temporarily set to \fByaml\fR to let agents using this Puppet version connect to a puppet master running Puppet 3\.0\.0 through 3\.2\.x\. . .P Note that this is set to \'yaml\' automatically if the agent detects an older master, so should never need to be set explicitly\. . .IP "\(bu" 4 \fIDefault\fR: pson . .IP "" 0 . .SS "report_server" The server to send transaction reports to\. . .IP "\(bu" 4 \fIDefault\fR: $server . .IP "" 0 . .SS "reportdir" The directory in which to store reports\. Each node gets a separate subdirectory in this directory\. This setting is only used when the \fBstore\fR report processor is enabled (see the \fBreports\fR setting)\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/reports . .IP "" 0 . .SS "reportfrom" The \'from\' email address for the reports\. . .IP "\(bu" 4 \fIDefault\fR: report@henriks\-macbook\-pro\.local . .IP "" 0 . .SS "reports" The list of report handlers to use\. When using multiple report handlers, their names should be comma\-separated, with whitespace allowed\. (For example, \fBreports = http, tagmail\fR\.) . .P This setting is relevant to puppet master and puppet apply\. The puppet master will call these report handlers with the reports it receives from agent nodes, and puppet apply will call them with its own report\. (In all cases, the node applying the catalog must have \fBreport = true\fR\.) . .P See the report reference for information on the built\-in report handlers; custom report handlers can also be loaded from modules\. (Report handlers are loaded from the lib directory, at \fBpuppet/reports/NAME\.rb\fR\.) . .IP "\(bu" 4 \fIDefault\fR: store . .IP "" 0 . .SS "reporturl" The URL that reports should be forwarded to\. This setting is only used when the \fBhttp\fR report processor is enabled (see the \fBreports\fR setting)\. . .IP "\(bu" 4 \fIDefault\fR: http://localhost:3000/reports/upload . .IP "" 0 . .SS "req_bits" The bit length of the certificates\. . .IP "\(bu" 4 \fIDefault\fR: 4096 . .IP "" 0 . .SS "requestdir" Where host certificate requests are stored\. . .IP "\(bu" 4 \fIDefault\fR: $ssldir/certificate_requests . .IP "" 0 . .SS "resourcefile" The file in which puppet agent stores a list of the resources associated with the retrieved configuration\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/resources\.txt . .IP "" 0 . .SS "rest_authconfig" The configuration file that defines the rights to the different rest indirections\. This can be used as a fine\-grained authorization system for \fBpuppet master\fR\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/auth\.conf . .IP "" 0 . .SS "route_file" The YAML file containing indirector route configuration\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/routes\.yaml . .IP "" 0 . .SS "rundir" Where Puppet PID files are kept\. . .TP \fIDefault\fR: . .SS "runinterval" How often puppet agent applies the catalog\. Note that a runinterval of 0 means "run continuously" rather than "never run\." If you want puppet agent to never run, you should start it with the \fB\-\-no\-client\fR option\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. . .IP "\(bu" 4 \fIDefault\fR: 30m . .IP "" 0 . .SS "sendmail" Where to find the sendmail binary with which to send email\. . .IP "\(bu" 4 \fIDefault\fR: /usr/sbin/sendmail . .IP "" 0 . .SS "serial" Where the serial number for certificates is stored\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/serial . .IP "" 0 . .SS "server" The puppet master server to which the puppet agent should connect\. . .IP "\(bu" 4 \fIDefault\fR: puppet . .IP "" 0 . .SS "server_datadir" The directory in which serialized data is stored, usually in a subdirectory\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/server_data . .IP "" 0 . .SS "show_diff" Whether to log and report a contextual diff when files are being replaced\. This causes partial file contents to pass through Puppet\'s normal logging and reporting system, so this setting should be used with caution if you are sending Puppet\'s reports to an insecure destination\. This feature currently requires the \fBdiff/lcs\fR Ruby library\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "signeddir" Where the CA stores signed certificates\. . .IP "\(bu" 4 \fIDefault\fR: $cadir/signed . .IP "" 0 . .SS "smtphelo" The name by which we identify ourselves in SMTP HELO for reports\. If you send to a smtpserver which does strict HELO checking (as with Postfix\'s \fBsmtpd_helo_restrictions\fR access controls), you may need to ensure this resolves\. . .IP "\(bu" 4 \fIDefault\fR: Henriks\-MacBook\-Pro\.local . .IP "" 0 . .SS "smtpport" The TCP port through which to send email reports\. . .IP "\(bu" 4 \fIDefault\fR: 25 . .IP "" 0 . .SS "smtpserver" The server through which to send email reports\. . .IP "\(bu" 4 \fIDefault\fR: none . .IP "" 0 . .SS "splay" Whether to sleep for a pseudo\-random (but consistent) amount of time before a run\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "splaylimit" The maximum time to delay before runs\. Defaults to being the same as the run interval\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. . .IP "\(bu" 4 \fIDefault\fR: $runinterval . .IP "" 0 . .SS "srv_domain" The domain which will be queried to find the SRV records of servers to use\. . .IP "\(bu" 4 \fIDefault\fR: local . .IP "" 0 . .SS "ssl_client_ca_auth" Certificate authorities who issue server certificates\. SSL servers will not be considered authentic unless they possess a certificate issued by an authority listed in this file\. If this setting has no value then the Puppet master\'s CA certificate (localcacert) will be used\. . .TP \fIDefault\fR: . .SS "ssl_client_header" The header containing an authenticated client\'s SSL DN\. This header must be set by the proxy to the authenticated client\'s SSL DN (e\.g\., \fB/CN=puppet\.puppetlabs\.com\fR)\. Puppet will parse out the Common Name (CN) from the Distinguished Name (DN) and use the value of the CN field for authorization\. . .P Note that the name of the HTTP header gets munged by the web server common gateway inteface: an \fBHTTP_\fR prefix is added, dashes are converted to underscores, and all letters are uppercased\. Thus, to use the \fBX\-Client\-DN\fR header, this setting should be \fBHTTP_X_CLIENT_DN\fR\. . .IP "\(bu" 4 \fIDefault\fR: HTTP_X_CLIENT_DN . .IP "" 0 . .SS "ssl_client_verify_header" The header containing the status message of the client verification\. This header must be set by the proxy to \'SUCCESS\' if the client successfully authenticated, and anything else otherwise\. . .P Note that the name of the HTTP header gets munged by the web server common gateway inteface: an \fBHTTP_\fR prefix is added, dashes are converted to underscores, and all letters are uppercased\. Thus, to use the \fBX\-Client\-Verify\fR header, this setting should be \fBHTTP_X_CLIENT_VERIFY\fR\. . .IP "\(bu" 4 \fIDefault\fR: HTTP_X_CLIENT_VERIFY . .IP "" 0 . .SS "ssl_server_ca_auth" Certificate authorities who issue client certificates\. SSL clients will not be considered authentic unless they possess a certificate issued by an authority listed in this file\. If this setting has no value then the Puppet master\'s CA certificate (localcacert) will be used\. . .TP \fIDefault\fR: . .SS "ssldir" Where SSL certificates are kept\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/ssl . .IP "" 0 . .SS "statedir" The directory where Puppet state is stored\. Generally, this directory can be removed without causing harm (although it might result in spurious service restarts)\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/state . .IP "" 0 . .SS "statefile" Where puppet agent and puppet master store state associated with the running configuration\. In the case of puppet master, this file reflects the state discovered through interacting with clients\. . .IP "\(bu" 4 \fIDefault\fR: $statedir/state\.yaml . .IP "" 0 . .SS "storeconfigs" Whether to store each client\'s configuration, including catalogs, facts, and related data\. This also enables the import and export of resources in the Puppet language \- a mechanism for exchange resources between nodes\. . .P By default this uses ActiveRecord and an SQL database to store and query the data; this, in turn, will depend on Rails being available\. . .P You can adjust the backend using the storeconfigs_backend setting\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "storeconfigs_backend" Configure the backend terminus used for StoreConfigs\. By default, this uses the ActiveRecord store, which directly talks to the database from within the Puppet Master process\. . .IP "\(bu" 4 \fIDefault\fR: active_record . .IP "" 0 . .SS "strict_hostname_checking" Whether to only search for the complete hostname as it is in the certificate when searching for node information in the catalogs\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "strict_variables" Makes the parser raise errors when referencing unknown variables\. (This does not affect referencing variables that are explicitly set to undef)\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "summarize" Whether to print a transaction summary\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "syslogfacility" What syslog facility to use when logging to syslog\. Syslog has a fixed list of valid facilities, and you must choose one of those; you cannot just make one up\. . .IP "\(bu" 4 \fIDefault\fR: daemon . .IP "" 0 . .SS "tagmap" The mapping between reporting tags and email addresses\. . .IP "\(bu" 4 \fIDefault\fR: $confdir/tagmail\.conf . .IP "" 0 . .SS "tags" Tags to use to find resources\. If this is set, then only resources tagged with the specified tags will be applied\. Values must be comma\-separated\. . .SS "templatedir" Where Puppet looks for template files\. Can be a list of colon\-separated directories\. . .P This setting is deprecated\. Please put your templates in modules instead\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/templates . .IP "" 0 . .SS "thin_storeconfigs" Boolean; whether Puppet should store only facts and exported resources in the storeconfigs database\. This will improve the performance of exported resources with the older \fBactive_record\fR backend, but will disable external tools that search the storeconfigs database\. Thinning catalogs is generally unnecessary when using PuppetDB to store catalogs\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "trace" Whether to print stack traces on some errors . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "trusted_node_data" Stores trusted node data in a hash called $trusted\. When true also prevents $trusted from being overridden in any scope\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "trusted_oid_mapping_file" File that provides mapping between custom SSL oids and user\-friendly names . .IP "\(bu" 4 \fIDefault\fR: $confdir/custom_trusted_oid_mapping\.yaml . .IP "" 0 . .SS "use_cached_catalog" Whether to only use the cached catalog rather than compiling a new catalog on every run\. Puppet can be run with this enabled by default and then selectively disabled when a recompile is desired\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "use_srv_records" Whether the server will search for SRV records in DNS for the current domain\. . .IP "\(bu" 4 \fIDefault\fR: false . .IP "" 0 . .SS "usecacheonfailure" Whether to use the cached configuration when the remote configuration will not compile\. This option is useful for testing new configurations, where you want to fix the broken configuration rather than reverting to a known\-good one\. . .IP "\(bu" 4 \fIDefault\fR: true . .IP "" 0 . .SS "user" The user puppet master should run as\. . .IP "\(bu" 4 \fIDefault\fR: puppet . .IP "" 0 . .SS "vardir" Where Puppet stores dynamic and growing data\. The default for this setting is calculated specially, like \fBconfdir\fR_\. . .IP "\(bu" 4 \fIDefault\fR: /var/lib/puppet . .IP "" 0 . .SS "waitforcert" How frequently puppet agent should ask for a signed certificate\. . .P When starting for the first time, puppet agent will submit a certificate signing request (CSR) to the server named in the \fBca_server\fR setting (usually the puppet master); this may be autosigned, or may need to be approved by a human, depending on the CA server\'s configuration\. . .P Puppet agent cannot apply configurations until its approved certificate is available\. Since the certificate may or may not be available immediately, puppet agent will repeatedly try to fetch it at this interval\. You can turn off waiting for certificates by specifying a time of 0, in which case puppet agent will exit if it cannot get a cert\. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y)\. . .IP "\(bu" 4 \fIDefault\fR: 2m . .IP "" 0 . .SS "yamldir" The directory in which YAML data is stored, usually in a subdirectory\. . .IP "\(bu" 4 \fIDefault\fR: $vardir/yaml . .IP "" 0 . .P \fIThis page autogenerated on 2014\-10\-16 00:42:14 +0200\fR diff --git a/spec/unit/network/authentication_spec.rb b/spec/unit/network/authentication_spec.rb deleted file mode 100755 index 5e2f2de87..000000000 --- a/spec/unit/network/authentication_spec.rb +++ /dev/null @@ -1,104 +0,0 @@ -#! /usr/bin/env ruby -require 'spec_helper' -load 'puppet/network/authentication.rb' - -class AuthenticationTest - include Puppet::Network::Authentication -end - -describe Puppet::Network::Authentication do - subject { AuthenticationTest.new } - let(:now) { Time.now } - let(:cert) { Puppet::SSL::Certificate.new('cert') } - let(:host) { stub 'host', :certificate => cert } - - # this is necessary since the logger is a class variable, and it needs to be stubbed - def reload_module - load 'puppet/network/authentication.rb' - end - - describe "when warning about upcoming expirations" do - before do - Puppet::SSL::CertificateAuthority.stubs(:ca?).returns(false) - Puppet::FileSystem.stubs(:exist?).returns(false) - end - - it "should check the expiration of the CA certificate" do - ca = stub 'ca', :host => host - Puppet::SSL::CertificateAuthority.stubs(:ca?).returns(true) - Puppet::SSL::CertificateAuthority.stubs(:instance).returns(ca) - cert.expects(:near_expiration?).returns(false) - subject.warn_if_near_expiration - end - - context "when examining the local host" do - before do - Puppet::SSL::Host.stubs(:localhost).returns(host) - Puppet::FileSystem.stubs(:exist?).with(Puppet[:hostcert]).returns(true) - end - - it "should not load the localhost certificate if the local CA certificate is missing" do - # Redmine-21869: Infinite recursion occurs if CA cert is missing. - Puppet::FileSystem.stubs(:exist?).with(Puppet[:localcacert]).returns(false) - host.unstub(:certificate) - host.expects(:certificate).never - subject.warn_if_near_expiration - end - - it "should check the expiration of the localhost certificate if the local CA certificate is present" do - Puppet::FileSystem.stubs(:exist?).with(Puppet[:localcacert]).returns(true) - cert.expects(:near_expiration?).returns(false) - subject.warn_if_near_expiration - end - end - - it "should check the expiration of any certificates passed in as arguments" do - cert.expects(:near_expiration?).twice.returns(false) - subject.warn_if_near_expiration(cert, cert) - end - - it "should accept instances of OpenSSL::X509::Certificate" do - raw_cert = stub 'cert' - raw_cert.stubs(:is_a?).with(OpenSSL::X509::Certificate).returns(true) - Puppet::SSL::Certificate.stubs(:from_instance).with(raw_cert).returns(cert) - cert.expects(:near_expiration?).returns(false) - subject.warn_if_near_expiration(raw_cert) - end - - it "should use a rate-limited logger for expiration warnings that uses `runinterval` as its interval" do - Puppet::Util::Log::RateLimitedLogger.expects(:new).with(Puppet[:runinterval]) - reload_module - end - - context "in the logs" do - let(:logger) { stub 'logger' } - - before do - Puppet::Util::Log::RateLimitedLogger.stubs(:new).returns(logger) - reload_module - cert.stubs(:near_expiration?).returns(true) - cert.stubs(:expiration).returns(now) - cert.stubs(:unmunged_name).returns('foo') - end - - after(:all) do - reload_module - end - - it "should log a warning if a certificate's expiration is near" do - logger.expects(:warning) - subject.warn_if_near_expiration(cert) - end - - it "should use the certificate's unmunged name in the message" do - logger.expects(:warning).with { |message| message.include? 'foo' } - subject.warn_if_near_expiration(cert) - end - - it "should show certificate's expiration date in the message using ISO 8601 format" do - logger.expects(:warning).with { |message| message.include? now.strftime('%Y-%m-%dT%H:%M:%S%Z') } - subject.warn_if_near_expiration(cert) - end - end - end -end diff --git a/spec/unit/network/http/connection_spec.rb b/spec/unit/network/http/connection_spec.rb index ef6ca65d6..79956d7e7 100755 --- a/spec/unit/network/http/connection_spec.rb +++ b/spec/unit/network/http/connection_spec.rb @@ -1,306 +1,303 @@ #! /usr/bin/env ruby require 'spec_helper' require 'puppet/network/http/connection' -require 'puppet/network/authentication' describe Puppet::Network::HTTP::Connection do let (:host) { "me" } let (:port) { 54321 } subject { Puppet::Network::HTTP::Connection.new(host, port, :verify => Puppet::SSL::Validator.no_validator) } let (:httpok) { Net::HTTPOK.new('1.1', 200, '') } context "when providing HTTP connections" do context "when initializing http instances" do it "should return an http instance created with the passed host and port" do conn = Puppet::Network::HTTP::Connection.new(host, port, :verify => Puppet::SSL::Validator.no_validator) expect(conn.address).to eq(host) expect(conn.port).to eq(port) end it "should enable ssl on the http instance by default" do conn = Puppet::Network::HTTP::Connection.new(host, port, :verify => Puppet::SSL::Validator.no_validator) expect(conn).to be_use_ssl end it "can disable ssl using an option" do conn = Puppet::Network::HTTP::Connection.new(host, port, :use_ssl => false, :verify => Puppet::SSL::Validator.no_validator) expect(conn).to_not be_use_ssl end it "can enable ssl using an option" do conn = Puppet::Network::HTTP::Connection.new(host, port, :use_ssl => true, :verify => Puppet::SSL::Validator.no_validator) expect(conn).to be_use_ssl end it "should raise Puppet::Error when invalid options are specified" do expect { Puppet::Network::HTTP::Connection.new(host, port, :invalid_option => nil) }.to raise_error(Puppet::Error, 'Unrecognized option(s): :invalid_option') end end end context "when methods that accept a block are called with a block" do let (:host) { "my_server" } let (:port) { 8140 } let (:subject) { Puppet::Network::HTTP::Connection.new(host, port, :use_ssl => false, :verify => Puppet::SSL::Validator.no_validator) } before :each do httpok.stubs(:body).returns "" # This stubbing relies a bit more on knowledge of the internals of Net::HTTP # than I would prefer, but it works on ruby 1.8.7 and 1.9.3, and it seems # valuable enough to have tests for blocks that this is probably warranted. socket = stub_everything("socket") TCPSocket.stubs(:open).returns(socket) Net::HTTP::Post.any_instance.stubs(:exec).returns("") Net::HTTP::Head.any_instance.stubs(:exec).returns("") Net::HTTP::Get.any_instance.stubs(:exec).returns("") Net::HTTPResponse.stubs(:read_new).returns(httpok) end [:request_get, :request_head, :request_post].each do |method| context "##{method}" do it "should yield to the block" do block_executed = false subject.send(method, "/foo", {}) do |response| block_executed = true end block_executed.should == true end end end end class ConstantErrorValidator def initialize(args) @fails_with = args[:fails_with] @error_string = args[:error_string] || "" @peer_certs = args[:peer_certs] || [] end def setup_connection(connection) connection.stubs(:start).raises(OpenSSL::SSL::SSLError.new(@fails_with)) end def peer_certs @peer_certs end def verify_errors [@error_string] end end class NoProblemsValidator def initialize(cert) @cert = cert end def setup_connection(connection) end def peer_certs [@cert] end def verify_errors [] end end shared_examples_for 'ssl verifier' do include PuppetSpec::Files let (:host) { "my_server" } let (:port) { 8140 } it "should provide a useful error message when one is available and certificate validation fails", :unless => Puppet.features.microsoft_windows? do connection = Puppet::Network::HTTP::Connection.new( host, port, :verify => ConstantErrorValidator.new(:fails_with => 'certificate verify failed', :error_string => 'shady looking signature')) expect do connection.get('request') end.to raise_error(Puppet::Error, "certificate verify failed: [shady looking signature]") end it "should provide a helpful error message when hostname was not match with server certificate", :unless => Puppet.features.microsoft_windows? do Puppet[:confdir] = tmpdir('conf') connection = Puppet::Network::HTTP::Connection.new( host, port, :verify => ConstantErrorValidator.new( :fails_with => 'hostname was not match with server certificate', :peer_certs => [Puppet::SSL::CertificateAuthority.new.generate( 'not_my_server', :dns_alt_names => 'foo,bar,baz')])) expect do connection.get('request') end.to raise_error(Puppet::Error) do |error| error.message =~ /Server hostname 'my_server' did not match server certificate; expected one of (.+)/ $1.split(', ').should =~ %w[DNS:foo DNS:bar DNS:baz DNS:not_my_server not_my_server] end end it "should pass along the error message otherwise" do connection = Puppet::Network::HTTP::Connection.new( host, port, :verify => ConstantErrorValidator.new(:fails_with => 'some other message')) expect do connection.get('request') end.to raise_error(/some other message/) end it "should check all peer certificates for upcoming expiration", :unless => Puppet.features.microsoft_windows? do Puppet[:confdir] = tmpdir('conf') cert = Puppet::SSL::CertificateAuthority.new.generate( 'server', :dns_alt_names => 'foo,bar,baz') connection = Puppet::Network::HTTP::Connection.new( host, port, :verify => NoProblemsValidator.new(cert)) Net::HTTP.any_instance.stubs(:start) Net::HTTP.any_instance.stubs(:request).returns(httpok) - connection.expects(:warn_if_near_expiration).with(cert) - connection.get('request') end end context "when using single use HTTPS connections" do it_behaves_like 'ssl verifier' do end end context "when using persistent HTTPS connections" do around :each do |example| pool = Puppet::Network::HTTP::Pool.new Puppet.override(:http_pool => pool) do example.run end pool.close end it_behaves_like 'ssl verifier' do end end context "when response is a redirect" do let (:site) { Puppet::Network::HTTP::Site.new('http', 'my_server', 8140) } let (:other_site) { Puppet::Network::HTTP::Site.new('http', 'redirected', 9292) } let (:other_path) { "other-path" } let (:verify) { Puppet::SSL::Validator.no_validator } let (:subject) { Puppet::Network::HTTP::Connection.new(site.host, site.port, :use_ssl => false, :verify => verify) } let (:httpredirection) do response = Net::HTTPFound.new('1.1', 302, 'Moved Temporarily') response['location'] = "#{other_site.addr}/#{other_path}" response.stubs(:read_body).returns("This resource has moved") response end def create_connection(site, options) options[:use_ssl] = site.use_ssl? Puppet::Network::HTTP::Connection.new(site.host, site.port, options) end it "should redirect to the final resource location" do http = stub('http') http.stubs(:request).returns(httpredirection).then.returns(httpok) seq = sequence('redirection') pool = Puppet.lookup(:http_pool) pool.expects(:with_connection).with(site, anything).yields(http).in_sequence(seq) pool.expects(:with_connection).with(other_site, anything).yields(http).in_sequence(seq) conn = create_connection(site, :verify => verify) conn.get('/foo') end def expects_redirection(conn, &block) http = stub('http') http.stubs(:request).returns(httpredirection) pool = Puppet.lookup(:http_pool) pool.expects(:with_connection).with(site, anything).yields(http) pool end def expects_limit_exceeded(conn) expect { conn.get('/') }.to raise_error(Puppet::Network::HTTP::RedirectionLimitExceededException) end it "should not redirect when the limit is 0" do conn = create_connection(site, :verify => verify, :redirect_limit => 0) pool = expects_redirection(conn) pool.expects(:with_connection).with(other_site, anything).never expects_limit_exceeded(conn) end it "should redirect only once" do conn = create_connection(site, :verify => verify, :redirect_limit => 1) pool = expects_redirection(conn) pool.expects(:with_connection).with(other_site, anything).once expects_limit_exceeded(conn) end it "should raise an exception when the redirect limit is exceeded" do conn = create_connection(site, :verify => verify, :redirect_limit => 3) pool = expects_redirection(conn) pool.expects(:with_connection).with(other_site, anything).times(3) expects_limit_exceeded(conn) end end it "allows setting basic auth on get requests" do expect_request_with_basic_auth subject.get('/path', nil, :basic_auth => { :user => 'user', :password => 'password' }) end it "allows setting basic auth on post requests" do expect_request_with_basic_auth subject.post('/path', 'data', nil, :basic_auth => { :user => 'user', :password => 'password' }) end it "allows setting basic auth on head requests" do expect_request_with_basic_auth subject.head('/path', nil, :basic_auth => { :user => 'user', :password => 'password' }) end it "allows setting basic auth on delete requests" do expect_request_with_basic_auth subject.delete('/path', nil, :basic_auth => { :user => 'user', :password => 'password' }) end it "allows setting basic auth on put requests" do expect_request_with_basic_auth subject.put('/path', 'data', nil, :basic_auth => { :user => 'user', :password => 'password' }) end def expect_request_with_basic_auth Net::HTTP.any_instance.expects(:request).with do |request| expect(request['authorization']).to match(/^Basic/) end.returns(httpok) end end diff --git a/spec/unit/network/http/handler_spec.rb b/spec/unit/network/http/handler_spec.rb index 25df9d270..8a114942e 100755 --- a/spec/unit/network/http/handler_spec.rb +++ b/spec/unit/network/http/handler_spec.rb @@ -1,232 +1,231 @@ #! /usr/bin/env ruby require 'spec_helper' require 'puppet/indirector_testing' require 'puppet/network/authorization' -require 'puppet/network/authentication' require 'puppet/network/http' describe Puppet::Network::HTTP::Handler do before :each do Puppet::IndirectorTesting.indirection.terminus_class = :memory end let(:indirection) { Puppet::IndirectorTesting.indirection } def a_request(method = "HEAD", path = "/production/#{indirection.name}/unknown") { :accept_header => "pson", :content_type_header => "text/yaml", :http_method => method, :path => path, :params => {}, :client_cert => nil, :headers => {}, :body => nil } end let(:handler) { TestingHandler.new() } describe "the HTTP Handler" do def respond(text) lambda { |req, res| res.respond_with(200, "text/plain", text) } end it "hands the request to the first route that matches the request path" do handler = TestingHandler.new( Puppet::Network::HTTP::Route.path(%r{^/foo}).get(respond("skipped")), Puppet::Network::HTTP::Route.path(%r{^/vtest}).get(respond("used")), Puppet::Network::HTTP::Route.path(%r{^/vtest/foo}).get(respond("ignored"))) req = a_request("GET", "/vtest/foo") res = {} handler.process(req, res) expect(res[:body]).to eq("used") end it "raises an error if multiple routes with the same path regex are registered" do expect do handler = TestingHandler.new( Puppet::Network::HTTP::Route.path(%r{^/foo}).get(respond("ignored")), Puppet::Network::HTTP::Route.path(%r{^/foo}).post(respond("also ignored"))) end.to raise_error(ArgumentError) end it "raises an HTTP not found error if no routes match" do handler = TestingHandler.new req = a_request("GET", "/vtest/foo") res = {} handler.process(req, res) res_body = JSON(res[:body]) expect(res[:content_type_header]).to eq("application/json") expect(res_body["issue_kind"]).to eq("HANDLER_NOT_FOUND") expect(res_body["message"]).to eq("Not Found: No route for GET /vtest/foo") expect(res[:status]).to eq(404) end it "returns a structured error response with a stacktrace when the server encounters an internal error" do handler = TestingHandler.new( Puppet::Network::HTTP::Route.path(/.*/).get(lambda { |_, _| raise Exception.new("the sky is falling!")})) req = a_request("GET", "/vtest/foo") res = {} handler.process(req, res) res_body = JSON(res[:body]) expect(res[:content_type_header]).to eq("application/json") expect(res_body["issue_kind"]).to eq(Puppet::Network::HTTP::Issues::RUNTIME_ERROR.to_s) expect(res_body["message"]).to eq("Server Error: the sky is falling!") expect(res_body["stacktrace"].is_a?(Array) && !res_body["stacktrace"].empty?).to be_true expect(res_body["stacktrace"][0]).to match("spec/unit/network/http/handler_spec.rb") expect(res[:status]).to eq(500) end end describe "when processing a request" do let(:response) do { :status => 200 } end before do handler.stubs(:check_authorization) handler.stubs(:warn_if_near_expiration) end it "should setup a profiler when the puppet-profiling header exists" do request = a_request request[:headers][Puppet::Network::HTTP::HEADER_ENABLE_PROFILING.downcase] = "true" p = HandlerTestProfiler.new Puppet::Util::Profiler.expects(:add_profiler).with { |profiler| profiler.is_a? Puppet::Util::Profiler::WallClock }.returns(p) Puppet::Util::Profiler.expects(:remove_profiler).with { |profiler| profiler == p } handler.process(request, response) end it "should not setup profiler when the profile parameter is missing" do request = a_request request[:params] = { } Puppet::Util::Profiler.expects(:add_profiler).never handler.process(request, response) end it "should raise an error if the request is formatted in an unknown format" do handler.stubs(:content_type_header).returns "unknown format" lambda { handler.request_format(request) }.should raise_error end it "should still find the correct format if content type contains charset information" do request = Puppet::Network::HTTP::Request.new({ 'content-type' => "text/plain; charset=UTF-8" }, {}, 'GET', '/', nil) request.format.should == "s" end it "should deserialize YAML parameters" do params = {'my_param' => [1,2,3].to_yaml} decoded_params = handler.send(:decode_params, params) decoded_params.should == {:my_param => [1,2,3]} end it "should ignore tags on YAML parameters" do params = {'my_param' => "--- !ruby/object:Array {}"} decoded_params = handler.send(:decode_params, params) decoded_params[:my_param].should be_a(Hash) end end describe "when resolving node" do it "should use a look-up from the ip address" do Resolv.expects(:getname).with("1.2.3.4").returns("host.domain.com") handler.resolve_node(:ip => "1.2.3.4") end it "should return the look-up result" do Resolv.stubs(:getname).with("1.2.3.4").returns("host.domain.com") handler.resolve_node(:ip => "1.2.3.4").should == "host.domain.com" end it "should return the ip address if resolving fails" do Resolv.stubs(:getname).with("1.2.3.4").raises(RuntimeError, "no such host") handler.resolve_node(:ip => "1.2.3.4").should == "1.2.3.4" end end class TestingHandler include Puppet::Network::HTTP::Handler def initialize(* routes) register(routes) end def set_content_type(response, format) response[:content_type_header] = format end def set_response(response, body, status = 200) response[:body] = body response[:status] = status end def http_method(request) request[:http_method] end def path(request) request[:path] end def params(request) request[:params] end def client_cert(request) request[:client_cert] end def body(request) request[:body] end def headers(request) request[:headers] || {} end end class HandlerTestProfiler def start(metric, description) end def finish(context, metric, description) end def shutdown() end end end diff --git a/spec/unit/ssl/certificate_spec.rb b/spec/unit/ssl/certificate_spec.rb index c8f9930f3..0a2acf9e3 100755 --- a/spec/unit/ssl/certificate_spec.rb +++ b/spec/unit/ssl/certificate_spec.rb @@ -1,193 +1,169 @@ #! /usr/bin/env ruby require 'spec_helper' require 'puppet/ssl/certificate' describe Puppet::SSL::Certificate do before do @class = Puppet::SSL::Certificate end after do @class.instance_variable_set("@ca_location", nil) end it "should be extended with the Indirector module" do @class.singleton_class.should be_include(Puppet::Indirector) end it "should indirect certificate" do @class.indirection.name.should == :certificate end it "should only support the text format" do @class.supported_formats.should == [:s] end describe "when converting from a string" do it "should create a certificate instance with its name set to the certificate subject and its content set to the extracted certificate" do cert = stub 'certificate', :subject => OpenSSL::X509::Name.parse("/CN=Foo.madstop.com"), :is_a? => true OpenSSL::X509::Certificate.expects(:new).with("my certificate").returns(cert) mycert = stub 'sslcert' mycert.expects(:content=).with(cert) @class.expects(:new).with("Foo.madstop.com").returns mycert @class.from_s("my certificate") end it "should create multiple certificate instances when asked" do cert1 = stub 'cert1' @class.expects(:from_s).with("cert1").returns cert1 cert2 = stub 'cert2' @class.expects(:from_s).with("cert2").returns cert2 @class.from_multiple_s("cert1\n---\ncert2").should == [cert1, cert2] end end describe "when converting to a string" do before do @certificate = @class.new("myname") end it "should return an empty string when it has no certificate" do @certificate.to_s.should == "" end it "should convert the certificate to pem format" do certificate = mock 'certificate', :to_pem => "pem" @certificate.content = certificate @certificate.to_s.should == "pem" end it "should be able to convert multiple instances to a string" do cert2 = @class.new("foo") @certificate.expects(:to_s).returns "cert1" cert2.expects(:to_s).returns "cert2" @class.to_multiple_s([@certificate, cert2]).should == "cert1\n---\ncert2" end end describe "when managing instances" do def build_cert(opts) key = Puppet::SSL::Key.new('quux') key.generate csr = Puppet::SSL::CertificateRequest.new('quux') csr.generate(key, opts) raw_cert = Puppet::SSL::CertificateFactory.build('client', csr, csr.content, 14) @class.from_instance(raw_cert) end before do @certificate = @class.new("myname") end it "should have a name attribute" do @certificate.name.should == "myname" end it "should convert its name to a string and downcase it" do @class.new(:MyName).name.should == "myname" end it "should have a content attribute" do @certificate.should respond_to(:content) end describe "#subject_alt_names" do it "should list all alternate names when the extension is present" do certificate = build_cert(:dns_alt_names => 'foo, bar,baz') certificate.subject_alt_names. should =~ ['DNS:foo', 'DNS:bar', 'DNS:baz', 'DNS:quux'] end it "should return an empty list of names if the extension is absent" do certificate = build_cert({}) certificate.subject_alt_names.should be_empty end end describe "custom extensions" do it "returns extensions under the ppRegCertExt" do exts = {'pp_uuid' => 'abcdfd'} cert = build_cert(:extension_requests => exts) expect(cert.custom_extensions).to include('oid' => 'pp_uuid', 'value' => 'abcdfd') end it "returns extensions under the ppPrivCertExt" do exts = {'1.3.6.1.4.1.34380.1.2.1' => 'x509 :('} cert = build_cert(:extension_requests => exts) expect(cert.custom_extensions).to include('oid' => '1.3.6.1.4.1.34380.1.2.1', 'value' => 'x509 :(') end it "doesn't return standard extensions" do cert = build_cert(:dns_alt_names => 'foo') expect(cert.custom_extensions).to be_empty end end it "should return a nil expiration if there is no actual certificate" do @certificate.stubs(:content).returns nil @certificate.expiration.should be_nil end it "should use the expiration of the certificate as its expiration date" do cert = stub 'cert' @certificate.stubs(:content).returns cert cert.expects(:not_after).returns "sometime" @certificate.expiration.should == "sometime" end it "should be able to read certificates from disk" do path = "/my/path" File.expects(:read).with(path).returns("my certificate") certificate = mock 'certificate' OpenSSL::X509::Certificate.expects(:new).with("my certificate").returns(certificate) @certificate.read(path).should equal(certificate) @certificate.content.should equal(certificate) end it "should have a :to_text method that it delegates to the actual key" do real_certificate = mock 'certificate' real_certificate.expects(:to_text).returns "certificatetext" @certificate.content = real_certificate @certificate.to_text.should == "certificatetext" end end - - describe "when checking if the certificate's expiration is approaching" do - before do - @days = 24*60*60 - @certificate = @class.new("myname") - @certificate.stubs(:expiration).returns(Time.now.utc() + 30*@days) - end - - it "should be true if the expiration is within the given interval from now" do - @certificate.near_expiration?(31*@days).should be_true - end - - it "should be false if there is no expiration" do - @certificate.stubs(:expiration).returns(nil) - @certificate.near_expiration?.should be_false - end - - it "should default to using the `certificate_expire_warning` setting as the interval" do - Puppet[:certificate_expire_warning] = 31*@days - @certificate.near_expiration?.should be_true - Puppet[:certificate_expire_warning] = 29*@days - @certificate.near_expiration?.should be_false - end - end end diff --git a/spec/unit/util/log/rate_limited_logger_spec.rb b/spec/unit/util/log/rate_limited_logger_spec.rb deleted file mode 100755 index fa21146a2..000000000 --- a/spec/unit/util/log/rate_limited_logger_spec.rb +++ /dev/null @@ -1,51 +0,0 @@ -#! /usr/bin/env ruby -require 'spec_helper' -require 'puppet/util/log/rate_limited_logger' - -describe Puppet::Util::Log::RateLimitedLogger do - - subject { Puppet::Util::Log::RateLimitedLogger.new(60) } - - before do - Time.stubs(:now).returns(0) - end - - it "should be able to log all levels" do - Puppet::Util::Log.eachlevel do |level| - subject.should respond_to(level) - end - end - - it "should fail if given an invalid time interval" do - expect { Puppet::Util::Log::RateLimitedLogger.new('foo') }.to raise_error(ArgumentError) - end - - it "should not log the same message more than once within the given interval" do - Puppet::Util::Log.expects(:create).once - subject.info('foo') - subject.info('foo') - end - - it "should allow the same message to be logged after the given interval has passed" do - Puppet::Util::Log.expects(:create).twice - subject.info('foo') - Time.stubs(:now).returns(60) - subject.info('foo') - end - - it "should rate-limit different message strings separately" do - Puppet::Util::Log.expects(:create).times(3) - subject.info('foo') - subject.info('bar') - subject.info('baz') - subject.info('foo') - subject.info('bar') - subject.info('baz') - end - - it "should limit the same message in different log levels independently" do - Puppet::Util::Log.expects(:create).twice - subject.info('foo') - subject.warning('foo') - end -end