Puppet 3.4.0 Released: System Management Tool

fei
Published December 20, 2013

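Puppet is a Ruby-based tool that centrally manages every important aspect of a system using a cross-platform specification language. It manages all the separate elements normally aggregated in different files, such as users, cron jobs, and hosts, along with discrete elements such as packages, services, and files.

Puppet's simple declarative specification language provides powerful classing abilities for drawing out the similarities between hosts while allowing them to be as specific as necessary, and it handles prerequisites and relationships between objects clearly and explicitly.

Puppet, the centralized system management tool, has released version 3.4.0. This is a new product series, released after two RCs. It enhances Windows support, adds new certificate signing behavior, and more. 2013-12-20. The previous version was 3.3.2, released 2013-11-12. Other product lines: 3.2.4, 3.1.1, 3.0.2, 2.7.23.

Full list of improvements: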

Puppet 3.4.0

Released December 19, 2013. (RC1: Dec. 3. RC2: Dec. 10.)

3.4.0 is a backward-compatible feature and fix release in the Puppet 3 series. The main improvements of this release are:

  • Fixes for some high-profile bugs, including the “anchor pattern” issue and broken RDoc on Ruby 1.9+

  • New certificate autosigning behavior to help quickly and securely add new nodes in elastic environments

  • Windows improvements, especially for file resources

  • Trusted node data in the compiler

It introduces one known regression, PUP-1015, for users who use Foreman’s provisioning tools. If you use Foreman for provisioning, you should wait and upgrade to 3.4.1.

New contain Function Removes Need for “Anchor Pattern”

Puppet now includes a contain function to allow classes to contain other classes. It works similarly to the include function, with the added effect of creating a containment relationship. For more information, see:

(Issue 8040)

Policy-Based Certificate Autosigning

Puppet can now use site-specific logic to decide which certificate signing requests (CSRs) should be autosigned. This feature is based on custom executables, which can examine each CSR as it arrives and use any decision-making criteria you choose.

Prior to 3.4, Puppet would accept a whitelist of nodes whose requests should be autosigned. This wasn’t very flexible, and didn’t allow things like using a preshared key to verify the legitimacy of a node. This is now very possible, and works especially well when combined with the next new feature (custom CSR attributes).

For details, see:

(Issue 7244)

Custom Data in CSRs and Certificates

It is now possible for puppet agent nodes to insert arbitrary data into their certificate signing requests (CSRs). This data can be used as verification for policy-based autosigning (see above), and may have more applications in the future.

Two kinds of custom data are available: “custom attributes,” which are discarded once the certificate is signed, and “certificate extensions,” which persist in the signed certificate.

For details on custom CSR data, see:

(Issue 7243)
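
A policy check of the kind described in the two sections above (policy-based autosigning and custom CSR data), as an added example that is not from the release notes or Puppet's own code: it accepts a CSR only when its self-signature verifies, its CN equals the requesting certname, and its challengePassword custom attribute matches a preshared key. The function names, the secret and the sample CSR are assumptions constructed for illustration; a real policy executable would run this decision on the CSR it receives.

```ruby
require 'openssl'

# Hypothetical shared secret; a real policy script would read it from a root-only file.
PRESHARED_KEY = 'constructed-demo-secret'.freeze

# Compare digests so timing does not reveal where two strings differ.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a)
  db = OpenSSL::Digest::SHA256.digest(b)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the challengePassword custom attribute of a parsed CSR, or nil.
def challenge_password(req)
  attr = req.attributes.find { |a| a.oid == 'challengePassword' }
  value = attr && attr.value.value.first&.value
  value.is_a?(String) ? value : nil
end

# Policy decision: true = autosign, false = leave for manual review.
def autosign?(certname, csr_pem, psk = PRESHARED_KEY)
  req = OpenSSL::X509::Request.new(csr_pem)
  return false unless req.verify(req.public_key) # self-signature must be valid
  cn = req.subject.to_a.find { |name, _, _| name == 'CN' }
  return false unless cn && cn[1] == certname    # CSR must match the claimed node
  supplied = challenge_password(req)
  !supplied.nil? && secure_equal?(supplied, psk)
rescue OpenSSL::OpenSSLError
  false # unparseable input is never signed
end

# Constructed sample input: a CSR like one an agent would submit.
def sample_csr(certname, password = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key
  if password
    value = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(password)])
    req.add_attribute(OpenSSL::X509::Attribute.new('challengePassword', value))
  end
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

csr = sample_csr('web01.example.com', PRESHARED_KEY)
puts autosign?('web01.example.com', csr) # matching name and key
puts autosign?('db01.example.com', csr)  # certname does not match the CSR
```

Because custom attributes are discarded once the certificate is signed, the preshared key checked here does not end up in the issued certificate.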

Priority Level Can Be Set for Puppet Processes

Puppet’s processes, including puppet agent and puppet apply, can now lower or raise their own priority level using the priority setting. (Note that they can’t raise their priority unless they are running as a privileged user.)

This is especially useful for making sure resource-intensive Puppet runs don’t interfere with a machine’s real duties.

(Issue 21241)

Manifest Documentation (RDoc/Puppetdoc) Works on Ruby 1.9+

Puppet manifests can be documented with RDoc-formatted text in comments above each class or defined type, and you can run puppet doc --outputdir /tmp/rdoc to extract that documentation and generate HTML with it. However, this has never worked when running Puppet under Ruby 1.9 or higher.

As of this release, building documentation sites with puppet doc works under Ruby 1.9 and 2.0.

Note that any existing problems with the puppet doc command still apply — it sometimes skips certain classes with no clear reason, and there are various formatting glitches. We are still investigating more reliable and convenient ways to display Puppet code documentation, and will probably be using Geppetto as a foundation for future efforts.

(Issue 22180)

New $trusted Hash With Trusted Node Data

A node’s certificate name is available to the Puppet compiler in the special $clientcert variable. However, this variable was self-reported by the agent and was never verified by the puppet master, which meant it could contain more or less anything and couldn’t be trusted when deciding whether to insert sensitive information into the catalog.

As of 3.4, you can configure the puppet master to verify each agent node’s certname and make it available to the compiler as $trusted['certname']. To do this, you must set the trusted_node_data setting to true in the master’s puppet.conf. See the language documentation about special variables for more details.

(Issue 19514)

File Resources Can Opt Out of Source Permissions

Traditionally, if file resources did not have the owner, group, and/or mode permissions explicitly specified and were using a source file, they would set the permissions on the target system to match those of the source. This could cause weirdness on Windows systems being managed by a Linux puppet master, and wasn’t always desired in all-*nix environments either.

Now, you can opt out of source permissions using the file type’s source_permissions attribute. This can be done per-resource, or globally with a resource default in site.pp.

As part of this, the previous default behavior (source_permissions => use) is now deprecated on Windows; the default for Windows is expected to change to ignore in Puppet 4.0.

(Issue 5240, Issue 18931)

Windows Improvements

Puppet’s Windows support continues to get better, with improvements to resource types and packaging.

File Type Improvements

Package Type Improvements

Group Type Improvements

  • You can now add domain users to the local Administrators group. (Issue 17031)

Exec Type Improvements

  • Puppet will now accurately capture exit codes from exec resources on Windows. (Previously, exit codes higher than 255 could get truncated.) (Issue 23124)

Packaging and Installer Improvements

New puppet cert reinventory Command

As part of the fix for issue 693/23074, the Puppet CA no longer rebuilds the certificate inventory for each new certificate.

However, rebuilding the inventory can still be helpful, generally when you have a large inventory file with a high percentage of old revoked certificates. When necessary, it can now be done manually by running puppet cert reinventory when your puppet master is stopped.

(Issue 23074)

RPM Package Provider Now Supports install_options

Package resources using the rpm package provider can now specify command-line flags to pass to the RPM binary. This is generally useful for specifying a --prefix, or for overriding macros like arch.

(Issue 22642)

HTTP API Documentation

Puppet’s HTTP API endpoints now have extensive documentation for the formatting of their requests and the objects they return. For version-specific endpoint documentation, see the HTTP API section of the developer docs.

Msgpack Serialization (Experimental)

Puppet agents and masters can now optionally use Msgpack for all communications. This is an experimental feature and is disabled by default; see the Msgpack experiment page for details about it.

(Issue 22849)

Changes to Experimental Future Parser

Several changes were made to the experimental lambda and iteration support included in the future parser. The documentation has been updated to reflect the changes; see the “Experimental Features” section in the navigation sidebar to the left.

  • Remove alternative lambda syntaxes (Issue 22962)

  • Remove “foreach” function (Issue 22784)

  • Fix mixed naming of map/collect - reduce (Issue 22785)

  • Remove the iterative ‘reject’ function (Issue 22729)

  • Iterative function ‘select’ should be renamed to ‘filter’ (Issue 22792)

  • Future parser lexer does not handle all kinds of interpolated expressions (Issue 22593)

  • Variable names with uppercase letters are not allowed (Issue 22442)

Preparations for Syncing External Facts

Puppet can now pluginsync external facts to agent nodes… but it’s not very useful yet, since Facter can’t yet load those facts. End-to-end support is planned for next quarter, in Facter 2.0.

(Issue 9546)

Miscellaneous Improvements

  • Allow profiling on puppet apply. Previously, the profiling features added for Puppet 3.2 were only available to puppet agent; now, puppet apply can log profiling information when run with --profile or profile = true in puppet.conf. (Issue 22581)

  • Mount resources now autorequire parent mounts. (Issue 22665)

  • Class main now appears in containment paths in reports. Previously, it was represented by an empty string, which could be confusing. This is mostly useful for PuppetDB. (Issue 23131)

  • Puppet::Util.execute now offers a way to get the exit status of the command — the object it returns, which was previously a String containing the command’s output, is now a subclass of String with an #exitstatus method that returns the exit status. This can be useful for type and provider developers. (Issue 2538)

Bug Fixes

Fixed Race Condition in Certificate Serial Numbers

As part of improving certificate autosigning for elastic cloud environments, we found a series of bugs involving the certificate inventory — when too many certificates were being signed at once (impossible in manual signing, but easy when testing autosigning at large scales), the CA might assign a serial number to a node, start rebuilding the inventory, then assign the same number to another node (if it came in before the rebuild was finished).

This is now fixed, and the cert inventory is handled more safely. To accommodate the need to occasionally rebuild the inventory, a puppet cert reinventory command was added (see above).

(Issue 693, Issue 23074)
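
The general defence against this class of bug is to make serial allocation one atomic read-increment-write. The following is an added sketch of that pattern using an exclusive file lock; it is not Puppet's actual fix or code, and the counter-file layout (a single hexadecimal number) and all names are assumptions.

```ruby
require 'tmpdir'

# Hand out the next serial from a counter file (hypothetical layout: one hex number).
# The exclusive lock is held across the whole read-increment-write, so two
# concurrent signers can never observe the same value.
def next_serial(path)
  File.open(path, File::RDWR | File::CREAT, 0o600) do |f|
    f.flock(File::LOCK_EX)
    current = f.read.strip
    serial = current.empty? ? 1 : current.to_i(16)
    f.rewind
    f.truncate(0)
    f.write(format('%04X', serial + 1))
    f.flush
    serial
  end # closing the file releases the lock
end

# Simulate many CSRs being autosigned at once; each thread opens its own handle.
def allocate_concurrently(path, signers, per_signer)
  threads = Array.new(signers) do
    Thread.new { Array.new(per_signer) { next_serial(path) } }
  end
  threads.flat_map(&:value)
end

# Constructed demo: 8 concurrent signers issuing 25 certificates each.
def demo
  Dir.mktmpdir do |dir|
    serials = allocate_concurrently(File.join(dir, 'serial'), 8, 25)
    { issued: serials.size, unique: serials.uniq.size, max: serials.max }
  end
end

p demo
```

Any work that does not need the counter, such as rebuilding an inventory, belongs outside the locked section so it cannot delay or interleave with allocation.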

Cached Catalogs Work Again

This was a regression from Puppet 3.0.0, as an unintended consequence of making the ENC authoritative for node environments. In many cases (generally when agents couldn’t reach the puppet master), it broke the puppet agent’s ability to use cached catalogs when it failed to retrieve one. The issue is now fixed, and agents will obey the usecacheonfailure setting.

(Issue 22925)

Hiera Bugs

  • Errors from automatic class parameter lookups were not clearly indicating that Hiera was the source of the problem. This was made more informative. (Issue 19955)

  • Automatic class parameter lookups weren’t setting the special calling_module / calling_class variables. This has been fixed. (Issue 21198)

Misc Bug Fixes

The usual grab bag of clean-ups and fixes. As of 3.4.0, Puppet will:

  • Manage the vardir’s owner and group. Before, not managing the vardir’s owner and group could sometimes cause the puppet master or CA tools to fail, if the ownership of the vardir got messed up.

  • Don’t overaggressively use resource-like class evaluation for ENCs that assign classes with the hash syntax. ENCs can use two methods for assigning classes to nodes, one of which allows class parameters to be specified. If class parameters ARE specified, the class has to be evaluated like a resource to prevent parameter conflicts. This fixed the problem that Puppet was being a little overeager and wasn’t checking whether parameters were actually present. (Issue 23096)

  • Make Puppet init scripts report run status correctly even if they aren’t configured to start. Previously, if the puppet master init script was configured to never run and a Puppet manifest was also ensuring the service was stopped, this could cause Puppet to try to stop the service every single run. (Issue 23033)

  • Skip module metadata that cannot be parsed. Previously, module metadata that couldn’t be parsed was not skipped and could cause the puppet master to fail catalog serving if a module with bad metadata was installed. (Issue 22818, Issue 20728, Issue 15856)

  • Use FFI native windows root certs code. This fix cleaned up some potential puppet agent crashes on Windows by using the Win32 APIs better. (Issue 23183)

  • Guard against duplicate Windows root certs. Previously, duplicates could cause unnecessary run failures. (Issue 21817)

  • Make Debian user/group resources report their proper containment path. Previously, Puppet events from Debian showed in Puppet Enterprise’s event inspector as “unclassified.” (Issue 22943)

  • Fix race condition in filebucket. Before the fix, there were unnecessary run failures when multiple nodes were trying to write to a puppet master’s filebucket. (Issue 22918)

  • Force encoding of user comment values to ASCII-8BIT. Previously, there were run failures under Ruby 1.9 and higher when user resources were present. (Issue 22703)

  • Don’t serialize transient vars in Puppet::Resource. Previously, Puppet would write YAML data that couldn’t be deserialized by other tools. (Issue 4506)

  • Validate the name attribute for package resources to disallow arrays. Previously, there was inconsistent behavior between dpkg and the other package providers. (Issue 22557)

  • Use the most preferred supported serialization format over HTTP. Puppet had been choosing a format at random whenever there were multiple acceptable formats. (Issue 22891)

  • Set value_collection for boolean params. Before the fix, boolean resource attributes were displayed badly in the type reference. https://projects.puppetlabs.com/search?q=22699

Download: http://downloads.puppetlabs.com/puppet/puppet-3.4.0.tar.gz


Latest comments (2)

fei

Quoting the comment from “高榕”:

Switched to salt now, very convenient!!

I support saltstack. I like it too.

高榕

Switched to salt now, very convenient!!