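Puppet, the centralized system management tool, has released version 3.4.0. This is a new product line. It went through 2 RCs. It improves Windows support, adds new certificate signing behavior, and more. 2013-12-20. The previous version was 3.3.2, released 2013-11-12. Other product lines: 3.2.4, 3.1.1, 3.0.2, 2.7.23.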
Released December 19, 2013. (RC1: Dec. 3. RC2: Dec. 10.)
3.4.0 is a backward-compatible feature and fix release in the Puppet 3 series. The main improvements of this release are:
Fixes for some high-profile bugs, including the “anchor pattern” issue and broken RDoc on Ruby 1.9+
New certificate autosigning behavior to help quickly and securely add new nodes in elastic environments
Windows improvements, especially for file resources
Trusted node data in the compiler
It introduces one known regression, PUP-1015, for users who use Foreman’s provisioning tools. If you use Foreman for provisioning, you should wait and upgrade to 3.4.1.
New contain Function Removes Need for “Anchor Pattern”
Puppet now includes a contain function to allow classes to contain other classes. It works similarly to the include function, with the added effect of creating a containment relationship. For more information, see:
The containment page of the language reference, for background information about class containment issues and an explanation of the anchor pattern.
The classes page of the language reference, for complete information on declaring classes with contain, include, and more.
Policy-Based Certificate Autosigning
Puppet can now use site-specific logic to decide which certificate signing requests (CSRs) should be autosigned. This feature is based on custom executables, which can examine each CSR as it arrives and use any decision-making criteria you choose.
Prior to 3.4, Puppet would accept a whitelist of nodes whose requests should be autosigned. This wasn’t very flexible, and didn’t allow things like using a preshared key to verify the legitimacy of a node. This is now very possible, and works especially well when combined with the next new feature (custom CSR attributes).
For details, see:
Custom Data in CSRs and Certificates
It is now possible for puppet agent nodes to insert arbitrary data into their certificate signing requests (CSRs). This data can be used as verification for policy-based autosigning (see above), and may have more applications in the future.
Two kinds of custom data are available: “custom attributes,” which are discarded once the certificate is signed, and “certificate extensions,” which persist in the signed certificate.
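The policy-based autosigning and custom CSR attributes described above combine naturally into a preshared-key check. The Ruby below is an added example, not code from Puppet or from these release notes. It relies on Puppet's documented policy interface (certname as the only argument, PEM CSR on stdin, exit status 0 to autosign); carrying the key in the challengePassword attribute, the PSK_FILE environment variable, and all function names are assumptions of this example.

```ruby
require 'openssl'

# PKCS#9 challengePassword OID; carrying the preshared key here is this example's choice.
PSK_OID = '1.2.840.113549.1.9.7'

# Constant-time comparison over fixed-length digests, so timing leaks nothing about the key.
def secure_equal?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a)
  db = OpenSSL::Digest::SHA256.digest(b)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value of a custom CSR attribute by dotted OID, or nil when the CSR does not carry it.
def csr_attribute(csr, oid)
  attr = csr.attributes.find { |a| OpenSSL::ASN1::ObjectId.new(a.oid).oid == oid }
  attr && attr.value.value.first.value
end

# Sign only if the CSR is self-consistent, names the expected node, and carries the key.
def autosign?(certname, csr_pem, expected_psk)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _value, _type| name == 'CN' }
  return false unless cn && cn[1] == certname
  psk = csr_attribute(csr, PSK_OID)
  !psk.nil? && secure_equal?(psk.to_s, expected_psk)
rescue OpenSSL::OpenSSLError
  false # unparseable or malformed requests are never autosigned
end

# Constructed sample input: a CSR as an agent would send it, with the PSK attribute set.
def sample_csr_pem(certname, psk)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  unless psk.nil?
    set = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(psk)])
    csr.add_attribute(OpenSSL::X509::Attribute.new(PSK_OID, set))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256')).to_pem
end

# Entry point when run by the master: certname in ARGV[0], CSR on stdin, exit 0 to sign.
# PSK_FILE is a hypothetical environment variable naming the file that holds the key.
unless ARGV.empty?
  expected = File.read(ENV.fetch('PSK_FILE')).strip
  exit(autosign?(ARGV[0], STDIN.read, expected) ? 0 : 1)
end
```

Because custom attributes are discarded once the certificate is signed, the preshared key does not end up in the issued certificate; it still travels in the CSR, so rotate it if a CSR is ever exposed.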
For details on custom CSR data, see:
Priority Level Can Be Set for Puppet Processes
Puppet’s processes, including puppet agent and puppet apply, can now lower or raise their own priority level using the priority setting. (Note that they can’t raise their priority unless they are running as a privileged user.)
This is especially useful for making sure resource-intensive Puppet runs don’t interfere with a machine’s real duties.
Manifest Documentation (RDoc/Puppetdoc) Works on Ruby 1.9+
Puppet manifests can be documented with RDoc-formatted text in comments above each class or defined type, and you can run puppet doc --outputdir /tmp/rdoc to extract that documentation and generate HTML with it. However, this has never worked when running Puppet under Ruby 1.9 or higher.
As of this release, building documentation sites with puppet doc works under Ruby 1.9 and 2.0.
Note that any existing problems with the puppet doc command still apply — it sometimes skips certain classes with no clear reason, and there are various formatting glitches. We are still investigating more reliable and convenient ways to display Puppet code documentation, and will probably be using Geppetto as a foundation for future efforts.
New $trusted Hash With Trusted Node Data
A node’s certificate name is available to the Puppet compiler in the special $clientcert variable. However, this variable was self-reported by the agent and was never verified by the puppet master, which meant it could contain more or less anything and couldn’t be trusted when deciding whether to insert sensitive information into the catalog.
As of 3.4, you can configure the puppet master to verify each agent node’s certname and make it available to the compiler as $trusted['certname']. To do this, you must set the trusted_node_data setting to true in the master’s puppet.conf. See the language documentation about special variables for more details.
File Resources Can Opt Out of Source Permissions
Traditionally, if file resources did not have the owner, group, and/or mode permissions explicitly specified and were using a source file, they would set the permissions on the target system to match those of the source. This could cause weirdness on Windows systems being managed by a Linux puppet master, and wasn’t always desired in all-*nix environments either.
As part of this, the previous default behavior (source_permissions => use) is now deprecated on Windows; the default for Windows is expected to change to ignore in Puppet 4.0.
Puppet’s Windows support continues to get better, with improvements to resource types and packaging.
File Type Improvements
A permissions mode is no longer required when specifying the file owner and group. (Issue 11563)
Puppet will no longer create files it can’t edit. (Issue 15559)
Package Type Improvements
Group Type Improvements
You can now add domain users to the local Administrators group. (Issue 17031)
Exec Type Improvements
Puppet will now accurately capture exit codes from exec resources on Windows. (Previously, exit codes higher than 255 could get truncated.) (Issue 23124)
Packaging and Installer Improvements
The Windows Puppet installer has several new MSI properties for automated installation, which can set the service user and startup mode. See the docs on automated installation on Windows for details. (Issue 21243, Issue 18268)
The Windows installer now puts Puppet on the PATH, so a special command prompt is no longer necessary. (Issue 22700)
Windows installer options can now override existing settings. (Issue 20281)
New puppet cert reinventory Command
However, rebuilding the inventory can still be helpful, generally when you have a large inventory file with a high percentage of old revoked certificates. When necessary, it can now be done manually by running puppet cert reinventory when your puppet master is stopped.
RPM Package Provider Now Supports install_options
Package resources using the rpm package provider can now specify command-line flags to pass to the RPM binary. This is generally useful for specifying a --prefix, or for overriding macros like arch.
HTTP API Documentation
Puppet’s HTTP API endpoints now have extensive documentation for the formatting of their requests and the objects they return. For version-specific endpoint documentation, see the HTTP API section of the developer docs.
Msgpack Serialization (Experimental)
Changes to Experimental Future Parser
Several changes were made to the experimental lambda and iteration support included in the future parser. The documentation has been updated to reflect the changes; see the “Experimental Features” section in the navigation sidebar to the left.
Remove alternative lambda syntaxes (Issue 22962)
Remove “foreach” function (Issue 22784)
Fix mixed naming of map/collect - reduce (Issue 22785)
Remove the iterative ‘reject’ function (Issue 22729)
Iterative function ‘select’ should be renamed to ‘filter’ (Issue 22792)
Future parser lexer does not handle all kinds of interpolated expressions (Issue 22593)
Variable names with uppercase letters are not allowed (Issue 22442)
Preparations for Syncing External Facts
Puppet can now pluginsync external facts to agent nodes… but it’s not very useful yet, since Facter can’t yet load those facts. End-to-end support is planned for next quarter, in Facter 2.0.
Allow profiling on puppet apply. Previously, the profiling features added for Puppet 3.2 were only available to puppet agent; now, puppet apply can log profiling information when run with --profile or profile = true in puppet.conf. (Issue 22581)
Mount resources now autorequire parent mounts. (Issue 22665)
Class main now appears in containment paths in reports. Previously, it was represented by an empty string, which could be confusing. This is mostly useful for PuppetDB. (Issue 23131)
Puppet::Util.execute now offers a way to get the exit status of the command: the object it returns, which was previously a String containing the command’s output, is now a subclass of String with an #exitstatus method that returns the exit status. This can be useful for type and provider developers. (Issue 2538)
Fixed Race Condition in Certificate Serial Numbers
As part of improving certificate autosigning for elastic cloud environments, we found a series of bugs involving the certificate inventory — when too many certificates were being signed at once (impossible in manual signing, but easy when testing autosigning at large scales), the CA might assign a serial number to a node, start rebuilding the inventory, then assign the same number to another node (if it came in before the rebuild was finished).
This is now fixed, and the cert inventory is handled more safely. To accommodate the need to occasionally rebuild the inventory, a puppet cert reinventory command was added (see above).
Cached Catalogs Work Again
This was a regression from Puppet 3.0.0, as an unintended consequence of making the ENC authoritative for node environments. In many cases (generally when agents couldn’t reach the puppet master), it broke the puppet agent’s ability to use cached catalogs when it failed to retrieve one. The issue is now fixed, and agents will obey the usecacheonfailure setting.
Errors from automatic class parameter lookups were not clearly indicating that Hiera was the source of the problem. This was made more informative. (Issue 19955)
Automatic class parameter lookups weren’t setting the special calling_module / calling_class variables. This has been fixed. (Issue 21198)
Misc Bug Fixes
The usual grab bag of clean-ups and fixes. As of 3.4.0, Puppet will:
Manage the vardir’s owner and group. Before, not managing the vardir’s owner and group could sometimes cause the puppet master or CA tools to fail, if the ownership of the vardir got messed up.
Don’t overaggressively use resource-like class evaluation for ENCs that assign classes with the hash syntax. ENCs can use two methods for assigning classes to nodes, one of which allows class parameters to be specified. If class parameters ARE specified, the class has to be evaluated like a resource to prevent parameter conflicts. This fixed the problem that Puppet was being a little overeager and wasn’t checking whether parameters were actually present. (Issue 23096)
Make Puppet init scripts report run status correctly even if they aren’t configured to start. Previously, if the puppet master init script was configured to never run and a Puppet manifest was also ensuring the service was stopped, this could cause Puppet to try to stop the service every single run. (Issue 23033)
Skip module metadata that cannot be parsed. Previously, module metadata that couldn’t be parsed was not skipped and could cause the puppet master to fail catalog serving if a module with bad metadata was installed. (Issue 22818, Issue 20728, Issue 15856)
Use FFI native windows root certs code. This fix cleaned up some potential puppet agent crashes on Windows by using the Win32 APIs better. (Issue 23183)
Guard against duplicate Windows root certs. Previously, duplicates could cause unnecessary run failures. (Issue 21817)
Make Debian user/group resources report their proper containment path. Previously, Puppet events from Debian showed in Puppet Enterprise’s event inspector as “unclassified.” (Issue 22943)
Fix race condition in filebucket. Before the fix, there were unnecessary run failures when multiple nodes were trying to write to a puppet master’s filebucket. (Issue 22918)
Force encoding of user comment values to ASCII-8BIT. Previously, there were run failures under Ruby 1.9 and higher when user resources were present. (Issue 22703)
Don’t serialize transient vars in Puppet::Resource. Previously, Puppet would write YAML data that couldn’t be deserialized by other tools. (Issue 4506)
Validate the name attribute for package resources to disallow arrays. Previously, there was inconsistent behavior between dpkg and the other package providers. (Issue 22557)
Use the most preferred supported serialization format over HTTP. Puppet had been choosing a format at random whenever there were multiple acceptable formats. (Issue 22891)
Set value_collection for boolean params. Before the fix, boolean resource attributes were displayed badly in the type reference. https://projects.puppetlabs.com/search?q=22699