Posts Tagged ‘release’

Introducing Scaffold

May 4th, 2010

I’ve just written and released Scaffold – a very simple Puppet scaffolding templating tool. It integrates with Puppet to create a variety of Puppet configuration and objects.

You can install it via a gem currently:

$ sudo gem install scaffold

It requires Puppet and will install the templater gem as a dependency.

You can then use it like so:

* Basic Puppet configuration (creates site.pp, fileserver.conf and supporting material in the Puppet configuration directory):

$ scaffold puppet

* Modules (it checks the Puppet module path and creates the module in the first module path it finds):

$ scaffold module module_name

* Nodes (assumes you’ve created the basic Puppet configuration and creates nodes in Puppet configuration directory):

$ scaffold node node_name

* Classes and Definitions:

$ scaffold class module_name class_name

$ scaffold define module_name define_name

* Functions:

$ scaffold function module_name function_name function_type

The function type can be statement or rvalue and defaults to statement if omitted.

* Types and providers:

$ scaffold type module_name type_name

I’d welcome feedback and ideas (and code!) on how to extend it. The idea is that once we’ve got a strong working tool we’ll look to integrate the result into Puppet mainline as a provisioning and templating system.

Puppet 0.25.4 released!

January 29th, 2010

You wanted “release early, release often” and the Puppet team has delivered!
The 0.25.4 release is a maintenance release (with one important feature – pre/post transaction hooks – discussed below) in the 0.25.x branch.  The release primarily addresses a regression introduced in 0.25.3 that caused issues with creating cron jobs.

The release is available at:

http://reductivelabs.com/downloads/puppet/puppet-0.25.4.tar.gz

http://reductivelabs.com/downloads/gems/puppet-0.25.4.gem

http://gemcutter.org/gems/puppet

Please note that all final releases of Puppet are signed with the Reductive Labs key – http://reductivelabs.com/trac/puppet/wiki/DownloadingPuppet#verifying…

Please report feedback via the Reductive Labs Redmine site: http://projects.reductivelabs.com

Please select an affected version of 0.25.4

RELEASE NOTES

Pre/Post Transaction hooks

There is a new feature in this release: pre and post transaction hooks.  These hooks allow you to specify commands that should be run pre and post a Puppet configuration transaction.   They are set with the prerun_command and postrun_command settings in the puppet.conf configuration file.

prerun_command = /bin/runbeforetransaction
postrun_command = /bin/runaftertransaction

The command must exit with 0 (i.e. succeed), otherwise the transaction will fail: a failing pre command fails the transaction before it is run, and a failing post command fails it at the end of the transaction.
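Because these hooks are executed by the Puppet agent on every run, and the agent typically runs as root, anyone who can modify a hook script can run commands with the agent's privileges. The following audit is an added example, not part of Puppet or of the original release notes: it reads prerun_command and postrun_command from a puppet.conf and checks the ownership and write permissions of each hook and its directory. The function names, the default owner of root and the absolute-path requirement are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the hook commands configured in puppet.conf.

# Print the value of a setting. Commented-out lines are ignored because the
# name must be the first non-blank text on the line. Simplification: config
# sections are not distinguished; the last occurrence in the file is reported.
hook_setting() {    # $1 = config file, $2 = setting name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# True if $1 (symlinks followed) is owned by user $2 (name or numeric uid).
owned_by() {
    [ -n "$(find -H "$1" -prune -user "$2" -print)" ]
}

# True if $1 is writable by its group or by everyone.
writable_by_others() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Return 0 only if the hook's executable can be trusted to run as the agent.
check_hook() {      # $1 = configured command line, $2 = expected owner
    cmd=${1%% *}    # the executable is the first word of the setting
    owner=${2:-root}
    case $cmd in
        /*) ;;
        *) echo "not an absolute path: $cmd" >&2; return 1 ;;
    esac
    [ -f "$cmd" ] && [ -x "$cmd" ] || {
        echo "missing or not executable: $cmd" >&2; return 1; }
    # A writable parent directory lets the file be replaced, so check both.
    for p in "$cmd" "$(dirname "$cmd")"; do
        owned_by "$p" "$owner" || {
            echo "$p is not owned by $owner" >&2; return 1; }
        writable_by_others "$p" && {
            echo "$p is group- or world-writable" >&2; return 1; }
    done
    return 0
}

# Check both hook settings; unset hooks are skipped. Returns 1 on any finding.
audit_hooks() {     # $1 = puppet.conf path, $2 = expected owner
    rc=0
    for name in prerun_command postrun_command; do
        value=$(hook_setting "$1" "$name")
        [ -z "$value" ] && continue
        check_hook "$value" "$2" || { echo "$name: unsafe hook" >&2; rc=1; }
    done
    return $rc
}

# Stand-alone use: sh audit_hooks.sh /etc/puppet/puppet.conf [owner]
if [ "$#" -gt 0 ]; then audit_hooks "$1" "${2:-root}"; fi
```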


* Bug #2845: Cron entries using “special” parameter lose their title when changed
* Bug #3001: Can’t manage broken links
* Bug #3039: 0.25.3 gem spec specifies the executables incorrectly
* Bug #3075: sshkey host aliases broken by fix for #2813
* Bug #3088: Puppetd fails to stop after receiving SIGTERM
* Bug #3089: puppetlast gsub! error
* Bug #3093: Blastwave provider broken in 0.25.3
* Bug #3104: Test failed: Puppet::Network::XMLRPCClient when performing the rpc call and an exception is  raised.should log and raise XMLRPCClientError if Timeout::Error is raised
* Bug #3112: Problem with adding and removing crons
* Bug #3122: Uncharacterized failure in fileserving under OS X
* Bug #3125: Dpkg tests failing
* Feature #2914: Transactions should have before and after hooks

Puppet 0.25.3 – “Clifford” released!

January 12th, 2010

Puppet 0.25.3 – code-named “Clifford”

The 0.25.3 release is a maintenance release in the 0.25.x branch.  The release addresses a regression introduced in that caused issues with command execution.

The release is available at:

http://reductivelabs.com/downloads/puppet/puppet-0.25.3.tar.gz

http://reductivelabs.com/downloads/puppet/puppet-0.25.3.gem

http://gemcutter.org/gems/puppet

Please note that all final releases of Puppet are signed with the Reductive Labs key.

http://reductivelabs.com/trac/puppet/wiki/DownloadingPuppet#verifying-puppet-downloads

Please report feedback via the Reductive Labs Redmine site:

http://projects.reductivelabs.com

Please select an affected version of 0.25.3.

* Bug #1464: Mount resource complains about missing options field
* Bug #2845: Cron entries using “special” parameter lose their title when changed
* Bug #2887: Service (init) does not seem to work with require properly
* Bug #3013: util.rb:execute broken on <1.8.3
* Bug #3025: apt and aptitude providers don’t work on Debian Lenny puppet from gems

Puppet 0.25.2 “Zoe” released!

January 5th, 2010


Puppet – code-named "Zoe"

The release is a significant maintenance release (123 tickets closed!) in the 0.25.x branch.

Thanks to all who contributed to the release and tested fixes – especially (but not limited to!) Peter Meier (duritong), R.I. Pienaar (Volcane), Mark Plaskin, Dan Bode, Alan Harder, Ricky Zhou, Christian Hofstaedtler, Todd Zullinger, Till Mass, Nigel Kersten, and especially Markus Roberts and Jesse Wolfe who worked around the clock to get the release out the door.

The release is available at:

http://reductivelabs.com/downloads/puppet/puppet-.tar.gz
http://reductivelabs.com/downloads/puppet/puppet-.gem

Please note that all future final releases of Puppet will be signed with the Reductive Labs key.  Unfortunately, I am travelling and unable to access the box with the release key on it or its backup.  A signature will be generated for this release early next week when I return to Australia.

http://reductivelabs.com/trac/puppet/wiki/DownloadingPuppet#verifying-puppet-downloads

Please report feedback via the Reductive Labs Redmine site:

http://projects.reductivelabs.com

Please select an affected version of .

RELEASE NOTES

* When setting aliases using the host type now use the host_alias attribute rather than alias.

* Puppet now has the "manage_internal_file_permissions" option which allows you to enable or disable Puppet management of internal files, for example those in /var/lib/puppet.  When "false" Puppet will NOT manage these files.  Default is "true".

* Cron type now supported on AIX

* Maillist type is now working again

* File serving permissions error messages enhanced

* SELinux now supports contexts with upper case titles

* When running the tests you no longer need to use RSpec version 1.2.2 but rather versions including and newer than.

* The debug format message has been changed and clarified from:

debug: Format s not supported for Puppet::FileServing::Metadata; has not implemented method 'from_s'

to:

debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using pson

* Puppetdoc now works with Regex node names

* There are now valid and proper OIDs in the LDAP puppet.schema that are unique and registered for Puppet.

* Packagers please note updated man pages including a new page for puppetqd

* Fix for temporary file issues (https://bugzilla.redhat.com/show_bug.cgi?id=502881)

Full list of closed tickets.

 

Puppet 0.25.2 Release Candidate 3 out!

January 1st, 2010

We've pounced on a few more bugs and Puppet release candidate 3 is a go.  Please test hard.  The production release should be in a few days barring any more bugs being found.

Puppet 0.25.2 – release candidate 2 is out!

December 23rd, 2009

We've powered our way through 118 tickets to get to and have a release candidate in the wild – we actually have RC2 out because of a missing commit in RC1. 

Puppet 0.25.1 Released!

November 22nd, 2009

This post is a little late… but.

Puppet – code name “zoot” – is now available. The release is a maintenance release in the 0.25.x branch.

The release is available via tarball and gem.

Please report issues and feedback via the Reductive Labs Redmine site:

Please select an affected version of .

RELEASE NOTES

* We’ve clarified that the new ‘require’ function only works for 0.25.x clients. If the function is specified with 0.24.x or earlier clients the class will be included but the inherent dependency will not be created. A warning message will be generated informing you of this.

* Node regular expression matching rules have been clarified.

* The Nagios serviceescalation type now supports the use of the servicegroup_name attribute.

* The Puppet gem now installs all binaries to the ‘bin’ directory because Gems lack support for both a ‘bin’ and ‘sbin’ directory. Facter (version later than 1.5.1) is now also a dependency for the gem.

* The zone type now works with OpenSolaris

* You can now specify null values for environment variables in the cron type

* The Vim syntax highlighting now identifies new regex structures

* Bug #1538: Yumrepo sets permissions wrongly on files in /etc/yum.repos.d

* Bug #1719: Puppetd runtime increase dramatically after upgrading to 24.6

* Bug #1742: --color accepts parameters other than true, false, ansi, html – but produces “nil” output

* Bug #1900: Parsing of quoted $ in stdin

* Bug #1908: cron environment does not allow empty values

* Bug #2508: misleading error about ActiveRecord versions

* Bug #2534: Parser should raise an error if you specify the same property twice

* Bug #2600: Master under mongrel wrong number of arguments (3 for 2)

* Bug #2601: fqdn_rand raises exception when passed a seed

* Bug #2605: 1.8.1 compatibility – #1963 fix uses method not in 1.8.1

* Bug #2606: Gems can’t handle binaries in the sbin directory

* Bug #2607: 0.25 gem does not have facter as a dependency

* Bug #2608: install.rb will not run on 1.9.1 due to ftools being deprecated

* Bug #2612: vim syntax highlighting of new regex language features

* Bug #2613: Autorequire fails when a directory’s path has a trailing /

* Bug #2615: YAML sometimes modifies the contents of string data

* Bug #2616: Locking error in tagmail

* Bug #2618: Spurious test failures when testing redhat service providers on debian variants

* Bug #2619: Fresh 0.25.0 client cannot ‘authenticate’ to 0.25.0 puppetmaster.

* Bug #2620: Regex problem in puppetmaster auth.conf

* Bug #2621: possible JSon serialization issue (on debian/lenny/amd64)

* Bug #2622: puppetdoc returns undefined method ‘[]‘

* Bug #2626: Unhelpful error message

* Bug #2627: Node regular expressions only work in some cases

* Bug #2632: require doesn’t seem to work

* Bug #2634: nagios type serviceescalation should support servicegroup_name

* Bug #2637: SSL socket race condition under webrick

* Bug #2638: inconsistent behaviour when more than one “node /foo/ { }” stanza matches.

* Bug #2639: Fail to store reports in simple default config

* Bug #2640: runit service provider does not create symlinks

* Bug #2642: runit service provider doesn’t have a restart command

* Bug #2648: macauthorization provider spuriously changes values when not needed.

* Bug #2651: Directory permissions on man pages can be incorrect

* Bug #2652: syntax error in lib/puppet/util/selinux.rb according to Fedora 11 1.8.6

* Bug #2654: Confusing error message when a provider lacks a feature

* Bug #2656: Puppet --parseonly tests hang forever

* Bug #2661: puppetd exits if the master is unreachable.

* Bug #2664: regexp parse error

* Bug #2665: regex problem with package names containing ++

* Bug #2668: Too many facts: request-URI Too Large

* Bug #2672: Cannot have underscores in node name

* Bug #2674: createpackage.sh: problem finding install.rb

* Bug #2676: lib/puppet/agent.rb apparent typo

* Bug #2679: Possible regression

* Bug #2681: “Duplicate generated resource;skipping” for each managed resource

* Bug #2685: Got an uncaught exception of type TypeError

* Bug #2686: ActiveSupport >= 2.3.3 forces use of defective JSON library

* Bug #2688: macauthorization provider now doesn’t deal with booleans correctly.

* Bug #2689: Running puppet as non-root => getting rid of all those ownership warnings

* Bug #2691: “Could not retrieve catalog: HTTP-Error: 500 Internal Server Error” with tagged exported resources

* Bug #2697: provider/portage.rb: update-eix is deprecated

* Bug #2698: provider/portage.rb: format string has changed (again)

* Bug #2699: Configurable port in the included Red Hat init script is broken

* Bug #2702: puppetdoc rdoc mode fails if outputdir not specified

* Bug #2707: ‘config_version’ should behave better on failure

* Bug #2711: Storeconfigs don’t work with puppet command

* Bug #2734: classfile is only 1 byte big

* Bug #2735: External node classes aren’t added to the class list on compile startup

* Bug #2736: Ssh_authorized_key target changed?

* Bug #2737: The zone provider needs to get acquainted with OpenSolaris

* Bug #2739: puppetmasterd 0.25.1rc2 is not logging anywhere

* Bug #2745: fakedata iteration in specs is borked.

* Bug #2750: puppetd: setting the :cacrl to ‘false’ is deprecated

* Bug #2751: Red Hat initscripts kill an independently started puppetd/puppetmasterd

* Bug #2752: require function does not work in ‘puppet’

* Bug #2753: fileserver.conf allow/deny directives not honored for [modules], [plugins]

* Feature #2393: We should maintain a dynamically-built ‘next’ branch

CIS Security Metrics Available

June 27th, 2009

The CIS has released a collection of metrics – CIS Security Metrics Guide (v. 1.0.0).  The project goal is to “develop a balanced combination of unambiguous and logically defensible outcome and practice metrics measuring” and to “utilize data commonly available in most enterprises.”

The following metrics are proposed and documented:

  • Application Security
    • Number of Applications
    • Percentage of Critical Applications
    • Risk Assessment Coverage
    • Security Testing Coverage
  • Configuration Change Management
    • Mean-Time to Complete Changes
    • Percent of Changes with Security Review
    • Percent of Changes with Security Exceptions
  • Financial
    • Information Security Budget as % of IT Budget
    • Information Security Budget Allocation
  • Incident Management
    • Mean-Time to Incident Discovery
    • Incident Rate
    • Percentage of Incidents Detected by Internal Controls
    • Mean-Time Between Security Incidents
    • Mean-Time to Recovery
  • Management
  • Vulnerability Management
    • Vulnerability Scan Coverage
    • Percent of Systems Without Known Severe Vulnerabilities
    • Mean-Time to Mitigate Vulnerabilities
    • Number of Known Vulnerability Instance

Download the metrics here or via direct PDF link.

Puppet 0.25.0beta1 released!

May 4th, 2009

The beta1 release of Puppet 0.25.0 has been released!

This is a big woot!  This represents a mountain of work for Luke and a number of contributors to Puppet (including me! :P ).  It’s been about 18-24 months in the making since Luke first started tossing ideas around and cutting code.

We’re not fully there yet.  This is a release after all but it’s well on the way and with sufficient testing we should get a release candidate out within the month I hope.

For those of you who are interested the tarball is available here and here are some notes about it:

Puppet 0.25.0beta1

This is not production ready code – it is a release for testing. The is largely feature complete and the extent of testing and issues will determine how soon we move to a release candidate. So we would ask everyone to test and report issues with the .

Please log any issues found during testing here.

Please select the Affected Version as 0.25.0.

Please email any other specific questions, comments or feedback to the puppet-user list.

What’s Changed?

There are substantial changes in Puppet 0.25.0 and more changes to come in the future. Most of the changes in 0.25.0 are internal refactoring rather than behavioural. The 0.25.0 release should be fully backwards compatible behaviourally with the 0.24.x branch. This means a 0.25.0 master will be able to manage 0.24.x clients. You will need, however, to upgrade both your master and your clients to take advantage of all the new features and the substantial gains in performance offered by 0.25.0.

The principal change is the introduction of Indirected REST to replace XML-RPC as the underlying Puppet communications mechanism. This is a staged change with some functions migrated in this release and some in the next release. In the first stage of the Indirected REST implementation the following functions have been migrated:

- Certificates
- Catalogue
- Reports
- Files

In 0.26.0 (the next release) the following remaining functions will be migrated:

- Filebucket
- Resource handler
- Runner handler
- Status handler

The new REST implementation also comes with authorisation configuration in a similar style to the namespaceauth used for XML-RPC. This new authorisation is managed through the auth.conf file (there is an example file in the conf directory of the tarball). This does not yet fully replace the namespaceauth.conf file but will when the remaining handlers are migrated to REST. It works in a similar way to the namespaceauth.conf file and the example file contains additional documentation.

As a result of the introduction of REST and other changes you should see substantial performance improvements in this release. These particularly include improvements in:

- File serving
- The performance of large graphs with lots of edges
- Stored configuration (see also Puppet Queuing below)

Other new features include (this is not a complete list – please see the Roadmap for all tickets closed in this release):

Puppet Queuing

There is a new binary called puppetqd that supports queuing for stored configurations. You can read about how it works and how to implement it here.

Further documentation is in the README.queuing file in the tarball.

Application Controller

All the logic has been moved out of the binary commands and added to an Application Controller. You can see the controller code at lib/puppet/application.rb and the logic for each application at lib/puppet/application/binaryname.rb.

Binary Location Move

To bring Puppet more in line with general packaging standards the puppetd, puppetca, puppetrun, puppetmasterd, and puppetqd binaries now reside in the sbin directory rather than the bin directory when installed from the source package.

Version Compare function

There is a new function called versioncmp.

Other features

You can find a full list of the tickets closed thus far for version 0.25.0 here.

Google Chrome

September 13th, 2008

I downloaded Google’s new Chrome browser (http://www.google.com/chrome) this morning. I installed it and I played with it for about an hour. I read the release notes and watched several of Google’s videos. Overall, it looks cool, seemed to be snappy and quick to respond. I was particularly taken with the focus on tabs. I also thought the multi-, multi-tab sandbox idea is a really interesting idea – initially from a usability perspective but potentially also from a security perspective. Though there isn’t anywhere near enough information yet to make a proper assessment. I did try to break some tabs and see how effective the sand-boxing was (it seems to hold up from a very brief look but it’ll take some code review from someone with more code-fu than me to determine actually how secure the concept is – see below).

A few things didn’t inspire me – the border decoration was a little … unintegrated. And I am always loath to pass judgement on an application that by its very nature needs to be examined in a cross-platform context and I would want to see running on all of Microsoft Windows, OSX, and Linux. This is particularly true of OSX where the graphical environment can make an enormous difference to how an application engages you.

But after my play I closed Chrome down with a big sigh to get on with my actual day job. Why the sigh? Did I think the new Chrome browser wasn’t very good? Nope. But my first thought was “I wonder how many people in my enterprise have downloaded and installed Chrome over the last few days”. This was quickly followed by me asking two questions:

1. What is the change in the enterprise’s risk profile of adding this new application?

2. What’s the operational impact of some, many or all of my users downloading and installing this application?

Obviously (and hopefully) it is only an incremental change in risk profile and not much at that. The browser will probably only be downloaded by power users and innovators in the enterprise, initially at least. On the threat landscape in most enterprises however browsers punch well above their weight in terms of attack surface, are a common source of malware infection and browser exploits are a popular target for hackers. Indeed a (the first?) Chrome vulnerability has already been discovered AND exploited (see http://www.readwriteweb.com/archives/security_flaw_in_google_chrome.php) literally hours after Chrome was released. So Chrome’s potential as a source of compromise and attacks needs to be carefully considered.

The answer to the second question is also ambiguous but finding out can add a lot of work for a security team. With any new application, but especially ones like browsers that are such rich sources of malware attack, there is now a potential need to:

• Track bugs and vulnerabilities for the application;
• Add it to software profiles for vulnerability ;
• Investigate its behaviour for network behaviour and IDS/IPS;
• Profile it for our Security Event and Incident Management ; and
• Specifically for this application ascertain if its Incognito “stealth” browsing capability impacts our ability to investigate and gather evidence in incidents.

So most important to me right now is not whether Chrome will outshine Firefox or IE or whether it represents the future of the browser. But rather how much work is this new browser going to create for me… :)

P.S. If you’re interested in looking at it you can find Chrome’s source code at http://code.google.com/chromium/. There are also build instructions (for which you will probably need to have some developer skills) for OSX and Linux.