Forem: Puppet Ecosystem

A Fond Farewell For Now to Community Day & Norman

Puppet Ecosystem — Wed, 20 Oct 2021 00:00:00 +0000

IAC Community Day

Background

The Infrastructure Automation Content (IAC) team formed from the merger of 4 core content-focused teams (Modules, Windows, Cloud & Containers, and Networking), maintaining forty-five open-source supported Puppet modules and over a dozen tools that help reduce the content maintenance and support costs.

A crucial part of Puppet’s success has always been the support of the community. The IAC team, like with all module teams before, would have had a dedicated engineer or engineers assigned to community triage, usually on a rotational basis.

The triage rota consumed 20% of the team’s engineering resources. It was challenging due to:

Lack of domain knowledge
Work spilling over either into or out of triage during rotation
Impact to other team members not on rotation
Engineers left feeling drained, low self-esteem
Engineers dreading rotating onto triage.

Community Day (Introduced in November 2020)

Community day came about as part of reviewing of our triaging commitments and chatting with the team listening to their concerns.

As mentioned, 20% of the team’s engineering resourcing and effort was already going into the triage rotation. So we asked ourselves the question:

What if we focused this 20% effort and had the whole team take part in a full day community triage?

Benefits:

Upskilling
Teamwork
Reduced distractions
Greater community focus
Starting the week off with a win
Productivity within the team increased (hard to believe even for us, at first)

Not only have we been able to address the backlog of community requests across forty-five supported open source modules (plus over a dozen tooling repos), the team have been able to focus on feature delivery.

Since switching to the new community day, over the last eleven months, the team have:

Handled† 1536 issues
Performed 205 module releases
Released 30 tooling updates

† Handled meaning a team member has either:

Closed a PR or Jira

Merged community a PR

or provided feedback on a community PR

By committing to community day and limiting distractions to 1 day, the team have also delivered:

A new Cloud CI
1. With multi-node testing support
2. New automated workflow
3. Internal developer environment support
Cisco Network device enhancement
New DSC builder generating >300 DSC PowerShell modules uploaded on the forge
3 OS certifications
Certified all the supported modules again Puppet 7, including:
1. Raising and testing fixes for numerous issues in Puppet 7 nightly agent builds prior to release
Rolled out the Trusted Contributor program
Improved our community communication with a weekly blog post, enhancing our community reporting

All in all, the IAC community day has not only enabled the team to reconnect with the community, address the content backlog, and upskill across the team; it has also improved team productivity by reducing distraction and increasing team morale. Mondays are, at the best of times, a tough day. Starting a week off with a win? Priceless.

Sadly, Community Day is coming to an end. Due to a significant reduction in resourcing, it is no longer possible to provide the technical support needed to run a dedicated community support day.

The content maintained by the IAC team is still of high importance to Puppet. Puppet would like to encourage our community to reach out via our public slack channels for assistance. Our PM team will help prioritize issues raised.

Farewell, Norman 💜

This week we have to say farewell to Norman, the Engineering Manager of the IAC and DevX Teams. This is a particularly sad goodbye as many of us, past and present, consider Norman one of the best leaders we have had the privilege of working with.

In just under three years, Norman led us to some fantastic achievements and kept us motivated and moving forward through turbulent times. Norman has shown unparalleled dedication to his team’s wellbeing, motivation, and personal development whilst still acting as a clarifying arbiter between the high-level vision and plans of the organisation. It was a tough balancing act that he seemed to be able to do, with his usual 110% dedication he never falters from.

Norman motivated and enabled us to become far better engineers and people than we were prior to being taken under his wing. The remit of the IAC team is a tough one, and one that can often be underappreciated, but Norman always fought our corner and sung our praises to anyone who stood still long enough to listen. Norman was great at suggesting and soliciting us to suggest new processes / ideas (Community Day being a prime example), that would make us more efficient and motivated, as a team. We benefited from his wealth of knowledge, experience (both technical and managerial) and genuine care for his colleagues and team.

We’d like to thank Norman for his hard work and support over these nearly three years. The IAC and DevX teams owe him a huge gratitude and we’ll miss him, as we bid farewell and good luck in your next venture!

IAC & DevX Team Updates; just cranking along

Puppet Ecosystem — Mon, 11 Oct 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-firewall#1019: “Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range”, thanks to cmd-ntrf
puppetlabs-firewall#1018: “Fedora 34 and iptables-compat fix; properly utilising iptables param.”, thanks to adamboutcher
puppetlabs-postgresql#1307: “Drop further code for Debian 6 and Ubuntu 10”, thanks to ekohl
puppetlabs-postgresql#1306: “MODULES-11201: add service_name for Ubuntu 18.04 and later”, thanks to moritz-makandra
puppetlabs-postgresql#1297: “Support target_role in default_privileges”, thanks to fish-face
facterdb#197: “Release 1.10.1”, thanks to bastelfreak
facterdb#196: “CI: Test if the gem builds”, thanks to bastelfreak
facterdb#195: “facter 4.0: Regenerate factsets with legacy facts”, thanks to bastelfreak
facterdb#194: “facter 4.1: Regenerate factsets with legacy facts”, thanks to bastelfreak
facterdb#193: “facter 4.2: Regenerate factsets with legacy facts”, thanks to bastelfreak
facterdb#192: “Remove EoL OSes from Vagrantfile”, thanks to bastelfreak
facterdb#191: “get_facts.sh: Collect legacy facts as well”, thanks to bastelfreak
facterdb#190: “get_facts.sh: Ignore facter 1.X/2.x”, thanks to bastelfreak
dropsonde#13: “Load Ruby’s CA certificates instead of using httpclient defaults”, thanks to Magisus
puppet_litmus#427: “Allow Litmus Functions to accept a target”, thanks to RandomNoun7

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

Mitigating the 0-day Apache path traversal vulnerability

Puppet Ecosystem — Tue, 05 Oct 2021 21:46:02 +0000

Apache has disclosed a critical actively exploited path traversal flaw in the popular Apache webserver, versions 2.4.49 and 2.4.50. This path traversal means that an attacker can trivially read the contents of any file on the server that the Apache process has access to. This could expose highly sensitive information, even as critical as the server's own private SSL certificates. See the Sonatype blog for more technical information on the vulnerability.

Update
The fix in Apache version 2.4.50 was incomplete. Please follow these instructions to upgrade your nodes to Apache version 2.4.51 from both 2.4.49 and 2.4.50.

Puppet Enterprise and Bolt both make it easy to identify vulnerable systems and mitigate the exposure by upgrading the Apache package.

Using Puppet Enterprise

Puppet Enterprise includes a feature called Package Inventory. This will allow you to quickly identify which nodes in your infrastructure are running the vulnerable version of Apache. It's disabled by default, so you'll need to turn it on first.

In the PE Console, find the PE Agent node group. Add the puppet_enterprise::profile::agent class if needed and then set the package_inventory_enabled parameter to true. Use the Run Puppet button to trigger a Puppet run on all nodes. The inventory collection will take effect on all subsequent Puppet runs, so once it's completed, trigger a second Puppet run.

Now use the Packages page to view your infrastructure's package inventory. Filter by the package name "httpd", then click into the package detail page and filter by the version "2.4.49". This now lists all nodes with the vulnerable version.

If the package is managed by Puppet, use the Instances selector to drill in and then click Copy path to quickly find the spot in your codebase you need to update with a newer version. Run Puppet on all nodes once the codebase has been updated.

If you have instances in which the package is not managed by Puppet, then use a Puppet Task to push a package update to these nodes. Create a list of the affected nodes, then use the Package task to force the package to be updated. See the docs for more information.

Since some distributions call the package "apache", repeat the above steps with that name too. And then given the second patch, check both package names for version "2.4.50" as well.

Find more information about the Package Inventory on its docs page.

Using Puppet Bolt

If you don't have Puppet Enterprise, Bolt allows you to use plans to gather information from nodes. Let's start by creating a new project by creating a directory called apache_mitigation. Now cd into that directory and turn it into a Bolt project by running bolt project init.

You'll want an inventory file so you can address all your nodes. If you don't have one already, then create one following instructions. We will use the implicit all target group, or you can create a more specific group if you want to limit the nodes to be inspected.

Then create a new plan to manage the package upgrade process. Run bolt plan new apache_mitigation::upgrade_vulnerable_packages --pp. Add the following content to your new plan file:

plan apache_mitigation::upgrade_vulnerable_packages (
  String     $package,
  String     $vulnerable_version,
  String     $target_version,
  TargetSpec $targets,
) {
  # Get status of package on each target
  $package_status = run_task('package', $targets, 
    'name'   => $package, 
    'action' => 'status'
  )

  # Select targets that have the vulnerable package installed
  $vulnerable_targets = $package_status.filter_set |$result| {
    $result['version'] == $vulnerable_version
  }.targets

  # Upgrade the package to a non-vulnerable version on each target
  $result = run_task('package', $vulnerable_targets,
    'name'    => $package, 
    'action'  => 'upgrade',
    'version' => $target_version
  )

  return $result
}

Since different distributions use different package names, run that plan for both httpd and apache.

bolt plan run apache_mitigation::upgrade_vulnerable_packages package=httpd vulnerable_version=2.4.49 target_version=2.4.51 --targets=all
bolt plan run apache_mitigation::upgrade_vulnerable_packages package=httpd vulnerable_version=2.4.50 target_version=2.4.51 --targets=all

bolt plan run apache_mitigation::upgrade_vulnerable_packages package=apache vulnerable_version=2.4.49 target_version=2.4.51 --targets=all
bolt plan run apache_mitigation::upgrade_vulnerable_packages package=apache vulnerable_version=2.4.50 target_version=2.4.51 --targets=all

Verifying the mitigation

Whether you choose to use Puppet Enterprise or Bolt to mitigate your exposure, once you're finished you can go back and verify that the vulnerable nodes have been upgraded. On Puppet Enterprise, you'd go back to the Packages page in the PE Console and drill down to the httpd or apache packages to validate versions. And if you used Bolt, you'd just run the apache_mitigation::upgrade_vulnerable_packages plan again and validate that the output is empty.

Ben is the Product Manager of Ecosystem and Developer Experience at Puppet.

Learn more

See the Sonatype blog for more technical information on the vulnerability.
Read more about Package Inventory.
Read more about Puppet Bolt.

IAC & DevX Updates; farewell Danny

Puppet Ecosystem — Mon, 04 Oct 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-apache#2195: “Allow docroot with mod_vhost_alias virtual_docroot”, thanks to yakatz
puppetlabs-apache#2191: “add double quote on scope parameter”, thanks to aba-rechsteiner
puppetlabs-apt#1007: “(MODULES-11173) Add per-host overrides for apt::proxy”, thanks to maturnbull
puppetlabs-chocolatey#269: “add support for version range”, thanks to rico89
puppetlabs-docker#774: “Prefer timeout to time_limit for Facter::Core::Execution”, thanks to smortex
puppetlabs-firewall#1019: “Bugfix MODULES-11203: error on second apply when uid or gid is specified as a range”, thanks to cmd-ntrf
puppetlabs-java#488: “Enabling Rocky Linux for Install”, thanks to pmjensen
puppetlabs-java_ks#378: “Fix “password” as Property”, thanks to cocker-cc
puppetlabs-postgresql#1307: “Drop further code for Debian 6 and Ubuntu 10”, thanks to ekohl
puppetlabs-postgresql#1306: “MODULES-11201: add service_name for Ubuntu 18.04 and later”, thanks to moritz-makandra
puppetlabs-postgresql#1299: “Inline file contents in the catalog”, thanks to ekohl
puppetlabs-postgresql#1296: “Fix changing default encoding”, thanks to smortex
puppetlabs-postgresql#1279: “Use Puppet-Datatype Sensitive for Passwords”, thanks to cocker-cc
puppetlabs-stdlib#1213: “stdlib::ensure: Add support for package resource”, thanks to david-caro and the following people who helped get it over the line (b4ldr)
puppetlabs-stdlib#1195: “(MODULES-11126) Replacing URI.escape with URI::DEFAULT_PARSER”, thanks to valleedelisle and the following people who helped get it over the line (karelyatin, b4ldr)
facterdb#189: “Release 1.10.0”, thanks to bastelfreak
facterdb#188: “Ubuntu 18.04/20.04, RedHat 8: Update factsets”, thanks to bastelfreak
rspec-puppet-facts#134: “Release 2.0.3”, thanks to bastelfreak
rspec-puppet-facts#133: “regenerate puppet_agent_components.json”, thanks to bastelfreak
iac#315: “Bump jekyll from 4.2.0 to 4.2.1”, thanks to [dependabot[bot]][dependabot[bot]]
puppet-module-gems#167: “(maint) Fix pry dependency issue.”, thanks to BobosilaVictor
puppet_litmus#427: “Allow Litmus Functions to accept a target”, thanks to RandomNoun7

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

Puppet Module Major Releases

Looking into the future, we only have a single major release planned, this being Apache v7.0.0. So if you use this module you should get ready for this to come on our next community day.

Farewell Danny

Finally, we have to end on a sad note 😢

This will be Danny’s last week on the IAC Team. Daniel was a founding member of the IAC team and has shown great professionalism, focus and drive, to help deliver true value to our customers and community.

Some of the major stand outs from Danny’s time on the IAC Team (and in Puppet), are the Cloud CI and Automated Release Tooling, which are invaluable, integral parts of the IAC Team’s process. Danny also lent his expertise to the Forge team, helping to design and implement functionality to facilitate the introduction of premium content.

We were very fortunate to have Danny’s considerable breadth of knowledge in Cloud technologies - he’s been instrumental in maintaining and enhancing the Docker and Kubernetes modules.

He has been a fantastic colleague, mentor and friend to us all. From all of us on the IAC team - the very best of luck for the future, and thanks for all you’ve done for us. 🍺 🚀

Malware Scanning on the Puppet Forge

Puppet Ecosystem — Wed, 29 Sep 2021 15:00:31 +0000

Another supply chain attack hit the news last week. This time it was a configuration management agent installed on most Azure images. I'm not bothering to link to it because it's just another in a long chain of attacks this year and, by the time this is published, there will likely be another one. Maybe this time it will be yet another background bitcoin miner hiding inside an innocuous NPM package.

I've been in the Puppet ecosystem for over a decade deploying Forge modules all over the world, but to tell the truth, the idea of running un-audited code has always bothered me just a bit. When you yum or apt install an open source package, you can trust that it went through an audit process with at least a few pairs of eyeballs on it before getting to the repositories. But now with the rise of peer-to-peer package repositories like NPM, PyPI, or RubyGems, that assumption is gone. And Golang effectively does away with the repository altogether! That's a lot of trust we put into the publishers of these packages.

The Puppet Forge Module Ecosystem

So far the Puppet ecosystem has not been attacked with malicious code injected into Forge modules. But we cannot assume this will always be the case. The Forge team has been hard at work for the past few months building out a malware scanning framework.

Now, to be clear, this doesn't replace your own security mitigations. You should still audit untrusted code. You should still run your own virus protections. There are many layers in a robust security profile, and this is only one of them. But what we can do is give you relatively high confidence that the Puppet modules you use are not introducing malware themselves.

We had to first put some thought into what it meant to be a secure Puppet module and balance that against what we could actually test for, programmatically. One of the challenges of scanning configuration management code is there's inherently so much overlap with malicious code already! It's a bit like the definition of a "weed" being an unwanted plant, no more and no less. It's all about context.

For example, downloading a tarball and running a shell command is exactly how a bunch of Tomcat modules work, so we can't quite eliminate that behavior. But we can identify when file resources use world-writable permissions, or wide open firewall rules, or known insecure Apache configurations, and we can flag when known malware files or URLs are included in a module itself.

Then we had to identify the value and the level of effort of writing checks for each of these cases then rank them to identify which would get us the most impact the soonest.

Quality Scores

Let's take a small detour and talk about the Forge quality scores for a moment. When we first introduced the automatic module quality analysis, it was implemented as a Jenkins pipeline, which obviously got more and more crufty as the years went by. Over the last year, we've been incrementally porting these pipelines to a more modern container-based workflow. These can be invoked anywhere with a container runtime or in any cloud service with a container orchestrator. Tangent: watch for another blog post showing you how to run these locally to predict your Forge quality score!

This workflow means that the cost of building new quality score analyses is now relatively low. Just update the backend and database schemas to accept the new scores, then build a frontend to present it, if needed. (And yes, this papers over a ton of work!)

But it also made it a perfect system for security analysis. Anything that we could build into a container could be turned into something that the Forge could use.

Building the Scanner

A bit of research indicated some prior art that we could build upon. Last year a team of students from the University of Pernambuco released a "security smell" scanner for Puppet code and prior to that, a student at FernUniversität in Hagen built a set of puppet-lint plugins to check for security issues. ClamAV, the popular malware scanner, also already had a container available.

Ultimately we decided that the malware scan would have the biggest impact for our users, and got to work. We quickly realized that while the ClamAV solution was useful, we'd get even more value with an enterprise subscription to VirusTotal — and our internal security team was stoked to get their hands on such a powerful tool.

VirusTotal provides an upload API. Although it doesn't know Puppet code natively, it knows how to uncompress the module tarball format and how to scan files and their contents for known malicious code. This meant that (again, papering over the gory details) that all we needed to do was upload the module itself and consume the results. VirusTotal aggregates scan results from over 70 antivirus scanners and URL blocklists, so as you can imagine, the results were quite — shall we say — "complete."

Rather than trying to parse the entire results object and trying to make sense of everything, we used the summary. If any of the scanners discovered malware, we flagged the module and marked it as passing the scan if no malware was detected by any scanner. We also link back to the VirusTotal results page so that users can see the details for themselves, if they'd like.

With the help of our Design team and some backend plumbing, we had a malware scanning solution to help you select modules that best fit your needs and security policies. Because we have thousands of module releases a year, we're starting small by scanning all of our Supported modules, then expanding to Partner Supported, and then Approved. But by the end of the year, we expect that every module release will be security scanned as it's published. To avoid zero-day vulnerabilities, we will not retroactively scan existing modules so be sure to look for the malware scan status when you're evaluating modules. See an example on our puppetlabs-postgresql module.

So what next?

The process of building the scanner identified a couple of interesting UX questions. At the top of that list was the realization that this was the first use of the quality scoring system that could actually block publication or put a module into an ambiguous state. Solving that problem means that we're now in a position to resolve some other outstanding feature requests. For example, users have been asking for the ability to "preview" module releases to check for rendering issues or quality scores prior to actually publishing a release and this is now a feature on our roadmap.

Revamping the quality scores themselves has also been on our roadmap for a bit. The security-focused lint checks we mentioned above will certainly play into that. It's still an open question whether we just roll all the lint checks in together or separate them out by topic. But the container-based workflow we talked about above means that either way we group them will be relatively easy to build.

In any case, we're excited to provide you another tool in your security arsenal and hope that it builds confidence in the content you use from the Puppet Forge. Watch this space for more exciting things coming down the line in the future.

Ben is the Forge and Ecosystem product manager at Puppet.
Nik is a Software Engineer on the Forge team at Puppet.

IAC & DevX Team Updates; platform support strategy

Puppet Ecosystem — Mon, 20 Sep 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-apache#2193: “Restore Ubuntu 14.04 support in suphp”, thanks to ekohl
puppetlabs-apache#2191: “add double quote on scope parameter”, thanks to aba-rechsteiner
puppetlabs-apache#2189: “Drop Debian < 8 and Ubuntu < 14.04 code”, thanks to ekohl
puppetlabs-apt#1007: “(MODULES-11173) Add per-host overrides for apt::proxy”, thanks to maturnbull
puppetlabs-apt#999: “(maint) Set DEBIAN_FRONTEND=noninteractive on upgrade”, thanks to smortex
puppetlabs-docker#774: “Prefer timeout to time_limit for Facter::Core::Execution”, thanks to smortex
puppetlabs-haproxy#498: “Adding chroot_dir_manage parameter.”, thanks to Tamerz
puppetlabs-java#488: “Enabling Rocky Linux for Install”, thanks to pmjensen
puppetlabs-postgresql#1299: “Inline file contents in the catalog”, thanks to ekohl
puppetlabs-postgresql#1296: “Fix changing default encoding”, thanks to smortex
puppetlabs-postgresql#1279: “Use Puppet-Datatype Sensitive for Passwords”, thanks to cocker-cc
puppetlabs-stdlib#1209: “Added to_toml function”, thanks to nmaludy

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

puppetlabs-java (7.2.0)
puppet-lint (2.5.2)

The dropping of support

Due to the large amount of major releases that were made during the last time we removed support for an OS from our supported modules and following discussion within the team, it has been decided that going forward metadata changes, i.e. a drop in support, will no longer result in a major release. In cases where code necessary for said OS to function is removed, i.e. a drop in compatibility, this will still result in a major release, however we will attempt to pair this type of change with other similar major changes in order to keep the amount of major releases down. This may be subject to change however so please keep in touch and come forward with any questions that you may have.

DevX Team Updates

As some of you are probably aware of, the PCT tool has been the main focus of the DevX team for the past few months. It is the first part of a suite of tools that will replace the PDK. To help clarify our strategy and vision, Dave wrote a blog post that was published to puppet.com, last week - check it out here.

PCT 0.4.0

We released version 0.4.0 of the PCT tool on Friday, which brings a number of significant new features:

pct install can now install remote tar.gz templates via HTTP/S
pct new now handles templates in the new 0.4.0 format

As highlighted, PCT templates are now in a new format that is not backwards compatible with earlier formats.

Check out the 0.4.0 README entry for full details.

`puppet-lint 2.5.2`

There is also a new release of the puppet-lint gem which resolves an issue with a F+ in the double_quoted_strings check when the string literal \s was used in a manfest. Thanks to [optiz0r][https://github.com/optiz0r] for highlighting.

IAC & DevX Team Status; module updates

Puppet Ecosystem — Mon, 13 Sep 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-apache#2193: “Restore Ubuntu 14.04 support in suphp”, thanks to ekohl
puppetlabs-apache#2189: “Drop Debian < 8 and Ubuntu < 14.04 code”, thanks to ekohl
puppetlabs-apt#999: “(maint) Set DEBIAN_FRONTEND=noninteractive on upgrade”, thanks to smortex
puppetlabs-docker#773: “Fix facts gathering”, thanks to smortex
puppetlabs-firewall#1010: “Fix “undefined method gsub for nil:NilClass” when changing existing rule UID from absent to any present”, thanks to onyxmaster
puppetlabs-firewall#1006: “Replace travis link in README.md with GHA”, thanks to bastelfreak
puppetlabs-haproxy#498: “Adding chroot_dir_manage parameter.”, thanks to Tamerz
puppetlabs-java#493: “Allow archive 6.x”, thanks to smortex
puppetlabs-package#265: “Expose package manager options to task”, thanks to MartyEwings
puppetlabs-stdlib#1209: “Added to_toml function”, thanks to nmaludy
pdk-templates#451: “Remove env from GitHub template if all sub-keys are unset”, thanks to thebeanogamer
pdk-templates#446: “Don’t append a tag to image name if one already exists”, thanks to silug
pdksync#156: “Remove reference to non existent branch”, thanks to attachmentgenie

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

puppetlabs-firewall (3.2.0)
puppetlabs-kubernetes (6.3.0)

puppetlabs-apache module droppped code for Debian < 8 and Ubuntu < 14.04

Removed the Debian < 8 and Ubuntu < 14.04 code from the apache module with the following PRs. Thanks to ekohl

puppetlabs-apache#2189: “Drop Debian < 8 and Ubuntu < 14.04 code”.
puppetlabs-apache#2193: “Restore Ubuntu 14.04 support in suphp”.

This will be a backward incompatible changes and the next release will be major version bump v7.0.0.

IAC & DevX Updates; Trusted Contributors

Puppet Ecosystem — Mon, 06 Sep 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past 2 weeks:

puppetlabs-apache#2188: “Various spec cleanups”, thanks to ekohl
puppetlabs-apache#2186: “Debian 11: fix typo in versioncmp() / set default php to 7.4”, thanks to bastelfreak
puppetlabs-apache#2184: “(maint) Allow stdlib 8.0.0”, thanks to smortex
puppetlabs-apt#1001: “(maint) Add support for Debian 11”, thanks to smortex
puppetlabs-apt#1000: “(main) Allow stdlib 8.0.0”, thanks to smortex
puppetlabs-concat#716: “(maint) Allow stdlib 8.0.0”, thanks to smortex and the following people who helped get it over the line (bastelfreak)
puppetlabs-firewall#1010: “Fix “undefined method `gsub’ for nil:NilClass” when changing existing rule UID from absent to any present”, thanks to onyxmaster
puppetlabs-firewall#1009: “(IAC-1739) Fix CI with stdlib 8.0.0”, thanks to smortex
puppetlabs-java#493: “Allow archive 6.x”, thanks to smortex
puppetlabs-kubernetes#531: “Support Kubernetes 1.22 and kubeadm v1beta3 configurations”, thanks to treydock
puppetlabs-ntp#633: “(maint) Allow stdlib 8.0.0”, thanks to smortex
puppetlabs-package#265: “Expose package manager options to task”, thanks to MartyEwings
puppetlabs-postgresql#1293: “(maint) Allow stdlib 8.0.0”, thanks to smortex
puppetlabs-postgresql#1290: “drop code for Debian 6/7 and Ubuntu 10.04/12.04”, thanks to evgeni and the following people who helped get it over the line (ekohl)
puppetlabs-registry#254: “Add possibility to produce a detailed error message “, thanks to reidmv
puppetlabs-stdlib#1207: “os_version_gte: fix version comparison logic”, thanks to kenyon
puppetlabs-stdlib#1204: “max, lstrip: fix deprecated message”, thanks to b4ldr
puppetlabs-stdlib#1200: “New function to_python() / to_ruby()”, thanks to smortex
facterdb#186: “Release 1.9.0”, thanks to bastelfreak
pdk-templates#453: “(GH-327) Fix rubocop “off” & “hardcore” profiles”, thanks to russellshackleford
pdk-templates#446: “Don’t append a tag to image name if one already exists”, thanks to silug
pdksync#156: “Remove reference to non existent branch”, thanks to attachmentgenie

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released over the past 2 weeks:

The following gem was released this week:

puppet_litmus (0.29.0)

Holidays

The teams have had a couple bank holidays, but you'd hardly notice by all the updates from our Trusted Contributors. Thanks for helping us make the ecosystem better for everyone!

IAC & DevX updates; sharing PCT templates

Puppet Ecosystem — Mon, 23 Aug 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-postgresql#1291: “[IAC-1735] Fix test suite”, thanks to ekohl and the following people who helped get it over the line (smortex, bastelfreak)
puppetlabs-reboot#305: “(MODULES-11149) Modify result of ‘last’ to remove current time”, thanks to nmburgan
facterdb#185: “Add Debian 11 facts”, thanks to smortex
facterdb#184: “Add more FreeBSD facts”, thanks to smortex
facterdb#183: “Add Oracle Linux 8 facts”, thanks to as0bu
facterdb#181: “Adding puppet7 facter4.2 facts for centos7/8 and debian9/10”, thanks to jacobmw and the following people who helped get it over the line (kenyon)
facterdb#176: “Adds Rocky Linux vagrant image, facts and get_facts.sh support”, thanks to fuero and the following people who helped get it over the line (ghoneycutt, smortex)
puppet_litmus#425: “Added options to idempotent_apply”, thanks to ZloeSabo

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

DevX Updates

We released version 0.3.0 of the PCT tool last Friday. This introduces the ability to package up and share content templates.

Instructions on how to install the PCT tool can be found here.

Community Day

As no summer can end without a holiday, some of our our team members are on a short PTO . Next Monday is a bank holiday in EMEA, therefore community day will be quieter.

Debian 11 Support

We added support for Debian 11 across all our supported modules and started releasing the modules with Debian 11 support.

IAC & DevX Updates; brace yourselves, Debian 11 is coming

Puppet Ecosystem — Mon, 16 Aug 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-accounts#388: “MODULES-11100 - Add sk-ecdsa public key support, and implement tests for sk-ecdsa and ecdsa keys”, thanks to vollmerk
puppetlabs-kubernetes#530: “Enable live-restore for Docker daemon.”, thanks to peteroruba
puppetlabs-mysql#1427: “MODULES-8373 Fix mysql_grant resource to be idempodent on MySQL 8+”, thanks to theq86
puppetlabs-postgresql#1291: “[IAC-1735] Fix test suite”, thanks to ekohl and the following people who helped get it over the line (smortex, bastelfreak)
puppetlabs-stdlib#1196: “Flip installed and present in Function ensure_packages”, thanks to cocker-cc and the following people who helped get it over the line (bastelfreak, ekohl)
pdk-templates#443: “Only auto release if the changelog is updated”, thanks to jarretlavallee
metadata-json-lint#118: “release 3.0.1”, thanks to bastelfreak and the following people who helped get it over the line (ekohl)

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

puppetlabs-java (7.1.0)
puppetlabs-accounts (7.1.0)
puppetlabs-package (2.1.0)
pdksync (0.6.0)

Debian 11 Support

We are currently adding support for Debian 11 across our modules and will release them over the next few weeks.

IAC & DevX Updates; best of luck to James 🎉

Puppet Ecosystem — Mon, 09 Aug 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-docker#764: “Remove stderr empty check to avoid docker_params_changed failures when warnings appear”, thanks to cedws
puppetlabs-docker#763: “Duplicate declaration statement: docker_params_changed is already declared”, thanks to basti-nis
puppetlabs-mysql#1420: “Set ordering of acceptance tests”, thanks to ghoneycutt
puppetlabs-stdlib#1196: “Fix ensure_packages”, thanks to cocker-cc
facterdb#180: “release 1.8.0”, thanks to bastelfreak
pdk-docker#34: “(MAINT) Update bionic image tag to use date-based tag”, thanks to nkanderson
rspec-puppet#11: “Add Ruby 3 support”, thanks to bastelfreak
metadata-json-lint#117: “Update rubocop requirement from ~> 0.50.0 to ~> 0.57.2”, thanks to dependabot[bot]
metadata-json-lint#116: “Add GitHub actions + badges”, thanks to bastelfreak

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

puppetlabs-apache (6.4.0)
puppetlabs-postgresql (7.3.0)

DevX Team Update

PDK 2.2.0

PDK 2.2.0 was released earlier in the week. This update brings two significant new features:

Support for OSX 11, Debian 11, Fedora 32 & 34
Ability to configure skipping validation on certain files within a project

We have also bumped the version of Ruby the PDK is running on from 2.4 -> 2.5. Please note, Ruby 2.4 is still available for testing against Puppet 5 environments.

There are also a number of bug fixes and improvements. Full details can be found here.

Goodbye James

Unfortunately we have to say goodbye to James who is leaving Puppet next Tuesday. No doubt, many of you will be aware of the huge amount of contributions James has made to the Puppet ecosystem: James was the architect behind our IIS and DSC modules as well as the new autogenerated DSC modules; he touched nearly every part of Puppet that interacted with Windows across modules, Bolt, Puppet, and tooling; he co-designed and implemented the VSCode extension and language server, vastly improving the lives of everyone writing Puppet code; for the last four months he’s led this team, providing guidance and unifying our vision around what developing and maintaining Puppet content can be. Whether it be Windows content, improving the functionality and experience of Puppet’s products on Windows, the Puppet VSCode Plugin, - it’s no exaggeration to say that his contributions have been many and significant.

We’d like to thank James for his contributions, support and leadership and wish him the very best of luck in the next chapter of his career!

github-changelog-generator moved to puppetlabs namespace

We have forked github-changelog-generator to puppetlabs namespace .

This will give more control on adding features and bug fixes which will help us with the supported module release process in the future.

IAC & DevX Updates; tons of community fixes

Puppet Ecosystem — Mon, 02 Aug 2021 00:00:00 +0000

Community Contributions

We’d like to thank the following people in the Puppet Community for their contributions over this past week:

puppetlabs-apache#2174: “(MODULES-11075) Improve future version handling for RHEL”, thanks to mwhahaha and the following people who helped get it over the line (ekohl)
puppetlabs-apache#2165: “(maint) Fix puppet-strings docs on apache::vhost”, thanks to ekohl
puppetlabs-apache#2164: “Allow custom userdir directives”, thanks to hunner and the following people who helped get it over the line (ekohl)
puppetlabs-apache#2157: “Add feature to reload apache service when content of ssl files has changed”, thanks to timdeluxe and the following people who helped get it over the line (ekohl)
puppetlabs-apt#993: “apt::source: pass the weak_ssl param to apt::key”, thanks to kenyon
puppetlabs-apt#991: “[MODULES-9695] - Add support for signed-by in source entries”, thanks to johanfleury
puppetlabs-firewall#998: “add compatibility with Rocky Linux”, thanks to vchepkov
puppetlabs-kubernetes#528: “Support for kubernetes dashboard version 2.0.0 and onwards”, thanks to danifr
puppetlabs-postgresql#1282: “Do not add version component to repo definition”, thanks to weastur and x1e
puppetlabs-tomcat#454: “Accept Datatype Sensitive for Secrets”, thanks to cocker-cc
facterdb#175: “Release 1.7.0”, thanks to bastelfreak and the following people who helped get it over the line (ekohl)
facterdb#174: “Fixes #173 - Add AlmaLinux”, thanks to maccelf
facterdb#171: “Introduce cache to speed things up and cleanup method”, thanks to lzap and the following people who helped get it over the line (ekohl, bastelfreak)
rspec-puppet-facts#131: “Move facterversion_obj declaration out of the loop”, thanks to ekohl
rspec-puppet-facts#130: “release 2.0.2”, thanks to bastelfreak
rspec-puppet-facts#129: “Implement github action testing and codecov coverage reporting”, thanks to bastelfreak
iac#286: “Bump addressable from 2.7.0 to 2.8.0”, thanks to [dependabot[bot]][dependabot[bot]]
litmus#24: “Bump addressable from 2.7.0 to 2.8.0”, thanks to [dependabot[bot]][dependabot[bot]]
litmusimage#33: “Adds Rocky Linux & Alma Linux”, thanks to fuero
pdk-templates#441: “Run validation steps prior to the matrix build”, thanks to ekohl
puppet-strings#285: “(FIXUP) Check for nil before injecting provider param into Types”, thanks to scotje
puppetlabs_spec_helper#340: “Use Rubocop’s Github Actions formatter if possible”, thanks to ekohl and the following people who helped get it over the line (bastelfreak)

Check all the ways to reach us if you want to directly contact us about anything module related.

New Module / Gem Releases

The following modules were released this week:

The following gems were released this week:

puppet-lint (2.5.0)
rspec-puppet (2.10.0)
puppetlabs_spec_helper (4.0.0)

Puppet.Dsc Stable Release!

This week we pushed our Puppet.Dsc PowerShell module to the PowerShell Gallery at version 1.0.0! This represents more than a year of work bringing us confidence and stability in the auto-generated modules which Puppetize PowerShell DSC Resources. That done, not much actually changed in this release - a ton of added testing and validation, but the features were already very solid. As always we’ll continue to take bug reports and address them but our attention turns now to the long-promised automation; We’re working through the auto-publishing of PowerShell modules with DSC Resources to the Puppet Forge! Very soon, there will be less than a 24 hour delay between when a new module (or new version of an existing module) with DSC Resources lands on the PowerShell Gallery and when it arrives, Puppetized, on the Forge!

`rpsec-puppet`, `puppet-lint` moved to `puppetlabs` namespace

We have moved puppet-lint, rspec-puppet to the namespace and released puppet-lint 2.5.0 and rspec-puppet 2.10.0. This will help facilitate more frequent releases of these gems in the future.

Dropsonde update

The IAC team have completed all development tasks on both the Dropsonde module and Gem. Next, the team will be working on getting both module and gem package up as part of Puppet server. Read about our content telemetry story and how it can improve the ecosystem, then see some more examples of ways to use our existing module data already.

Forem: Puppet Ecosystem

A Fond Farewell For Now to Community Day & Norman

IAC Community Day

Background

Community Day (Introduced in November 2020)

Farewell, Norman 💜

IAC & DevX Team Updates; just cranking along

Community Contributions

New Module / Gem Releases

Mitigating the 0-day Apache path traversal vulnerability

Using Puppet Enterprise

Using Puppet Bolt

Verifying the mitigation

Learn more

IAC & DevX Updates; farewell Danny

Community Contributions

New Module / Gem Releases

Puppet Module Major Releases

Farewell Danny

Malware Scanning on the Puppet Forge

The Puppet Forge Module Ecosystem

Quality Scores

Building the Scanner

So what next?

IAC & DevX Team Updates; platform support strategy

Community Contributions

New Module / Gem Releases

The dropping of support

DevX Team Updates

PCT 0.4.0

puppet-lint 2.5.2

IAC & DevX Team Status; module updates

Community Contributions

New Module / Gem Releases

puppetlabs-apache module droppped code for Debian < 8 and Ubuntu < 14.04

IAC & DevX Updates; Trusted Contributors

Community Contributions

New Module / Gem Releases

Holidays

IAC & DevX updates; sharing PCT templates

Community Contributions

New Module / Gem Releases

DevX Updates

Community Day

Debian 11 Support

IAC & DevX Updates; brace yourselves, Debian 11 is coming

Community Contributions

New Module / Gem Releases

Debian 11 Support

IAC & DevX Updates; best of luck to James 🎉

Community Contributions

New Module / Gem Releases

DevX Team Update

PDK 2.2.0

Goodbye James

github-changelog-generator moved to puppetlabs namespace

IAC & DevX Updates; tons of community fixes

Community Contributions

New Module / Gem Releases

Puppet.Dsc Stable Release!

rpsec-puppet, puppet-lint moved to puppetlabs namespace

Dropsonde update

`puppet-lint 2.5.2`

`rpsec-puppet`, `puppet-lint` moved to `puppetlabs` namespace