Jira (PUP-10965) Puppet noop mode is not noop for modules or facts


Rune Darrud (Jira)

Mar 12, 2021, 7:17:03 AM
to puppe...@googlegroups.com
Rune Darrud created an issue
 
Puppet / Bug PUP-10965
Puppet noop mode is not noop for modules or facts
Issue Type: Bug
Affects Versions: PUP 6.21.1, PUP 7.4.1
Assignee: Unassigned
Created: 2021/03/12 4:16 AM
Priority: Normal
Reporter: Rune Darrud

Puppet Version: 7.4.1 / 6.21.1
Puppet Server Version: 7.0.2
OS Name/Version: Windows Server 2016, Debian Buster, RedHat 8.2

The "noop" option for the agent and servers does not do what it has described. It changes local files to actually report what configuration steps it needs to do.

Desired Behavior:

puppet agent -t --noop

Reports what facts it will import, what modules are missing locally, actually does no changes.

Actual Behavior: 

puppet agent -t --noop

Downloads any modified module files with their facts (rb), downloads any facts.d files, executes both the module facts and facts.d files. Thus modifies the system.

 

 

Thoughts

It is impossible to fix this with the "noop" option itself; I suggest adding another switch to enforce the expected result of "noop" for those who need the level of control.

The reason for this is if one uses Puppet to configure different levels of trust servers, i.e. Windows Domain Controllers, LDAP servers, Kerberos Domains, Certificate Authorities, servers which handle login, etc. It is desirable to put them in a "noop" mode when in production to be alerted something wants to be updated, without actually modifying it. If one breaches Puppet, one owns everything an agent is on without such a mode, since one can in practice modify systems through the module facts and facts.d feature...

 
This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Josh Cooper (Jira)

Mar 12, 2021, 2:51:03 PM
to puppe...@googlegroups.com

> It is desirable to put them in a "noop" mode when in production to be alerted something wants to be updated

Is the request to be alerted when there is "corrective" change (the system drifted from desired state and puppet would need to correct it), or when there is "intentional" change (the puppet code changed and puppet needs to update the system to match), or both?

Rune Darrud (Jira)

Mar 27, 2021, 2:15:03 PM
to puppe...@googlegroups.com
Rune Darrud commented on Bug PUP-10965

The noop in place already alerts on a corrective change to the system when it has drifted from the system.

What I am reporting is that you can modify the system even when the agent is in "noop" mode through the use of facts and changes to modules' Ruby code loaded during the phase where it looks for what to correctively change, thus it is not in fact a true "noop".

An example would be if I updated a module on the puppet master and it adds a new fact, that would be pulled by the agent on the next run and executed, not alerted as a change in a corrective sense via noop.
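
One way to observe the behaviour described in this thread from the defender's side, as an added example that is not part of the original messages or of Puppet itself: hash every file in the agent's synced plugin directories before and after a `--noop` run and report what changed. The function names and the constructed temp-directory demo are illustrative; it is an assumption that the directories to watch are the ones printed by `puppet config print libdir pluginfactdest`.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before, after):
    """Return files added, changed and removed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
        "removed": sorted(set(before) - set(after)),
    }


def demo():
    """Constructed stand-in: a temp dir plays the role of the synced fact directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "facter"))
        existing = os.path.join(root, "facter", "role.rb")
        with open(existing, "w") as fh:
            fh.write("Facter.add(:role) { setcode { 'dc' } }\n")
        before = snapshot(root)
        # Simulated effect of plugin sync during a noop run (constructed; no agent is invoked).
        with open(existing, "w") as fh:
            fh.write("Facter.add(:role) { setcode { 'ca' } }\n")
        with open(os.path.join(root, "facter", "new_fact.rb"), "w") as fh:
            fh.write("Facter.add(:new_fact) { setcode { 'x' } }\n")
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A non-empty result after a real `puppet agent -t --noop` run shows that fact code was synced during that run; per the report above, that code has also already been executed by then, so this is a detection aid and not a prevention.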

Beth Glenfield (Jira)

Jun 3, 2021, 4:44:01 AM
to puppe...@googlegroups.com
Beth Glenfield updated an issue
 
Change By: Beth Glenfield
Labels: community
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)