Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10965

Puppet noop mode is not noop for modules or facts



    • Bug
    • Status: Needs Information
    • Normal
    • Resolution: Unresolved
    • PUP 7.4.1, PUP 6.21.1
    • None
    • None
    • Needs Assessment
    • Needs Assessment


      Puppet Version: 7.4.1 / 6.21.1
      Puppet Server Version: 7.0.2
      OS Name/Version: Windows Server 2016, Debian Buster, RedHat 8.2

      The "noop" option for the agent and servers does not do what it has described. It changes local files to actually report what configuration steps it needs to do.

      Desired Behavior:

      puppet agent -t --noop

      Reports what facts it will import, what modules are missing locally, actually does no changes.

      Actual Behavior: 

      puppet agent -t --noop

      Downloads any modified module files with their facts (rb), downloads any facts.d files, executes both the module facts and facts.d files. Thus modifies the system




      **It is impossible to fix this with the "noop" option itself, I suggest adding another switch to enforce the expected result of "noop" for those who needs the level of control.

      The reason for this is if one uses Puppet to configure different levels of trust servers, ie Windows Domain Controllers, LDAP servers, Kerberos Domains, Certificate Authorities, servers which handle login, etc. It is desirable to put them in a "noop" mode when in production to be alerted something wants to be updated, without actually modifying it. If one breaches Puppet, one owns everything an agent is on without such a mode, since one can in practice modify systems through the module facts and facts.d feature...




            Unassigned Unassigned
            TheFlyingCorpse Rune Darrud
            0 Vote for this issue
            3 Start watching this issue



              Zendesk Support