Details
Bug
Status: Needs Information
Normal
Resolution: Unresolved
PUP 7.4.1, PUP 6.21.1
None
None
Needs Assessment
Needs Assessment
Description
Puppet Version: 7.4.1 / 6.21.1
Puppet Server Version: 7.0.2
OS Name/Version: Windows Server 2016, Debian Buster, RedHat 8.2
The "noop" option for the agent and servers does not do what is described. It changes local files to actually report what configuration steps it needs to do.
Desired Behavior:
puppet agent -t --noop
Reports what facts it will import, what modules are missing locally, actually does no changes.
Actual Behavior:
puppet agent -t --noop
Downloads any modified module files with their facts (rb), downloads any facts.d files, and executes both the module facts and facts.d files. Thus it modifies the system.
Thoughts
It is impossible to fix this with the "noop" option itself; I suggest adding another switch to enforce the expected result of "noop" for those who need that level of control.
The reason for this is if one uses Puppet to configure different levels of trust servers, i.e. Windows Domain Controllers, LDAP servers, Kerberos Domains, Certificate Authorities, servers which handle login, etc. It is desirable to put them in a "noop" mode when in production to be alerted that something wants to be updated, without actually modifying it. If one breaches Puppet, one owns everything an agent is on without such a mode, since one can in practice modify systems through the module facts and facts.d feature...
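One way to check the behaviour reported above on a given node, as an added example that is not part of the ticket or of Puppet's own code: hash the directories the agent syncs module facts and facts.d files into, perform a `--noop` run, and list every file that was added or modified. The function names are hypothetical, and the script assumes the `puppet` executable is on PATH and that the `libdir` and `pluginfactdest` settings name those directories.

```python
import hashlib
import os
import subprocess
import sys

def snapshot(roots):
    """Map every file under the given directories to its SHA-256 digest."""
    digests = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff(before, after):
    """Return the paths added, removed or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def plugin_dirs():
    """Ask the agent where it stores synced module facts and facts.d files."""
    return [
        subprocess.run(["puppet", "config", "print", s, "--section", "agent"],
                       capture_output=True, text=True, check=True).stdout.strip()
        for s in ("libdir", "pluginfactdest")
    ]

def noop_run():
    # No check=True: a non-zero exit status should not hide the file changes.
    subprocess.run(["puppet", "agent", "-t", "--noop"])

def audit(roots, run=noop_run):
    """Snapshot the directories, perform the run, report what changed on disk."""
    before = snapshot(roots)
    run()
    return diff(before, snapshot(roots))

if __name__ == "__main__":
    changes = audit(plugin_dirs())
    for kind, paths in changes.items():
        for path in paths:
            print(f"{kind}: {path}")
    sys.exit(1 if any(changes.values()) else 0)
```

A non-empty report after a `--noop` run means fact code was written to disk during that run; the script exits with status 1 in that case so it can gate a scheduled check.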