Behaviors
1. By default, `apply_prep` will:
   a. Run `puppet_agent::version` with default options for all targets
   b. Run `puppet_agent::install` with default options for all targets that don't have a Puppet agent
2. By default, `puppet_agent::install` will:
   a. Attempt to install a puppet collection RPM
      i. RPM installs from https://yum.puppet.com on the public internet
      ii. The Yum repository contains the `puppet-agent` RPM
   b. Install the latest `puppet-agent` package (currently 6.7+)
      i. RPM installs from https://yum.puppet.com on the public internet
      ii. Based on the puppet collection RPM and the RPMs available from the target's other Yum repos
   c. NOT attempt to update an existing `puppet-agent` package (bolt#1208)
      i. No matter how old it is.
      ii. Even without defaults, this behavior cannot be changed
Implications
- Behavior 1 assumes installing software from the public internet is available, permissible, and desirable
- If successful, Behaviors 2a + 2b permanently modify the installed software and repositories on the target OS
  - This potentially modifies an approved baseline without appropriate controls
- These default behaviors are especially problematic, because they are effectively impossible to reconfigure with system or user-level defaults:
  - Settings from the "user project directory" (`~/.puppetlabs/bolt/bolt.yaml`) are completely ignored when Bolt is run from an embedded or local project directory
  - There is no other mechanism to provide user-level default Bolt configurations.
  - There is no mechanism to provide system-level default Bolt configurations at all.
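
The side effect described in Behaviors 2a and 2b can be checked on a target by looking for Yum repository definitions that point at yum.puppet.com. The script below is an added example, not part of the original page or of Bolt; the function names, the output format and the sample repo files are constructed for illustration, and on a real target the directory to pass is assumed to be `/etc/yum.repos.d`.

```shell
# Added example (not from Bolt). Prints one line per matching repo section:
#   <file>:<repo id>:enabled=<value>
find_puppet_repos() {
    dir=$1
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function emit() { if (id != "" && hit) print file ":" id ":enabled=" enabled }
            /^[ \t]*[#;]/ { next }                   # skip comment lines
            /^[ \t]*\[.*\][ \t]*$/ {                 # start of a new [repo-id] section
                emit()
                id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
                hit = 0; enabled = 1                 # yum default when the key is absent
                next
            }
            /^[ \t]*enabled[ \t]*=/ {
                enabled = $0; sub(/^[^=]*=[ \t]*/, "", enabled); sub(/[ \t]+$/, "", enabled)
                next
            }
            index($0, "yum.puppet.com") { hit = 1 }  # baseurl, mirrorlist or a continuation line
            END { emit() }
        ' "$f"
    done
}

# Succeeds (status 0) only when no enabled repo section points at yum.puppet.com.
check_baseline() { ! find_puppet_repos "$1" | grep -q ':enabled=1$'; }

# Constructed sample repo files so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/base.repo" <<'EOF'
[base]
baseurl=https://mirror.example.internal/os/
enabled=1
EOF
cat > "$demo_dir/puppet6.repo" <<'EOF'
[puppet6]
baseurl=https://yum.puppet.com/puppet6/el/7/$basearch

[puppet6-source]
baseurl=https://yum.puppet.com/puppet6/el/7/SRPMS
enabled=0
EOF
find_puppet_repos "$demo_dir"
```

Running `check_baseline` before and after a plan that calls `apply_prep` shows whether the target's repository set changed.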