Bolt: Problematic default `apply_prep` behaviors


This article was written about Bolt 1.X

  • The technical information in this article was last updated on Dec 02, 2019 and described Bolt 1.X
  • Technical details may have changed in Bolt 3.X
    • they should be re-validated before using this article for guidance.

Behaviors

1. By default, apply_prep will:

   a. Run puppet_agent::version with default options for all targets

   b. Run puppet_agent::install with default options for all targets that don't have a Puppet agent

2. By default, puppet_agent::install will:

   a. Attempt to install a puppet collection RPM

      i.  The RPM installs from https://yum.puppet.com on the public internet

      ii. The Yum repository contains the puppet-agent RPM

   b. Install the latest puppet-agent package (currently 6.7+)

      i.  The RPM installs from https://yum.puppet.com on the public internet

      ii. Based on the puppet collection RPM and the RPMs available from the target's other Yum repos

   c. NOT attempt to update an existing `puppet-agent` package (bolt#1208)

      i.  No matter how old it is.

      ii. Even when not using the default options, this behavior cannot be changed

Implications

  1. Behavior 1 assumes installing software from the public internet is available, permissible, and desirable

  2. If successful, Behaviors 2a + 2b permanently modify the installed software and repositories on the target OS
    1. This potentially modifies an approved baseline without appropriate controls

  3. These default behaviors are especially problematic, because they are effectively impossible to reconfigure with system- or user-level defaults:
    1. Settings from the "user project directory" (~/.puppetlabs/bolt/bolt.yaml) are completely ignored when Bolt is run from an embedded or local project directory.
    2. There is no other mechanism to provide user-level default bolt configurations.
    3. There is no mechanism to provide system-level default bolt configurations at all.
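Because Behaviors 1b, 2a and 2b change targets silently, a practitioner will usually want to know beforehand which targets apply_prep would modify and which stale agents it would leave alone (Behavior 2c). The following pre-flight check is an added example, not code from Bolt or from this article: it reads the JSON output of `bolt task run puppet_agent::version --format json` and sorts targets into those buckets. The sample output is constructed, and the item keys (`node`, `status`, `result.version`) are assumed to match Bolt 1.X's JSON format.

```python
import json
import re

# Constructed sample of `bolt task run puppet_agent::version --targets all --format json`
# output. Assumption: Bolt 1.X emits one item per target with "node", "status" and "result".
SAMPLE_BOLT_OUTPUT = json.dumps({
    "items": [
        {"node": "web1.example.com", "status": "success",
         "result": {"version": "6.7.2", "source": "/opt/puppetlabs/bin/puppet"}},
        {"node": "web2.example.com", "status": "success",
         "result": {"version": "5.5.10", "source": "/opt/puppetlabs/bin/puppet"}},
        {"node": "db1.example.com", "status": "success",
         "result": {"version": None, "source": None}},
        {"node": "gone.example.com", "status": "failure",
         "result": {"_error": {"msg": "Connection refused"}}},
    ],
    "node_count": 4,
    "elapsed_time": 3,
})


def _version_tuple(version):
    """Turn '6.7.2' into (6, 7, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def classify_targets(bolt_json, minimum_version="6.7.0"):
    """Predict what apply_prep would do to each target in the task output.

    would_install: no agent found, so apply_prep would add the puppet collection repo
                   and install the latest puppet-agent from the public internet (1b, 2a, 2b)
    stale:         agent older than minimum_version; apply_prep would NOT update it (2c)
    ok:            agent present and at least minimum_version
    unreachable:   the version task failed, so nothing is known about the target
    """
    buckets = {"would_install": [], "stale": [], "ok": [], "unreachable": []}
    for item in json.loads(bolt_json)["items"]:
        name = item["node"]
        if item["status"] != "success":
            buckets["unreachable"].append(name)
            continue
        version = item["result"].get("version")
        if not version:
            buckets["would_install"].append(name)
        elif _version_tuple(version) < _version_tuple(minimum_version):
            buckets["stale"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets


if __name__ == "__main__":
    for bucket, targets in classify_targets(SAMPLE_BOLT_OUTPUT).items():
        print(f"{bucket:14} {', '.join(targets) or '-'}")
```

Run it against real output by piping `bolt task run puppet_agent::version --targets all --format json` into `classify_targets` instead of the constructed sample; the stale and would_install buckets are the targets whose baseline needs a decision before apply_prep runs.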