Issue #20679 has been updated by Sean Millichamp.
I actually depend on the ability to override the global setting for "known-safe" resources to that I can properly present a more usable "noop" run to the engineers who are using it. It is a fundamental design that threads through (just about) every Puppet module we have. For example, I use a concat file-style module that uses defines to assemble files client-side (which is a pretty common design pattern it seems). The concat module overrides noop to false on all of its resources to ensure that the final file is "built" properly client side so that when the noop run is done and Puppet shows a diff of the staged concat-built file and the currently running file, allowing the engineer to easily evaluate in diff format what the changes would look like. This DOES cause real changes, but we ensure that those changes are confined to a "Puppet owned" directory where the concat file module does its work and not a real config file. If you "fix" this it will destroy one of our fundamental workflows. I've also, in the past, used it to centrally force a set of systems that had been intentionally set to noop mode to apply a very specific set of resources to take them out of noop mode. ---------------------------------------- Bug #20679: puppet agent --noop command line option does not guarantee a fully dry run https://projects.puppetlabs.com/issues/20679#change-92213 * Author: Nick Moriarty * Status: Needs Decision * Priority: High * Assignee: eric sorenson * Category: agent * Target version: * Affected Puppet version: 2.7.11 * Keywords: noop simulation dry-run dryrun simulate test backlog * Branch: ---------------------------------------- According to some documentation (including man pages), and common sense, specifying --noop should cause Puppet agent to run in 'dry-run' mode, and make no changes. However, it seems that this actually just changes the global resource default for 'noop' to true. If a resource is defined which determines noop itself (for example, based on a parameter), this will escape what would reasonably be expected to be a simulation run, as it will override the global noop with 'false'. I noticed this while testing a development branch and noting that it actually affected a file mode somewhere. If not implemented via the 'noop' mechanism, a proper simulation mode should be provided which will show exactly what will happen, but with the guarantee that nothing will be done. The current --noop flag certainly doesn't provide that guarantee. This issue may cause us to internally ban the use of 'noop' in manifests, as it leaves us with no way of guaranteeing a proper dry run. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
