Overview
When /tmp is mounted noexec, users running puppet agent -t will begin to receive a disconcerting error message from facter on every puppet run.
Expected result
Mounting /tmp as noexec is recommended by the OS vendor and many independent hardening guides. Puppet should work without error or warning in such environments.
Actual result
Users receive a warning message on every puppet run:
[root@localhost tmp]# puppet facts > /dev/null
Warning: Could not match *** LOCAL GEMS ***
Analysis
The error is caused by the puppetserver gem list command outputting *** LOCAL GEMS *** when executed, in spite of the notes in the gem provider's gemsplit function:
def self.gemsplit(desc)
  # `gem list` when output console has a line like:
  # *** LOCAL GEMS ***
  # but when it's not to the console that line
  # and all blank lines are stripped
  # so we don't need to check for them
Invoking puppetserver gem list on the command line also gives another message about stty that doesn't seem to impact things:
[root@localhost puppetserver_gem]# puppetserver gem list
io/console on JRuby shells out to stty for most operations
*** LOCAL GEMS ***
To fix the error, we just need to reject the *** LOCAL GEMS *** message and lines consisting of only whitespace in the module's provider.
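One way to implement the filtering described above, as an added Ruby example that is not the puppetserver_gem module's or Puppet's own code. The names parse_gem_list, LOCAL_GEMS_BANNER and GEM_LINE and the sample output are assumptions made for illustration; it goes slightly beyond the stated fix by returning lines that are neither noise nor gem entries, so genuine parse failures can still be warned about.

```ruby
# Added example: filter `gem list` style output before parsing it.
# All names and the sample text below are constructed, not Puppet code.

LOCAL_GEMS_BANNER = '*** LOCAL GEMS ***'
# A gem entry looks like "name (1.2.3)" or "name (default: 2.3.0, 1.8.3)".
GEM_LINE = /\A(\S+) \((.+)\)\z/

# Returns [gems, unmatched]:
#   gems      - Hash of gem name => Array of version strings
#   unmatched - lines that are neither known noise nor a gem entry
def parse_gem_list(output)
  gems = {}
  unmatched = []
  output.each_line do |raw|
    line = raw.strip
    # Reject the banner and whitespace-only lines instead of warning on them.
    next if line.empty? || line == LOCAL_GEMS_BANNER

    if (m = GEM_LINE.match(line))
      gems[m[1]] = m[2].split(/,\s*/).map { |v| v.sub(/\Adefault: /, '') }
    else
      # Keep anything else visible so real parsing problems are not hidden.
      unmatched << line
    end
  end
  [gems, unmatched]
end

# Constructed sample resembling output captured with the banner present.
SAMPLE = [
  '',
  '*** LOCAL GEMS ***',
  '',
  'hocon (1.3.1)',
  '   ',
  'json (default: 2.3.0, 1.8.3)',
  'unexpected line'
].join("\n")

if __FILE__ == $PROGRAM_NAME
  gems, unmatched = parse_gem_list(SAMPLE)
  gems.each { |name, versions| puts "#{name}: #{versions.join(', ')}" }
  unmatched.each { |line| puts "Warning: Could not match #{line}" }
end
```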
The gemsplit function quoted above is in /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/provider/package/gem.rb.
User impact
Annoying message
Workaround
Hotfix