CHANGELOG.md

@@ -2,6 +2,15 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.6.1] - 2021-04-27
+
+### Summary
+Fix upgrades when files from /tmp directory cannot be executed
+
+### Bug fixes
+
+- ([MODULES-11057](https://tickets.puppetlabs.com/browse/MODULES-11057)) Do not use /tmp directory for executables ([#557](https://github.com/puppetlabs/puppetlabs-puppet_agent/pull/557))
+
 ## [4.6.0] - 2021-04-22
 
 ### Summary

README.markdown

@@ -47,11 +47,14 @@
         - [`msi_move_locked_files`](#msi_move_locked_files)
         - [`wait_for_pxp_agent_exit`](#wait_for_pxp_agent_exit)
         - [`wait_for_puppet_run`](#wait_for_puppet_run)
+        - [`config`](#config)
     - [Plans](#plans)
       - [`puppet_agent::run`](#puppet_agentrun)
     - [Tasks](#tasks)
       - [`puppet_agent::version`](#puppet_agentversion)
       - [`puppet_agent::install`](#puppet_agentinstall)
+      - [`puppet_agent::facts_diff`](#puppet_agentfacts_diff)
+      - [`puppet_agent::delete_local_filebucket`](#puppet_agentdelete_local_filebucket)
   - [Limitations](#limitations)
     - [Known issues](#known-issues)
   - [Development](#development)

acceptance/tests/test_upgrade_puppet5_to_puppet6.rb

@@ -30,7 +30,7 @@ class { puppet_agent:
   end
 
   agents_only.each do |agent|
-    set_up_initial_agent_on(agent, 'puppet5-nightly') do
+    set_up_initial_agent_on(agent, 'puppet5') do
       step '(Agent) Change agent environment to testing environment' do
         on(agent, puppet("config --section agent set environment #{puppet_testing_environment}"))
         on(agent, puppet("config --section user set environment production"))

manifests/osfamily/redhat.pp

@@ -83,6 +83,28 @@
     $gpg_keys = "file://${legacy_gpg_path}
   file://${gpg_path}"
 
+    $script = @(SCRIPT/L)
+ACTION=$0
+GPG_HOMEDIR=$1
+GPG_KEY_PATH=$2
+GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons"
+GPG_BIN=$(command -v gpg || command -v gpg2)
+if [ -z "${GPG_BIN}" ]; then
+  echo Could not find a suitable gpg command, exiting...
+  exit 1
+fi
+GPG_PUBKEY=gpg-pubkey-$("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}" 2>&1 | grep ^pub | cut -d: -f5 | cut --characters=9-16 | tr "[:upper:]" "[:lower:]")
+if [ "${ACTION}" = "check" ]; then
+  # This will return 1 if there are differences between the key imported in the
+  # RPM database and the local keyfile. This means we need to purge the key and
+  # reimport it.
+  diff <(rpm -qi "${GPG_PUBKEY}" | "${GPG_BIN}" ${GPG_ARGS}) <("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}")
+elif [ "${ACTION}" = "import" ]; then
+  (rpm -q "${GPG_PUBKEY}" && rpm -e --allmatches "${GPG_PUBKEY}") || true
+  rpm --import "${GPG_KEY_PATH}"
+fi
+| SCRIPT
+
     if $::puppet_agent::manage_pki_dir == true {
       file { ['/etc/pki', '/etc/pki/rpm-gpg']:
         ensure => directory,
@@ -105,22 +127,17 @@
       source => "puppet:///modules/puppet_agent/${keyname}",
     }
 
-    file { "${::env_temp_variable}/rpm_gpg_import_check.sh":
-      ensure => file,
-      source => 'puppet:///modules/puppet_agent/rpm_gpg_import_check.sh',
-      mode   => '0755',
-    }
-    -> exec { "import-${legacy_keyname}":
+    exec { "import-${legacy_keyname}":
       path      => '/bin:/usr/bin:/sbin:/usr/sbin',
-      command   => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${legacy_gpg_path}",
-      unless    => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${legacy_gpg_path}",
+      command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${legacy_gpg_path}",
+      unless    => "/bin/bash -c '${script}' check ${gpg_homedir} ${legacy_gpg_path}",
       require   => File[$legacy_gpg_path],
       logoutput => 'on_failure',
     }
-    -> exec { "import-${keyname}":
+    exec { "import-${keyname}":
       path      => '/bin:/usr/bin:/sbin:/usr/sbin',
-      command   => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${gpg_path}",
-      unless    => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${gpg_path}",
+      command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${gpg_path}",
+      unless    => "/bin/bash -c '${script}' check ${gpg_homedir} ${gpg_path}",
       require   => File[$gpg_path],
       logoutput => 'on_failure',
     }

manifests/osfamily/suse.pp

@@ -63,6 +63,28 @@
         $gpg_path        = "/etc/pki/rpm-gpg/RPM-${keyname}"
         $gpg_homedir     = '/root/.gnupg'
 
+        $script = @(SCRIPT/L)
+ACTION=$0
+GPG_HOMEDIR=$1
+GPG_KEY_PATH=$2
+GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons"
+GPG_BIN=$(command -v gpg || command -v gpg2)
+if [ -z "${GPG_BIN}" ]; then
+  echo Could not find a suitable gpg command, exiting...
+  exit 1
+fi
+GPG_PUBKEY=gpg-pubkey-$("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}" 2>&1 | grep ^pub | cut -d: -f5 | cut --characters=9-16 | tr "[:upper:]" "[:lower:]")
+if [ "${ACTION}" = "check" ]; then
+  # This will return 1 if there are differences between the key imported in the
+  # RPM database and the local keyfile. This means we need to purge the key and
+  # reimport it.
+  diff <(rpm -qi "${GPG_PUBKEY}" | "${GPG_BIN}" ${GPG_ARGS}) <("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}")
+elif [ "${ACTION}" = "import" ]; then
+  (rpm -q "${GPG_PUBKEY}" && rpm -e --allmatches "${GPG_PUBKEY}") || true
+  rpm --import "${GPG_KEY_PATH}"
+fi
+| SCRIPT
+
         if getvar('::puppet_agent::manage_pki_dir') == true {
           file { ['/etc/pki', '/etc/pki/rpm-gpg']:
             ensure => directory,
@@ -85,22 +107,17 @@
           source => "puppet:///modules/puppet_agent/${legacy_keyname}",
         }
 
-        file { "${::env_temp_variable}/rpm_gpg_import_check.sh":
-          ensure => file,
-          source => 'puppet:///modules/puppet_agent/rpm_gpg_import_check.sh',
-          mode   => '0755',
-        }
-        -> exec { "import-${legacy_keyname}":
+        exec { "import-${legacy_keyname}":
           path      => '/bin:/usr/bin:/sbin:/usr/sbin',
-          command   => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${legacy_gpg_path}",
-          unless    => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${legacy_gpg_path}",
+          command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${legacy_gpg_path}",
+          unless    => "/bin/bash -c '${script}' check ${gpg_homedir} ${legacy_gpg_path}",
           require   => File[$legacy_gpg_path],
           logoutput => 'on_failure',
         }
-        -> exec { "import-${keyname}":
+        exec { "import-${keyname}":
           path      => '/bin:/usr/bin:/sbin:/usr/sbin',
-          command   => "${::env_temp_variable}/rpm_gpg_import_check.sh import ${gpg_homedir} ${gpg_path}",
-          unless    => "${::env_temp_variable}/rpm_gpg_import_check.sh check ${gpg_homedir} ${gpg_path}",
+          command   => "/bin/bash -c '${script}' import ${gpg_homedir} ${gpg_path}",
+          unless    => "/bin/bash -c '${script}' check ${gpg_homedir} ${gpg_path}",
           require   => File[$gpg_path],
           logoutput => 'on_failure',
         }

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "puppetlabs-puppet_agent",
-  "version": "4.6.0",
+  "version": "4.6.1",
   "author": "puppetlabs",
   "summary": "Upgrades All-In-One Puppet Agents",
   "license": "Apache-2.0",

spec/classes/puppet_agent_osfamily_redhat_spec.rb

@@ -24,19 +24,40 @@
       let(:facts) do
         super().merge(:operatingsystem  => os, :operatingsystemmajrelease => osmajor)
       end
+      script = <<-SCRIPT
+ACTION=$0
+GPG_HOMEDIR=$1
+GPG_KEY_PATH=$2
+GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons"
+GPG_BIN=$(command -v gpg || command -v gpg2)
+if [ -z "${GPG_BIN}" ]; then
+  echo Could not find a suitable gpg command, exiting...
+  exit 1
+fi
+GPG_PUBKEY=gpg-pubkey-$("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}" 2>&1 | grep ^pub | cut -d: -f5 | cut --characters=9-16 | tr "[:upper:]" "[:lower:]")
+if [ "${ACTION}" = "check" ]; then
+  # This will return 1 if there are differences between the key imported in the
+  # RPM database and the local keyfile. This means we need to purge the key and
+  # reimport it.
+  diff <(rpm -qi "${GPG_PUBKEY}" | "${GPG_BIN}" ${GPG_ARGS}) <("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}")
+elif [ "${ACTION}" = "import" ]; then
+  (rpm -q "${GPG_PUBKEY}" && rpm -e --allmatches "${GPG_PUBKEY}") || true
+  rpm --import "${GPG_KEY_PATH}"
+fi
+SCRIPT
 
       it { is_expected.to contain_exec('import-GPG-KEY-puppet-20250406').with({
         'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-        'command'   => '/tmp/rpm_gpg_import_check.sh import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406',
-        'unless'    => '/tmp/rpm_gpg_import_check.sh check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406',
+        'command'   => "/bin/bash -c '#{script}' import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
+        'unless'    => "/bin/bash -c '#{script}' check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
         'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406]',
         'logoutput' => 'on_failure',
       }) }
 
       it { is_expected.to contain_exec('import-GPG-KEY-puppet').with({
         'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-        'command'   => '/tmp/rpm_gpg_import_check.sh import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
-        'unless'    => '/tmp/rpm_gpg_import_check.sh check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
+        'command'   => "/bin/bash -c '#{script}' import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
+        'unless'    => "/bin/bash -c '#{script}' check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
         'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet]',
         'logoutput' => 'on_failure',
       }) }

spec/classes/puppet_agent_osfamily_suse_spec.rb

@@ -50,25 +50,40 @@
                 :package_version => package_version,
               }
             end
-
-            it { is_expected.to contain_file('/tmp/rpm_gpg_import_check.sh').with({
-              'ensure'    => 'file',
-              'source'    => 'puppet:///modules/puppet_agent/rpm_gpg_import_check.sh',
-              'mode'      => '0755',
-            }) }
+            script = <<-SCRIPT
+ACTION=$0
+GPG_HOMEDIR=$1
+GPG_KEY_PATH=$2
+GPG_ARGS="--homedir $GPG_HOMEDIR --with-colons"
+GPG_BIN=$(command -v gpg || command -v gpg2)
+if [ -z "${GPG_BIN}" ]; then
+  echo Could not find a suitable gpg command, exiting...
+  exit 1
+fi
+GPG_PUBKEY=gpg-pubkey-$("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}" 2>&1 | grep ^pub | cut -d: -f5 | cut --characters=9-16 | tr "[:upper:]" "[:lower:]")
+if [ "${ACTION}" = "check" ]; then
+  # This will return 1 if there are differences between the key imported in the
+  # RPM database and the local keyfile. This means we need to purge the key and
+  # reimport it.
+  diff <(rpm -qi "${GPG_PUBKEY}" | "${GPG_BIN}" ${GPG_ARGS}) <("${GPG_BIN}" ${GPG_ARGS} "${GPG_KEY_PATH}")
+elif [ "${ACTION}" = "import" ]; then
+  (rpm -q "${GPG_PUBKEY}" && rpm -e --allmatches "${GPG_PUBKEY}") || true
+  rpm --import "${GPG_KEY_PATH}"
+fi
+SCRIPT
 
             it { is_expected.to contain_exec('import-GPG-KEY-puppet').with({
               'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-              'command'   => '/tmp/rpm_gpg_import_check.sh import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
-              'unless'    => '/tmp/rpm_gpg_import_check.sh check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet',
+              'command'   => "/bin/bash -c '#{script}' import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
+              'unless'    => "/bin/bash -c '#{script}' check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet",
               'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet]',
               'logoutput' => 'on_failure',
             }) }
 
             it { is_expected.to contain_exec('import-GPG-KEY-puppet-20250406').with({
               'path'      => '/bin:/usr/bin:/sbin:/usr/sbin',
-              'command'   => '/tmp/rpm_gpg_import_check.sh import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406',
-              'unless'    => '/tmp/rpm_gpg_import_check.sh check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406',
+              'command'   => "/bin/bash -c '#{script}' import /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
+              'unless'    => "/bin/bash -c '#{script}' check /root/.gnupg /etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406",
               'require'   => 'File[/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406]',
               'logoutput' => 'on_failure',
             }) }
@@ -219,12 +234,6 @@
 
             it { is_expected.to contain_class("puppet_agent::osfamily::suse") }
 
-            it { is_expected.to contain_file('/tmp/rpm_gpg_import_check.sh').with({
-              'ensure'    => 'file',
-              'source'    => 'puppet:///modules/puppet_agent/rpm_gpg_import_check.sh',
-              'mode'      => '0755',
-            }) }
-
             it { is_expected.to contain_file('/etc/pki/rpm-gpg/RPM-GPG-KEY-puppet-20250406').with({
               'ensure' => 'present',
               'owner'  => '0',