Installation and upgrade known issues

This version is out of date. For current versions, see Puppet Enterprise support lifecycle.

This page lists known issues for installations and upgrades in Puppet Enterprise.

Java 1.8.181 can cause directory services to fail in upgrade

Because of changes to LDAP support in Java 8 Update 181, Puppet Enterprise might be unable to connect to external directory services (DS) when you upgrade to PE 2016.4.14 or later. This occurs when the hostname PE uses to communicate with the directory service does not match the CN or one DNS altname of the certificate presented by the directory service.

As a workaround, disable the stricter endpoint verification that is the default in Java.

  1. In the console, click Classification.

  2. In the PE Infrastructure node group, select PE Console.

  3. Click Configuration and scroll down to the class puppet_enterprise::profile::console.

  4. Click the Parameter name list and select java_args.

  5. Add the variable to disable endpoint identification (and keep any existing heap settings):

    {"Xmx": "256m", "Xms": "256m", "Dcom.sun.jndi.ldap.object.disableEndpointIdentification=" : "true" }

  6. Click Add Parameter and then commit changes.
  7. Run Puppet on the appropriate nodes to apply the change.

Removed manage_kernel_shmmax parameter

The puppet_enterprise::profile::database::manage_kernel_shmmax parameter is no longer used and has been removed. If you are upgrading and have this parameter set in your PE PuppetDB node group, you will receive an error message on your database node when you run the Puppet agent after the upgrade. You can safely remove this parameter from the classifier.

Installer can fail due to SSL errors with AmazonAWS

In some cases when attempting to install PE, some master platforms have received SSL errors when attempting to connect to, and thus have been unable retrieve puppet-agent packages needed for installation. In most cases, you should be able to properly install after updating the CA cert bundle on the master platform. To update the bundle, run the following commands:

rm /etc/ssl/certs/ca-bundle.crt
yum reinstall ca-certificates

After updating the CA bundle, run the PE installer again.

Incorrect credentials for console databases will cause split upgrade to fail

If, during a split upgrade, you supply incorrect database credentials (specifically, incorrect database names, user names, or passwords for the databases associated with the PE console), the upgrade process will fail with a confusing error message. In most cases, ensure you have the correct database credentials and rerun the upgrader. The credentials can be found on the PuppetDB node at /etc/puppetlabs/installer/database_info.install.

Web-based installer fails to acknowledge failed installs due to low RAM

When a PE installation fails because a system is not provisioned with adequate RAM, the web-based installer stops responding when verifying that PE is functioning on the server, but the installation appears to have succeeded, as the Start using Puppet Enterprise button is available. Note that in such cases, the command line shows an “out of memory: Kill process” error.

We recommend provisioning the system with adequate RAM and re-running the installation. Refer to the hardware recommendations.

Hard tabs for indentation in Hiera YAML files cause errors after upgrading

If you’re upgrading, ensure that any Hiera YAML files do not include hard tabs for indentation. Hard tabs in these files will cause errors after upgrading.

Incorrect umask value can cause upgrade/installation to fail

To prevent potential failures, you should set an umask value of 0022 on your Puppet master.

Before upgrading, correct invalid entries in autosign.conf

Any entries in /etc/puppetlabs/puppet/autosign.conf that don’t conform to the autosign requirements will cause the upgrade to fail to configure the PE console. Please correct any invalid entries before upgrading.

Install agents with different OS when Puppet master is behind a proxy

If your Puppet master uses a proxy server to access the internet, you may not be able to download the pe_repo packages for the agent. In the case that you’re using a proxy, follow this workaround:

Tip: The following steps should be performed on your Puppet master (and, if you have a large environment installation, on all your compile masters as well).

  1. From your Puppet master, navigate to /etc/sysconfig/, and create a file called puppet.
  2. In puppet add the following lines:

    export http_proxy <YOUR_PROXY_SERVER>
    export https_proxy <YOUR_PROXY_SERVER>
  3. Save and exit the file.
  4. Restart the puppet service with the following commands:

    puppet resource service puppet ensure=stopped
    puppet resource service puppet ensure=running

database_host cannot be an alt name for upgrades or installs

PostgreSQL does not support alt names when set to verify_full. If you are upgrading or installing in text-mode, make sure puppet_enterprise::database_host is set as the Puppet agent certname for the database node and not set as an alt name.

See an issue? Please file a JIRA ticket in our [DOCUMENTATION] project
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.