PE release notes

These are the new features, enhancements, resolved issues, and deprecations in this version of PE.

PE 2019.3


Java 11 upgrade

This version includes an upgrade from Java version 8 to version 11. If you've customized PE Java services, or use plug-ins that include Java code, test PE 2019.3 and later thoroughly in a non-production environment before upgrading.

Puppet ensures platform repositories aren't installed in order to prevent accidental agent upgrade

Previously, Bolt users who installed the Puppet 5 or 6 platform repositories could experience unsupported agent upgrades on managed nodes. With this release, Puppet ensures that the release packages for those platforms are not installed on managed nodes by enforcing ensure => 'absent' for the packages.

Windows install script optionally downloads a tarball of plug-ins

For Windows agents, the agent install script optionally downloads a tarball of plug-ins from the master before the agent runs for the first time. Depending on how many modules you have installed, bulk plug-in sync can speed agent installation significantly.

Note: If your master runs in a different environment from your agent nodes, you might see some reduced benefit from bulk plug-in sync. The plug-in tarball is created based on the plug-ins running on the master agent, which might not match the plug-ins required for agents in a different environment.

This feature is controlled by the setting pe_repo::enable_windows_bulk_pluginsync, which you can configure in Hiera or in the console. The default setting for bulk plug-in sync is false (disabled).

puppet infrastructure run commands no longer require an authentication token

puppet infrastructure run commands that affect PuppetDB, including migrate_split_to_mono, convert_legacy_compiler, and enable_ha_failover, no longer require setting up token-based authentication as a prerequisite for running the command. By default, these commands use the master's PuppetDB certificate for authentication.

puppet infrastructure run commands provide more useful output

puppet infrastructure run commands, such as those for regenerating certificates or enabling high availability failover, provide more readable output, making them easier to troubleshoot.

Calculations for PostgreSQL settings are fine-tuned

The shared_buffers setting uses less RAM by default due to improvements in calculating PostgreSQL settings. Previously, PostgreSQL settings were based on the total RAM allocated to the node it was installed on. Settings are now calculated based on total RAM less the default RAM used by PE services. As a result, on an 8GB installation for example, the default shared_buffers setting is reduced from ~2GB to ~1GB.

PostgreSQL can optionally be cleaned up after upgrading

After upgrading, you can optionally remove packages and directories associated with older PostgreSQL versions with the command puppet infrastructure run remove_old_postgresql_versions. If applicable, the installer prompts you to complete this cleanup.

*nix command for regenerating agent certificates includes a parameter for CRL cleanup

The puppet infra run regenerate_agent_certificate command includes a clean_crl parameter. Setting clean_crl to true cleans up the local CRL bundle. When you regenerate certificates for *nix agents after recreating your certificate authority, you must include this parameter with the value set to true. If you're regenerating agent certificates without recreating the CA, you don't need to clean up the CRL.

puppetlabs-pe_bootstrap task supports Puppet agent on CentOS 8

The puppetlabs-pe_bootstrap task that ships in PE has been updated to support Puppet agent installation on CentOS 8.

New task targets API

Use the new task targets API to fine-tune task permissions automatically. See POST /command/task_target and Puppet orchestrator API: scopes endpoint.

Console enhancements

These are enhancements to the console in this release:
  • Plan metadata

    View plan metadata and parameters. To view them in the console, type in a name of a plan in the Plan field and click View plan metadata. To view metadata on the command line, run puppet plan show <PLAN NAME>.

  • Test connections option

    Test connections for nodes and devices before adding them to your inventory. This option is enabled by default on the Inventory page. If a connection fails, you can edit the node or device information and try again.

  • Custom PQL queries

    Add your own custom PQL queries to the console and use them for running Puppet and tasks. See Add custom PQL queries to the console for more information.

  • Breadcrumbs

    Pages in the console now have breadcrumbs, showing you where you are in the interface. The breadcrumbs are links you can use to move to parent pages.

  • Transport details

    View the transport mechanism, SSH or WinRM for example, for task runs in the Connections and Activity tabs on the Nodes page.

  • Run drop-down menu

    The Run Puppet on these nodes button has been replaced with a Run drop-down menu so you can run Puppet or run a task for the nodes listed on the current page. The new option is available on the Overview, Events, and Packages pages.

  • Ability to select environment for tasks and plans

    When you run a task or a plan in the console, you can now specify an environment other than production.

  • Additional run options

    In addition to no-op, you can now specify debug, trace, and eval-trace run options when running Puppet.

Platform support

This version adds support for these platforms.

  • Fedora 31

Deprecations and removals

Deprecated platform support

Support for these platforms is deprecated in this release and will be removed in a future version of PE:

  • Enterprise Linux 6
  • Ubuntu 16.04

Razor deprecated

Razor, the provisioning application that deploys bare-metal systems, is deprecated in this release, and will be removed in a future version. If you want to continue using Razor, you can use the open source version of the tool.

Node graph removed

The node graph in the console has been removed due to infrequent use. The graph was used to view relationships between resources and classes within a node catalog. To generate a node graph now, use the Puppet VS Code extension.

Resolved issues

Console was inaccessible on macOS Catalina using default certificates

Enhanced security requirements in macOS Catalina prevented accessing the console using the default certificate generated during installation.

puppet infrastructure run commands could fail if the agent was run with cron

puppet infrastructure run commands, such as those used for certain installation, upgrade, and certificate management tasks, could fail if the Puppet agent was run with cron. The failure occurred if the command conflicted with a Puppet run.

Mismatch between classifier classification and matching nodes for regexp rules

PuppetDB’s regular expression matching had surprising behaviors for structured fact value comparisons. For example, with a rule such as ["~", "os", ":"] on the structured fact os, PuppetDB would unintentionally match every node that has the os structured fact, because the regular expression was applied to the JSON-encoded version of the fact value.

The classifier does not use PuppetDB for determining classification, and regular expressions in the classifier rules syntax support only direct value comparisons for string types.

This caused issues in the console where the node list and counts for the "matching nodes" display sometimes indicated that nodes were matching even though the classifier would not consider them matching.

Now, the same criteria that the classifier uses are applied to the displays and counts. The output of the classifier’s rule translation endpoints makes queries that match the classifier behavior.

Note: This fix doesn't change the way nodes are classified, only how the console displays matching nodes.
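
The mismatch described above can be reproduced with a small model. This is an added example, not PE, PuppetDB, or classifier code; the node names, fact values, and function names are hypothetical, and it assumes plain string facts were compared directly in both cases.

```ruby
require 'json'

# Constructed sample inventory (not real PE data): node name => facts.
NODES = {
  'web01' => { 'os' => { 'family' => 'RedHat', 'name' => 'CentOS' }, 'role' => 'web:frontend' },
  'db01'  => { 'os' => { 'family' => 'Debian', 'name' => 'Ubuntu' }, 'role' => 'database' },
  'net01' => { 'role' => 'switch' } # has no os fact at all
}.freeze

# Old "matching nodes" display: the regex runs over the JSON-encoded form of a
# structured fact, so JSON punctuation such as ":" becomes matchable.
# Assumption: string facts are compared as-is.
def json_encoded_match?(facts, fact, pattern)
  return false unless facts.key?(fact)
  value = facts[fact]
  encoded = value.is_a?(String) ? value : value.to_json
  Regexp.new(pattern).match?(encoded)
end

# Classifier behaviour: regex rules support only direct comparison
# against string values, so a structured fact never matches.
def direct_string_match?(facts, fact, pattern)
  value = facts[fact]
  value.is_a?(String) && Regexp.new(pattern).match?(value)
end

# Evaluate a ["~", fact, pattern] rule with the chosen matcher.
def matching_nodes(rule, matcher)
  op, fact, pattern = rule
  raise ArgumentError, 'only the ~ operator is modelled' unless op == '~'
  NODES.select { |_name, facts| send(matcher, facts, fact, pattern) }.keys
end

# Nodes the old display listed as matching although the classifier
# would not classify them into the group.
def display_mismatch(rule)
  matching_nodes(rule, :json_encoded_match?) - matching_nodes(rule, :direct_string_match?)
end

if __FILE__ == $PROGRAM_NAME
  rule = ['~', 'os', ':']
  puts "displayed as matching: #{matching_nodes(rule, :json_encoded_match?).inspect}"
  puts "actually classified:   #{matching_nodes(rule, :direct_string_match?).inspect}"
end
```

A non-empty result from display_mismatch is the condition this fix removes: the console listed nodes as members of a group whose classes were never applied to them.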

Code manager could not deploy Forge modules with a proxy

The commands puppet code deploy and r10k failed when behind a proxy. The commands didn't use the configured proxy settings, which resulted in problems downloading modules from the Puppet Forge. This was due to an issue in a dependency gem.

Now, the commands work behind a proxy.

Orchestrator error message included Bolt command suggestions

When a plan or task was not found, the resulting error message gave a suggestion to run bolt {plan,task} show, which is unhelpful in PE. The error message no longer shows the Bolt command suggestion.

bolt.yaml plans did not work in PE

Plans with bolt.yaml in the root directory of the environment will no longer fail. Don't use the modulepath setting in bolt.yaml, because it may lead to unintended consequences when loading tasks and plans.

Ed25519 SSH keys couldn't be used to run task on agentless node

Running a task on an agentless node using an Ed25519 SSH key resulted in an error.