Puppet release notes
These are the new features, resolved issues, and deprecations in this version of Puppet.
Puppet 7.4.1
Released 16 February 2021.
Resolved issues
Puppet users with forcelocal
are no longer
idempotent
This release fixes a regression where setting the gid
parameter on a user
resource with forcelocal
was
not idempotent. PUP-10896
Puppet 7.4.0
Released 9 February 2021.
New features
--timing
option in puppet
facts show
This release adds a --timing
option in the
puppet facts show
command. This flag shows you
how much time it takes to resolve each fact. PUP-10858
Resolved issues
User resource with forcelocal
uses getent
for
groups
The useradd
provider now
checks the forcelocal
parameter and gets local information on the groups (from
/etc/groups
) and
gid (from etc/passwd
) of the
user when requested. PUP-10857
Slow Puppet agent run after upgrade to version 6
This release improves the performance of the apt package
provider when removing packages by reducing the calls to
apt-mark
showmanual
. PUP-10856
The apt
provider does not work
with local packages
The apt
package provider
now allows you to install packages from a local file using
source parameter. PUP-10854
The puppet facts show
--value-only
command displays a quoted
value
Previously, the puppet facts show
--value-only <fact>
command emitted
the value as a JSON string, which included quotes around the
value, such as {{"RedHat"}}. It now only emits the value.
PUP-10861
Puppet 7.3.0
Released 20 January 2021.
New features
New serverport
setting type
The serverport
setting is an alias for
masterport
. PUP-10725
Enhancements
Multiple logdest
locations in puppet.conf
accepted
You can set multiple logdest
locations
using a comma separated list. For example: /path/file1,console,/path/file2
. PUP-10795
The puppet module install
command lists
unsatisfiable dependencies
If the puppet module install
command fails,
Puppet returns a more detailed error, including
the unsatisfiable module(s) and its ranges. PUP-9176
New --no-legacy
option to disable legacy
facts
By default, puppet facts show
displays all
facts, including legacy facts. This release adds a --no-legacy
option to disable legacy facts when querying all facts.
PUP-10850
Resolved issues
The puppet apply
command creates warnings
This release eliminates Ruby 2.7.x warnings
when running puppet
apply
with node statements. PUP-10845
Remove Pathname#cleanpath
workaround
This release removes an unnecessary workaround when cleaning file paths, as Ruby 1.9 is no longer supported. PUP-10840
The allow
*
error message shown during PE
upgrade
Puppet
no longer prints an error if fileserver.conf
contains
allow *
rules. It
continues to print an error for all other rules,
as Puppet's legacy authorization is no longer
supported and is superseded by Puppetserver's
authorization. PUP-10851
3x functions cannot be called from deferred functions in Puppet agent
This release allows deferred 3.x
functions, like sprintf
, to be called during a Puppet agent run. PUP-10819
Cached catalog contains the result of deferred evaluation instead of the deferred function
Puppet 6.12.0 introduced a regression that caused the result of a deferred function to be stored in the cached catalog. As a result, an agent running with a cached catalog would not re-evaluate the deferred function. This is now fixed. PUP-10818
puppet facts show fact
output
differs from facter
fact
The output format is different between Facter and Puppet facts when a query for a single fact is provided. This is now fixed. PUP-10847
Issue with Puppet creating production folder when multiple environment paths are set
Previously, the production
environment folder was automatically created at every Puppet ran in the first
search path, if it did not already exist. This release
ensures Puppet searches all
the given paths before creating a new production
environment folder. PUP-10842
Puppet 7.2.0
This version of Puppet was never released.
Puppet 7.1.0
Released 15 December 2020.
Enhancements
Reduced query time for system user groups
The time it takes to query groups of a system user has been reduced on Linux operating systems with FFI. The getgrouplist
method is also available. PUP-10774
Log rotation for Windows based platforms
You can now configure the pxp-agent to use the Windows Event Log service by setting
thelogfile
value to eventlog
. PA-3492
Log rotation for macOS based platforms
This release enables log rotation for the pxp-agent on OSX platforms. PA-3491
Added server
alias for routes.yaml
When routes.yaml
is parsed, it accepts either server
or master
applications. PUP-10773
OpenSSL bumped to 1.1.1i
This release bumps OpenSSL to 1.1.1i. PA-3513
Curl bumped to 7.74.0
This release bumps Curl to 7.74.0. PA-3512
Resolved issues
The Puppet 7 gem is missing runtime dependency on scanf
This is fixed and you can now run module tests against the Puppet gem on Ruby 2.7. PUP-10797
The puppet node clean
action
LoggerIO needs to implement warn
In Puppet 7.0.0, the puppet node
clean
action failed if you had cadir
in the legacy
location or inside the ssldir
. This was a regression and is now
fixed. PUP-10786
Calling scope#tags
results in
undefined method
Previously, calling the tags
method within an ERB template
resulted in a confusing error message. The error message now
makes it clear that this method is not supported. PUP-10779
User resource is not idempotent on AIX
The AIX user resource now
allows for password
lines
with arbitrary whitespace in the passwd
file. PUP-10778
Fine grained environment timeout issues
Previously, if the environment.conf
for an environment was
updated and the environment was cleared, puppetserver
used old
values for per-environment settings. This happened if the
environment timed out or if the environment was explicitly
cleared using puppetserver
's
environment cache REST API. With this fix, if an environment
is cleared, Puppet reloads
the per-environment settings from the updated environment.conf
. PUP-10713
FIPS compliant nodes are returning an error
This release fixes an issue on Windows FIPS where
Leatherman libraries loaded at the predefined address of the
OpenSSL library. This caused the OpenSSL library to relocate
to a different address, failing the FIPS validation. This is
fixed and leatherman compiled with dynamicbase
is disabled on Windows. PA-3474
User provider with uid/gid as Integer raises warning
This release fixes a warning introduced in Ruby 2.7 that checked invalid objects (such as Integer) against a regular expression. PUP-10790
Puppet 7.0.0
Released 19 November 2020.
For a list of major changes, see What's new since Puppet 7.
New features
The puppet facts show
command
You can use the puppet facts show
command
to retrieve a list of facts. By default, it does not return legacy facts, but you
can enable it to with the --show legacy
option. This
command replaces puppet facts find
as the default
Puppet facts action. PUP-10644 and PUP-10715
JSON terminus for node and report
This release implements JSON termini for node and report indirection. The
format of the last_run_report.yaml
report can be
affected by the cache
setting key of the report
terminus in the routes.yaml
file. To ensure the file extension matches the content,
update the lastrunreport
configuration to
reflect the terminus changes (lastrunreport = $statedir/last_run_report.json
). PUP-10712
JSON terminus for facts
This release adds a new JSON terminus for facts, allowing them to be stored
and loaded as JSON. Puppet agents continue to default
to YAML, but you can use JSON by configuring the agent application in routes.yaml
. Puppet Server 7 also caches facts as JSON
instead of YAML by default. You can re-enable the old YAML terminus in routes.yaml
. PUP-10656
Public folder
There is a new folder with 0755 access rights named public
, which is now the default location for the last_run_summary.yaml
report. It has 640
file permissions. This makes it possible for a
non-privileged process to read the file. To relax permissions on the last run
summary, set the group
permission on the file in
puppet.conf
to the following PUP-10627: lastrunsummary = $publicdir/last_run_summary.yaml {
owner = root, group = monitoring, mode = 0640 }
The settings_catalog
setting
To load Puppet more quickly, you can set the
settings_catalog
setting to false to skip applying
the settings catalog. The setting defaults to true. PUP-8682
New numeric and port setting types
This release adds a new port
setting type,
which turns the given value to an integer, and validates it if the value is in the
range of 0-65535. Puppet port can use this setting
type. PUP-10711
MSI PUPPET_SERVER
and alias
This release adds a new Windows Installer
property called PUPPET_SERVER
. You can use this as
an alias to the existing PUPPET_MASTER_SERVER
property. PA-3440
New GPG signing key
Puppet has a new GPG signing key. See verify packages for the new key.
Enhancements
Ruby version bumped to 2.7
The default version of Ruby is now 2.7. The minimum Ruby version required to run Puppet 7 is now 2.5. After upgrading to Puppet 7, you may need to use the
puppet_gem
provider to ensure all your gems are installed.
PUP-10625
Default digest algorithm changed to sha256
Puppet 7 now uses sha256 as the default digest algorithm. PUP-10583
Gem provider installs gems in Ruby
The gem provider now installs gems in Ruby
by default. Use the puppet_gem
provider to reinstall
gems in the Ruby distribution vendored in Puppet. For example, if custom providers or deferred
functions require gems during catalog application.
PUP-10677
FFI functions, structs and constants moved to a separate Windows module
To increase speed, we have moved FFI functions, constants and structures out of
Puppet::Util::Windows
. PUP-10606
Default value of ignore_plugin_errors
changed
from true to false
The default value for ignore_plugin_errors
is now
false. This stops Puppet agents failing to
pluginsync. PUP-10598
Interpolation of sensitive values in EPP templates
Previously, if you interpolated a sensitive value in a template, you were required to
unwrap the sensitive value and rewrap the result. Now the epp
and inline_epp
functions
automatically return a Sensitive
value if any
interpolated variables are sensitive. For example: inline_epp("Password is <%= Sensitive('opensesame') %>"
). Note
that these changes just apply to EPP templates, not ERB templates. PUP-8969
shkeys_core
module bumped to 2.2.0
Puppet 7 bumps the sshkeys_core
modules to 2.2.0 in the Puppet agent. PA-3473
Call simple server status endpoint
Puppet updates the endpoint for checking the server
status to /status/v1/simple/server
. If the call
returns a 404, it makes a new call to /status/v1/simple/master
, and ensures backwards compatibility. PUP-10673
Default value of disable_i18n
changed from
false to true
The default value for the disable_i18n
setting has changed from false to true and locales are not
pluginsynced when i18n is disabled. PUP-10610
Pathspec
no longer vendored
The pathspec
Ruby library is no longer vendored in Puppet. If you require this functionality, you need
to install the pathspec
Ruby gem. PUP-10107
Deprecations and removals
func3x_check
setting removed
The func3x_check
setting has been removed.
PUP-10724
master_used
report parameter
removed
The deprecated master_used
parameter has
been removed. Instead use server_used
. PUP-10714
facterng
feature flag removed
The facterng
feature flag has been removed.
It is not needed anymore as Puppet 7 uses Facter 4 by default. PUP-10605
held
removed from apt provider
The apt provider no longer accepts deprecated ensure=held
. Use the mark
attribute
instead. PUP-10597
Method from DirectoryService
removed
The deprecated DirectoryService#write_to_file
method has been removed. PUP-10489
Method from Puppet::Provider::NameService
removed
The deprecated Puppet::Provider::NameService#listbyname
method has been removed.
PUP-10488
Methods from TypeCalculator
removed
The deprecated TypeCalculator.enumerable
has been removed, and the functionality has been moved to Iterable
. PUP-10487
Enumeration
type removed
The deprecated Enumeration
class has been
removed, and its functionality has been moved to Iterable
. PUP-10486
Puppet::Util::Yaml.load_file
removed
The deprecated Puppet::Util::Yaml.load_file
method has been removed. PUP-10475
Puppet::Resource
methods removed
The following deprecated Puppet::Resource
methods have been removed:
Puppet::Resource.set_default_parameters
Puppet::Resource.validate_complete
-
Puppet::Resource::Type.assign_parameter_values
. PUP-10474
legacy auth.conf
support removed
The legacy auth.conf
has been deprecated
for several major releases. Puppet 7 removes all
support for legacy auth.conf. Instead, authorization to Puppet REST APIs is controlled by puppetserver
auth.conf
. In addition, the allow
and deny
rules in fileserver.conf
are now ignored and Puppet logs an error for each entry. The rest_authconfig
setting has also been removed. PUP-10473
Puppet.define_settings
removed
The deprecated Puppet.define_settings
method has been removed. PUP-10472
Application orchestration language features removed
The deprecated application orchestration language features have been
removed. The keywords application
, site
, consumes
and
produces
, and the export
and consume
metaparameters, now
raise errors. The keywords are still reserved, but can’t be used as a custom
resource type or attribute name. The environment catalog REST API has also been
removed, along with supporting classes, such as the environment compiler and
validators. PUP-10446
Puppet::Network::HTTP::ConnectionAdapter
removed
The Puppet::Network::HTTP::ConnectionAdapter
has been removed, and
contains the following breaking changes:
- The Client networking code has been moved to
Puppet::HTTP
. - The
Puppet::Network::HttpPool.http_instance
method has been removed. - The
Puppet.lookup(:http_pool)
has been removed. - The deprecated
Puppet::Network::HttpPool.http_instance
and connection methods have been preserved. PUP-10439
environment_timeout_mode
setting
removed
The environment_timeout_mode
setting has
been removed. Puppet no longer supports environment
timeouts based on when the environment was created. In Puppet 7, the environment_timeout
setting is always interpreted as 0
(never cache), unlimited
(always cache), or from when the environment was last used.
PUP-10619
Networking code from the parent REST terminus removed
The Networking code from the parent REST terminus has been removed, and is a breaking change for any REST terminus that relies on the parent REST terminus to perform the network request and process the response. The REST termini must implement the find, search, save and destroy methods for their indirected model. PUP-10440
Dependency on http-client
gem
removed
The dependency on the http-client
gem has
been removed. If you have a Puppet provider that relies on this gem, you must
install it. PUP-10490
HTTP file content terminus removed
The HTTP file content terminus has been removed. It is no longer possible
to retrieve HTTP file content using the indirector. Instead, use Puppet's builtin HTTP client instead: response = Puppet.runtime[:http].get(URI("http://example.com/path"))
.
PUP-10442
Puppet::Util::HttpProxy.request_with_redirects
removed
The Puppet::Util::HttpProxy.request_with_redirects
method has been
removed, and moves the Puppet::Util::HttpProxy
class to Puppet::HTTP::Proxy
. The old constant is
backwards compatible. PUP-10441
Puppet::Rest
removed
Puppet::Rest
removed and Puppet::Network::HTTP::Compression
have been removed.
This change moves Puppet::Network::Resolver
to
Puppet::HTTP::DNS
and deprecates Puppet::Network::HttpPool
methods. PUP-10438
Remove strict_hostname_checking
removed
The deprecated strict_hostname_checking
and
node_name
settings have been removed. The
functionality of these settings is possible using explicit constructs within a
site.pp
or fully featured enc. PUP-10436
puppet module build
, generate
and search
actions
removed
The puppet module build
, generate
and search
actions have been removed. Use Puppet Development Kit
(PDK)
instead.PUP-10387
puppet status
application has been
removed
The deprecated puppet status
application has been
removed. PUP-10386
The puppet cert
and key
commands removed
The non-functioning puppet cert
and puppet key
commands have been removed. Instead use
puppet ssl
on the agent node and puppetserver ca
on the CA server. PUP-10369
SSL code, termini and settings removed
The following SSL code, termini and settings have been removed:
-
Puppet::SSL::Host
-
Puppet::SSL::Key
-
Puppet::SSL::{Certificate,CertificateRequest}.indirection
-
Puppet::SSL::Validator*
-
ssl_client_ca_auth
-
ssl_server_ca_auth
PUP-10252
The func3x_check
setting has been removed
The setting to turn off func
3x API validation has
been removed. Now all 3x functions are validated. PUP-9469
The future_features
logic has been
removed
The unused future_features
setting has been removed.
PUP-9426
The puppet man
application has been
removed
The puppet man
application is no longer
needed and has been removed. The agent package now installs man pages so that
man puppet
produces useful results. Puppet's help system (puppet
help
) is also available. PUP-8446
The execfail
method from util/execution
has been removed
The following deprecated methods have been removed:
Puppet::Provider#execfail
-
Puppet::Util::Execution.execfail.
PUP-7584
The win32-process has been removed
The Puppet dependency on the win32-process gem has been removed. You can implement the functionality using FFI. PUP-7445
The win32-service gem has been removed
The dependency on the win32-service gem has been removed and uses the Daemon class in Puppet instead. PUP-5758
The win32-security gem has been removed from Puppet
To improve Puppet's handling of Unicode user and group names on Windows, some of the code interacting with the Windows API has been rewritten to ensure wide character (UTF-16LE) API variants are called. As a result, Puppet no longer needs the win32-security gem. Any code based references to the gem have been removed. The gem currently remains for backward compatibility, but is to be removed in a future release. PUP-5735
The capability to install an agent on Windows 2008 and 2008 R2 has been removed
You can no longer install Puppet 7 agents on Windows versions lower than 2012. PA-3364
Support for Ruby versions older than 2.5 removed
Support for Ruby versions older than 2.5 has been removed, and Fixnum and Bignum have been replaced with Integer. PUP-10509
dir monkey-patch
removed
This external dependency on the win32/dir gem has been removed and replaces CSIDL constants with environment variables. PUP-10653
Master removed from docs
Documentation for this release replaces the term master with primary server. This change is part of a company-wide effort to remove harmful terminology from our products. For the immediate future, you’ll continue to encounter master within the product, for example in parameters, commands, and preconfigured node groups. Where documentation references these codified product elements, we’ve left the term as-is. As a result of this update, if you’ve bookmarked or linked to specific sections of a docs page that include master in the URL, you’ll need to update your link.
Resolved issues
Puppet agent installation fails when msgpack
is enabled on puppetserver
Previously, the agent failed to deserialize the catalog
and fail the run if the msgpack
gem was enabled but not
installed. Now the agent only supports that format when the
msgpack
gem is
installed in the agents vendored Ruby. PUP-10772
Puppet feature detection leaves Ruby gems in a bad state
This release fixes a Ruby gem caching issue that prevented the agent from applying a catalog if a gem was managed using the native package manager, such as yum or apt. PUP-10719
Puppet 6 agents do not honor
the usecacheonfailure
setting when using
server_list
Previously, when server_list
was used when there was no
server accessible, the Puppet
run failed even if usecacheonfailure
was set to true. Now
Puppet only fails
if usecacheonfailure
is set
to false. PUP-10648
Setting certname in multiple sections bypasses validation
Previously, Puppet only validated the certname setting when specified in the main setting, but not if the value was in a non-global setting like agent. As a result, it was possible to set the certname setting to a value containing uppercase letters and prevent the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which setting the value is specified in. PUP-9481
Issues caused by backup to the local filebucket
By default, Puppet won’t
backup files it overwrites or deletes to the local filebucket
, due to issues
where it became unbounded. You can re-enable the local
filebucket
by
setting File { backup => 'puppet'
}
as a resource default. PUP-9407
Remove future feature flag for prefetch_failed_providers
in transaction.rb
If a provider prefetch method raises a LoadError or StandardError,
the resources associated with the provider are marked as
failed, but unrelated resources are applied. Previously this
behavior was controlled by the future_features
flag, and disabled by
default. PUP-9405
Change default value of hostcsr
setting
The default value of the hostcsr
setting has been updated to
match where Puppet stores the
certificate request (CSR) when waiting for the CA to issue a
certificate. PUP-9346
Refactor the SMF provider to implement enableable semantics
Previously, the SMF provider did not properly implement
enableable semantics. Now enable
and ensure
are independent operations where
enable
handles
whether a service starts or stops at boot time, and ensure
handles whether a
service starts or stops in the current running instance.
PUP-9051
The list of reserved type names known to the parser validator is incomplete
A class or defined type in top scope can no longer be
named init
, object
, sensitive
, semver
, semverrange
, string
, timestamp
, timespan
or typeset
. You can continue
to use these names in other scopes such as mymodule::object
. PUP-7843
Export or virtualize class error
Previously, Puppet returned a warning or error if it encountered a virtual class or an exported class, but it still included resources from the virtual class in the catalog. Now Puppet always error on virtual and exported classes. PUP-7582
Puppet::Util::Windows::String.wide_string
embeds a NULL char
This release removes a Ruby workaround for wide character strings on Windows. PUP-3970
puppet config set
certname
accepts upper-case names
Previously, the puppet config
set
command could set a value that was
invalid, causing Puppet to
fail the next time it ran or the service was restarted. Now
the command validates the value before committing the change
to puppet.conf
.
PUP-2173
Unable to read last_run_summary.yaml
from
user
Puppet agent code now
aligns with the new last_run_summary.yaml
location. PA-3253