Puppet release notes
These are the new features, resolved issues, and deprecations in this version of Puppet.
Puppet 7.21.0
Released December 2022.
Enhancements
Allow legacy facts to be excluded
Added a Puppet setting include_legacy_facts to control whether legacy facts are sent to puppetserver when requesting a catalog. By default, Puppet continues to send legacy facts, but it can be disabled if all puppet manifests, hiera.yaml and hiera configuration layers are modified to no longer use legacy facts. PUP-11662
Allow omission of unchanged resources from reports
With the new setting exclude_unchanged_resources, Puppet can omit data about unchanged resources from reports. This can decrease the size of reports significantly. PUP-11654
Resolved issues
Tasks are not listed when a single task in an environment has malformed metadata
Tasks containing invalid JSON metadata are skipped in the GET /tasks endpoint rather than the whole response returning 500. PUP-11683
Purging SSH keys on a user resource fails when alias is used
Catalog compilation no longer fails when using the purge_ssh_keys parameter on a user resource with an alias metaparameter. PUP-11631
puppet lookup -E does not execute the ENC
If you ran puppet lookup with an explicit environment (--environment web), lookup did not call the classifier, causing any node parameters set in the classifier to be omitted. This was because calling the classifier assigns a different environment to the node by default, returning a lookup result for a different environment than was requested. This issue has been fixed. It also affected open source (replace the word classifier with ENC). PUP-11527
Security
Bump puppet-runtime's Ruby to 2.7.7
Updates puppet-agent's Ruby to 2.7.7, addressing CVE-2021-33621. PA-4805
Update libxml2 to 2.10.3
Updates puppet-agent's vendored libxml2 from 2.9.8 to 2.10.3, which addresses CVE-2021-4541, CVE-2022-23308, CVE-2022-29824, CVE-2022-40303, and CVE-2022-40304. Also updates puppet-agent's vendored libxslt from 1.1.33 to 1.1.37, which addresses CVE-2021-30560. PA-4770
osx-10.15-x86_64 - NULL pointer dereference in Nokogiri
Updates Nokogiri to 1.13.9, which addresses CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303 in Nokogiri's vendored libxml2 and CVE-2022-37434 in Nokogiri's vendored zlib. PA-4767
Puppet 7.20.0
Released October 2022.
Enhancements
Tag and bump puppet-resource_api in Puppet 7
Bumps resource-api gem to 1.8.16. PA-4702
Resolved issues
Puppet::Util::Json raises an error when reading an empty file
Puppet no longer errors when loading an empty task metadata file. PUP-11629
Augeas not working on M1 macOS Big Sur
Fixed a bug in the Augeas component of the puppet-agent platform on macOS. Contributed by Puppet community member h0tw1r3. PA-4704
Augtool packaged in puppet-agent 7.19.0 is broken
puppet-agent 7.19.0 had a broken Augeas packaged with it. This is fixed in puppet-agent 7.20.0. PA-4686
Deprecations and removals
Puppet 7.19.0
Released September 2022.
New versions of Puppet now release every six weeks rather than every four weeks.
Enhancements
Support for Fedora 36 (x86_64)
This release adds support for Fedora 36 (x86_64). PA-4668
Updated Augeas to 1.13.0
Bumped Augeas to 1.13.0 for all supported platforms except for Solaris and AIX. Those two platforms remain on 1.12.0, as Augeas 1.13.0 fails to compile due to a few readline function calls that are not on Solaris or AIX. PA-4494
Resolved issues
Puppet sends malformed PuppetDB reports with Oj
Reports sent to PuppetDB using the Oj JSON backend are now properly formatted. PUP-11620
puppet module list --render-as json does not report unmet dependencies
puppet module list --render-as json now includes information about unmet dependencies. PUP-11604
Puppet does not write SELinux labels on ZFS
Marked ZFS as an SELinux-capable filesystem. PUP-11603
Puppet::Util.safe_posix_fork fails if /proc/self is not a directory
Puppet now handles misconfigured /proc filesystems correctly. PUP-11594
Puppet on Ruby 3.1 warns about ERB passing safe_level as non-keyword argument
Puppet now passes ERB arguments as keywords. PUP-11552
Security
FIPS OpenSSL: disable c_rehash binary
Fixed CVE-2022-1292 and CVE-2022-2068. PA-4621
Puppet 7.18.0
Released August 2022.
Enhancements
Bump to openssl-fips-1.1.1k-6
Updated openssl-fips on RedHat to 1.1.1k-6. PA-4498
Update puppet-ca-bundle
Updated root certificate authority bundle included with puppet-agent. PA-4496
Support for macOS 12 (M1)
This release adds support for macOS 12 (M1). PA-4457
Support for Windows 11 Enterprise (x86_64)
This release adds support for Windows 11 Enterprise (x86_64). PA-4249
Support for Ubuntu 22.04 (x86_64)
This release adds support for Ubuntu 22.04 (x86_64). PA-4233
Resolved issues
Sub-directory names returned as task names when listing tasks from a module
The puppet/v3/tasks REST API only returns files in the tasks directory of each module and no longer includes the names of subdirectories. PUP-11539
Puppet agent --disable is ignored with cron puppet agent (splay)
Puppet agent now checks the disabled lock file after sleeping due to splay. PUP-9998
puppet-cacerts keystore is missing on Red Hat 9, SLES 15 and Ubuntu 20.04
If Puppet agent is installed, there is a Java keystore file. PA-4440
Deprecations and removals
Support for Operating Systems removed
This release removes support for Fedora 32, CentOS 8, and Ubuntu 16.04. PA-4328
Security
Update puppet runtime's curl to 7.83.1
Updated runtime to fix CVE-2022-22576, CVE-2022-27774, and CVE-2022-27776. PA-4472
Puppet 7.17.0
Released May 2022.
We would like to thank the following Puppet community members for their contributions to this release: jplindquist, lollipopman, jps-help.
Enhancements
Resolve deferred values on demand instead of at catalog read time
It's now possible for deferred functions to be called on demand instead of being preprocessed. This way other resources in the catalog can serve as inputs to the deferred function. If the deferred function fails, then only that resource fails, while unrelated resources are still applied. To enable this behavior, set Puppet[:preprocess_deferred] = false or use --no-preprocess_deferred on the command line. PUP-9323
Add virt-what and dmidecode in Puppet Agent
Adds virt-what and dmidecode components to Puppet Agent. PA-4423
Nokogiri security vulnerability fix
Fix for CVE-2022-29181. PA-4489
Resolved issues
Puppet::HTTP::Client cannot connect to a server requiring client cert authentication and whose server cert is issued by a CA in the ssl_trust_store
Puppet's HTTP client can now establish a mutually authenticated TLS connection when passing include_system_store: true, such as when retrieving file content from HTTPS servers. Previously Puppet did not add its client certificate to the SSL context, so the connection would fail if the HTTPS server required a client certificate. PUP-11522
Remove compiler errors for deferred function mismatched types
Before, it was not possible to compile a catalog that used a Deferred value for a typed parameter class. The compiler would give an error message stating that the type expected did not match Deferred. Now, the compiler inspects the Deferred class's return type and ensures it matches the class parameter type. If the Deferred function has no return type, the compiler warns that it cannot guarantee whether the type adheres to the type the class specifies. PUP-11518
Yum provider does not properly update package using version range and install options
Yum provider now accepts disablerepo, enablerepo, and disableexcludes install options if a range is specified. PUP-11475
Legacy function error does not include the source ref
If a 3x function produces an error, the error message now includes the path to the file in which the function is defined. PUP-11472
Cannot login under user created by Puppet on macOS 12.1
On macOS, Puppet now validates that the salt parameter for the user resource is a hex encoded string of length 64 exactly. PUP-11454
puppetserver_gem doesn't install gems when they are loaded by Facter
Fixed a bug that prevented the puppetserver_gem provider from managing gems that were first loaded by Facter. PUP-11452
Puppet Agent does not automatically refresh CRLs on crl_refresh_interval
Puppet Agent now reloads its CA and CRL bundles every 30 minutes during each run. Previously it only loaded it when the process started, which meant the service had to be restarted if the CA/CRL files changed on disk. PUP-11428
systemd: Puppet Agent starts before network-online.target is reached
Puppet Agent now waits for network-online.target and does not attempt to contact Puppet Server before having network connectivity. Previously, Puppet Agent on Ubuntu 15.04 started with a multi-user.target. If using NetworkManager with DHCP, the agent tried to apply configuration before the network connection was up, resulting in printing several errors to the logs. PUP-5402
Puppet 7.16.0
Released April 2022.
Enhancements
Allow Puppet::HTTP::Client to connect to trusted server using the puppet certificate for client authentication
You can now specify an https URL as the source of a file resource when the TLS server requires a client certificate for authentication. PUP-11471
Ruby security fix
Bumped Ruby to 2.7.6 to fix CVE-2022-28739. PA-4364
Puppet 7.15.0
Released March 2022.
Resolved issues
puppet lookup fails to interpolate topscope variables when an environment is specified
Fixed an issue where Puppet 6.26 and 7.14 failed to resolve toplevel facts in Hiera configs when using the --environment option for puppet lookup. PUP-11437
Rspec tests with custom facts fail on some modules
This release fixes an issue where rspec module tests would compile with the runner node’s facts instead of using the custom facts supplied by the test. PUP-11435
Puppet::Util::Windows is undefined on non-Windows platforms
Fixed a bug that prevented pdk unit tests from working when trying to test a resource with a Windows provider, such as "service" resources. PUP-11459
No option to fail fast when agent-specified environment does not exist
When using strict_environment_mode=true, a run now fails early if the requested environment does not exist on the server, or if the server does not allow the agent to specify its own environment. PUP-11440
Nokogiri upgrade for macOS
Upgraded nokogiri gem to 1.13.2 on macOS due to upstream security fix. PA-4323
Some gemspecs are missing from puppet-agent MSI
On Windows, it is now possible to install a gem that has a dependency on Facter or Hiera into Puppet's vendored ruby. PA-4313
Puppet 7.14.0
Released January 2022.
Enhancements
Resolved issues
Puppet uses deprecated psych features
Puppet is now compatible with psych 4.0. PUP-11405
Agent no longer calls the Puppet::Node terminus to resolve the environment during the run
Introduced a Puppet setting use_last_environment=true|false and a corresponding puppet agent -t --no-use_last_environment boolean command line option that forces the agent to make a node request like it did prior to 7.12 and 6.25. By default, the agent does not make a node request. PUP-11379
Puppet user and service resources are slow on Mac OS X
Managing users and services on macOS is much faster. PUP-11332
Puppet::Node#environment_name may return the wrong value
Puppet::Node#environment_name now always returns the symbolic name of the environment (if one has been set on the node). PUP-11330
Puppet lookups failed due to missing certificates
The puppet lookup command now works if the agent does not have certificates available locally. PUP-11402
Lockups on servers running in multithreaded mode
This change fixes a deadlock that occurred when running puppetserver in multi-threaded mode. PUP-11373
The generate types command does not handle errors correctly
If the generate types command failed to generate a custom type, it logged an error and returned a 0 exit code instead of failing. The command now correctly fails with a non-zero exit code if the command cannot generate a type. PUP-11078
Puppet 7.13.1
Released December 2021.
Enhancements
ENC-enforced environment bypass for lookup
You can now bypass the ENC-enforced environment when performing a lookup. To bypass the enforced environment, use lookup with the --environment option to specify the desired environment. Puppet always uses the environment you specified regardless of the ENC-enforced environment. PUP-7479
Support for Windows Server 2022
This release includes support for Windows Server 2022. PUP-11238
Resolved issues
Puppet::FileSystem.chmod does not validate its arguments
Puppet::FileSystem.chmod now validates its arguments like other methods. PUP-11345
Warning: #<Puppet::Transaction::Persistence after upgrading to Puppet agent 6.25.0
Fixes a regression introduced in 6.25.0 and 7.10.0 that caused a Puppet::Transaction::Persistence warning during each agent run. PUP-11321
User resource tries to create rather than modify users created by a utility
This release moves the ssh_authorized_key resource's creation to the end of the user type flow, after all user properties and parameters were resolved, to avoid order dependency errors. PUP-11320
Puppet code merger using incorrect command
Reduces memory usage when parsing manifests. PUP-11318
Failure when using the names "apply" and "plan" within an apply() block in a plan
The names "apply" and "plan" can now be used as resource parameter names in all cases. Previously, using them within an apply() block in a plan would fail. PUP-11315
Puppet attempts to execute directories from /etc/init.d/
Prevents Puppet from considering directories from /etc/init.d/ as services. PUP-11313
Puppet creates excessive Pathname instances
Reduces the number of Pathname allocations when parsing Puppet manifests. PUP-11312
Pathname.absolute? uses excessive memory
Backported Ruby patch to Pathname.absolute? to reduce memory usage. PUP-11311
High memory consumption from lib/puppet/pops/parser/lexer2.rb
Reduced lexer2 memory usage. PUP-11236
versioncmp() treats 11.0 as greater than 11
versioncmp() now strips redundant numbers. PUP-11235
puppet lookup --facts {filename} fails if filename does not contain a dot
Before this release, puppet lookup --facts {filename} failed early when the filename given did not contain a dot. This fix removes the early extensions check and adds a fallback instead: tries both formats (JSON then YAML) to read the given facts file when its path doesn't end with any of the expected extensions (yaml/yml/json). Otherwise, it follows previous implementation and respects the given extension. PUP-11204
Facts provided in a file cannot be used for classification
Fixed a bug where facts provided in a file were not being merged with the facts used for classification. This is because Puppet collected and merged the said facts after the classification happened. To fix this, we ensured that Puppet resolves the facts being used for classification before the node request. PUP-10435
Inconsistent handling of trusted facts in the lookup CLI
When using puppet lookup with --facts, if the facts file overrides any of hostname, domain, fqdn, clientcert, then it must override all of them. Also, if a value for certname is provided in a fact file for the lookup application, use it when creating the trusted information object. This makes it possible to override trusted.certname for classification. PUP-8220
Lookup ignores environment from the classifier when using a rule with trusted facts
Fixed an issue where trusted facts could not be used as rules for classification. This was fixed by gathering the trusted facts from the PuppetDB query result, and overriding the trusted facts context. PUP-8094
Misleading results when using --node flag in puppet lookup
Fixed an issue where puppet lookup would result in misleading results when using the --node flag. This happened because there can be cases where the target node does not have any facts cached. To avoid this, the fix implemented checks for the node facts/facts given in a fact file, and if it doesn't find any it raises an error. PUP-7362
Files starting with "~" in recursive directories are evaluated as usernames
Puppet can now manage files whose names start with tilde "~" characters. PUP-5800
Puppet could not retrieve attributes from fifo and socket files
This release allows Puppet to retrieve attributes for fifo and socket files and manage them when the given manifest has a file resource which is recursing over a given path. PUP-4045
Noop changes to file ownership generate failures if required user or group does not exist
Puppet now correctly reports when a file's owner or group would change in noop mode, even if the owner or group would be created in the same run. PUP-3907
Puppet hangs trying to replace a FIFO
Puppet no longer hangs when trying to replace a fifo with a file, directory or symlink. PUP-1460
Puppet 7.13.0
This version of Puppet was never released.
Puppet 7.12.1
Released November 2021.
Resolved issues
Puppet can leak credentials when following HTTP redirects
Previously, when Puppet followed HTTP redirects, the Authentication and Cookie headers were passed to different hosts, which could leak sensitive information. Now the Authentication and Cookie headers are only sent when redirecting to the same hosts. This fixes CVE-2021-27023. PUP-11188
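The redirect rule described above can be sketched as follows. This is an added example, not Puppet's own code; the function names, the constructed URLs and the header names `Authorization` and `Cookie` are assumptions made for illustration.

```ruby
require 'uri'

# Credential-bearing request headers (assumed names, compared case-insensitively).
SENSITIVE_HEADERS = %w[authorization cookie].freeze

# Return the headers that may accompany a request to the redirect target.
# Only the host is compared, following the release note's wording; comparing
# scheme and port as well would be a stricter policy.
def headers_for_redirect(current_url, location, headers)
  from = URI.parse(current_url)
  to   = URI.join(current_url, location) # Location may be relative
  same_host = !from.host.nil? && !to.host.nil? && from.host.casecmp?(to.host)
  headers.reject do |name, _value|
    !same_host && SENSITIVE_HEADERS.include?(name.downcase)
  end
end

# Follow a chain of Location values hop by hop. Each hop starts from the
# headers of the previous hop, so credentials dropped on a cross-host
# redirect are not restored if a later hop returns to the first host.
def walk_redirects(start_url, locations, headers)
  url  = start_url
  hops = [[url, headers]]
  locations.each do |location|
    headers = headers_for_redirect(url, location, headers)
    url     = URI.join(url, location).to_s
    hops << [url, headers]
  end
  hops
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request headers and redirect chain.
  sample = {
    'Authorization' => 'Bearer constructed-token',
    'Cookie'        => 'sid=constructed',
    'Accept'        => 'application/json'
  }
  chain = ['/v2/file', 'https://cdn.example.net/file', 'https://files.example.com/file']
  walk_redirects('https://files.example.com/v1/file', chain, sample).each do |url, hdrs|
    puts "#{url} -> #{hdrs.keys.join(', ')}"
  end
end
```
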
Puppet agent silently skips unknown resources
Previously, all unknown resources were converted into a component (Puppet::Type::Component) by default and skipped when applying a catalog. This release adds a new resource attribute that specifies the type of resource — this is used to differentiate between built-in types and user defined types. Resources that are known and available on the server node are also verified on the agent node, which now fails when something unknown is found in the received catalog. This fixes CVE-2021-27025. PUP-11209
Puppet gem and rspec-puppet failures
This release moves the DEFAULT_TIMEOUT constant from lib/puppet/util/windows/service.rb to lib/puppet/util/windows.rb in a non-OS guarded code area. This change avoids uninitialized constant errors when compiling catalogs on non-Windows operating systems. PUP-11319
Puppet agent downloads all plugins after updating
Puppet 6.25.0 and 7.12.0 introduced a regression which caused a newly upgraded agent to download all of its plugins. Now the agent performs a single node request to resynchronize its environment with the server. PUP-11328
Puppet 7.12.0
Released October 2021.
We would like to thank the following Puppet community members for their contributions to this release: natemccurdy.
Enhancements
Support for AlmaLinux 8 (x86_64)
This release adds support for AlmaLinux 8 (x86_64). PUP-11242
Support for Rocky Linux 8 (x86_64)
This release adds support for Rocky Linux 8 (x86_64). PUP-11231
Faster iterative functions
This release reduces the time it takes to type check arguments passed to blocks of iterative functions, such as reduce and merge. PUP-9561
Resolved issues
The autoloader is confused by short Windows paths
This release fixes a regression that prevented Puppet from running when the current working directory was a short Windows path (8.3). PUP-11184
Superclass mismatch causes regression
A performance patch and require_relative caused a regression on systems where Ruby paths included symlinks. This release reverts the performance patch on *nix systems. PA-4037
Default timeout ignores Windows services
Previously, default timeouts caused issues on Windows when services took longer than 10 seconds to change state. You can now specify the default timeout value for syncing service properties. PUP-10925
User attributes ignores forcelocal
This release fixes an issue where setting forcelocal => true on a user resource checked the resource's home and shell attributes against their values from the directory service provider. Contributed by Puppet community member natemccurdy. PUP-11241
Puppet fails to install packages on Solaris if another pkg install is running
Installing packages on Solaris with the pkg command does not work if another instance of pkg is already running. Now Puppet tries the install command 5 times, and only fails if the package cannot be installed. PUP-11208
The facter_interactive.bat and run_facter_interactive.bat files are missing
This release packages the missing facter_interactive.bat and run_facter_interactive.bat files on Windows. These files already existed in the repository, but they were not packaged in the MSI. PA-3700
The concat module ignores the ENC environment
This release fixes an issue where an ENC-specified environment was not pushed during a Puppet run. This caused indirector requests with no specified environment to default to using an incorrect environment. PUP-11265
Util::JSON.dump receives non-hash options
Previously, Puppet's /puppet/v3/file_metadatas REST API failed if the multi_json gem was uninstalled or when it was running puppetserver from source. PUP-11237
Puppet 7.11.0
Released September 2021.
New features
The write-catalog-summary setting
This release adds the write_catalog_summary setting to control whether the resources.txt and classes.txt files are written to disk after applying a catalog. By default, puppet agent and puppet apply behave the same as before — puppet agent writes the files, and puppet apply does not. PUP-1042
Enhancements
Support for Ubuntu 18.04 aarch64
This release adds support for Ubuntu 18.04 aarch64. PUP-11162
Lower memory consumption in Ruby files
This release lowers memory consumption by 10%. PUP-11232
Support for multiple Facter implementations
You can now register a Facter implementation when initializing Puppet via the Puppet.initialize_settings. PUP-11216
Facter.value replaced by Puppet.runtime[:facter]
This release replaces calls to Facter.value with calls to Puppet.runtime[:facter], and removes require 'facter'. PUP-11217
OpenSSL updates
- On windowsfips-2012r2-x64, OpenSSL 1.0.2 has been patched for CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841 and CVE-2021-3712 - PA-3976
- On redhatfips-7-x86_64, OpenSSL has been bumped to 1.1.1k and patched for CVE-2021-3712 and CVE-2021-3711 - PA-3974
- On all other platforms, OpenSSL has been bumped to 1.1.1l - PA-3925
Resolved issues
Puppet agent does not save local copy of last_run_report.yaml
The agent now saves a local copy of its last run report, even if it fails to submit the report to the primary Puppet server. PUP-6708
A lookup fails if lookup_options is empty
Previously, when lookup_options were defined at the global or environment layer, and the module defined an empty hash, the compilation failed. This is now fixed and the empty hash is ignored. PUP-10890
User resource not removing password on AIX agents
This release fixes an issue where deleting an AIX user with Puppet would not clean up the user's password. PUP-11190
User resource unable to remove the home directory when set to absent in AIX
This release fixes an issue where the user home directory was not removed when managehome was set to true. PUP-11170
Puppet sends warning for BOM and US-ASCII encoding
This release removes BOM for non-UTF encoding and its warnings. ASCII characters are single bytes, which means there is no need for a BOM to detect byte ordering (LSB/MSB). PUP-11196
The puppet resource --to_yaml emits class tags
This release stops the resource --to_yaml command emitting Puppet class tags, such as Puppet::Util::Execution::ProcessOutput, by ensuring that the PScalarDataType only checks the instance of String, and not other subclasses. PUP-10105
Puppet 7.10.0
Released August 2021.
Enhancements
Scripts file serving mount
When using Puppet APIs to load file content and metadata, you can access files in the scripts/ directory of a module using the scripts file mount. PUP-11187
Load Task files from scripts
Tasks can now load files from the scripts mount. PUP-11200
Cleaned up ext/ directory
This release removes unused files from the ext/ directory used by upstream Linux and Solaris packages. PUP-10685
Exec type's onlyif and unless in --noop documented
This release documents the noop behavior of the onlyif and unless parameters of the exec resource. PUP-11199
Option to enable long filename support in the Windows MSI installer
This release updates the MSI installer for Puppet agent to enable long filenames either through a checkbox in the installer or by setting the ENABLE_LONG_PATHS=true option in the command line. PA-3843
Settings to check fact limits
Each setting has a default limit, and if that is exceeded, Puppet emits a warning message. If the default limit is set to 0, Puppet does not emit a warning. The new settings include:
- fact_name_length_soft_limit (2560 bytes): The soft limit for the length of a fact name.
- fact_value_length_soft_limit (4096 bytes): The soft limit for the length of a fact value.
- top_level_facts_soft_limit (512): The soft limit for the number of top level facts.
- number_of_facts_soft_limit (2048): The soft limit for the total number of facts.
- payload_soft_limit (16 MB): The soft limit for the size of the fact hash after it is encoded. PUP-11088
RHEL9 support for services
Puppet now uses systemd as the default service provider for EL 9 variants, such as Red Hat or CentOS Stream. PUP-11168
Deprecations and removals
Support for Fedora 30 (x86_64) removed
This release removes support for Fedora 30 (x86_64). PUP-11092
Support for Fedora 31 (x86_64) removed
This release removes support for Fedora 31 (x86_64). PUP-11093
Support for MacOSX 10.14 (x86_64) removed
This release removes support for MacOSX 10.14 (x86_64). PUP-11094
Resolved issues
An environment reloaded during a single compilation could fail
Previously, Puppet Server could reload an environment while it was being used to compile a catalog. If translations were enabled (Puppet[:disable_i18n] set to false), compilation could fail. Now Puppet Server prevents environments from being reloaded while they are in use, and instead reloads the environment the next time it is requested. PUP-11158
Catalog failure on first run due to pluginsync and environment switch
Previously, an agent failed its run if it switched to a new environment where the manifests relied on a fact that only existed in the new environment. Now the agent redirects to the server-specified environment and the run continues using that environment. PUP-9570
Changes to current working directory when listing modules
Puppet Server and agent no longer change their current working directories when listing modules in an environment directory. PUP-11166
Static catalogs not working for file resources when versioned_deploys is enabled
Previously, when :versioned_environment_dirs was set to true, catalog compilation failed to add metadata for static catalog file resources; this meant that an agent receiving a catalog would not attempt to request that static file content. This has been fixed and the metadata is now correctly added to the catalog when :versioned_environment_dirs is set to true. PUP-11169
Agent cannot compile catalog if it specifies a non-existent environment in puppet.conf
This release fixes an issue that caused the agent run to fail if the agent requested an environment that did not exist on the server — even when the classifier controlled the environment. PUP-6802
Rich data types can corrupt the transaction store
This release fixes an issue that prevented Puppet from reporting corrective changes when using rich data types such as Deferred, Binary, and Sensitive. PUP-10820
Environment caches string and symbol environment names differently
This release fixes an issue that resulted in Puppet caching duplicate copies of an environment. PUP-10955
Failure to fetch node definition results in bad pluginsync and cascading failure
Previously, Puppet agents would make a node definition request to the server to find out the correct environment to run in. This request has now been removed, and the agent saves its last used environment in the last_run_summary.yaml file. If the environment is not set in the CLI or config, agents attempt to use the environment in last_run_summary.yaml — only if the previous run had an agent/server environment mismatch. PUP-10216
Puppet.lookup(:current_environment) is wrong if the environment changes during convergence
This release fixes an issue where an old environment could be used if the environment had changed due to pluginsync. PUP-10308
User resource exposes hashed password when changing password or adding a user
Previously, when managing passwords with the useradd provider, the password hash appeared when listing running processes. Now the password is set with the chpasswd command that uses stdin to receive the password from a temporary file, so it no longer appears in the process list. PUP-3634
The launchd service provider fails if a parsable but invalid LaunchAgent or LaunchDaemon plist file exists
This release fixes an issue where the launchd service provider failed if a parsable but invalid LaunchAgent or LaunchDaemon plist file exists. PUP-11164
The pkg provider cannot unhold and update package in the same run
Previously, the pkg package provider was unable to handle manifests where a package was updated and marked as unhold at the same time. This is now fixed. PUP-10956
Undefined method '[]' for nil:NilClass when handling SemanticPuppet::Dependency::UnsatisfiableGraph
Previously, the puppet module install command broke when dependencies could not be resolved. Puppet now emits an error message instead. PUP-11172
Puppet 7.9.0
Released July 2021.
We would like to thank the following Puppet community members for their contributions to this release: cocker-cc
Enhancements
Support for HTTPS as a package source
Puppet now supports installing .exe packages on Windows using HTTPS as a package source. PUP-3317
The puppet ssl show command prints custom object identifiers (OID)
The puppet ssl show command now shows the names of certificate extensions containing custom OIDs — when the trusted_oid_mapping_file exists. This functionality used to exist in the puppet cert print command. PUP-11120
Updated argument error message
If you call a function with an argument Puppet does not accept, the error message provides a list of acceptable function signatures. PUP-7792
Updated error message for incorrect module name
If the author component of a module name is omitted, the puppet module install <author-module> command provides a name suggestion in the error message. PUP-10641
Puppet reports the license gem on Apache
Puppet now reports the Apache 2.0 license when installed as a gem. PUP-11118
Support for Debian 11 Bullseye amd64
This release adds support for Debian 11 Bullseye amd64. PUP-11030
macOS puppet-agent code-signs executables
The macOS puppet-agent AIO packages now provide code-signed executables for puppet and pxp-agent. PA-3756
Solaris OpenSSL patching replaced with compiler arguments
This release adds AES CTR-DRBG performance improvements to Puppet’s vendored OpenSSL. PA-3698
The empty function accepts Sensitive data types
The empty function now accepts Sensitive data types, which allows you to test a Sensitive variable that is neither nil nor empty. For example, a variable in an ERB template. Contributed by Puppet community member cocker-cc. PUP-11124
The unwrap function accepts Any data type
The unwrap function now accepts the Any data type. This means that the component modules, such as puppetlabs-postgresql, can migrate to using Sensitive values, while still accepting non-Sensitive values. You do not need to special case when unwrapping the value. Contributed by Puppet community member cocker-cc. PUP-11123
The exec provider supports commands as an Array
When a command is an Array of Strings, passed as [cmdname, arg1, ...], it is now executed directly instead of being passed to the standard shell. This is supported for the following exec parameters: command, onlyif, unless, refresh.
Note that onlyif and unless already accept multiple commands as an Array, so you need to pass the value as an Array of Arrays to use this new behaviour. PUP-5704
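The difference matters most when part of the command comes from data such as Hiera, facts or an ENC. The following added example (not from the release notes) puts the String form beside the Array form described above; the resource titles, paths and $archive_name value are hypothetical.

```puppet
# Added example: titles, paths and $archive_name are hypothetical.
# $archive_name stands in for a value that arrives as data and must never be
# interpreted as shell syntax. The value below is a constructed sample.
$archive_name = 'nightly 2021-07;v2.tar.gz'

# String form: the whole line is handed to the standard shell, so the space
# splits the file name into two arguments and the ';' ends the command early.
exec { 'verify-archive-string-form':
  command => "/usr/bin/tar -tzf /var/backups/${archive_name}",
}

# Array form: [cmdname, arg1, ...] is executed directly. Each element reaches
# tar as exactly one argument, whatever characters it contains.
exec { 'verify-archive-array-form':
  command => ['/usr/bin/tar', '-tzf', "/var/backups/${archive_name}"],
  # onlyif and unless already treat a flat Array as a list of separate
  # commands, so a single directly executed command needs an outer Array.
  onlyif  => [['/usr/bin/test', '-f', "/var/backups/${archive_name}"]],
  unless  => [['/usr/bin/test', '-f', '/var/backups/.verified']],
}
```

Shell features such as pipes, redirection and globbing are not available in the Array form, so commands that depend on them need to be restructured rather than converted one-to-one.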
Embedded Ruby (ERB) templates allow a leading Byte Order Mark (BOM)
Previously, when a template contained a BOM, it was preserved by the template function and included in the resulting file or PowerShell command. Puppet now passes the bom option when reading the file, removing the BOM as it is read. PUP-8243
Resolved issues
Puppet Module Tool (PMT) does not install a module when module_working_dir contains backslashes
This release fixes an issue that prevented the puppet module install command working on Windows when module_working_dir contained backslashes, for example, C:\modules. PUP-4884
Node resource names are overlapping with other resources
Previously, if a node statement had the same name as the included class, Puppet ignored the class, as it thought it had already been included. This issue is now fixed. PUP-3995
Puppet fails if the setting value is numbers
Puppet settings can now contain all numbers, for example, certname=000000000180. PUP-7785
The Puppet user type does not honor purge_ssh_keys: false
Puppet no longer emits a warning if the purge_ssh_keys parameter for the user type is set to false (the default) and the sshkeys_core module is not installed. PUP-11131
The --extra cli option is not functional
The puppet help command no longer displays the --extra command line option. PUP-8700
The parsedfile provider produces an undefined method each for nil:NilClass
Puppet now prints an error if a parsedfile provider returns nil, for example, when using the nagios_core module. PUP-9369
Unclear error message if user or group providers are not suitable
Puppet now prints a more detailed error message if the user or group providers are not functional. PUP-9825
The Puppet::Resources.search method fails when conditions are provided
This release fixes an issue that prevented the Puppet::Resource.indirection.search method from accepting conditions when filtering results. PUP-7799
Repository error message URL is missing part of the path
Previously, the puppet module command reported an incorrect URL in the error message when the module_repository setting was overridden. This is now fixed. PUP-8650
The desired_value file mode is reported without leading zeros
Puppet now reports file modes with a leading zero in the desired_value field (for example, 0755), which is consistent with the previous_value. PUP-7493
Filebucket fails when using a non-default environment from the server
The filebucket application no longer requires an environment to exist locally. PUP-10796
Unable to load PKey.read with private keys
Puppet agent now loads private keys in the PKCS#8 format. PUP-11082
Cached environments are not deleted when the directory is removed
Puppet now removes environments that are no longer on disk. PUP-11129
Unable to run the puppet resource command when the environment is specified
Previously, running puppet resource on the agent with an invalid environment would fail. With this release, the application falls back to the default environment, if the specified one does not exist. PUP-6554
Puppet prints unnecessary errors in debug
Puppet no longer prints an unnecessary error message when resolving account names to security identifiers on Windows. PUP-10967
Setting age=0 on a tidy resource does not remove all files
Previously, the age parameter of the tidy resource only removed files older than those specified. This is now fixed and Puppet removes all files. PUP-11079
The agent_specified_environment fact is not populating
This release fixes an issue where the agent_specified_environment fact did not populate when the environment was set in the [agent] section. This is now fixed and populates in the following order: CLI, agent section, main section. PUP-6801
pip ensure=>latest fails with pip>=20.3.0
In version 20.3b1, pip removed the ability to list available versions of a package. This release adds the --use-deprecated=legacy-resolver argument so that you can query available versions. PUP-11029
The pxp-agent does not use the wrapper script
The pxp-agent service script on the AIX, OSX, and Solaris platforms now manipulates the service using the wrapper script located in /opt/puppetlabs/bin/pxp-agent, which cleans up the linker environment before calling the actual environment. This prevents failures due to incompatible libraries being loaded. To modify the pxp-agent linker environment, directly call the pxp-agent binary, for example, /opt/puppetlabs/puppet/bin/pxp-agent. PCP-890
Puppet 7.8.0
Released June 2021.
Enhancements
Support for Ruby 3
Puppet adds experimental support for Ruby 3 and is now tested in CI. PUP-11076
Improve enable=delayed_start error message
This release improves an error message to properly convey that you cannot set a systemd service to delayed_start on operating systems other than Windows. PUP-11062
Ruby support long paths on Windows
This release adds the following patch into the Puppet Agent vendored Ruby. The patch implements long path support on Windows. PA-3759
Bump semantic_puppet version to 1.0.4
This release bumps semantic_puppet to version 1.0.4 in order to support Ruby 3. PA-3827
Bump curl to 7.77.0
This release bumps the curl dependency to 7.77.0. PA-3762
Support for Fedora 34 FOSS
This release adds support for Fedora 34 (64-bit package) FOSS. PA-3600
Resolved issues
NIM provider used very restrictive regular expressions
Previously, the NIM provider only allowed numbers when parsing RPM release tags and didn't accept bff (installp) packages marked as security updates in the header. In this release, Puppet allows installation of such packages. PUP-3631
Sensitive instances shared the same value yet weren’t equal
Previously, two Sensitive instances failed to compare as equal, despite sharing the same underlying strings. In this release, comparisons such as $a = Sensitive("secret"); $b = Sensitive("secret"); notice($a == $b) now return true. PUP-11061
User keychains were inaccessible to Puppet Agent
Previously, user keychains were inaccessible to Puppet Agent if you ran Puppet Agent through the macOS daemon. This bug is now fixed. PUP-11081
SemVer datatype components failed to pass as hash or argument list
Previously, the build or prerelease components of the SemVer datatype failed to pass as a hash or list of arguments. This bug is now fixed. PUP-11077
Nil vertices caused resource management errors
Previously, managing resources that call the generate method failed when using the puppet resource subcommand, due to the presence of a nil vertex in the catalog. To fix this bug, Puppet can no longer add nil vertices to the catalog. PUP-11074
Puppet returned an error when specifying the purge_ssh_keys parameter
Previously, Puppet returned an error if you specified the purge_ssh_keys parameter for a user resource that didn’t previously exist. To fix this bug, Puppet prioritizes the ensure property of a user before the purge_ssh_keys parameter. PUP-11067
Puppet cannot change/set new user passwords on macOS Big Sur
Previously, you could not set or change the password of a new user created on macOS Big Sur. This bug is now fixed by ensuring the ApplicationAuthority field exists whenever you create a new user. PUP-11026
Puppet returned an error when creating new users on macOS 10.14
Previously, if you created a new user on macOS 10.14, Puppet returned an Operation not permitted @ rb_sysopen error. This bug is now fixed. PUP-11095
Masking service failed
Previously, Puppet failed to mask a systemd service that did not exist. This bug is now fixed. PUP-10974
Puppet 7.7.0
Released June 2021.
We would like to thank the following Puppet community members for their contributions to this release: tobias-urdin and nmaludy.
Enhancements
Puppet loads internal files using the require_relative method
When loading internal files, Puppet now uses the require_relative method, eliminating thousands of file system calls. This accounts for between 5 and 15% of the total number of file system calls for different platforms. PUP-11055
Case sensitive parameter for the fqdn_rand() function
The fqdn_rand() function now accepts an optional parameter to downcase the FQDN fact, so that the function's result is not case sensitive. You must pass the parameter after the seed string, for example, fqdn_rand(100, 'expensive job 1', true). By default, the function remains case-sensitive. PUP-10922
File limit with the max_files parameter
By default, the file and tidy resource types generate a warning on the Puppet Enterprise (PE) console and report when Puppet tries to manage more than 1000 files with the recurse parameter set to true. The file and tidy resource types now support a new parameter, max_files, that enforces a hard limit. If the number of recursive files is greater than the limit, the agent run fails. You can set the max_files parameter to -1 to disable the warning. PUP-10946
Improved Ruby performance
This release improves the performance of Ruby, resulting in the following changes:
Support for macOS 11 and Red Hat 8 Power
This release adds support for macOS 11 Big Sur (64-bit packages only) and Red Hat 8 on IBM Power. PA-3529, PA-3612.
Resolved issues
Ruby 3 freezes CHILD_STATUS and cannot be stubbed
This release eliminates the usage of the $CHILD_STATUS global variable in the built-in service and package providers. PUP-11048
Ruby 3 removed URI.escape/unescape
This release eliminates calls to URI.escape/unescape, which was deprecated in Ruby 2.x and removed in Ruby 3. PUP-11046
Agent failures with server_list
Previously, when Puppet processed server_list and tried to find a functional server, it threw an error if it could not connect, causing the agent to fail. This is now fixed. PUP-10844
Puppet does not specify SELinux filetype when getting the default context
Previously, Puppet created files with the wrong default SELinux context, which was only corrected after a subsequent Puppet run. This is now fixed. Contributed by Puppet community member tobias-urdin. PUP-7559
Unable to mask a static systemd service
This release fixes an issue where the systemd provider did not mask static systemd services. Contributed by Puppet community member nmaludy. PUP-11034
Unable to update UserRightAssignment
Previously, validating the logonaccount and logonpassword parameters for the service resource on Windows failed too early. This release moves the parameters further down the catalog compilation order list to avoid early errors. PUP-10999
PUPPET_SERVER MSI install property does not work
Previously, using PUPPET_SERVER as an MSI property did not set the server setting. This is now fixed. PA-3667
Puppet 7.6.1
Released April 2021.
We would like to thank the following Puppet community members for their contributions to this release: gcampbell12.
Enhancements
Puppet module type scripts directory
This release adds a new subdirectory to the scripts/ module class. It automatically generates the functions in the class and retrieves the available scripts. This helps to standardize specific file loading from either the files directory or scripts directory. PUP-10996
Backport logic to detect migrated CA directory location
After migrating the CA directory, Puppet now reports the correct cadir setting value. PUP-11004
Curl bumped to 7.76.0
This release bumps Curl to 7.76.0, fixing the following CVEs:
Ruby bumped to 2.7.3
This release bumps Ruby to 2.7.3, fixing the following CVEs:
Resolved issues
Race condition with agent_disabled_lockfile
This release fixes a race condition that caused the agent to become disabled and no longer enforce desired state. Contributed by Puppet community member gcampbell12. PUP-11000
User resource with forcelocal and groups attributes set fails if /etc/group contains empty lines
This release fixes an issue where Puppet failed when applying user resources with forcelocal if there were empty lines in /etc/group. PUP-10997
Unable to install gems with the puppet_gem provider on Windows
Previously, if you used Puppet as a library, environment.bat was not sourced and led to an unset PUPPET_DIR. As puppet_gem relied on this to build the gem.bat path, it used a non-existing path, making this provider unsuitable. This release updates the puppet_gem provider to use Gem.default_bindir, which determines the location of the executables. To avoid accidental usage of the puppet_gem provider with system Ruby, we have also added a confine to the aio_agent_version fact. PUP-10964
Changing a Puppet setting in a catalog invalidates the environment cache in multithreaded mode
You can now change the value of Puppet's rich_data setting at runtime, without it invalidating the environment cache. PUP-10952
Puppet cannot parse systemd instances when list-unit-files output has an additional column
This release fixes an issue affecting the parsing of systemd service instances caused by a change in the systemctl list-unit-files command output. PUP-10949
Cannot ensure dnfmodule with no default profile
Previously, using the dnfmodule provider to install a module with no default profile, without passing the enable_only parameter, failed with newer versions of DNF. PUP-11024
Puppet 7.5.0
Released March 2021.
New features
The puppet ssl show command
The puppet ssl show command prints the full-text version of a host's certificate, including extensions. PUP-10888
The ciphers setting
The ciphers setting configures which TLS ciphersuites the agent supports. The default set of ciphersuites is the same, but you can now make the list of ciphersuites more restricted, for example, to only accept TLS v1.2 or greater ciphersuites. PUP-10889
The GlobalSignRoot CA R3
This release adds the GlobalSignRoot CA R3 certificate for rubygems.org. PA-3525
Resolved issues
The splat operator in a virtual query is not supported
This release fixes a regression in Puppet 7.x that prevented the splat operator from being used to override resource attributes in a resource collector. PUP-10951
Windows package provider continues to read DisplayVersion key after it is embedded NULL
Previously, Puppet would not stop reading the registry at the correct WCHAR_NULL because it was encoded to UTF-16LE, causing Puppet to read bad data and fail. This is now fixed. PUP-10943
Listing environments during code deploys prevents environment cache invalidation
Previously, catalog compilations for a newly created environment directory could fail if the environment was listed while the directory was being created. This issue only occurred when using an environment_timeout value greater than 0 and less than unlimited. This is now fixed. PUP-10942
Syntax error in previously valid Puppet code due to removal of keywords
The application, consumes, produces and site application orchestration keywords were previously removed from the reserved keywords list, causing syntax errors in Puppet code. This is now fixed. PUP-10929
Retrieve SID for users under APPLICATION PACKAGE AUTHORITY
A known issue with LookupAccountNameW caused Puppet to fail when managing Windows users under APPLICATION PACKAGE AUTHORITY with fully qualified names. This is now fixed and an account name sanitization step has been added to prevent faulty queries. PUP-10899
Retrieving the current user with the fully-qualified username fails on Windows
Previously, retrieving the current username SID on Windows caused Puppet to fail in certain scenarios, for example, when the user was a secondary domain controller. This release adds a fallback mechanism that uses the fully qualified domain name for lookup. PUP-10898
Puppet 7.4.1
Released February 2021.
Resolved issues
Puppet users with forcelocal are no longer idempotent
This release fixes a regression where setting the gid parameter on a user resource with forcelocal was not idempotent. PUP-10896
Puppet 7.4.0
Released February 2021.
New features
New --timing option in puppet facts show
This release adds a --timing option in the puppet facts show command. This flag shows you how much time it takes to resolve each fact. PUP-10858
Resolved issues
User resource with forcelocal uses getent for groups
The useradd provider now checks the forcelocal parameter and gets local information on the groups (from /etc/group) and gid (from /etc/passwd) of the user when requested. PUP-10857
Slow Puppet agent run after upgrade to version 6
This release improves the performance of the apt package provider when removing packages by reducing the calls to apt-mark showmanual. PUP-10856
The apt provider does not work with local packages
The apt package provider now allows you to install packages from a local file using the source parameter. PUP-10854
The puppet facts show --value-only command displays a quoted value
Previously, the puppet facts show --value-only <fact> command emitted the value as a JSON string, which included quotes around the value, such as "RedHat". It now only emits the value. PUP-10861
Puppet 7.3.0
Released January 2021.
New features
The serverport setting
The serverport setting is an alias for masterport. PUP-10725
Enhancements
Multiple logdest locations in puppet.conf accepted
You can set multiple logdest locations using a comma separated list. For example: /path/file1,console,/path/file2. PUP-10795
The puppet module install command lists unsatisfiable dependencies
If the puppet module install command fails, Puppet returns a more detailed error, including the unsatisfiable module(s) and its ranges. PUP-9176
New --no-legacy option to disable legacy facts
By default, puppet facts show displays all facts, including legacy facts. This release adds a --no-legacy option to disable legacy facts when querying all facts. PUP-10850
Resolved issues
The puppet apply command creates warnings
This release eliminates Ruby 2.7.x warnings when running puppet apply with node statements. PUP-10845
Remove Pathname#cleanpath workaround
This release removes an unnecessary workaround when cleaning file paths, as Ruby 1.9 is no longer supported. PUP-10840
The allow * error message shown during PE upgrade
Puppet no longer prints an error if fileserver.conf contains allow * rules. It continues to print an error for all other rules, as Puppet's legacy authorization is no longer supported and is superseded by Puppetserver's authorization. PUP-10851
3x functions cannot be called from deferred functions in Puppet agent
This release allows deferred 3.x functions, like sprintf, to be called during a Puppet agent run. PUP-10819
Cached catalog contains the result of deferred evaluation instead of the deferred function
Puppet 6.12.0 introduced a regression that caused the result of a deferred function to be stored in the cached catalog. As a result, an agent running with a cached catalog would not re-evaluate the deferred function. This is now fixed. PUP-10818
puppet facts show fact output differs from facter fact
The output format is different between Facter and Puppet facts when a query for a single fact is provided. This is now fixed. PUP-10847
Issue with Puppet creating production folder when multiple environment paths are set
Previously, the production environment folder was automatically created at every Puppet run in the first search path, if it did not already exist. This release ensures Puppet searches all the given paths before creating a new production environment folder. PUP-10842
Puppet 7.2.0
This version of Puppet was never released.
Puppet 7.1.0
Released December 2020.
Enhancements
Reduced query time for system user groups
The time it takes to query groups of a system user has been reduced on Linux operating systems with FFI. The getgrouplist method is also available. PUP-10774
Log rotation for Windows based platforms
You can now configure the pxp-agent to use the Windows Event Log service by setting the logfile value to eventlog. PA-3492
Log rotation for macOS based platforms
This release enables log rotation for the pxp-agent on OSX platforms. PA-3491
Added server alias for routes.yaml
When routes.yaml is parsed, it accepts either server or master applications. PUP-10773
OpenSSL bumped to 1.1.1i
This release bumps OpenSSL to 1.1.1i. PA-3513
Curl bumped to 7.74.0
This release bumps Curl to 7.74.0. PA-3512
Resolved issues
The Puppet 7 gem is missing runtime dependency on scanf
This is fixed and you can now run module tests against the Puppet gem on Ruby 2.7. PUP-10797
The puppet node clean action LoggerIO needs to implement warn
In Puppet 7.0.0, the puppet node clean action failed if you had cadir in the legacy location or inside the ssldir. This was a regression and is now fixed. PUP-10786
Calling scope#tags results in undefined method
Previously, calling the tags method within an ERB template resulted in a confusing error message. The error message now makes it clear that this method is not supported. PUP-10779
User resource is not idempotent on AIX
The AIX user resource now allows for password lines with arbitrary whitespace in the passwd file. PUP-10778
Fine grained environment timeout issues
Previously, if the environment.conf for an environment was updated and the environment was cleared, puppetserver used old values for per-environment settings. This happened if the environment timed out or if the environment was explicitly cleared using puppetserver's environment cache REST API. With this fix, if an environment is cleared, Puppet reloads the per-environment settings from the updated environment.conf. PUP-10713
FIPS compliant nodes are returning an error
This release fixes an issue on Windows FIPS where Leatherman libraries loaded at the predefined address of the OpenSSL library. This caused the OpenSSL library to relocate to a different address, failing the FIPS validation. This is fixed and leatherman compiled with dynamicbase is disabled on Windows. PA-3474
User provider with uid/gid as Integer raises warning
This release fixes a warning introduced in Ruby 2.7 that checked invalid objects (such as Integer) against a regular expression. PUP-10790
Puppet 7.0.0
Released November 2020.
New features
The puppet facts show command
You can use the puppet facts show command to retrieve a list of facts. By default, it does not return legacy facts, but you can enable them with the --show legacy option. This command replaces puppet facts find as the default Puppet facts action. PUP-10644 and PUP-10715
JSON terminus for node and report
This release implements JSON termini for node and report indirection. The format of the last_run_report.yaml report can be affected by the cache setting key of the report terminus in the routes.yaml file. To ensure the file extension matches the content, update the lastrunreport configuration to reflect the terminus changes (lastrunreport = $statedir/last_run_report.json). PUP-10712
JSON terminus for facts
This release adds a new JSON terminus for facts, allowing them to be stored and loaded as JSON. Puppet agents continue to default to YAML, but you can use JSON by configuring the agent application in routes.yaml. Puppet Server 7 also caches facts as JSON instead of YAML by default. You can re-enable the old YAML terminus in routes.yaml. PUP-10656
Public folder (default location for last_run_summary.yaml)
There is a new folder with 0755 access rights named public, which is now the default location for the last_run_summary.yaml report. It has 640 file permissions. This makes it possible for a non-privileged process to read the file. To relax permissions on the last run summary, set the group permission on the file in puppet.conf to the following: lastrunsummary = $publicdir/last_run_summary.yaml { owner = root, group = monitoring, mode = 0640 }. Note that if you use tools that expect to find last_run_summary.yaml in vardir instead of publicdir, you might experience breaking changes. PUP-10627
The settings_catalog setting
To load Puppet more quickly, you can set the settings_catalog setting to false to skip applying the settings catalog. The setting defaults to true. PUP-8682
New numeric and port setting types
This release adds a new port setting type, which turns the given value to an integer, and validates it if the value is in the range of 0-65535. Puppet port can use this setting type. PUP-10711
MSI PUPPET_SERVER and alias
This release adds a new Windows Installer property called PUPPET_SERVER. You can use this as an alias to the existing PUPPET_MASTER_SERVER property. PA-3440
New GPG signing key
Puppet has a new GPG signing key. See verify packages for the new key.
Enhancements
Ruby version bumped to 2.7
The default version of Ruby is now 2.7. The minimum Ruby version required to run Puppet 7 is now 2.5. After upgrading to Puppet 7, you may need to use the puppet_gem provider to ensure all your gems are installed. PUP-10625
Default digest algorithm changed to sha256
Puppet 7 now uses sha256 as the default digest algorithm. PUP-10583
Gem provider installs gems in Ruby
The gem provider now installs gems in Ruby by default. Use the puppet_gem provider to reinstall gems in the Ruby distribution vendored in Puppet. For example, if custom providers or deferred functions require gems during catalog application. PUP-10677
FFI functions, structs and constants moved to a separate Windows module
To increase speed, we have moved FFI functions, constants and structures out of Puppet::Util::Windows. PUP-10606
Default value of ignore_plugin_errors changed from true to false
The default value for ignore_plugin_errors is now false. This stops Puppet agents failing to pluginsync. PUP-10598
Interpolation of sensitive values in EPP templates
Previously, if you interpolated a sensitive value in a template, you were required to unwrap the sensitive value and rewrap the result. Now the epp and inline_epp functions automatically return a Sensitive value if any interpolated variables are sensitive. For example: inline_epp("Password is <%= Sensitive('opensesame') %>"). Note that these changes just apply to EPP templates, not ERB templates. PUP-8969
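The following added example (not from the release notes) contrasts the manual unwrap and rewrap pattern with the automatic behaviour described above, and passes the result to a file resource. The variable names, target path and sample secret are hypothetical.

```puppet
# Added example: variable names, the path and the secret are constructed.
$db_password = Sensitive('opensesame')

# Before Puppet 7: unwrap the secret for the template, then wrap the rendered
# text again by hand. Forgetting the outer Sensitive() leaks the rendered
# text into the catalog, logs and reports as a plain String.
$rendered_by_hand = Sensitive(inline_epp(
  "password=<%= \$password %>\n",
  { 'password' => unwrap($db_password) }
))

# Puppet 7: pass the Sensitive value straight in. Because an interpolated
# value is Sensitive, inline_epp returns a Sensitive result on its own.
$rendered = inline_epp(
  "password=<%= \$password %>\n",
  { 'password' => $db_password }
)

file { '/etc/myapp/client.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  # Sensitive content is redacted in diffs, logs and reports.
  content => $rendered,
}
```

ERB templates do not get this treatment, so a template that handles secrets has to be an EPP template for the result to stay wrapped.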
sshkeys_core module bumped to 2.2.0
Puppet 7 bumps the sshkeys_core modules to 2.2.0 in the Puppet agent. PA-3473
Call simple server status endpoint
Puppet updates the endpoint for checking the server status to /status/v1/simple/server. If the call returns a 404, it makes a new call to /status/v1/simple/master, and ensures backwards compatibility. PUP-10673
Default value of disable_i18n changed from false to true
The default value for the disable_i18n setting has changed from false to true and locales are not pluginsynced when i18n is disabled. PUP-10610
Pathspec no longer vendored
The pathspec Ruby library is no longer vendored in Puppet. If you require this functionality, you need to install the pathspec Ruby gem. PUP-10107
Deprecations and removals
func3x_check setting removed
The func3x_check setting has been removed. PUP-10724
master_used report parameter removed
The deprecated master_used parameter has been removed. Instead use server_used. PUP-10714
facterng feature flag removed
The facterng feature flag has been removed. It is not needed anymore as Puppet 7 uses Facter 4 by default. PUP-10605
held removed from apt provider
The apt provider no longer accepts deprecated ensure=held. Use the mark attribute instead. PUP-10597
Method from DirectoryService removed
The deprecated DirectoryService#write_to_file method has been removed. PUP-10489
Method from Puppet::Provider::NameService removed
The deprecated Puppet::Provider::NameService#listbyname method has been removed. PUP-10488
Methods from TypeCalculator removed
The deprecated TypeCalculator.enumerable has been removed, and the functionality has been moved to Iterable. PUP-10487
Enumeration type removed
The deprecated Enumeration class has been removed, and its functionality has been moved to Iterable. PUP-10486
Puppet::Util::Yaml.load_file removed
The deprecated Puppet::Util::Yaml.load_file method has been removed. PUP-10475
Puppet::Resource methods removed
The following deprecated Puppet::Resource methods have been removed:
- Puppet::Resource.set_default_parameters
- Puppet::Resource.validate_complete
- Puppet::Resource::Type.assign_parameter_values
PUP-10474
legacy auth.conf support removed
The legacy auth.conf has been deprecated for several major releases. Puppet 7 removes all support for legacy auth.conf. Instead, authorization to Puppet REST APIs is controlled by puppetserver auth.conf. In addition, the allow and deny rules in fileserver.conf are now ignored and Puppet logs an error for each entry. The rest_authconfig setting has also been removed. PUP-10473
Puppet.define_settings removed
The deprecated Puppet.define_settings method has been removed. PUP-10472
Application orchestration language features removed
The deprecated application orchestration language features have been removed. The keywords application, site, consumes and produces, and the export and consume metaparameters, now raise errors. The keywords are still reserved, but can’t be used as a custom resource type or attribute name. The environment catalog REST API has also been removed, along with supporting classes, such as the environment compiler and validators. PUP-10446
Puppet::Network::HTTP::ConnectionAdapter removed
The Puppet::Network::HTTP::ConnectionAdapter has been removed, and contains the following breaking changes:
- The Client networking code has been moved to Puppet::HTTP.
- The Puppet::Network::HttpPool.http_instance method has been removed.
- The Puppet.lookup(:http_pool) has been removed.
- The deprecated Puppet::Network::HttpPool.http_instance and connection methods have been preserved.
PUP-10439
environment_timeout_mode setting removed
The environment_timeout_mode setting has been removed. Puppet no longer supports environment timeouts based on when the environment was created. In Puppet 7, the environment_timeout setting is always interpreted as 0 (never cache), unlimited (always cache), or from when the environment was last used. PUP-10619
Networking code from the parent REST terminus removed
The Networking code from the parent REST terminus has been removed, and is a breaking change for any REST terminus that relies on the parent REST terminus to perform the network request and process the response. The REST termini must implement the find, search, save and destroy methods for their indirected model. PUP-10440
Dependency on http-client gem removed
The dependency on the http-client gem has been removed. If you have a Puppet provider that relies on this gem, you must install it. PUP-10490
HTTP file content terminus removed
The HTTP file content terminus has been removed. It is no longer possible to retrieve HTTP file content using the indirector. Instead, use Puppet's builtin HTTP client: response = Puppet.runtime[:http].get(URI("http://example.com/path")). PUP-10442
Puppet::Util::HttpProxy.request_with_redirects removed
The Puppet::Util::HttpProxy.request_with_redirects method has been removed, and moves the Puppet::Util::HttpProxy class to Puppet::HTTP::Proxy. The old constant is backwards compatible. PUP-10441
Puppet::Rest removed
Puppet::Rest and Puppet::Network::HTTP::Compression have been removed. This change moves Puppet::Network::Resolver to Puppet::HTTP::DNS and deprecates Puppet::Network::HttpPool methods. PUP-10438
strict_hostname_checking removed
The deprecated strict_hostname_checking and node_name settings have been removed. The functionality of these settings is possible using explicit constructs within a site.pp or fully featured enc. PUP-10436
puppet module build, generate and search actions removed
The puppet module build, generate and search actions have been removed. Use Puppet Development Kit (PDK) instead. PUP-10387
puppet status application has been removed
The deprecated puppet status application has been removed. PUP-10386
The puppet cert and key commands removed
The non-functioning puppet cert and puppet key commands have been removed. Instead use puppet ssl on the agent node and puppetserver ca on the CA server. PUP-10369
SSL code, termini and settings removed
The following SSL code, termini and settings have been removed:
- Puppet::SSL::Host
- Puppet::SSL::Key
- Puppet::SSL::{Certificate,CertificateRequest}.indirection
- Puppet::SSL::Validator*
- ssl_client_ca_auth
- ssl_server_ca_auth
PUP-10252
The func3x_check setting has been removed
The setting to turn off func 3x API validation has been removed. Now all 3x functions are validated. PUP-9469
The future_features logic has been removed
The unused future_features setting has been removed. PUP-9426
The puppet man application has been removed
The puppet man application is no longer needed and has been removed. The agent package now installs man pages so that man puppet produces useful results. Puppet's help system (puppet help) is also available. PUP-8446
The execfail method from util/execution has been removed
The following deprecated methods have been removed:
- Puppet::Provider#execfail
- Puppet::Util::Execution.execfail
PUP-7584
The win32-process has been removed
The Puppet dependency on the win32-process gem has been removed. You can implement the functionality using FFI. PUP-7445
The win32-service gem has been removed
The dependency on the win32-service gem has been removed. Puppet uses its own Daemon class instead. PUP-5758
The win32-security gem has been removed from Puppet
To improve Puppet's handling of Unicode user and group names on Windows, some of the code interacting with the Windows API has been rewritten to ensure wide character (UTF-16LE) API variants are called. As a result, Puppet no longer needs the win32-security gem. Any code-based references to the gem have been removed. The gem currently remains for backward compatibility, but is to be removed in a future release. PUP-5735
The capability to install an agent on Windows 2008 and 2008 R2 has been removed
You can no longer install Puppet 7 agents on Windows versions lower than 2012. PA-3364
Support for Ruby versions older than 2.5 removed
Support for Ruby versions older than 2.5 has been removed, and Fixnum and Bignum have been replaced with Integer. PUP-10509
dir monkey-patch removed
The external dependency on the win32/dir gem has been removed, and CSIDL constants have been replaced with environment variables. PUP-10653
Master removed from docs
Documentation for this release replaces the term master with primary server. This change is part of a company-wide effort to remove harmful terminology from our products. For the immediate future, you’ll continue to encounter master within the product, for example in parameters, commands, and preconfigured node groups. Where documentation references these codified product elements, we’ve left the term as-is. As a result of this update, if you’ve bookmarked or linked to specific sections of a docs page that include master in the URL, you’ll need to update your link.
Resolved issues
Puppet agent installation fails when msgpack is enabled on puppetserver
Previously, the agent failed to deserialize the catalog and failed the run if the msgpack gem was enabled but not installed. Now the agent only supports that format when the msgpack gem is installed in the agent's vendored Ruby. PUP-10772
Puppet feature detection leaves Ruby gems in a bad state
This release fixes a Ruby gem caching issue that prevented the agent from applying a catalog if a gem was managed using the native package manager, such as yum or apt. PUP-10719
Puppet 6 agents do not honor the usecacheonfailure setting when using server_list
Previously, when server_list was used and no server was accessible, the Puppet run failed even if usecacheonfailure was set to true. Now Puppet only fails if usecacheonfailure is set to false. PUP-10648
Setting certname in multiple sections bypasses validation
Previously, Puppet only validated the certname setting when it was specified in the main section, but not if the value was in a non-global section such as agent. As a result, it was possible to set the certname setting to a value containing uppercase letters and prevent the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which section the value is specified in. PUP-9481
Issues caused by backup to the local filebucket
By default, Puppet won’t back up files it overwrites or deletes to the local filebucket, due to issues where it became unbounded. You can re-enable the local filebucket by setting File { backup => 'puppet' } as a resource default. PUP-9407
Remove future feature flag for prefetch_failed_providers in transaction.rb
If a provider prefetch method raises a LoadError or StandardError, the resources associated with the provider are marked as failed, but unrelated resources are applied. Previously this behavior was controlled by the future_features flag, and disabled by default. PUP-9405
Change default value of hostcsr setting
The default value of the hostcsr setting has been updated to match where Puppet stores the certificate request (CSR) when waiting for the CA to issue a certificate. PUP-9346
Refactor the SMF provider to implement enableable semantics
Previously, the SMF provider did not properly implement enableable semantics. Now enable and ensure are independent operations where enable handles whether a service starts or stops at boot time, and ensure handles whether a service starts or stops in the current running instance. PUP-9051
The list of reserved type names known to the parser validator is incomplete
A class or defined type in top scope can no longer be named init, object, sensitive, semver, semverrange, string, timestamp, timespan or typeset. You can continue to use these names in other scopes such as mymodule::object. PUP-7843
Export or virtualize class error
Previously, Puppet returned a warning or error if it encountered a virtual class or an exported class, but it still included resources from the virtual class in the catalog. Now Puppet always errors on virtual and exported classes. PUP-7582
Puppet::Util::Windows::String.wide_string embeds a NULL char
This release removes a Ruby workaround for wide character strings on Windows. PUP-3970
puppet config set certname accepts upper-case names
Previously, the puppet config set command could set a value that was invalid, causing Puppet to fail the next time it ran or the service was restarted. Now the command validates the value before committing the change to puppet.conf. PUP-2173
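A pre-upgrade check for the settings changes in these notes, as an added example that is not Puppet's own code: it scans puppet.conf text for the settings these notes list as removed and for a certname containing uppercase letters in any section (PUP-9481, PUP-2173). The function name, the sample file and the lowercase-only comparison are assumptions made for illustration.

```ruby
# Added example: audit puppet.conf text for settings these notes list as
# removed, and for a certname containing uppercase letters in any section.
REMOVED_SETTINGS = %w[
  strict_hostname_checking node_name ssl_client_ca_auth ssl_server_ca_auth
  func3x_check future_features
].freeze

Finding = Struct.new(:line, :section, :setting, :problem)

# Returns an array of Finding for the given puppet.conf text.
def audit_puppet_conf(text)
  section = 'main' # assumption: settings before any [section] header count as main
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
      next
    end
    key, value = line.split('=', 2).map(&:strip)
    next if value.nil?
    if REMOVED_SETTINGS.include?(key) # exact match, so node_name_value is not flagged
      findings << Finding.new(lineno, section, key, 'listed as removed')
    elsif key == 'certname' && value != value.downcase
      # assumption: a valid certname is one with no uppercase letters
      findings << Finding.new(lineno, section, key, 'contains uppercase letters')
    end
  end
  findings
end

# Constructed sample, not taken from a real node.
SAMPLE_CONF = <<~CONF
  [main]
  server = puppet.example.com
  certname = web01.example.com
  strict_hostname_checking = true
  [agent]
  # a certname in a non-global section is checked as well
  certname = Web01.Example.com
  node_name_value = web01
  func3x_check = false
CONF

if __FILE__ == $PROGRAM_NAME
  audit_puppet_conf(SAMPLE_CONF).each { |f| puts f.to_a.join(' | ') }
end
```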
Unable to read last_run_summary.yaml from user
Puppet agent code now aligns with the new last_run_summary.yaml location. PA-3253