Upgrade cautions
These are the major changes to PE since the last long-term support release, 2021.7. Review these recommendations and plan accordingly before upgrading to this version.
Update puppet_agent
module to support AIX
If you use the puppet_agent
module and have the agent
installed on any AIX nodes, then before you
upgrade to PE 2023.y, you must ensure that
you are using puppet_agent
module version 4.18.0 or
later. This ensures that the puppet_agent
module
identifies the correct directory for AIX
resources and your AIX agents function as
expected.
r10k upgrade in PE 2023.4 and later
In PE 2023.4 and later, r10k is updated to version 4.0, which
includes new dependencies for Puppet 8. Before
attempting upgrade, review the following information and make any necessary changes
to your settings, Puppetfile
Ruby code, local repo permissions, and
known_hosts
file.
- Starting in PE 2023.4, if you use Code Manager or r10k, with SSH protocol for remote Git
repository access, you must set up SSH host key verification. Important: Omitting to set up SSH host key verification for Code Manager or r10k causes code management and deployment processes to fail.
To manage the
known_hosts
file and enable host key verification for Code Manager or r10k, you must define thepuppet_enterprise::profile::master::r10k_known_hosts
parameter with an array of hashes specifying"name"
,"type"
, and"key"
with your hostname, key type, and public key, respectively.For more information about how to set up SSH host key verification, see the following topics:- If you use Code Manager, see Enable Code Manager.
- If you use r10k as your code deployment tool, see Configure r10k.
- Starting in version 4.0, r10k no longer
accesses repos on local file systems not owned by the
pe-puppet
user. If you use r10k on the local file system, ensure that your control repo and module repos are owned by thepe-puppet
user. - Git-based modules no longer have a default reference such as
master
. Now, when pointing to Git-based modules, you must specify the branches or revisions. Alternatively, you can use the globaldefault_ref
setting to manually set your default reference. - By default, the
exclude_spec
setting is now set totrue
so that spec directories are automatically deleted from Git-based sources. - If you use your own Ruby install, note that r10k 4.0 drops support for Ruby versions 2.3, 2.4, and 2.5.
- The
purge_whitelist
setting has been removed. Instead, you can usepurge_allowlist
when manually configuring r10k 4.0. - The protected method
basedir
is removed from the Puppetfile@librarian
instance. Protected methods should no longer be used in Puppetfile. However, if you require a temporary workaround, you can use theenvironment_name
accessor.
Logback upgrades in PE 2023.4 and later
In PE 2023.4, logback is upgraded to version 1.3.7,
and in PE 2023.6 and later, it is upgraded to version
1.3.14. Using a Java argument, the logappender
variable is now set by default to F1
for all
projects. If you customize this setting, to avoid disruptions in logging, ensure
that all logappender
variable references are
correctly defined. Using invalid appender references or omitting to use a reference
causes logback versions 1.3.7 and 1.3.14 to stop logging.
Java 17 upgrade in PE 2023.0 and later
PE 2023.0 and later includes an upgrade from Java version 11 to version 17. With this upgrade, PE uses the G1 garbage collector by default, instead of Parallel.
Thoroughly test PE 2023.y in a non-production environment before upgrading if you customized PE Java services or you use plug-ins that include Java code.
FIPS-enabled PE 2023.0 and later can't use the default system cert store
FIPS-compliant builds running PE 2023.0 and later
can't use the default system cert store, which is used automatically with some
reporting services. This setting is configured by the report_include_system_store
Puppet parameter that ships with PE.
Removing the puppet-cacerts
file (located at /opt/puppetlabs/puppet/ssl/puppet-cacerts
) can allow a
report processor that eagerly loads the system store to continue with a warning that
the file is missing.
If HTTP clients require external certs, we recommend using a custom cert store
containing only the necessary certs. You can create this cert store by concatenating
existing pem
files and configuring the ssl_trust_store
Puppet parameter to point to the new cert
store.
Puppet upgrade in 2023.4 and later
PE 2023.4 introduced a new major version of Puppet. Consider the information presented here about changes in Puppet 8 that might impact your Puppet Enterprise installation, and plan accordingly before upgrading.
Legacy facts no longer collected or sent to Puppet Server
Puppet 8 completes the transition away from legacy facts, which were deprecated in Puppet 7. Starting in Puppet 8, legacy facts are no longer collected or sent to the Puppet Server. Instead of using legacy facts, which were written as key-value pairs, Puppet 8 now uses structured facts, which are array and hash data structures.
- If you have Puppet code containing legacy
facts, you can use the legacy_facts plugin in the
puppet-lint
tool to automatically convert any legacy facts that map to an exact equivalent structured fact. - If legacy facts are referenced in your Embedded Ruby (ERB) templates, your Embedded Puppet (EPP) templates, or in your Hiera configuration file, you must manually find those legacy facts and either remove them or replace them with exact or close equivalent structured facts.
- If you plan to use any of the
/v*/classified/nodes
endpoints, you must enter structured facts to obtain accurate results. - If unmappable legacy facts are included in any of your PE node group rules or in any Puppet code you use, you must manually remove those legacy facts or replace them with close equivalent structured facts. See the table below for more information.
The following table lists the unmappable legacy facts that cannot be automatically
converted by the PE classifier or the
legacy_facts
plugin in the puppet-lint
tool.
You can manually replace these unmappable legacy facts with their respective close
equivalent structured facts.
Unmappable legacy fact | Close equivalent structured facts |
---|---|
memoryfree_mb Returned a double specifying the size of the free system memory, in mebibytes. |
or
|
memorysize_mb Returned a double specifying the size of the total system memory, in mebibytes. |
or
|
swapfree_mb Returned a string specifying the size of the free swap memory, in mebibytes. |
or
|
swapsize_mb Returned a string specifying the size of the total swap memory, in mebibytes. |
or
|
blockdevices Returned a string containing all block devices separated by a comma. |
Can be replicated using puppetlabs/stdlib
and the following:
|
interfaces Returned a string containing all interfaces separated by a comma. |
Can be replicated using puppetlabs/stdlib
and the following:
|
zones Returned a string containing all zone names separated by a comma. |
Can be replicated using puppetlabs/stdlib
and the following:
|
sshfp_dsa Returned a string containing both the SHA1 and SHA256 fingerprint for the DSA algorithm. |
Can be replicated using the following string:
|
sshfp_ecdsa Returned a string containing both the SHA1 and SHA256 fingerprint for the ECDSA algorithm. |
Can be replicated using the following string:
|
sshfp_ed25519 Returned a string containing both the SHA1 and SHA256 fingerprint for the Ed25519 algorithm. |
Can be replicated using the following string:
|
sshfp_rsa Returned a string containing both the SHA1 and SHA256 fingerprint for the RSA algorithm. |
Can be replicated using the following string:
|
Strict mode enabled by default
strict=error
and strict_variables=true
settings in puppet.conf
. With these default settings, if your Puppet code does not
conform to strict rules, then catalog compilation fails with an error. To avoid
disruption, consider the following points and manually update your code where necessary.- Automatic type coercion is not allowed in strict mode. For example, a string
such as
“1”+1
in your Puppet code cannot be automatically converted to a numeric. For more information about automatic type coercion see, Automatic coercion in the Open Source Puppet documentation. - Unknown variables are not permitted with the default strict mode settings in
Puppet 8. For example, if you use modules
that contain unknown variables, catalog compilations will fail. Before
upgrading PE, review your
puppetserver.log
files and address the issues identified in any existing warnings about unknown variables. Resolving issues helps ensure that existing warnings do not become fatal errors after you run the upgrade. - If your Hiera code references legacy facts in top-level variables, then
those variables cannot be defined because Puppet agents no longer collect or send
legacy facts. When top-level variables are undefined, strict validation
causes Hiera lookups to fail. For example, when strict mode is enabled, a
lookup error occurs with the following
hierarchy:
To avoid Hiera lookup failures, replace the legacy fact with the equivalent structured fact as follows:hierarchy: - name: "osfamily" path: "%{osfamily}.yaml"
If a hierarchy currently references an optional fact, you must use thehierarchy: - name: "osfamily" path: "%{facts.os.family}.yaml".
facts
hash as follows to ensure that the Hiera lookup proceeds to the common layer when agents omit the fact:hierarchy: - name: "optional" path: "%{facts.optional}.yaml" - name: "common" path: "common.yaml".
- Click PE Agent.
- Select the Classes tab and locate the
puppet_enterprise::profile::agent
class. - From the Parameter name dropdown, select
and enterstrict
"warning"
as the value. - Click Add to node group and commit your changes.
- On the Puppet Server host, run
puppet config set strict warning --section main
. - Restart the
pe-puppetserver
service by runningsystemctl restart pe-puppetserver
.
strict_variables
setting to false
on all nodes that run pe-puppetserver
. You can do this by running the following tasks on the
Puppet Server
host:puppet task run puppet_conf \
--params '{"action":"set","setting":"strict_variables","value":"false"}' \
--query 'resources[certname] { type = "Class" and title = "Puppet_enterprise::Profile::Master" }
puppet task run service name=pe-puppetserver action=restart \
--query 'resources[certname] { type = "Class" and title = "Puppet_enterprise::Profile::Master" }'
hiera.yaml
files.
Otherwise, Hiera lookups will return corrupted data to compilers.Lazy resolution of deferred data types
In Puppet 7, Deferred
data types were
resolved eagerly at the beginning of the agent run. However, in Puppet 8, the Deferred
data type
instructs the agent to call functions dynamically during the Puppet run. This
functionality is particularly useful for tasks like retrieving a password from a
secret store over HTTPS and saving it in a configuration file.
During the Puppet run in Puppet 8, the agent sequentially executes deferred functions based on their order within resource declarations. If a deferred function requires any resources, like an SDK necessary to interact with a secret store, these dependencies can be automatically managed before the deferred function is executed.
After upgrading to Puppet 8, if you encounter Puppet run errors due to resource compatibility
issues in your Puppet code, you can turn on the
preprocess_deferred
setting so the agent calls
deferred functions and identifies dependency errors before a Puppet run starts.
To turn on the preprocess_deferred
setting:
- In the PE console, click PE Agent.
- Select the Classes tab and locate the
puppet_enterprise::profile::agent
class. - From the Parameter name dropdown, select
preprocess_deferred
and entertrue
as the value. - Click Add to node group and commit your changes.
Ruby version upgrade
The upgrade to Ruby 3.2 in Puppet 8 might result in compatibility issues that affect Puppet extensions in your code. To check compatibility, use the latest version of PDK to update and test your modules.
OpenSSL version upgrade
Puppet 8 includes OpenSSL 3.0. This upgrade might result in compatibility issues when the agent is connecting to other servers in your environment. To avoid SSL errors, ensure that the OpenSSL version used by your servers is updated to OpenSSL 3.0.
Hiera 3 gem removed
All deprecated Hiera 3 functionality is implemented in Hiera 5, which is included in Puppet 8. If your PE infrastructure relies on a custom Hiera 3 backend, you must manually install the Hiera 3 gem on all Puppet Server hosts or convert your backend to Hiera 5. For further information, see Upgrading to Hiera 5.
PSON removed
In previous releases, Pure JavaScript Open Notation (PSON) was used in Puppet to serialize data for transmission. PSON was deprecated in Puppet 7 and is removed in Puppet 8.
Platforms removed in 2023.0 and later
Platforms that were previously deprecated have been removed in PE 2023.0 and later.
Before upgrading, remove the pe_repo::platform
class for
these operating systems from the PE Master node group in the
console, and from your code and Hiera.
- Platforms removed in 2023.0
- Removed primary server platforms
- CentOS 8
- Removed agent platforms
- CentOS 8
- Removed client tools platforms
- No client tools platforms removed.
- Removed patching platforms
- Debian 9