Puppet 5.5 Release Notes
This page lists the changes in Puppet 5.5 and its patch releases. You can also view known issues in this release.
Puppet’s version numbers use the format X.Y.Z, where:
- X must increase for major backward-incompatible changes
- Y can increase for backward-compatible new functionality or significant bug fixes
- Z can increase for bug fixes
If you’re upgrading from Puppet 4.x
Read the Puppet 5.0.0 release notes, because they cover breaking changes since Puppet 4.10.
Read the Puppet 5.1, Puppet 5.2, Puppet 5.3, and Puppet 5.4 release notes, because they cover important new features and changes since Puppet 5.0.
Also of interest: the Puppet 4.10 release notes and Puppet 4.9 release notes.
Puppet 5.5.22
Released 20 October 2020
Resolved issues
-
Performance regression with large hashes using lookup This release fixes a performance regression in 5.5.x and 6.0x which affected Hiera lookups in large hashes. PUP-10628
-
Puppet::Util.default_env method unintentionally removed in 6.17.0 Testing modules using rspec-puppet versions earlier than 2.7.10 resulted in an undefined local variable error or method ‘default_env’ for Puppet::Util:Module. This is now fixed. PUP-10586.
-
**An error is logged during an agent run if Puppet Server does not have at least one
/lib dir in its modules directory** If Puppet Server does not have at least one modules directory, the `file_metadatas` REST API for the plugins, pluginfacts and locales mounts returns file metadata for `/etc/puppetlabs/code`, instead of returning HTTP 404. [PUP-2608](https://tickets.puppetlabs.com/browse/PUP-2608) -
Puppet run continues despite failed Pluginsync Previously, Puppet agents ignored pluginsync errors and applied the catalog with incorrect facts and plugin versions, leading to obscure errors or data corruption. This release adds a new setting —
ignore_plugin_errors
. If set to false, the agent aborts the run if pluginsync fails. The setting defaults totrue
so the old behavior is preserved. PUP-1763 -
Puppet agent fails to install on a Windows VM if the Windows installer is not used This release fixes a regression introduced in 6.17.0. You can now install packages when
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components
does not exist. PA-3351 -
Upgrade on AIX nodes does not trigger a second Puppet run This release fixes an issue where the Puppet service stopped running after upgrading on SysV-based RPM distributions and AIX. PA-3405
-
Data type casts cause Puppet Server to retain compiler instances This issue is now fixed when running under JRuby. PUP-10659
-
Resource collector overrides cause Puppet Server to retain compiler instances This issue is now fixed when running under JRuby. PUP-10657
Puppet 5.5.21
Released 14 July 2020
New features
-
Updated permissions for files in
/cache/state/
. This release updates the permission forstate.yaml
andtransactionstore.yaml
to remove the group write access. PUP-8922 -
New disabled value in dnfmodule package provider. This release adds a disabled value to the ensure field in the dnf module provider. PUP-10419
-
Improved error message when a file resource requires a non-existent directory. This release improves the error message that occurs when trying to manage a file resource whose parent directory does not exist. PUP-4442
-
Zypper provider does not recognize
--no-gpg-checks
as a global option. This release allows--no-gpg-checks
to be passed as an item toinstall_options
property for the zypper package provider. Note that for backward compatibility--no-gpg-check
was not removed. PUP-10433 -
Boost and
yaml-cpp
in the SLES 15 puppet-agent package. The boost and yaml-cpp dependencies are now vendored in the SLES 15 agent build. PA-3006
Resolved issues
-
Puppet agent fails to restart with configuration changes or updates. Previously, when two agent runs were taking place at the same time, the Puppet agent could get in a
restart_requested
state. This is now fixed. PUP-10351 -
An “unable to set ownership” error with logdest on agents running as root. Puppet no longer generates an error when using a log file destination. PUP-10407
-
Installer switch
service-enable true
reports wrong actions in certain conditions. Previously, the Puppet resource command wrongly reporting the enabled state of a systemd service when the ensure parameter was also specified. This is now fixed. PUP-10479 -
The
pip
package provider does not handlepip
executable paths with spaces. Paths containing spaces will now be quoted in thepip
package providers. PUP-10485 -
The
purge_ssh_keys
parameter requires you to set the home directory in the manifest. The release fixes an issue where Puppet required you to manage the home directory when purging SSH keys withpurge_ssh_keys
. PUP-10506 -
Puppet resource service does not return all active services on Ubuntu. This release fixes an inconsistency in Puppet’s behaviour when listing information about a specific service. PUP-10378
-
Ensure Windows wide character strings have a wide terminator. This release improves memory safety when Puppet converts Ruby strings to wide character strings on Windows. PUP-10254
-
“HTTP 406 Not Acceptable” error message should contain format names. This release prints the MIME types, instead of format objects, from the Accept header, in cases where puppetserver cannot generate a catalog in the requested format. PUP-10549
-
Puppet Windows package provider fails if there are garbage characters after an embedded NULL. This release fixes a bug in the Windows package provider when reading package version form registry. This happened if there were garbage characters after the wide NULL terminator. PUP-10536
-
Sensitive data type lost when declaring multiple resources using title arrays. This release fixes support of sensitive data type parameters when declaring multiple resources using title arrays. PUP-10511
-
Agent runs failing with
Invalid
orunsupported charset:ANSI_X3.4-1968
. Previously, agent runs failed when the locale settings where unrecognised or in an error state because leatherman logging expects a working locale. This release implements a defense for the leatherman logging function. PA-3254 -
Running
remove_old_postgresql_versions
after upgrade fails. This release fixes an issue in Puppet’s behaviour when listing information about a single specific service and all available ones by showing services in a static state. PUP-10437 -
Puppet does not add correct command flags. This release fixes an issue where Puppet would not add the correct command flags when ensuring a
user
resource withmanagehome
enabled. PUP-8897. -
The
systemd
provider does not honor documented enabled states. Previously, enabling indirect services caused an idempotency issue in Puppet. This has been fixed by not allowing users to enable/disable these services and to print a debug log instead. PUP-7163 -
User resource expiry incorrect on SLES 11. On SLES 11, setting a user resource expiry to absent resulted in disabling the user instead. This is now fixed. PUP-7663
-
Puppet agent should ignore
nssm.exe
during an upgrade. Previously, if a puppet-agent upgrade on Windows happened whennssm.exe
was loaded by EventLog service, certain services were restarted, leading to unreachable machines. This release includes annssm
executable for pxp-agent (nssm-pxp-agent.exe
) and we have remove Windows registry references to the old nssm.exe. PA-3263 -
Puppet should ignore system Ruby settings. Running Puppet using a wrapper script from the puppet-agent package will now ignore the following ruby related environment variables:
GEM_HOME
,GEM_PATH
,DLN_LIBRARY_PATH
,RUBYLIB
,RUBYLIB_PREFIX
,RUBYOPT
,RUBYPATH
,RUBYSHELL
. PA-3248
Puppet 5.5.20
Released 30 April 2020
New features
- Improved performance on the
selmodule
provider. Previously, theselmodule
provider called/usr/sbin/semodule -list
once or twice per resource. This resulted in a heavy duplication of effort and increased apply time. In this release, a new cache improves the performance. PUP-10313
Resolved issues
- This release fixes an issue where Puppet did not report broken AIX packages during install. PUP-8937
- In macOS 10.15, the
-noidme
flag caused.dmg
package installation to fail. This release removes the-noidme
flag withhdiutil
when using thepkgdmg
package provider. PUP-10408 - This release upgrades Ruby to 2.4.10 to address security issues: CVE-2020-10663. PA-3179
- An issue where RedHat Subscription Manager updates caused
ensure => latest
to do nothing is now fixed. PUP-10432 - The
pkgng
provider now supportsinstall_options
. PUP-10380 - The
pkgng
provider now correctly parses the latest versions for packages. PUP-10382 - Previously, 5.5.17 agents were failing on interval runs. There were various paths in a Puppet run that did not explicitly return exit code, leading to a
TypeError
exception. With this release, theexit
argument fromrun_in_fork
is unaffected by these errors. PUP-10366. - Previously, if an Active Directory user was added as member of a local group and then deleted, Puppet did not manage the respective group members. With this release, Puppet will manage the group by showing SID instead of the account name for non-resolvable users. PUP-10303
- Previously, Windows pidlock could raise access denied. With this release, you can use
SeDebugPrivilege
on Windows when opening a lockfile PID to determine whether the process is a Puppet process. PUP-10248 - This version upgrades the OpenSSL version to 1.1.1g on non-fips platforms to address security issues: CVE-2020-1967. PA-3186
- Previously, Windows components (such as DHCP Client) restarted after Puppet agent upgrades. This was a result of nssm.exe being registered as the EventMessageFile, which got loaded and locked into svchost.exe when viewing events raised by pxp-agent. The agent upgrade tried to replace nssm.exe, but failed as it was loaded, and the only way to unload it was to restart. This fix removes the usage of nssm.exe for events and replaces it with EventCreate.exe when generating event messages, so now the EventCreate.exe will get loaded and locked by svchost.exe when viewing Puppet events. This will no longer interfere with the agent upgrade. PA-3175
Puppet 5.5.19
Released 10 March 2020
New features
-
When managing a user or group resource with a forcelocal set, Puppet reads
/etc/passwd
or/etc/group
for each parameter of the resource. Files are read once per managed resource. PUP-10117 -
Previously, when
puppetserver
returned a 429 or 503 to an agent after the agent tried to make an HTTP request, the agent would keep the HTTP connection open during the sleep. Now the connection closes before the sleep, and retries the connection after, to reduce the resource load on thepuppetserver
. PUP-10227 -
The
flavor
package parameter has been changed into a property and can now be changed after it’s initially set. Supported providers arednfmodule
andopenbsd
. PUP-10171 -
If a
/opt/puppetlabs/server/pe_version
file exists on an agent, the file will be read and added to the server facts under the namepe_serverversion
. PUP-9750 -
Puppet Agent now ships FFI on AIX packages. PA-3061
-
The RedHat 7 FIPS package now ships OpenSSL 1.1.1, instead of relying on the version provided by the operating system. PA-3027
-
FIPS mode is now enforced on OpenSSL, vendored in Windows FIPS platform. PA-3025
-
The installer package for the Windows Puppet agent has a new installation option. PA-2253
-
This release of the
puppet-agent
package removes support for macOS 10.12, macOS 10.13 and Fedora 28. PUP-10244, PUP-10245, PUP-10242.
Resolved issues
-
This release fixes CVE-2020-7942 by defaulting to
strict_hostname_checking=true
. To return to the previous behavior, set the Puppet setting to false. PUP-10238. -
This release updates OpenSSL to 1.0.2u, as a result of CVE-2019-1551. PA-306
-
Due to Apple changing user management in macOS 10.15, Puppet could no longer manage user passwords on that version. Puppet now uses the
dsimport
utility to manage passwords on macOS 10.15 or higher. PUP-10246 -
This release fixes an issue where Puppet would try to parse an XML property list file as ASCII instead of UTF-8. PUP-10241
-
This commit adds the missing
ppAuthCertExt
oid and updates docs to reference it. PUP-10234 -
The Yum package provider now accepts an array of strings to be specified for the
install_options
parameter, in addition to the previous implementation which only accepted an array of hashes. This fix was provided by community contributor Corey Osman. PUP-10177 -
The Puppet language supports calling functions using prefix or chained syntax, for example,
each($var)
and$var.each
. Using the latter syntax is now much faster, especially when$var
is a large hash, such as$facts
from the node. PUP-10113 -
This release fixes an issue with large environment blocks on Windows, which caused a Ruby error.. PA-3113.
-
This release adds the
mark
property with Debian and Solaris instead of setting the ensure attribute to held. Theheld
value forensure
is deprecated. Allowed values formark
arehold
ornone
, and it defaults tonone
. You can specifymark
along with ensure. If ensure is missing,mark
defaults topresent
. You cannot use themark
property together withpurged
,absent
, orheld
values forensure
. PUP-1537. -
To avoid the Puppet changing the
mailalias
resource, do not use comma in themailalias
record field separator when surrounded by double quotes. PUP-10287
Puppet 5.5.18
Released 14 January 2020
New features
-
Puppet now supports managing DNF modules, which are groups of packages that represent an application, a language runtime, or any logical group.
Modules can be available in multiple streams, usually representing a major version of the software they include. Profiles are package subsets representing a specific use case of the module (these are handled by the flavor parameter of the package type).
Due to the significant difference between a package and a module,
dnfmodule
is an opt-in provider and should be explicitly specified in the manifest. PUP-9978 -
This release removes a dependency on .bat files when running Puppet as a service on Windows. PUP-9940
-
This release introduces a new setting,
puppet_trace
, which prints the Puppet stack without the Ruby frames interleaved. If thetrace
setting is enabled, it overrides the value ofpuppet_trace
. PUP-10150 -
Resubmit facts after an agent’s run.
Puppet submits facts when requesting a catalog, but if the agent modifies the system while applying the catalog, then the facts in PuppetDB won’t be refreshed until the agent runs again, which may be 30 minutes (or however
runinterval
is configured). This feature makes it possible to submit facts again at the end of the agent’s run, after the catalog has been applied. To enable this feature, setresubmit_facts=true
in the agent’spuppet.conf
. Resubmitting facts doubles the fact submission load on PuppetDB, since each agent submits facts twice per run. This feature is disabled by default. PUP-5934
Resolved issues
-
This version of the
puppet-agent
package upgrades OpenSSL to version 1.1.1d. PA-3029 -
This release includes improvements to the evaluator, meaning some compilation warnings now take less time to compute. PUP-10213
-
The HP-UX provider forced command line arguments to
usermod
to be in a specific order. This is now fixed. PUP-9391 -
This release fixes a bug where stacktraces from errors no longer had the Ruby stack frames interleaved with the Puppet stack frames when using
trace
. PUP-10150 -
Performance of manifests that use the
PuppetStack.top_of_stack
function have been greatly improved. This includes manifests that use the puppetlabs-stdlibdeprecation
function or the pseudo keywordsbreak
,return
, andnext
. PUP-10170 -
Previously, Puppet agents might fail to apply a catalog if the agent switched environments based on node classification and those environments contained different versions of a module. With this fix, an agent converges to its server-assigned environment more quickly, loads types and providers only once, and updates its cached catalog only after the environment converges. PUP-10160
-
Puppet agent packages for Debian and Ubuntu now include Ruby SELinux libraries. PA-2985
-
Puppet no longer checks for domain users or groups when managing local resources on Windows. This fixes a local user management issue where an Active Directory account existed with the same name as the local user. PUP-10057
-
Previously, when Puppet encountered a connection error, it created a new exception with additional contextual information around what was causing the error. However, this new exception could cause an additional “Wrong number of arguments” error. Puppet now raises the original error and logs it with any additional contextual information. PUP-10121
-
This release fixes a bug where Puppet would attempt to use a proxy specified in the
http_proxy
environment variable, even thoughPuppet[:no_proxy]
was set to bypass the proxy. PUP-10112 -
Previously, Puppet would only bypass a proxy if
no_proxy
had a leading wildcard or period. For example,*.example.com
or.example.com
. Puppet now bypasses the HTTP proxy if theno_proxy
environment variable or Puppet setting is a suffix of the destination server FQDN. PUP-10106 -
If an
exec
resource’s command is not executable or cannot be resolved into a fully qualified path, Puppet now only prints the command, and not the potentially sensitive arguments passed to the command. Puppet also redacts the output of sensitive commands when thelogoutput
parameter is set totrue
, or the parameter ison_failure
(the default) and the command fails. PUP-10100 -
Puppet now correctly installs dpkg sub-packages and sets them to
held
ifensure
is set toheld
. PUP-10059” -
Puppet can now manage pip resources in directories containing spaces, such as
C:\Program Files\Python27
on Windows. PUP-9647 -
Prior to this release, the
notify
resource leaked data if the message was asensitive
datatype with a raw value, not encapsulated in quotes. Now sensitive values are redacted when they are interpolated in anotify
resource’s message. PUP-9295 -
Previously, the pip provider failed if
pip --version
did not emit the version on the first line of output. PUP-8986 -
The
systemd
service provider can now manage services whose names start with a dash. Contributed by j-collier PUP-7218 -
Previously, if the
cwd
parameter was not specified, puppet would change its working directory to the current working directory, which was redundant and could fail if the current working directory was not accessible. Now,wxec
resources only change the current working directory if thecwd
parameter is specified in a manifest. PUP-5915
Puppet 5.5.17
Released 15 October 2019
This is a bug-fix and new feature release.
New features
-
The
exec
type’sonlyif
andunless
checks now return redacted output if it is marked sensitive. PUP-9956 -
You can now specify
no_proxy
as a Puppet setting, consistent with otherhttp_proxy_*
Puppet settings. TheNO_PROXY
environment variable takes precedence over theno_proxy
Puppet setting. PUP-9316 -
Installation time on larger modules has been improved. Previously, on platforms that had the minitar gem installed, mintar would fsync every directory and file, causing long extraction times during module installation. Puppet now uses minitar 0.9, with this fsync option turned off by default. PUP-10013
-
Puppet can now set Windows service startup type to Auto-Start (Delayed). To set a service to use this setting, set the
enable
parameter of theservice
resource to “delayed”. PUP-6382 -
When running in daemon mode, Puppet logs the configuration used on agent startup at the debug level. The log is sent to the output specified by the
--logdest
option. Configuration is reloaded and also logged on SIGHUP. PUP-9754
Resolved issues
- This version upgrades the Ruby version to 2.4.9 to address the following security issues:
- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
- CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
- CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
- RDoc vulnerabilities.
-
This version upgrades OpenSSL to 1.0.2t to address CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563. For more details, see the OpenSSL Security Advisory.
-
This version includes a security update to curl 7.66.0 to address CVE-2019-5481 and CVE-2019-5482.
-
Previously, the
puppet resource --to_yaml
andpuppet device --to_yaml
commands did not generate valid YAML if the output contained special characters such as a single quote. PUP-7808 -
Prior to this release, Puppet silently ignored truncated file downloads, such as when using a file resource whose source parameter contained a
puppet://
,http://
, orhttps://
URL. This issue was caused by a Ruby issue and is fixed in this release. PA-2849 -
The
puppet plugin download
command now reuses HTTPS connections. This significantly speeds up the download process. PUP-8662 -
If the agent is configured to use an HTTP proxy, and it attempts to connect to a host that matches an entry in the
NO_PROXY
environment variable, then Puppet connects directly to the host instead of using the proxy. This feature was originally introduced in Puppet 4.2, but it did not work. PUP-9942 -
Agents could not connect through an authenticating HTTP proxy when making REST requests to Puppet infrastructure, such as when requesting a catalog. Now agents will observe the
http_proxy_user
andhttp_proxy_password
settings orHTTP_PROXY_USER/PASSWORD
environment variables when making those requests. PUP-4470 - If an HTTP proxy is configured either in Puppet settings or the
HTTP_PROXY_*
environment variables, then Puppet does not use the proxy when connecting to localhost or 127.0.0.1. This behavior can be modified by changing theno_proxy
setting in puppet.conf or theNO_PROXY
environment variable. PUP-2172
Puppet 5.5.16
Released 16 July 2019
This is a bug-fix and new feature release.
New features
Previously, using config print
to view your server list output a nested array that was difficult to read. Using config print
now outputs the text in the same human-readable format as its entry in the puppet.conf
file. Puppet uses the same human-readable output for errors you receive from being unable to connect to a server in server_list
`. PUP-9495
- When the agent is configured with a list of servers, with the
server_list
setting, it now requests server status from the “status” endpoint instead of the “node” endpoint. PUP-9698
Resolved issues
-
Some Puppet commands, such as
puppet-infra
, might not be found in the system PATH. This fix ensures that the relevant directory,opt/puppetlabs/bin
, is available in the PATH. PA-2750 -
Custom MSI actions did not correctly log
STDERR
to the MSI log. PA-2691 -
If
LD_LIBRARY_PATH
is set on an AIX 7.y node, running Puppet might fail with the following error:libfacter was not found. Please make sure it was installed to the expected location.
This is now fixed. PA-2668 -
Previously, Puppet agent failed to run if the Regional language was changed to Arabic (United Arab Emirates). Now if the code page is not available in Ruby, the handler reverts to UTF-8 and the agent does not fail. PA-2191
-
This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. PA-2670
For facterdb this means facter 2.5.1 would be installed which then tries to overwrite the bin/facter binary upon installation because facter is a dependency of facterdb (regardless of version).- Prior to this release, Puppet agent required find, but didn’t correctly declare it as a dependency. The agent now requires findutils
as a dependency. PA-2629
-
Fixed reading of crontabs using Puppet for Solaris 11. Now crontabs for all users are listed when running ‘puppet resource cron’. PUP-9697
-
Update Augeas to 1.12.0, which includes the
always_query_group_plugin
keyword. PA-2562 -
This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem. PUP-9691
-
This release fixes an issue where trying to remove a user resource on a Solaris 11 installation using a home directory configuration resulted in an error. PUP-9706
-
If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with
convert_to
, you’d get an error: “undefined method 'call_function' for Hiera::Scope
” PUP-9693. -
Conversions from a string to an integer would result in an error when asking for conversion of a decimal string with leading zeros. For example, converting
Integer("08", 10)
would result in an error. PUP-9689 -
This release includes an update to curl to address security issues. See CVE-2019-5435 and CVE-2019-5436 for information about the CVEs. [PA-2689](((https://tickets.puppetlabs.com/browse/PA-2689))
-
When initialising new device certificates,
puppet device
would sometimes set permissions in a way that prevented thepe-puppet
user from reading some directories. PUP-9642 -
This release updates the Windows registry
read
method to replace null byte sequences with a space. This issue was causing PuppetDB to discard updated facts from affected nodes. PUP-9639 -
Prior to this release, if you set a Debian package on hold with
ensure => held
and the package had a pending upgrade, Puppet would install the upgrade before locking the package PUP-9564. -
This release fixes an issue where the
gem update --system
command used in the Puppet agent caused conflicts with software that depends on gems in Puppet’s vendored Ruby directory, such as r10k. Now gem paths always contain the path for this directory, even after updating. PA-2628
Puppet 5.5.15
This version of Puppet was never released.
Puppet 5.5.14
Released 30 April 2019
This is a security and bug-fix release.
Resolved issues
-
This release updates the
libxslt
version packaged inpuppet-runtime
to version 1.11.33 . This update patches a critical security issue inlibxslt
. See CVE-2019-11068 for details about this vulnerability. PA-2667 -
To address security fixes, Open SSL has been updated to 1.0.2r.
-
This release fixes an issue where you could no longer specify multiple logging destinations on the command line with the
--logdest
option. This feature was temporarily broken when we added the ability to specify a logging destination inpuppet.conf
. PUP-9565 -
Because parameters for task execution may be sensitive, the
pxp-agent
no longer logs or writes parameter values to disk. PCP-814 -
Puppet now uses the
--no-document
option to exclude documentation when installing gems, instead of the deprecated--no-rdoc
and--no-ri
options. This change allows compatibility withrubygems
3.0 and greater. PUP-9395
Puppet 5.5.13
Released 16 April 2019
This is a bug-fix and new feature release.
New features
This release of the puppet-agent
package removes support for Cumulus-2.2-amd64 and Debian 7 (Wheezy). PA-2574, PA-2567
Resolved issues
-
Prior to this release, use of the
server_list
setting could cause misleading agent errors. Now, when running in debug mode, Puppet prints the exception that caused it to skip an entry in the server_list setting. PUP-8036 -
This release adds information to debug output that specifies whether the server setting originates from the
server
orserver_list
setting in the configuration. PUP-9470
Puppet 5.5.12
Released 26 March 2019
This is a bug-fix and new feature release.
New features
-
Running the
exec
resource with--debug
and--noop
now prints a debug message with the command if checks prevent it from being executed. Ifcommand
,onlyif
, orunless
are marked as sensitive, all commands are redacted from the log output. PUP-9357 -
This release of the
puppet-agent
package removes support for SUSE Linux Enterprise Server 11/12 s390x. PA-2489 -
This release adds a
puppet-agent
package for macOS 10.14 Mojave. On macOS 10.14 Mojave, you must grant Puppet Full Disk Access to be able to manage users and groups. To give Puppet access on a machine running 10.14, go toSystem Preferences > Security & Privacy > Privacy > Full Disk Access
, and add the path to the Puppet executable. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227 -
This release adds support for Red Hat Enterprise Linux 8.
Bug fixes
-
Augeas 1.11.0 has been released with a number of fixes and improvements. Update the puppet-agent package to get the new version. PA-2364
-
This
puppet-agent
package release includes a security patch for Ruby 2.4.5. To learn more about the CVEs that this patch address, see the Ruby security advisories. PA-2510 -
For the
filebucket
type,server
andport
no longer have explicit default values in the type definition. Ifserver
is not set, it defaults to the first entry inserver_list
if set; otherwise, it defaults toserver
. Ifport
is not set, it defaults to the port in the first entry ofserver_list
if set; otherwise, it defaults tomasterport
. PUP-9025 -
This release modifies the
pxp-agent
service to kill allpxp-agent
processes when the service is restarted, rather than only the current process. PCP-833 -
This release fixes an issue where
call()
function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477 -
This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496
-
For the
filebucket
type,server
andport
no longer have explicit default values in the type definition. Ifserver
is not set, it defaults to the first entry inserver_list
if set; otherwise, it defaults toserver
. Ifport
is not set, it defaults to the port in the first entry ofserver_list
if set; otherwise, it defaults tomasterport
. PUP-9025 -
Previously, if you used the type
Optional
without any arguments, it could result in an internal error. This is now fixed. On its own,Optional
, means the same asAny
. You should always supply a type argument with the desired type if the value is notundef
. PUP-9467 -
Prior to this release, agent runs provided the same output for both intentional and corrective changes. Now corrective changes are now explicitly called out in the logs as corrective. PUP-9324
-
The upstart provider was being evaluated when loaded, causing issues with testing and availability during transactions. This has been fixed so that the provider is evaluated only when provider suitability is being checked. PUP-9336
-
If you passed an invalid path to
--logdest
option, Puppet silently ignored it. Now, if you give a--logdest
location that Puppet cannot find or write to, the run fails with an error. PUP-6571 -
The Windows group resource was incorrectly printing an array of SIDs for members. The resource now correctly prints members as
/ . [PUP-9435]((https://tickets.puppetlabs.com/browse/PUP-9435)) -
Heredoc expressions with interpolation using an access expression such as
$facts['somefact']
sometimes failed with a syntax error. This error was related to the relative location of the heredoc and surrounding whitespace and is now resolved. PUP-9303 -
The
SublocatedExpression
class is no longer generated by the parser. TheSublocatedExpression
class itself will not be removed until 7.0.0, but it no longer appears in AST produced by the parser. PUP-9303 -
Puppet commands now fail if Puppet Server is unable to read the
puppet.conf
file. Only thehelp
and--version
commands work if thepuppet.conf
file is unreadable. PUP-5575 -
If the agent encounters exceptions when pre-fetching resources for catalog application, it now logs the exceptions and returns a more useful error message. PUP-8962
-
Improved error handling for PNTransformer When parsing into structured AST, the parser produced an error on some empty constructs because the PNTransformer could not resolve them. Now it generates a Nop expression instead. PUP-9400
- Puppet now treats
owner
andgroup
on the file resource as in-sync in the following scenario:- The
owner
andgroup
are not set in the resource. - Either the
owner
or thegroup
is set to theSystem
user on the running mode. - The
System
userACE
is set toFullControl
.
Puppet now allows users to specifically configure the
System
user to less thanFullControl
by setting theowner
and/orgroup
parameters toSystem
in the file resource. In this case, Puppet emits a warning since settingSystem
to less thanFullControl
may have unintended consequences. PUP-9337 - The
-
If a functional server was not found, Puppet agent fell back to the
server
setting. Puppet agent now returns an error ifserver_list
is set and a functional server is not found. PUP-9076 - The
pxp-agent init
script started more than one process if thepidfile
was missing. This release modifies thepxp-agent
service to kill allpxp-agent
processes when the service is restarted, rather than only the current process. PCP-833
Puppet 5.5.11
This version of Puppet was never released.
Puppet 5.5.10
Released 15 January 2019
This is a bug-fix release.
Bug fixes
-
The agent package on Solaris 11 failed because it tried to write files to
/system
. Now the package writes to the correct user-facing location in/var
. PA-2776 -
puppet-agent
packages for Fedora have been updated. As of this release, apuppet-agent
package for Fedora 29 is available. Updated packages for Fedora 27, which reached end of life in November 2018, are no longer available. -
The
puppet module install
command now downloads only the release metadata it needs to perform dependency resolution, drastically reducing data download and improving installation time. For thepuppetlabs-stdlib
module, this change reduces the data download from 25MB to 68KB, and any module that depends onstdlib
will benefit when installed. PUP-9364 -
When compiling a catalog, Puppet sometimes raised the error “Attempt to redefine entity.” This issue has been fixed with an update to the internal logic. PUP-8002
-
Puppet now treats incomplete services the same way as nonexistent services, returning
enabled => false
andensure => :stopped
in either case. If you try to setensure => running
orenabled => true
on an incomplete or nonexistent service, Puppet raises an error. PUP-9240 -
Prior to this release, the
puppet device
command failed if the environment specified inpuppet.conf
or with the--environment
option was not ‘production’. This issue is fixed. Nowpuppet device
uses its own device-specific cache for pluginsynced code (facts, types, and providers). Additionally,puppet device
now supports a--libdir
option for overriding any pluginsynced code with a local directory for testing. PUP-8766 -
Failed dependency resources are now reported only once. After that resource has been reported, other resources that depend on the failed resource will not be reported again. However, you still get the skip message for each skipped resource. PUP-6562
-
Error messages and logging are improved for some sync errors. Previously, Puppet provided no log message and an uninformative error. PUP-1542
-
When compiling a catalog, Puppet sometimes raised the error “Attempt to redefine entity.” This issue has been fixed with an update to the internal logic. PUP-8002
-
SELinux utilities within the Puppet codebase now recognize that the
tmpfs
supports extended attributes and SELinux labels. The queryselinux_label_support?
returnstrue
for a file mounted ontmpfs
. PUP-9330 -
This release fixes a regression in the string formatting rules that caused a short form for an Array or Hash to not be recognized. For example,
String([1,[2,3],4], '%#a")
would not format with indentation, but would format the long formString([1,[2,3],4], {Array => { format => '%#a"}})
. Now the short form works for Array and Hash as intended. PUP-9329 -
Prior to this release, the data types
Timestamp
andTimespan
raised errors if time range was specified withInteger
orFloat
values. These data types now support time ranges specified with these values. PUP-9310 -
This release fixes an issue where refreshed resources, such as reboot or some execs, did not create a status event in the event report. If the refresh fails, an event is also created for the failure. PUP-9339
Puppet 5.5.9
This version of Puppet was never released.
Puppet 5.5.8
Released 1 November 2018.
This is a bug-fix, new feature, and deprecation release.
Bug fixes
- When
forcelocal
is true andexpiry
is set, useusermod
to manage a user instead oflusermod
.lusermod
does not support-e
and causes the Puppet run to fail. PUP-9195 - Puppet 5.5.7 failed with a faulty error message when a legacy function did not comply with the standard rules. This is now fixed in Puppet 5.5.8 and accepts the illegal implementation of the function. PUP-9270
- Puppet will now only set the user, group, and mode of log files if Puppet creates them. PUP-7331
- The members property has been fixed to have the same API for
retrieve
andshould
as it did prior to the breaking changes in 5.5.7, while also reporting the right change notification. Providers can now return an array forgetter
and accept an array forsetter
. PUP-9267.
New feature
- RHEL 8 now has DNF as the default package provider. PUP-9198
Deprecation
- A regression was triggered by illegal constructs in functions that used the legacy 3.x function API. This has been fixed but will raise errors for the illegal constructs in Puppet 6. If you have 3.x functions that define methods inside the function body, or outside of the call to
newfunction
, they must be updated to work with Puppet 6 - and preferably use the modern 4x function API. PUP-9268
Puppet 5.5.7
Released 23 October 2018.
This release contains new features, bug fixes, and deprecations.
Bug fixes
- Fixed issue where overlapping module paths caused an incorrect illegal location deprecation warning or error. PUP-9211
- Empty or comments only files will no longer emit a deprecation warning or error about illegal top level construct. PUP-9190
- When using interpolation inside a heredoc, the position and location information for the interpolated expressions was wrong. This is now fixed. PUP-9163
- We have removed the deprecation warnings for most of the CA settings that were shipped prematurely in 5.5.6. All the CA settings, besides
capass
andcaprivatedir
, will still continue to function in Puppet 6. PUP-9158 - When called from the Puppet Language, the 3x functions were loaded when calling
function_<name>
(in Ruby) or when usingcall_function
(in Ruby) from another function. In some circumstances this caused warnings for overwrite of already loaded functions. PUP-9137 - Fixed a race condition between Puppet and launchd when restarting services on OSX. PUP-9111
- Previously Puppet took at least one second to execute external processes, even if the process completed more quickly than that. This is now fixed and significantly decreases the time it takes the Puppet agent to apply a catalog if the catalog contains a large number of exec resources, and each child process completes in less than one second. PUP-9092
- Updated Puppet portage package provider for changes to Gentoo package management. PUP-9044
- The AIX user provider now handles the groups property in a manner that is consistent with other Linux user providers. Specifically, it reads the user’s groups from the
/etc/group
file and implements inclusive/minimum membership correctly, even when the user’s primary group changes. PUP-7393 - The members property in the group resource has been fixed to report the right change notifications to Puppet. PUP-6542
- Previously, the
state.yaml
file could grow unbounded. The newstatettl
setting controls how long entries are cached (default: 32 days). If you use resource schedules, see thestatettl
documentation to see how this setting interacts with the schedule type. PUP-3647 -
Puppet::Util.safe_posix_fork
now ensures that the stdin, stdout, and stderr streams are redirected to the passed-in files by referencing the corresponding STDIN, STDOUT and STDERR Ruby constants, instead of the mutable global variables $stdin, $stdout and $stderr. PUP-9250 - Puppet will no longer leak sensitive data into the resource file. PUP-7580
New features and improvements
- The
Puppet::Util::Windows::ADSI::User
class now supports setting/unsetting ADSI userflags. PUP-9177 - It is no longer required to have a dependency listed in a module’s metadata.json on another module, in order to use functions or data types from that module. PUP-6964
-
Puppet::Util::Execution.execute
now supports acwd
option to specify the current working directory that the command will run in. This option is only available on the agent. It cannot be used on the master, including regular functions, Hiera backends, or report processors. PUP-6919 - The
--logdest
argument can now be set in the puppet.conf file as thelogdest
setting. PUP-2997
Deprecations
- A deprecation warning will be given during Puppet code validation when top level constructs that are not defined are found in auto loaded module files. PUP-9020
Puppet 5.5.6
Released 22 August 2018
This is a bug-fix release of Puppet. It contains several deprecations.
Note: Puppet 5.5.4 and 5.5.5 releases do not exist. To keep Puppet and Puppet agent versions synchronized, we have skipped to version 5.5.6.
Bug fixes
-
The
tagged
function is no longer case sensitive. Thetagged
function will now returntrue
if the string case-insensitively matches a resource or catalog tag. Previously, the function was case sensitive. (PUP-9024) -
Puppet Server catalog failed to compile when
disable_i18n = true
in the main section inpuppet.conf
. This is now fixed. (PUP-9010) -
puppet-agent-5.5.4-1.el6.x86_64 on Scientfic Linux 6 failed to use
upstart
. This is fixed. Note that theupstart
provider only works on platforms that have theupstart daemon
running. Puppet checks this withinitctl version --quiet
. (PUP-9008) -
This fix eliminates the use of
Kernel.eval
to convert stringified arrays to Ruby arrays when specified in Augeas resources in the manifest. (PUP-8974)
New features and improvements
- We added deprecation warnings for manifests declaring things in the wrong namespace so that strict naming can be enforced. (PUP-8894)
Deprecations
-
All Puppet subcommands that perform actions on the CA are deprecated. This includes
cert
,ca
,certificate
,certificate_revocation_list
, andcertificate_request
. Their functionality will be replaced in Puppet 6 by a new CA command-line interface under Puppet Server, and a new client-side subcommand for SSL client tasks. This change deprecatespuppet.conf
settings:ca_name
cadir
cacert
cakey
capub
cacrl
caprivatedir
csrdir
signeddir
capass
serial
autosign
allow_duplicate_certs
ca_ttl
cert_inventory
-
The LDAP Node Terminus is deprecated. (PUP-7600)
-
Setting
source_permissions
touse
oruse_when_creating
is deprecated. If you need to manage permissions, set them explicitly usingowner
,group
, andmode
. (PUP-5921)
Puppet 5.5.3
Released 17 July 2018
This is a bug-fix release of Puppet.
Bug fixes
-
The
selmodule
type in Puppet 5.5.3 checks module names more strictly when determining whether a module has already been loaded. Specifically, its search wasn’t anchored to the start of the module name in previous versions of Puppet, resulting in modules whose only difference in name is a prefix (such as “motd” and “mymotd”) falsely reporting which module is loaded. Puppet 5.5.3 resolves this issue. (PUP-8943) -
When resources fail to restart when notified from another resource, Puppet 5.5.3 now flags them as failed and reports them as such. Reports also now include the
failed_to_restart
status for individual resources. This change also increments the report format version to 10. (PUP-8908) -
When
config_version
refers to an external program, the last run summary in Puppet 5.5.3 no longer includes the Puppet-specific class name in YAML output. This is designed to make the YAML output easier to work with when using other YAML-processing tools. (PUP-8767) -
When previous versions of Puppet cleared the environment cache, associated translation domains lingered until they were replaced the next time the environment was used. Environments that were never used again would still consume memory required for the translations, resulting in a memory leak. Puppet 5.5.3 resolves this issue by releasing translation domains when the related cached environment is purged. (PUP-8672)
-
Since Puppet 4.10.9, non-existent Solaris SMF services reported a state of
:absent
instead of:stopped
. This change could break some workflows, so the behavior has been reverted in this release to report non-existent Solaris SMF services as:stopped
. (PUP-8262)
Regression fixes
- The introduction of
multi_json
in Puppet 5.5.0 broke the JSON log destination. Puppet 5.5.3 fixes this regression. (PUP-8773)
New features
- The new
puppet device --facts
command allows you to display facts on a device, much in the same way that thepuppet facts
command behaves on other agents. (PUP-8699)
Deprecations
-
The
puppet module build
command is deprecated in Puppet 5.5.3 and will be removed in a future release. To build modules and submit them to the Puppet Forge, use the Puppet Development Kit. (PUP-8762) -
The
--configprint
flag is deprecated in Puppet 5.5.3. When runningpuppet <SUBCOMMAND> --configprint
with thedebug
orverbose
flags, Puppet outputs a deprecation warning. Usepuppet config <SUBCOMMAND>
to output setting values. (PUP-8712) -
Puppet has long verified absolute paths across platforms with
Puppet::Util.absolute_path?(path)
. However, it now uses Ruby’s built-in methods to accomplish this. Puppet 5.5.3 therefore deprecatesPuppet::Util.absolute_path?(path)
in favor ofPathname.new(path.to_s).absolute?
. (PUP-7407)
Puppet 5.5.2
Released June 7, 2018.
This is a bug-fix and security release of Puppet.
Bug fixes
-
In previous versions of Puppet, attempting to create a Numeric type from the String “0” would result in an error. Puppet 5.5.2 resolves this issue. (PUP-8703)
-
When running Puppet on Ruby 2.0 or newer, Puppet would close and reopen HTTP connections that were idle for more than 2 seconds, causing increased load on Puppet masters. Puppet 5.5.2 ensures that the agent always uses the
http_keepalive_timeout
setting when determining when to close idle connections. (PUP-8663) -
When using the
--freeze_main
option in previous versions of Puppet, certain circumstances could result in an error even if no code being loaded modified the main loaded logic. Puppet 5.5.2 resolves this issue. (PUP-8637) -
Previous versions of Puppet did not allow aliased (custom) data types or Variant types to be used with the
match()
function. Puppet 5.5.2 removes this limitation. (PUP-8745)
Security fixes
- On Windows, Puppet no longer includes
/opt/puppetlabs/puppet/modules
in its default basemodulepath, because unprivileged users could create aC:\opt
directory and escalate privileges. (PUP-8707)
New features
-
Puppet 5.5.2 can accept globs in the path name for the
modulepath
as defined inenvironment.conf
. (PUP-8556) -
Puppet 5.5.2 simplifies the logic for resolving resources’ types in reports. (PUP-8746)
Deprecations
- Puppet 5.5.2 issues a deprecation warning when explicitly using a checksum value in the content property of a file resource. (PUP-7534)
Puppet 5.5.1
Released April 17, 2018.
This is a feature and bug-fix release of Puppet.
Deprecations
-
Ruby versions older than 2.3 are deprecated in Puppet 5.5.1 and will be removed in Puppet 6. Puppet issues warnings when using older versions of Ruby. (PUP-8504)
-
Puppet 5.5.1 removes the deprecation of
empty(undef)
introduced in Puppet 5.5.0. (PUP-8623)
Bug fixes
-
When reporting metrics on the time of a Puppet run, previous versions of Puppet instead reported the sum of other run times. Puppet 5.5.1 reports the measured time of the run. (PUP-6344)
-
If the production environment did not exist when running Puppet, previous versions would create the directory as the user
root
and grouproot
instead of the service account if one is available. Puppet 5.5.1 sets the owner and group to the service account if it exists on the node. (PUP-6996) -
The
yumrepo
provider in previous versions of Puppet attempted to runstat
on non-existent repository files when a repository file not being managed by ayumrepo
resource was deleted. This led to an error on the first attempt at running Puppet. In Puppet 5.5.1,yumrepo
ensures the file exists before attempting to runstat
. (PUP-8421) -
On AIX, Puppet 5.5.1 correctly manages users on the latest AIX service packs. (PUP-8538)
-
The
augeas
provider in previous versions of Puppet did not properly unescape quotes in quoted arguments forset
and similar commands, resulting in escaping backslashes appearing in output. Puppet 5.5.1 correctly removes those escaping backslashes. (PUP-8561) -
Previous versions of Puppet overpopulated the context stack with the server version, which drastically increased the time it took to parse the context stack for every request due to a massive amount of redundant data. Puppet 5.5.1 doesn’t overpopulate the stack with duplicate information. (PUP-8562)
-
Extra information for
puppet config print
is shown only when passing theverbose
ordebug
options in Puppet 5.5.1. (PUP-8566) -
When parsing EPP templates containing CRLF line breaks, previous versions of Puppet did not generate files containing CRLF line breaks, which could cause issues when using EPP templates on platforms such as Windows that expect them. (ERB templates were not affected.) Puppet 5.5.1 correctly passes CRLF line breaks in EPP templates to the generated output. (PUP-8240)
New features
-
When forming relationships between resources by using an invalid resource reference, the error message in Puppet 5.5.1 includes the source location. (PUP-8498)
-
In previous versions of Puppet, the
yumrepo
type limited priority values to a range fom 1 to 99. Puppet 5.5.1 now accepts any positive or negative integer, which matches the behavior ofyum
when determining valid priority values. (PUP-4678) -
Previous versions of Puppet applied the
tidy
resource to all files that it found, even when Puppet managed the files. Thetidy
resource in Puppet 5.5.1 skips any files that are managed by Puppet when deciding if it should remove files. (PUP-7307) -
SystemD is the new default provider for Ubuntu 17.04 and 17.10. (PUP-8495)
Puppet 5.5.0
Released March 20, 2018.
This is a feature and bug-fix release of Puppet.
Bug fixes
-
When processing malformed plist files, previous versions of Puppet used
/dev/stdout
, which can cause Ruby to report warnings. Puppet 5.5 instead uses-
, which uses stdout when processing the plist file withplutil
. (PUP-8545) -
Previous versions of Puppet might incorrectly report an error that a match expression had no effect, if for instance numeric match variables could be set as a side-effect of evaluating the match. For example, this valid code would produce an error:
'cdf' =~ /^([a-z])(.*)/ notice($2)
Puppet 5.5.0 resolves the issue. (PUP-8519)
-
The
puppet lookup
command-line tool called the external node classifier (node terminus) even if the--compile
flag was not enabled. This could cause errors, because Puppet would load classes indicated by the ENC without a complete and proper setup, or if loaded code was had parse errors. In Puppet 5.5.0, the configured ENC is used only if the--compile
flag is enabled. (PUP-8502) -
If selinux bindings were not available in previous versions of Puppet, it would try and fail to manage a setting because it could not read its current state. In Puppet 5.5.0, if no selinux bindings are available, Puppet doesn’t try to read the setting’s current inaccessible state. (PUP-8477)
-
The
puppet parser dump
output format in previous versions of Puppet produced output with an initial lowercase letter for names of types, when it should have used an initial uppercase letter. Puppet 5.5.0 resolves the issue. (PUP-8474) -
Since Puppet 5.4.0, Puppet uses the
lusermod
command instead ofusermod
when settingforcelocal => true
on a user resource in *nix. Puppet also typically manages group membership via the user resource. However, unlikeusermod
, thelusermmod
command cannot manage group membership. Therefore, Puppet 5.4.0 couldn’t manage group membership in a user resource.Puppet 5.5.0 calls
usermod
only when trying to manage group membership for a user resource. In some situations, such as attempting to add a user to a NIS or LDAP group, the command might still fail. However, this behavior is consistent with versions of Puppet prior to 5.4.0. (PUP-8470) -
Puppet 5.5.0 should no longer log warnings resulting from inadvisable coding practices, such as using ambiguous arguments, to the process’s
stderr
. This resolves an issue in previous versions of Puppet where log managers could cause a broken pipe. (PUP-8467) -
In a custom Node terminus, previous versions of Puppet allowed you to construct the Node object where
$::environment
would be empty during catalog compilation, even though the Node object had a properly set environment. In Puppet 5.5.0, catalog compilation now consults the node’s environment directly when setting$::environment
. (PUP-8443) -
The data types Timespan and Timestamp incorrectly set the upper bounds to the same as lower bounds when created with a single parameter. For example,
T[x]
was interpreted asT[x,x]
instead ofT[x, <no-limit>]
. Puppet 5.5.0 resolves this by assuming no upper bound when passed a single parameter. (PUP-8439) -
While previous versions of Puppet could create new Windows groups containing virtual accounts, it couldn’t manage groups that contained at least one virtual account. Puppet might also have been unable to correctly manage groups with account names that appeared in both the local computer and a domain, due to a failure to properly disambiguate the accounts. Puppet 5.5.0 resolves both problems. (PUP-8231)
-
The
puppet config
command in Puppet 5.5.0 behaves better when a section is not specified, and resolves bugs that could cause settings to be set in the wrong section or resulted in duplicate sections. (PUP-7542) -
The
--render-as
flag forpuppet config print
can now produce appropriately structured formatted output with thejson
andyaml
options. The default format is unchanged. (PUP-8188) -
When running
puppet config print
in Puppet 5.5.0, theenvironment_timeout
setting printsunlimited
when set to ‘unlimited’, and prints the configuredenvironment_timeout
when no environment exists to set this value. (PUP-8409) -
The
puppet config print
,set
, anddelete
commands now print the environment and section on stderr to reduce user confusion. Thepuppet config print
command also warns the user if they do not specify a section. (PUP-2868) -
Previous versions of Puppet produced warnings or errors when managing Windows local groups that contained unresolvable SIDs from previously valid domain members that had since been deleted. Puppet 5.5.0 safely handles these unresolvable SIDs inside of groups. (PUP-7326)
-
The
yumrepro
provider in Puppet 5.5.0 trims the leading and trailing spaces from the values it finds when reading a YUM Repository Configuration File, instead of returning an error. (PUP-6639) -
Updated
yumrepo
provider descriptions for theexclude
andincludepkg
field now explain that the properties should be set to a string containing a space-separated list of package names or shell globs. (PUP-2884) -
The
yumrepo
provider in previous versions of Puppet overwrote repository configurations that weren’t being managed by ayumrepo
resource. Puppet 5.5.0 resolves this issue by checking for any unmanaged repository configurations before writing to the yumrepo config file. (PUP-723)
Known issues
-
The
yumrepo
provider contains the new propertytarget
. The property will be enabled in a future release and should not be used. (PUP-8542) -
In previous versions of Puppet, if Hiera read a YAML data file and the result was neither a hash nor completely empty, Hiera issued a warning. In Puppet 5.5, if the
--strict=error
flag is enabled, Hiera will instead produce an error if the file was read by the built-in YAML or eYAML backend functions. If the--strict
flag is set towarning
oroff
, Hiera issues a warning as before.Note that Ruby’s YAML parser does not fully comply with the YAML spec, and some faulty YAML files can still be loaded with unexpected results instead of errors. See PUP-8547 for details. (PUP-8541)
-
The
hiera-eyaml
gem was included with Puppet agent 5.5.0, but is not installed to a location in the working environment’s PATH until Puppet agent 5.5.7, which can lead to unexpected Puppet agent failures PA-2129:Error: Could not find command 'eyaml' Error: /Stage[main]/Hiera::Eyaml/Exec[createkeys]/returns: change from 'notrun' to ['0'] failed: Could not find command 'eyaml'
The preferred solution is to update Puppet to 5.5.7 or newer. To work around this issue on Puppet agent 5.5.0 to 5.5.6, link the installed hiera-eyaml gem executable to that path:
ln -s /opt/puppetlabs/puppet/lib/ruby/vendor_gems/bin/eyaml /opt/puppetlabs/puppet/bin/eyaml
Improvements
-
If a heredoc used an empty end tag (
@("")
), Puppet reported a Ruby NameError. Puppet 5.5.0 instead reports an error stating that the tag is empty. (PUP-8519) -
The
puppet help
andpuppet man
commands now print helpful error messages. (PUP-8444, PUP-8464) -
In Puppet 5.5.0, the
puppet cert clean
command can clean certificates even if none of the certificates in the provided list have already been signed. (PUP-8448) -
Puppet 5.5.0 restores the ability to upload facts to Puppet Server and other Puppet masters, as well as the
puppet facts upload
command, which is important for Direct Puppet workflows when agents always run from cached catalogs and need an alternate mechanism to upload facts. It also updates the default legacyauth.conf
to allow agents to only upload their own facts. (PUP-8232 -
Time metrics recorded in the run report now include the time it takes to apply the catalog, convert the catalog, plugin sync, generate facts, retrieve nodes, and evaluate transactions. (PUP-920, PUP-6343)
New features
-
The
flatten()
,empty()
,join()
,keys()
,values()
, andlength()
functions have been promoted from thestdlib
module to Puppet.Additionally, the Puppet
length()
function adds support for returning the length of a Binary value, and theempty()
function supports answering if a Binary value is empty (has zero bytes).Puppet’s implementations take precedence over
stdlib
if you use a version of the module containing them, and maintain compatibility with theirstdlib
implementations. As a result, you should not need to change any Puppet code relying on these functions. However, note that the Puppet implementation ofempty()
deprecates being called with an undef or numeric value and will issue a warning. (PUP-8492, PUP-8497, PUP-8507) -
Puppet 5.5.0 uses the
MultiJson
gem to choose the fastest available JSON backend at runtime. By default, it loads the JSON gem built into Ruby. This allows Puppet Server to choose a faster backend if implemented. (PUP-8501) -
In addition to Ubuntu 16.10, Puppet 5.5.0 uses
systemd
as the default provider for Ubuntu 17.04 and 17.10. (PUP-8482) -
The S-Expression (Clojure-style) data format generated by
puppet parser dump
is formalized and updated in Puppet 5.5.0, and is now considered a supported API for tool integration. The new format is available in text and JSON formats, by using the--format
flag with eitherpn
for the new format orjson
for the new format in JSON. The--pretty
flag adds line breaks and indentation for readability.The previous format remains the default for
puppet parser dump
, but is deprecated and will be removed in the next major version of puppet. (PUP-8482) -
In Puppet 5.5.0, the
fqdn_rand()
function uses SHA256 to compute seed/rand when running on FIPS-enabled hosts, instead of MD5 as used on other hosts. As such, hosts generate differentfqdn_rand()
values depending on whether FIPS is enabled. (PUP-8469) -
Puppet 5.5.0 adds the new
provider_used
field to the report schema for serialization and deserialization. This field is populated with the provider used to provide the resource. (PUP-8412) -
Puppet 5.5.0 can retrieve the current system state as Puppet code from devices using
puppet device
. (PUP-8041) -
You can specify a type conversion in
lookup_options
for Hiera 5. This allows you to convert values to a rich data type, for example to make a value Sensitive or construct a Timestamp, as well as other values that cannot be directly represented in JSON or YAML. (PUP-7675) -
The
puppet config
command in Puppet 5.5.0 can remove settings. (PUP-3020) -
The
yumrepo
provider in Puppet 5.5.0 supports username and password fields. (PUP-7400)
Regressions
- The introduction of
multi_json
in Puppet 5.5.0 broke the JSON log destination. For example, running Puppet agent with the--logdest
option pointed at a JSON target would result in a Ruby failure. This regression is fixed in Puppet 5.5.3. (PUP-8773)
Deprecations
-
The S-Expression (Clojure-style) data format generated by
puppet parser dump
is formalized and updated in Puppet 5.5.0, and is now considered a supported API for tool integration. The new format is available in text and JSON formats, by using the--format
flag with eitherpn
for the new format orjson
for the new format in JSON. The--pretty
flag adds line breaks and indentation for readability.The previous format remains the default for
puppet parser dump
, but is deprecated and will be removed in the next major version of puppet. (PUP-8482) -
The
puppet man
command is deprecated and will be removed in a future release. To view Puppet command documentation from the command line, usepuppet help <subcommand>
or the installed manpages asman puppet-<subcommand>
. (PUP-8445)