Puppet release notes

This version is out of date. For current versions, see Puppet packages and versions.

These are the new features, resolved issues, and deprecations in this version of Puppet.

Puppet 6.0.10

Released 16 July 2019

New features

Improved server_list output and error messaging

Previously, using config print to view your server_list would output a nested array that was difficult to read. Using config print now outputs the text in the same human-readable format as its entry in puppet.conf. Puppetnow uses the same human-readable output for errors you receive from being unable to connect to a server in server_list (PUP-9495).

Disabled Ruby 2.5.1 automatic HTTP retry mechanism

This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the puppetserver report processor (PUP-3905).

Resolved issues

Amazon platforms now use yum as the default provider

Prior to this release, Amazon platforms did not have a default provider set. This resulted in Puppet trying to use the gem provider to install Amazon packages. PUP-9724

Removing a user resource on Solaris 11 installations that use home directory configurations did not work

Previously, trying to remove a user resource on a Solaris 11 installation using a home directory configuration resulted in an error. PUP-9706

puppet device always initializes SSL directories with the correct permissions

When initialising new device certificates, puppet device would sometimes set permissions in a way that prevented the pe-puppet user from reading some directories. PUP-9642

Puppet no longer upgrades Debian upgrade packages before setting them on hold

Prior to this release, if you set a Debian package on hold with ensure => held and the package had a pending upgrade, Puppet installed the upgrade before locking the package. PUP-9564

Hiera 3 lookups with convert_to keys

If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with convert_to, you'd get an error: "undefined method 'call_function' for Hiera::Scope". PUP-9693

Lockfile retained old PID, causing agent failure

This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem.PUP-9691

Puppet now registers OIDs in the SSL application

SSL requests might sometimes return errors because Puppet was not registering OIDs in the SSL application. This is now fixed. PUP-9746

puppet resource cron command now returns Solaris crontabs

This release fixes reading of crontabs using Puppet for Solaris 11. Now crontabs for all users are listed when running puppet resource cron. PUP-9697

Puppet 6.0.9

Released 30 April 2019

Resolved issues

Critical security patch to libxslt version in Puppet

The libxslt version packaged in puppet-runtime is now updated to version 1.11.33. This update patches a critical security issue in libxslt. See CVE-2019-11068 for details about this vulnerability. PA-2667

--logdest option accepts multiple logging destinations

This release fixes an issue where you could no longer specify multiple logging destinations on the command line with the --logdest option. This feature stopped working after we added the ability to specify a logging destination in puppet.conf. PUP-9565

Documentation options changed to provide rubygems compatibility

Puppet now uses the --no-document option to exclude documentation when installing gems, instead of the deprecated --no-rdoc and --no-ri options. This change allows compatibility with rubygems 3.0 and greater. PUP-9395

Puppet 6.0.8

Released 16 April 2019

New features

Performance improvements to puppet device

This release improves performance of puppet device by removing redundant work during initialization. PUP-9584

Resolved issues

Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrative API to expire the cache as needed. PUP-9497

puppet device failed to manage multiple devices

The puppet device command would not manage multiple network devices in a single run. This was a regression introduced in 6.0.5. PUP-9587

Debug mode now shows server_list error correctly

Prior to this release, use of the server_list setting could cause misleading agent errors. Now, when running in debug mode, Puppet prints the exception that caused it to skip an entry in the server_list setting. PUP-8036

Debug output shows origin of server setting

This release adds information to debug output that specifies whether the server setting originates from the server or server_list setting in the configuration. PUP-9470

puppet device --apply failed to apply catalog to unregistered targets

With these changes, the puppet device command properly initializes the private directories required for compiling and running catalogs. PUP-9047

Puppet 6.0.7

Released 26 March 2019

New features

Corrective changes explicitly logged

Prior to this release, agent runs provided the same output for both intentional and corrective changes. Now corrective changes are now explicitly called out in the logs as corrective. PUP-9324

Added protection against illegally defined methods in functions

Puppet now raises an error if a loaded legacy function uses an illegal method definition.

Illegally defined methods can disrupt the entire system, leading to to difficult-to-diagnose problems and leakage between environments. For information about fixing illegal methods, see the topic on refactoring legacy functions. PUP-9294

Debug logging for the exec resource in no-operation mode now includes commands

Running the exec resource with --debug and --noop now prints a debug message with the command if checks prevent it from being executed. If command, onlyif, or unless are marked as sensitive, all commands are redacted from the log output. PUP-9357

Resolved issues

Optional type without arguments no longer returns an error

Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Always supply a type argument with the desired type if the value is not undef. PUP-9467

Puppet now produces an error when a functional server is not found

If server_list is set and a functional server is not found, Puppet returns an error rather than falling back to the server setting. PUP-9076

Puppet commands fail if the puppet.conf file is unreadable

Puppet commands now fail if Puppet Server is unable to read the puppet.conf file. Only the help and --version commands work if the puppet.conf file is unreadable. PUP-5575

Added protection against illegal methods in legacy functions

Puppet now protects against illegal method definitions in loaded legacy functions. Illegal methods in legacy functions disrupt the entire system and can cause difficult-to-diagnose issues. For information on how to remove such methods from legacy functions, see the topic about refactoring legacy functions. PUP-9294

filebucket type server and port settings no longer have explicit defaults

For the filebucket type, server and port no longer have explicit default values in the type definition. If server is not set, it defaults to the first entry in server_list if set; otherwise, it defaults to server. If port is not set, it defaults to the port in the first entry of server_list if set; otherwise, it defaults to masterport. PUP-9025

Upstart provider evaluated during provider check instead of during loading

The upstart provider was being evaluated when loaded, causing issues with testing and availability during transactions. This has been fixed so that the provider is evaluated only when provider suitability is being checked. PUP-9336

Restarting pxp-agent service kills all processes when restarted

This release modifies the pxp-agent service to kill all pxp-agent processes when the service is restarted, rather than only the current process. PCP-833

Custom functions can now be correctly called

This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477

Exceptions encountered during resource pre-fetch are logged

If the Puppet agent encounters exceptions when pre-fetching resources for catalog application, it now logs the exceptions and returns a more useful error message. PUP-8962

Invalid path to --logdest option was ignored

Now if you give a --logdest location that Puppet cannot find or write to, the run fails with an error. PUP-6571

Improved error handling for PNTransformer

When parsing Puppet into structured AST, the Puppet parser produced an error on some empty constructs because the PNTransformer could not resolve them. Now it generates a Nop expression instead. PUP-9400

Syntax errors on interpolated heredocs are resolved

Heredoc expressions with interpolation using an access expression such as $facts['somefact'] sometimes failed with a syntax error. This error was related to the relative location of the heredoc and surrounding whitespace and is now resolved. PUP-9303

Parser no longer generates SublocatedExpression class

The AST SublocatedExpression class is no longer generated by the parser. The SublocatedExpression class itself will be removed from Puppet in a future release. PUP-9303

Puppet no longer sets file permissions to the same value every run

Puppet now treats owner and group on the file resource as in-sync in the following scenario:
  • The owner and group are not set in the resource.

  • Either the owner or the group is set to the System user on the running mode.

  • The System user ACE is set to FullControl.

Puppetnow allows users to specifically configure the System user to less than FullControl by setting the owner and/or group parameters to System in the file resource. In this case, Puppet emits a warning since setting System to less than FullControl may have unintended consequences. PUP-9337

Windows group resource no longer outputs an array of SIDs for members

The Windowsgroup resource now correctly prints members as <DOMAIN>/<user>. PUP-9435

This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496

Puppet 6.0.6

This version of Puppet was never released.

Puppet 6.0.5

Released 15 January 2019

New features

Clean certificates for remote nodes

The puppet ssl clean command now accepts a --target CERTNAME parameter to clean certificates for remote nodes configured through device.conf. PUP-9248

Updated puppet-agent package availability for Fedora

A puppet-agent package is now available for Fedora 29. As of this release, no puppet-agent package is available for Fedora 27, which reached end of life in November 2018.

Service support for systemd on Linux Mint 18 and newer

This release adds support for services on Linux Mint 18 and newer, which use the init systemd instead of upstart for services. PUP-9326

Resolved issues

Agent package writes to the correct location on Solaris

The puppet-agent package on Solaris 11 failed because it tried to write files to the /system directory. The package now writes to the correct location in the /var directory. PA-2776

Catalog compilation error fixed

When compiling a catalog, Puppet sometimes raised the error "Attempt to redefine entity." This issue has been fixed with an update to the internal logic. PUP-8002

Curl binaries removed from Windows package

In Puppet 6 installation, curl binaries were being loaded before the native curl in the PATH on recent Windows releases. To prevent this, we've removed the curl binaries on Windows agent, although the libraries haven't changed. PA-2319

Puppet no longer ignores the srv_domain setting

This release fixes an issue where Puppet 6.0 ignored the srv_domain setting when using DNS SRV records to connect to the ca_server. PUP-9399

Command line module installation improved

The puppet module install command now downloads only the release metadata it needs to perform dependency resolution, drastically reducing data download and improving installation time. For the puppetlabs-stdlib module, this change reduces the data download from 25MB to 68KB, and any module that depends on stdlib installs faster. PUP-9364

Prior to this release, the data types Timestamp and Timespan raised errors if time range was specified with Integer or Float values. These data types now support time ranges specified with these vales. PUP-9310

puppet device failed if environment was not production

Prior to this release, the puppet device command failed if the environment specified in puppet.conf or with the --environment option was not 'production'. This issue is fixed. Now puppet device uses its own device-specific cache for pluginsynced code (facts, types, and providers). Additionally, puppet device now supports a --libdir option for overriding any pluginsynced code with a local directory for testing. PUP-8766

Failed dependency resources are reported only once

After a failed resource has been reported, other resources that depend on the failed resource will not be reported again. However, you still get the skip message for each skipped resource. PUP-6562

Refreshed resource status now included in event report

This release fixes an issue where refreshed resources, such as reboot or some execs, did not create a status event in the event report. PUP-9339

Fixed recognition of short form Arrays and Hashes

This release fixes a regression in the string formatting rules that caused a short form for an Array or Hash to not be recognized. For example, String([1,[2,3],4], '%#a") would not format with indentation, but would format the long form String([1,[2,3],4], {Array => { format => '%#a"}}). Now the short form works for Array and Hash as intended. PUP-9329

puppet ssl clean now deletes local certificate requests

This release fixes an issue where the puppet ssl clean command did not correctly delete local certificate requests. PUP-9327

Puppet 6.0.4

Released 1 November 2018

New features

RHEL 8 uses DNF as the default package provider

To avoid incompatibility with yum, DNF has been added as the default package provider for RHEL 8 and later. PUP-9198

Resolved issues

Stacktrace with puppetlabs-mysql

Previously, Puppet failed with a faulty error message when a legacy function did not comply with the standard rules. In this version, the intended error is raised. PUP-9270

Ownership error with logdest on agents

Puppet now sets only the user, group, and mode of log files if Puppet creates them. PUP-7331

Members property didn't return arrays

The members property has been fixed to have the same API for retrieve and should as it did prior to the breaking changes in 5.5.7, while also reporting the right change notification. Providers can now return an array for getter and accept an array for setter. PUP-9267

Puppet 6.0.3

Released 25 October 2018

New features

puppet ssl clean cleans up all certificate artifacts on an agent

Added puppet ssl clean command to the puppet ssl application. This command removes an agent’s private key, public key, certificate, or certificate signing request. If the --localca option is specified, the action also removes the agent’s copy of the CA certificates and CRL bundle that it previously downloaded from the CA. This way you will not accidentally delete your entire CA directory when trying to clean the agent that’s running on the CA host. Note that puppet ssl clean is a companion to puppetserver ca clean. Run the former on an agent host to clean that agent’s ssl directory. Run the latter on the CA to manage certificates and requests for all agents. PUP-9156

Logdest setting in puppet.conf

The --logdest argument can now be set in the puppet.conf file as the logdest setting. PUP-2997

Resolved issues

Module paths with common root trigger validation errors

Overlapping module paths caused an incorrect illegal location deprecation warning or error. PUP-9211

Puppet didn't ignore empty init.pp

Empty or comments-only files no longer emit a deprecation warning or error about illegal top level construct. PUP-9190

Format handler logged exceptions at too high a level

Previously, Puppet logged an exception at the error level every time it needed to fall back to encoding a catalog in PSON. This caused the logs to fill up with errors when nothing was wrong. Catalog encoding in PSON now logs at the debug level. PUP-9185

Exec resource exposed sensitive data

Sensitive data is no longer leaked into the resource file. PUP-7580

Puppet 6.0.2

Released 4 October 2018

New features

exists? method in Windows::Service module

The Puppet::Util::Windows::Service module now supports an exists? method, which returns true if a given service exists, false otherwise. PUP-9179

Resolved issues

exec cwd is not respected for unless or onlyif commands

A regression in a previous release made unless and onlyif of the exec resource not respect the specified  cwd setting. This has now been fixed. PUP-9194

Windows agents couldn't apply a stopped service if the service didn't exist

The Windows service provider now returns enable = false, ensure = stopped for nonexistent services, and errors when setting enable = true or  ensure = running on nonexistent services. PUP-6822

Puppet 6.0.1

Released 2 October 2018

New features

Userflag support for the Windows::ADSI::User class

The Puppet::Util::Windows::ADSI::User class now supports setting and unsetting ADSI userflags. PUP-9177

Puppet::Util::Windows::Process.execute working directory

Puppet::Util::Execution.execute now supports a cwd option to specify the current working directory that the command will run in. This option is only available on the agent. It cannot be used on the master, meaning it cannot be used in, for example, regular functions, Hiera backends, or report processors. PUP-6919

Enable translation for extracted modules

Extracted modules are now translated. PUP-9053

Resolved issues

Nested :undef is transformed to nil

Tests (or Ruby logic in one function calling other functions) that assumed that calling a function with a nested :undef would convert it to either  nil or leave it as :undef were no longer working in Puppet 6.0.0. This was changed in PUP-9112, wherein certain transformations were no longer needed because the language did not need them. However, tests and custom logic in Ruby do benefit from keeping those conversions. Now, :undef in nested array and hash values is converted to nil, which makes a difference when calling 3x functions from Ruby. PUP-9180

Incorrectly identifing the start of lists inside heredocs

When using interpolation inside a heredoc, the position and location information for the interpolated expressions were wrong. This could lead to two problems:
  • If using [] expressions, a mysterious syntax error would be raised if a seemingly arbitrary position after the interpolation contained white-space.
  • If there were errors in the interpolation, they could be reported for the wrong line and position on the line.

These are now fixed. PUP-9163

Master server status wasn't specifically requested

Previously, an agent configured to use one or more compiler servers with the server_list setting could skip an available server under certain conditions. Now the agent requests status of the master service specifically, which accurately reports if the compiler service is available. PUP-9159

puppet cert didn't output helpful error text when called with args

Previously, the helpful error text from puppet cert describing the new command alternatives would only appear when puppet cert was called with no arguments. It will now appear with any puppet cert invocation. PUP-9155

Task metadata didn't support task spec revision 3

For Bolt, the task object returned by PAL’s ScriptCompiler#task_signature method has been changed to pass through metadata to enable support for revision 3 of the task specification. PUP-9153

Scope#function_xxx loaded 3x function wasn't overwritten by 4x load

3x functions loaded as a side effect of calling function_<name>() in Ruby were again loaded when called from the Puppet language or when using call_function in Ruby from another function. This caused warnings for overwrite of already loaded functions to appear in some circumstances, and it impacted performance when reloading. PUP-9137

puppet apply --catalog didn't trigger resolution of deferred values

puppet apply --catalog did not resolve deferred values when applying the catalog. PUP-9121

Restarting services using launchd service provider was unreliable

Restarting services on Mac OS X frequently failed due to a race condition in Puppet. PUP-9111

Outdated portage package provider for new output generated by qatom

We have updated the Portage package provider for changes to Gentoo package management. PUP-9044

AIX provider had inconsistent behavior with user resource

The AIX user provider now handles the groups property in a manner that’s consistent with other Linux user providers. Specifically, it reads the user’s groups from the /etc/group file and implements inclusive/minimum membership correctly, even when the user’s primary group changes. PUP-7393

Group resource emitted misleading change notification

The members property in the group resource has now been fixed to report the right change notifications to Puppet. PUP-6542

Files were stored forever in state.yaml

Previously, the state.yaml file could grow unbounded. The new statettl setting controls how long entries are cached (default: 32 days). If you use resource schedules, see the statettl documentation to see how this setting interacts with the schedule type. PUP-3647

Puppet 6.0.0

Released 18 September 2018

New features

Select types moved to modules

In this release, many types were moved out of the Puppet codebase, and into modules on the  Puppet Forge . This change enables easier composability and reusability of the Puppet codebase and enables development to proceed more quickly without risk of destabilizing the rest of Puppet. Some types are now in supported modules and are repackaged back into the agent. Some are now in modules that are updated, but are not repackaged into the agent. And some are in modules that are deprecated, not updated, and not repackaged back into the agent.

Note: New functions handle undef values more strictly than their stdlib counterparts. Code that relies on undef values being implicitly treated as other types will return an evaluation error.

See the Resource Type Reference page for the full list, and links to the Forge modules for those types that moved.

Resource API

Resource API has been added, providing a new, recommended method to create custom types and providers. The Resource API is built on top of Puppet core and is easier, faster, and safer than the old types and providers method. See the Resource API documentation for more information.

Upgrade to Ruby 2.3 or later

Puppet now requires Ruby 2.3 or later, and reports an error when running older Ruby versions. We removed code paths for older Ruby support, such as 1.8.7, relaxed our gem dependencies to include gems that require Ruby 2 or up, and now test Puppet pull requests against JRuby 9k. PUP-6893, PUP-8483, PUP-8484

puppetserver ca command

The new puppetserver ca command replaces the puppet cert command. Running the puppet cert command results in an error, with instructions on alternative commands to use. Some actions (fingerprint, print) have not been directly replaced, because OpenSSL provides good equivalents. For verifying certificates, use puppet ssl verify. For more usage details, see the intermediate CA documentation. PUP-9022

node clean uses the Puppet Server CA API

The puppet node clean command now goes through the Puppet Server CA API to clean up certificates for a given node. This avoids issues where multiple entities attempt to revoke certs at once, because all of these updates are now funneled through the API, which handles concurrent requests correctly. See SERVER-115 and PUP-9108 for more information.

Agents can use CA and CRL bundles

The agent now correctly saves and loads chained SSL certificates and certificate revocation lists when in an environment where its certificates are issued by Puppet acting as an intermediate CA. PUP-8652

Load files from pluginsync during catalog application

Use the Deferred data type in a catalog to call functions on the agent before the catalog is applied. It is now possible to call all functions implemented in Ruby on the agent side. (Notably, it is not possible to call functions written in the Puppet language, as they are not available on the agent). PUP-9035

puppet ssl subcommand

There is a new Puppet subcommand for working with SSL certificates. The puppet ssl command supports the submit_requestdownload_cert, and verify actions for working with SSL certificates on the agent. PUP-9028

File requirements included in task infoservice files responses

When requesting task details, the master now returns a list of all files from the tasks metadata files and implementations['files'] keys. PUP-9081

Devuan default service provider

The Devuan service provider now defaults to the Debian init provider. PUP-9048

apply statement in plan language

An apply keyword has been added to the Puppet parser when running with tasks enabled. See Puppet specifications for details. PUP-8977

Updated default input_method for task object type

The input_method property of tasks now defaults to undef rather than the string both. This allows more flexibility in defaults and what input_methods we choose to support in the future. PUP-8898

convert_to() function accepts additional arguments

convert_to() function now accepts additional arguments. Previously, it accepted only the data type to convert to. PUP-8761

compare function

compare(a,b) function has been added. It returns -10, or 1 depending on if a is before b, same as b, or after b. The function works with the comparable types: String, Numeric, Semver, Timestamp, and Timespan. For  String comparison it is possible to ignore or take case into account. PUP-8693

Deferred data type

A new data type Deferred has been added. It is used to describe a function call that can be invoked at a later point in time. PUP-8635

Call function resolves Deferred values

It is now possible to resolve a Deferred value by using the call function. It can resolve a deferred function call, and a deferred variable dereference (with support to dig into a structured value). PUP-8641

Concatenate with + on Binary type

It is now possible to use the plus operator + to concatenate two Binary data type values. (PUP-8605) The sort() function has been moved from stdlib to Puppet. The function now also accepts a lambda for the purpose of using a custom compare. PUP-8622

Select string functions moved from stdlib to Puppet

The functions upcase(), downcase(), capitalize(), camelcase(), lstrip(), rstrip(), strip(), chop(), chomp(), and size() have been updated to the modern function API and the new versions are in Puppet and no longer require stdlib. The functions are generally backward compatible. PUP-8604

Select math functions moved from stdlib to Puppet

The math functions abs, ceil, floor, round, min, and max are now available in Puppet. The functions are compatible with the functions with the same name in stdlib with the added feature in  min and max of calling them with a single array and being able to use a lambda with a custom compare. These stdlib math functions used inconsistent string to numeric conversions that were also unintentionally making the functions compare values in strange ways. The automatic conversions are now deprecated and will issue a warning. PUP-8603

Agent support for rich data content negotiation

The rich_data setting is now enabled by default. Catalog requests have two new content types, application/vnd.puppet.rich+json and  application/vnd.puppet.rich+msgpack, that are used when both master and agent have this enabled (and depending on whether preferred_serialization_format is  json or msgpack). PUP-8601

vendor_modules added to basemodulepath

The default basemodulepath now includes a vendored modules directory, which enables Puppet to load modules that are vendored in the puppet-agent package. To prevent Puppet from loading modules from this directory, change the basemodulepath back to its previous value, for example, on *nix$codedir/modules:/opt/puppetlabs/puppet/modules. On Windows$codedir/modules. PUP-8582

environment.conf modulepath accepts globs

The modulepath as defined in environment.conf can now accept globs in the path name. PUP-8556

Customize default package providers

This change adds a notdefaultfor that prevents a provider from being a default for a given set of facts. notdefaultfor overrides any  defaultfor and should be defined more narrowly. PUP-8552

Define properties or parameters for types as sensitive

Parameters can now be marked sensitive at the class level rather than just the instance level. PUP-8514

Update default provider for Ubuntu

SystemD is now the default provider for Ubuntu 17.04 and 17.10. PUP-8495

Functions to use dot notation to dig into a hash or array

It is now possible to use dot notation to dig out a value from a structure, like in Hiera lookup and elsewhere in Puppet. To support this, the getvar() function has moved from stdlib to Puppet, and we have added a new function get(). You can now for example use getvar('facts.os.family') starting with the variable name. The get function is the general function which takes a value and a dot-notation string. PUP-7822

Puppet 4.x functions available to all modules

It is no longer required to have a dependency listed in a module’s metadata.json on another module in order to use functions or data types from the other module. PUP-6964

Updated addressable Ruby gem

Updated the version of the addressable Ruby gem now that JRuby 1.9.3 support has been removed. PUP-6894

Undeprecated certificate authority settings

Settings related to certificate authorities are no longer being deprecated as planned in PUP-9027. Warnings related to these planned deprecations have been removed. PUP-9116

Resolved issues

Reported events didn't stringify rich data

With rich data turned on for a catalog (now the default), a report could contain rich data in reported events, but nothing downstream from the agent was prepared to handle rich data. This is now fixed so that data in reported events are stringified when needed. PUP-9093

Illegal top-level constructs didn't produce an appropriate error

The deprecation for illegal top-level constructs is now an error. PUP-9091

__ptype and __pvalue were allowed as attribute names

Attempt to use the reserved attribute names __ptype and __pvalue in custom Object data types will now raise an error instead of producing bad result when serializing such objects. PUP-9079

A hash containing the key __ptype couldn't be serialized using human-readable JSON

It was not possible to use a hash key __pcore_type in a hash as that would trigger the special handling during serialization. Now, the special key has changed to __ptype and it is not also possible to use that as a key in a hash and still be able to serialize it (for example use it in a catalog). PUP-8976

Status endpoint wasn't used to determine if Puppet Server was available

When the agent is configured with a list of servers (using server_list), it will now request server status from the status endpoint instead of the node endpoint. PUP-8967

Selmodule thought foo existed if myfoo was loaded

The selmodule type is now more strict about checking if a module has already been loaded, and should no longer consider modules such as “bar” and “foobar” to be the same module. PUP-8943

Resource status of failed_to_restart wasn't included in reports

Puppet now considers resources that have failed to restart when notified from another resource as failed, and will mark them as such in reports. Reports also now include the failed_to_restart status for individual resources, instead of only including a total count of failed_to_restart resources in the resource metrics section. This bumps the report format version to 10. PUP-8908

File type wasn't redefined when required in code

Fixed an issue running in JRuby where we didn’t store autoloaded paths in the same way that the JRuby implementation did, leading to a bug where a type or provider could get loaded more than once. PUP-8733

Puppet lost track of the current environment

Puppet autoloader methods now require a non-nil environment. This is a breaking API change, but should not affect any user extensions like 3x functions. Puppet sometimes used the configured environment instead of the current environment to autoload. This mainly affected agents when loading provider features. Calling Puppet::Parser::Functions.autoloader.load* methods are deprecated, and issue a warning if strict mode is set to warning or error. Instead use Scope#call_function("myfunction") to call other functions from within a function. PUP-8696

Comparison of numeric to timestamp or timespan failed

When comparing numeric to timestamp or timespan it did not work to compare with the numeric value first. This is now fixed. PUP-8694

http_read_timeout and runtimeout defaults were limited

The http_read_timeout default changed from infinite to 10 minutes. This prevents the agent from hanging if there are network disruptions after the agent has sent an HTTP request and is waiting for a response which might never arrive. Similarly, the runtimeout default also changed from infinite to 1 hour. PUP-8683

tidy resource was too chatty

The tidy resource type now uses the debug log level for its File does not exist message, instead of the info level. This means that resources of this type will no longer emit the message by default when the target of the resource has already been cleaned from disk. PUP-8667

Agents didn't use the CRL bundle to verify master revocation status

With this change, if the user has distributed the CRL chain out-of-band, then the agent successfully loads it and uses it to verify its connection to other Puppet infrastructure (for example, the master). It expects the CRL chain to be one or more PEM-encoded CRLs concatenated together (the same format as a cert bundle). This fixes the “Agent-side CRL checking is not possible” caveat on in our External CA documentation. PUP-8656

Puppet 5 and Ruby 2.4 couldn't handle invalid plists

When processing malformed plist files, we used to use /dev/stdout, which can cause Ruby to complain. We now use - instead which means to use stdout when processing the plist file with plutil. PUP-8545

White space surrounding comments in EPP were handled incorrectly

EPP comments <%# Like this %> always trimmed preceding whitespace. This is different from ERB making it more difficult to migrate ERB templates to EPP. There was also no way of making EPP preserve those spaces. Now, EPP comment does not trim preceding whitespace by default, and a new left trimming tag <%#- has been added. This is a backwards incompatibility in that code like, Before <%# comment %>after resulted in the string "Beforeafter", whereas now it will be "Before after". PUP-8476

filter function didn't accept truthy values

The filter function did not accept truthy value returned from the block as indication of values to include in the result. Only exactly boolean true was accepted. PUP-8320

Unsafe YAML data could be loaded

Puppet now uses YAML.safe_load consistently to ensure only known classes are loaded. PUP-7834

Gemfile didn't support consuming the Puppet gem via a Git reference

Restructure the Puppet Gemfile so that bundler installs Puppet’s runtime, feature-related, and test dependencies by default. The development and documentation groups can be installed using: bundle install –with development documentation. PUP-7433

Puppet didn't use shared gem dependency for semantic_puppet

Puppet now uses the shared gem dependency for semantic_puppet, rather than loading its own vendored version. PUP-7157

Puppet, the agent, and Puppet Server didn't use a shared gem directory for semantic_puppet

Puppet now loads semantic_puppet from a shared gem directory, so that Puppet, the agent, and Puppet Server all require and use the same version of the gem. (~>1.0.x) PUP-7115

metrics.time.total didn't correlate to time reported in log

Total time now reports the measured time of the run instead of a sum of other run times. PUP-6344

Features weren't re-evaluated when a block was used

Features defined using a block or a list of libraries now behave the same, so the following are equivalent:
Puppet.features.add(:my_feature) do require 'mylib' end
Puppet.features.add(:my_feature, libs: ['my_lib'])            

Previously the result of the block was always cached. With this change only true or false return values are cached. To indicate that the state of the feature is unknown and may become available later, the block should return nil. PUP-5985

Manifests that declared things in the wrong namespace didn't trigger errors

Errors will be reported for module files declarations that have a namespace inconsistent with their directory and file location. PUP-4242

Invalid .dot files were generated by missing escapes of quoted strings

Generating graphs of catalogs (such as puppet apply --graph) now correctly handles resources with double quotes in the title. PUP-2838


Fine grained control of file and environment timeouts deprecated

As of Puppet 6.0.8, fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrative API to expire the cache as needed. PUP-9497

Certificate authority subcommands and v1 CA HTTP API

Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998

As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650

For details on changes and the new commands, see our documentation about certificates and SSL.

Ruby certificate authority 

Puppet no longer has a Ruby CA. All CA actions now rely entirely on the Clojure implementation in Puppet Server. It can be interacted with by means of the CA API and the puppetserver ca command, which leverages the API using subcommands like those provided by puppet certPUP-8912

Trusted server facts

Trusted server facts are always enabled and have been deprecated since 5.0. This removes the setting and conditional logic. PUP-8530

write_only_yaml node terminus

The write_only_yaml node terminus was used to “determine the list of nodes that the master knows about” and predated widespread PuppetDB adoption. The write_only_yaml has been deprecated since 4.10.5, and this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a compile. PUP-8528

LDAP node terminus

The LDAP node terminus has been removed. PUP-7601

computermacauthorization, and mcx types and providers

The computermacauthorization, and mcx types and providers have been moved to the macdslocal_core module. It is not repackaged into puppet-agent in the 6.0 series.

Nagios types

The Nagios types no longer ship with Puppet, and are now available as the puppetlabs/nagios_core module from the Forge.

Cisco network devices

The Cisco network device types no longer ship with Puppet. These types and providers have been deprecated in favor of the puppetlabs/cisco_ios module, which is available on the Forge. PUP-8575

:undef in types and providers

In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a master, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112

puppet module build command

To reduce the amount of developer tooling installed on all agents, this version of puppet removes the puppet module build command. To continue building module packages for the Forge and other repositories, install Puppet Development Kit (PDK). PUP-8763

pcore_type and pcore_value

The earlier experimental -rich_data format used the tags pcore_type and pcore_value, these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations you need to change them or write them again with the updated version. PUP-8597


Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591)

puppet master command

The puppet master command and its subcommands have been removed. Instead, use a  puppet-config command. PE-24280

–strict flag in puppet module 

The –strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558

Select settings

The following settings have been removed:
  • The previously deprecated configtimeout setting has been removed in favor of the http_connect_timeout and http_read_timeout setting. PUP-8534

  • The unused ignorecache setting has been removed. PUP-8533

  • The previously deprecated pluginsync setting has now been removed. The agent’s pluginsync behavior is controlled based on whether it is using a cached catalog or not. PUP-8532

  • The deprecated app_management setting has now been removed. Previously, this setting was ignored, and always treated as though it was set to be on. PUP-8531

  • The deprecated ordering setting has been removed, and catalogs now always have the ordering previously provided by the manifest value of this setting. PUP-6165

  • Settings related to the rack webserver from Puppet, including binaddress and masterhttplog. PUP-3658

String duplication in 3x runtime converter

Types and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values and any type or provider that directly mutates a resource parameter may fail. Previously, every resource attribute was copied to not make application break even if they did mutate. Look for use of gsub! in your modules and replace logic with non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141

Puppet.newtype method

The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. (PUP-7078)

Certificate handling commands deprecated but not removed

The following subcommands were deprecated in a previous version and slated for removal in this version. While these subcommands are still deprecated, they have not yet been removed.
  • ca_name
  • cadir
  • cacert
  • cakey
  • capub
  • cacrl
  • caprivatedir
  • csrdir
  • signeddir
  • capass
  • serial
  • autosign
  • allow_duplicate_certs
  • ca_ttl
  • cert_inventory
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.