Puppet release notes
These are the new features, resolved issues, and deprecations in this version of Puppet.
Puppet 6.28.0
Released August 2022.
Enhancements
Extend Package Source to include HTTP URLs (Windows)
package { 'mysql':
  ensure          => '5.5.16',
  source          => 'https://example.com/packages/mysql-5.5.16-winx64.exe',
  install_options => ['INSTALLDIR=C:\mysql-5.5'],
}
PUP-11502
Bump to openssl-fips-1.1.1k-6
Updated openssl-fips on Red Hat to 1.1.1k-6. PA-4498
Update puppet-ca-bundle
Updated the root certificate authority bundle included with puppet-agent. PA-4496
Support for macOS 12 (M1)
This release adds support for macOS 12 (M1). PA-4457
Support for Windows 11 Enterprise (x86_64)
This release adds support for Windows 11 Enterprise (x86_64). PA-4249
Support for Ubuntu 22.04 (x86_64)
This release adds support for Ubuntu 22.04 (x86_64). PA-4233
Resolved issues
Puppet::HTTP::Client cannot connect to a server requiring client cert authentication and whose server cert is issued by a CA in the ssl_trust_store
Puppet's http client can now establish a mutually authenticated TLS connection when passing include_system_store: true, such as when retrieving file content from HTTPS servers. Previously, Puppet did not add its client certificate to the SSL context, so the connection would fail if the HTTPS server required a client certificate. PUP-11522
Legacy function error does not include the source ref
If a 3x function produces an error, the error message now includes the path to the file in which the function is defined. Contributed by Puppet community member lollipopman. PUP-11472
puppetserver_gem doesn't install gems when they are loaded by Facter
Fixed a bug that prevented the puppetserver_gem provider from managing gems that were first loaded by Facter. PUP-11452
Puppet Agent does not automatically refresh CRLs on crl_refresh_interval
Puppet Agent now reloads its CA and CRL bundles every 30 minutes during each run. Previously, it loaded them only when the process started, which meant the service had to be restarted if the CA/CRL files changed on disk. PUP-11428
Puppet agent --disable is ignored with cron puppet agent (splay).
Puppet agent now checks the disabled lock file after sleeping due to splay. PUP-9998
puppet-cacerts keystore is missing on Red Hat 9, SLES 15 and Ubuntu 20.04
If Puppet agent is installed, there is a java keystore file. PA-4440
Deprecations and removals
Removed EOL operating system support
This release removes support for the following operating systems: Fedora 32, CentOS 8, Ubuntu 16.04. PA-4328
Security
Update puppet runtime's curl to 7.83.1
Updated runtime to fix CVE-2022-22576, CVE-2022-27774, and CVE-2022-27776. PA-4472
Puppet 6.27.1
Released April 2022.
Enhancements
Allow Puppet::HTTP::Client to connect to trusted server using the puppet certificate for client authentication
You can now specify an https URL as the source of a file resource when the TLS server requires a client certificate for authentication. PUP-11471
Resolved issues
Ruby security fix
Applied patch for security vulnerability in Ruby 2.5.9 (CVE-2022-28739). PA-4364
Puppet::Util::Windows is undefined on non-Windows platforms
Fixed a bug that prevented pdk unit tests from working when trying to test a resource with a Windows provider, such as "service" resources. PUP-11459
No option to fail fast when agent-specified environment does not exist
When using strict_environment_mode=true, a run now fails early if the requested environment does not exist on the server, or if the server does not allow the agent to specify its own environment. PUP-11440
puppet lookup fails to interpolate topscope variables when an environment is specified
Fixed an issue where Puppet 6.26 and 7.14 failed to resolve toplevel facts in hiera configs when using the --environment option for puppet lookup. PUP-11437
Rspec tests with custom facts fail on some modules
This release fixes an issue where rspec module tests would compile with the runner node’s facts instead of using the custom facts supplied by the test. PUP-11435
Nokogiri upgrade for macOS
Upgraded nokogiri gem to 1.13.2 on macOS due to upstream security fix. PA-4323
Some gemspecs are missing from puppet-agent MSI
On Windows, it is now possible to install a gem that has a dependency on Facter or Hiera into Puppet's vendored ruby. PA-4313
Puppet 6.27.0
This version was never released.
Puppet 6.26.0
Released January 2022.
Enhancements
ENC-enforced environment bypass for lookup
You can now bypass the ENC-enforced environment when performing a lookup. To bypass the enforced environment, use lookup with the --environment option to specify the desired environment. Puppet always uses the environment you specified regardless of the ENC-enforced environment. PUP-7479
Support for RHEL 9
This release includes support for Red Hat Enterprise Linux (RHEL) 9. PUP-11364
Support for Windows Server 2022 (x86_64)
This release includes support for Windows Server 2022 (x86_64). PUP-11238
Resolved issues
Failures when using purge_ssh_keys
Puppet no longer fails when using purge_ssh_keys if the user's home directory doesn't exist yet. PUP-11380
Puppet::FileSystem.chmod does not validate its arguments
Puppet::FileSystem.chmod now validates its arguments like other methods. PUP-11345
Warning: #<Puppet::Transaction::Persistence after upgrading to Puppet agent 6.25.0
Fixes a regression introduced in 6.25.0 and 7.10.0 that caused a Puppet::Transaction::Persistence warning during each agent run. PUP-11321
User resource tries to create rather than modify users created by a utility
This release moves the ssh_authorized_key resource's creation to the end of the user type flow, after all user properties and parameters were resolved, to avoid order dependency errors. PUP-11320
Puppet code merger using incorrect command
Reduces memory usage when parsing manifests. PUP-11318
Failure when using the names "apply" and "plan" within an apply() block in a plan
The names "apply" and "plan" can now be used as resource parameter names in all cases. Previously, using them within an apply() block in a plan would fail. PUP-11315
Puppet attempts to execute directories from /etc/init.d/
Prevents Puppet from considering directories from /etc/init.d/ as services. PUP-11313
High memory consumption from lib/puppet/pops/parser/lexer2.rb
Reduced lexer2 memory usage. PUP-11236
versioncmp() treats 11.0 as greater than 11
versioncmp() now strips redundant numbers. PUP-11235
puppet lookup --facts {filename} fails if filename does not contain a dot
Before this release, puppet lookup --facts {filename} failed early when the filename given did not contain a dot. This fix removes the early extensions check and adds a fallback instead: it tries both formats (JSON then YAML) to read the given facts file when its path doesn't end with any of the expected extensions (yaml/yml/json). Otherwise, it follows the previous implementation and respects the given extension. PUP-11204
Facts provided in a file cannot be used for classification
Fixed a bug where facts provided in a file were not being merged with the facts used for classification. This is because Puppet collected and merged the said facts after the classification happened. To fix this, we ensured that Puppet resolves the facts being used for classification before the node request. PUP-10435
Inconsistent handling of trusted facts in the lookup CLI
When using puppet lookup with --facts, if the facts file overrides any of hostname, domain, fqdn, clientcert, then it must override all of them. Also, if a value for certname is provided in a fact file for the lookup application, use it when creating the trusted information object. This makes it possible to override trusted.certname for classification. PUP-8220
Lookup ignores environment from the classifier when using a rule with trusted facts
Fixed an issue where trusted facts could not be used as rules for classification. This was fixed by gathering the trusted facts from the PuppetDB query result, and overriding the trusted facts context. PUP-8094
Misleading results when using --node flag in puppet lookup
Fixed an issue where puppet lookup would result in misleading results when using the --node flag. This happened because there can be cases where the target node does not have any facts cached. To avoid this, the fix implemented checks for the node facts/facts given in a fact file, and if it doesn't find any it raises an error. PUP-7362
Puppet could not retrieve attributes from fifo and socket files
This release allows Puppet to retrieve attributes for fifo and socket files and manage them when the given manifest has a file resource which is recursing over a given path. PUP-4045
Puppet hangs trying to replace a FIFO
Puppet no longer hangs when trying to replace a fifo with a file, directory or symlink. PUP-1460
Puppet uses deprecated psych features
Puppet is now compatible with psych 4.0. PUP-11405
Agent no longer calls the Puppet::Node terminus to resolve the environment during the run
Introduced a Puppet setting use_last_environment=true|false and a corresponding puppet agent -t --no-use_last_environment boolean command line option that forces the agent to make a node request like it did prior to 7.12 and 6.25. By default, the agent does not make a node request. PUP-11379
Puppet user and service resources are slow on Mac OS X
Managing users and services on macOS is much faster. PUP-11332
Puppet::Node#environment_name may return the wrong value
Puppet::Node#environment_name now always returns the symbolic name of the environment (if one has been set on the node). PUP-11330
Puppet lookups failed due to missing certificates
The puppet lookup command now works if the agent does not have certificates available locally. PUP-11402
The generate types command does not handle errors correctly
If the generate types command failed to generate a custom type, it logged an error and returned a 0 exit code instead of failing. The command now correctly fails with a non-zero exit code if the command cannot generate a type. PUP-11078
Bump Ruby date gem
We've bumped the date gem in our vendored Ruby to fix a vulnerability. PA-4131
Puppet 6.25.1
Released November 2021.
Enhancements
Faster iterative functions
This release reduces the time it takes to type check arguments passed to blocks of iterative functions, such as reduce and merge. PUP-9561
Resolved issues
Puppet can leak credentials when following HTTP redirects
Previously, when Puppet followed HTTP redirects, the Authentication and Cookie headers were passed to different hosts, which could leak sensitive information. Now the Authentication and Cookie headers are only sent when redirecting to the same host. This fixes CVE-2021-27023. PUP-11188
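The same-host rule described above, sketched as an added example (this is not Puppet's implementation). The helper names, URLs and header values are constructed for illustration, and Authorization is used as the HTTP request header that carries authentication credentials.

```ruby
require 'uri'

# Request headers that carry credentials and must not follow a redirect
# to a different host (compared case-insensitively).
CREDENTIAL_HEADERS = %w[authorization cookie].freeze

# Host names are case-insensitive, so compare them that way.
def same_host?(from, to)
  from.host.to_s.casecmp?(to.host.to_s)
end

# Hypothetical helper: given the URL just requested, the Location value of
# the redirect response and the headers that were sent, return the next URL
# and the headers that may accompany the redirected request.
def headers_for_redirect(current_url, location, headers)
  from = URI.parse(current_url)
  to   = URI.join(current_url, location) # resolves relative Location values
  kept = if same_host?(from, to)
           headers.dup
         else
           headers.reject { |name, _| CREDENTIAL_HEADERS.include?(name.downcase) }
         end
  [to.to_s, kept]
end

# Walks a chain of Location values and records which header names would be
# sent at each hop. Headers dropped at a cross-host hop stay dropped, even
# if a later hop returns to the original host.
def trace_redirects(start_url, locations, headers)
  url = start_url
  hops = [[url, headers.keys.sort]]
  locations.each do |location|
    url, headers = headers_for_redirect(url, location, headers)
    hops << [url, headers.keys.sort]
  end
  hops
end

# Constructed sample request headers (placeholder values).
SAMPLE_HEADERS = {
  'Authorization' => 'Bearer constructed-token',
  'Cookie'        => 'session=constructed',
  'Accept'        => 'application/json'
}.freeze

if __FILE__ == $PROGRAM_NAME
  chain = ['/moved', 'https://cdn.example.net/file', 'https://files.example.com/file']
  trace_redirects('https://files.example.com/start', chain, SAMPLE_HEADERS).each do |url, names|
    puts "#{url}: #{names.join(', ')}"
  end
end
```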
Puppet agent silently skips unknown resources
Puppet::Type::Component) by default and skipped when applying a catalog. This release adds a new resource attribute that specifies the type of resource, which is used to differentiate between built-in types and user defined types. Resources that are known and available on the server node are also verified on the agent node, which now fails when something unknown is found in the received catalog. This fixes CVE-2021-27025. PUP-11209
Puppet gem and rspec-puppet failures
This release moves the DEFAULT_TIMEOUT constant from lib/puppet/util/windows/service.rb to lib/puppet/util/windows.rb in a non-OS guarded code area. This change avoids uninitialized constant errors when compiling catalogs on non-Windows operating systems. PUP-11319
Puppet agent downloads all plugins after updating
Puppet 6.25.0 and 7.12.0 introduced a regression which caused a newly upgraded agent to download all of its plugins. Now the agent performs a single node request to resynchronize its environment with the server. PUP-11328
Puppet 6.25.0
Released October 2021.
We would like to thank the following Puppet community member for their contributions to this release: natemccurdy.
New features
The write-catalog-summary setting
This release adds the write_catalog_summary setting to control whether the resources.txt and classes.txt files are written to disk after applying a catalog. By default, puppet agent and puppet apply behave the same as before: puppet agent writes the files, and puppet apply does not. PUP-1042
Enhancements
Support for Ubuntu 18.04 (aarch64)
This release adds support for Ubuntu 18.04 (aarch64). PUP-11162
Support for AlmaLinux 8 (x86_64)
This release adds support for AlmaLinux 8 (x86_64). PUP-11242
Support for Rocky Linux 8 (x86_64)
This release adds support for Rocky Linux 8 (x86_64). PUP-11231
Puppet module type scripts directory
This release adds a new scripts/ subdirectory to the module class. It automatically generates the scripts?(), scripts(), and script() functions in the class for retrieving the available scripts. This helps to standardize specific file loading from either the files directory or scripts directory in a module. PUP-11165
Lower memory consumption in Ruby files
This release lowers memory consumption by 10%. This is achieved by freezing string literals in Ruby classes with high memory consumption. PUP-11232
Facter.value replaced by Puppet.runtime[:facter]
This release replaces calls to Facter.value with calls to Puppet.runtime[:facter], and removes require 'facter' statements. PUP-11217
Support for multiple Facter implementations
You can now register a Facter implementation when initializing Puppet via the Puppet.initialize_settings method. PUP-11216
Load Task files from scripts
Tasks can now load files from the scripts mount. PUP-11200
onlyif and unless in --noop documented
This release documents the noop behavior of the onlyif and unless parameters of the exec resource. PUP-11199
Scripts file serving mount
When using Puppet APIs to load file content and metadata, you can access files in the scripts/ directory of a module using the scripts file mount. PUP-11187
RHEL9 support for services
Puppet now uses systemd as the default service provider for EL 9 variants, such as the Red Hat or CentOS stream. PUP-11168
The launchd service provider fails if a parsable but invalid LaunchAgent or LaunchDaemon plist file exists
This release fixes an issue where the launchd service provider failed if a parsable but invalid LaunchAgent or LaunchDaemon plist file existed. PUP-11164
Cleaned up ext/ directory
This release removes unused files from the ext/ directory used by upstream Linux and Solaris packages. PUP-10685
Option to enable long filename support in the Windows MSI installer
This release updates the MSI installer for Puppet agents to enable long filenames either through a check box in the installer or by setting the ENABLE_LONG_PATHS=true option in the command line. PA-3843
OpenSSL updates
- On Windows 2012 FIPS (x64), OpenSSL 1.0.2 has been patched for CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841 and CVE-2021-3712. PA-3976
- On redhatfips-7-x86_64 RedHat 7 FIPS (x64), OpenSSL has been bumped to 1.1.1k and patched for CVE-2021-3712 and CVE-2021-3711. PA-3974
Deprecations and removals
Support for Fedora 30 (x86_64) removed
This release removes support for Fedora 30 (x86_64). PUP-11092
Support for Fedora 31 (x86_64) removed
This release removes support for Fedora 31 (x86_64). PUP-11093
Support for Mac OS X 10.14 (x86_64) removed
This release removes support for Mac OS X 10.14 (x86_64). PUP-11094
Support for Red Hat 5 (x86_64, i386) removed
This release removes support for Red Hat 5 (x86_64, i386). PUP-11091
Resolved issues
Default timeout ignores Windows services
Previously, default timeouts caused issues on Windows when services took longer than 10 seconds to change state. You can now specify the default timeout value for syncing service properties. PUP-10925
User attributes ignores forcelocal
This release fixes an issue where setting forcelocal => true on a user resource checked the resource's home and shell attributes against their values from the directory service provider. Contributed by Puppet community member natemccurdy. PUP-11241
Puppet fails to install packages on Solaris if another pkg install is running
Installing packages on Solaris with the pkg command does not work if another instance of pkg is already running. Now Puppet tries the install command 5 times, and only fails if the package cannot be installed. PUP-11208
The concat module ignores the ENC environment
This release fixes an issue where an ENC-specified environment was not pushed during a Puppet run. This caused indirector requests with no specified environment to default to using an incorrect environment. PUP-11265
Util::JSON.dump receives non-hash options
Previously, Puppet's /puppet/v3/file_metadatas REST API failed if the multi_json gem was uninstalled or when it was running puppetserver from source. PUP-11237
Puppet sends warning for BOM and US-ASCII encoding
This release removes BOM for non-UTF encoding and its warnings. ASCII characters are single bytes, which means there is no need for a BOM to detect byte ordering (LSB/MSB). PUP-11196
User resource not removing password on AIX agents
This release fixes an issue where deleting an AIX user with Puppet would not clean up the user's password. PUP-11190
Undefined method [] for nil:NilClass when handling SemanticPuppet::Dependency::UnsatisfiableGraph
Previously, the puppet module install command broke when dependencies could not be resolved. Puppet now emits an error message instead. PUP-11172
User resource unable to remove the home directory
This release fixes an issue where the user home directory was not removed when managehome was set to true. PUP-11170
Static catalogs not working for file resources when versioned_deploys is enabled
Previously, when :versioned_environment_dirs was set to true, catalog compilation failed to add metadata for static catalog file resources; this meant that an agent receiving a catalog would not attempt to request that static file content. This has been fixed and the metadata is now correctly added to the catalog when :versioned_environment_dirs is set to true. PUP-11169
Changes to current working directory when listing modules
Puppet Server and agent no longer change their current working directories when listing modules in an environment directory. PUP-11166
An environment reloaded during a single compilation could fail
Previously, Puppet Server could reload an environment while it was being used to compile a catalog. If translations were enabled (Puppet[:disable_i18n] set to false), compilation could fail. Now Puppet Server prevents environments from being reloaded while they are in use, and instead reloads the environment the next time it is requested. PUP-11158
The pkg provider cannot unhold and update packages in the same run
Previously, the pkg package provider was unable to handle manifests where a package was updated and marked as unhold at the same time. This is now fixed. PUP-10956
Environment caches string and symbol environment names differently
This release fixes an issue that resulted in Puppet caching duplicate copies of an environment. PUP-10955
A lookup fails if lookup_options is empty
Previously, when lookup_options were defined at the global or environment layer, and the module defined an empty hash, the compilation failed. This is now fixed and the empty hash is ignored. PUP-10890
Rich data types can corrupt the transaction store
This release fixes an issue that prevented Puppet from reporting corrective changes when using rich data types such as Deferred, Binary, and Sensitive. PUP-10820
Puppet.lookup(:current_environment) is wrong if the environment changes during convergence
This release fixes an issue where an old environment could be used if the environment had changed due to pluginsync. PUP-10308
Failure to fetch node definition results in bad pluginsync and cascading failure
Previously, Puppet agents would make a node definition request to the server to find out the correct environment to run in. This request has now been removed, and the agent saves its last used environment in the last_run_summary.yaml file. If the environment is not set in the CLI or config, agents attempt to use the environment in last_run_summary.yaml, but only if the previous run had an agent/server environment mismatch. PUP-10216
The puppet resource --to_yaml emits class tags
This release stops the resource --to_yaml command emitting Puppet class tags, such as Puppet::Util::Execution::ProcessOutput, by ensuring that the PScalarDataType only checks the instance of String, and not other subclasses. PUP-10105
Catalog failure on first run due to pluginsync and environment switch
Previously, an agent failed its run if it switched to a new environment where the manifests relied on a fact that only existed in the new environment. Now the agent redirects to the server-specified environment and the run continues using that environment. PUP-9570
Agent cannot compile catalog if it specifies a non-existent environment in puppet.conf
This release fixes an issue that caused the agent run to fail if the agent requested an environment that did not exist on the server — even when the classifier controlled the environment. PUP-6802
Puppet agent does not save local copy of last_run_report.yaml
The agent now saves a local copy of its last run report, even if it fails to submit the report to the primary Puppet Server. PUP-6708
User resource exposes hashed password when changing password or adding a user
Previously, when managing passwords with the useradd provider, the password hash appeared when listing running processes. Now the password is set with the chpasswd command that uses stdin to receive the password from a temporary file, so it no longer appears in the process list. PUP-3634
Puppet 6.24.0
Released July 2021.
We would like to thank the following Puppet community member for their contributions to this release: cocker-cc.
Enhancements
The puppet ssl show command prints custom object identifiers (OID)
The puppet ssl show command now shows the names of certificate extensions containing custom OIDs when the trusted_oid_mapping_file exists. This functionality used to exist in the puppet cert print command. PUP-11120
Updated argument error message
If you call a function with an argument Puppet does not accept, the error message provides a list of acceptable function signatures. PUP-7792
Updated error message for incorrect module name
If the author component of a module name is omitted, the puppet module install <author-module> command provides a name suggestion in the error message. PUP-10641
Puppet reports the license gem on Apache
Puppet now reports the Apache 2.0 license when installed as a gem. PUP-11118
Support for Debian 11 Bullseye amd64
This release adds support for Debian 11 Bullseye amd64. PUP-11030
macOS puppet-agent code-signs executables
The macOS puppet-agent AIO packages now provide code-signed executables for puppet and pxp-agent. PA-3756
Solaris OpenSSL patching replaced with compiler arguments
This release adds AES CTR-DRGB performance improvements to Puppet’s vendored OpenSSL. PA-3698
The empty function accepts Sensitive data types
The empty function now accepts Sensitive data types, which allows you to test a Sensitive variable that is neither nil nor empty. For example, a variable in an ERB template. Contributed by Puppet community member cocker-cc. PUP-11124
The unwrap function accepts Any data type
The unwrap function now accepts the Any data type. This means that the component modules, such as puppetlabs-postgresql, can migrate to using Sensitive values, while still accepting non-Sensitive values. You do not need to special case when unwrapping the value. Contributed by Puppet community member cocker-cc. PUP-11123
The exec provider supports commands as an Array
When a command is an Array of Strings, passed as [cmdname, arg1, ...], it is now executed directly instead of being passed to the standard shell. This is supported for the following exec parameters: command, onlyif, unless, refresh.
Note that onlyif and unless already accept multiple commands as an Array, so you need to pass the value as an Array of Array to use this new behaviour. PUP-5704
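Why the Array form matters, as an added example (not Puppet's own code): plan_exec is a hypothetical model of the rules in this note, and run_planned uses Ruby's Open3 to show a shell string and an argument vector treating the same constructed value differently. It assumes sh and an echo binary are on the PATH.

```ruby
require 'open3'

# Parameters that, per the note above, already treat an Array as a list of
# separate commands.
MULTI_COMMAND_PARAMS = %w[onlyif unless].freeze

# Hypothetical model of how a value is interpreted, following the release
# note's wording. Returns a list of [:shell, "string"] or [:direct, [argv]].
def plan_exec(param, value)
  case value
  when String
    [[:shell, value]]
  when Array
    if MULTI_COMMAND_PARAMS.include?(param)
      # Each element is its own command; only a nested Array is run directly.
      value.map { |item| item.is_a?(Array) ? [:direct, item] : [:shell, item] }
    else
      [[:direct, value]]
    end
  else
    raise ArgumentError, "unsupported value for #{param}: #{value.inspect}"
  end
end

# Runs one planned entry and returns its standard output.
def run_planned(mode, cmd)
  out, _status =
    if mode == :direct
      # The [name, argv0] pair forces a direct exec even for a one-element
      # command, so no shell ever parses the arguments.
      Open3.capture2([cmd.first, cmd.first], *cmd.drop(1))
    else
      Open3.capture2(cmd) # a single string is handed to the shell
    end
  out
end

# Constructed value standing in for data that reaches a command line.
UNTRUSTED = 'backup.tar; echo INJECTED'.freeze

if __FILE__ == $PROGRAM_NAME
  # The shell splits the string at ';' and runs a second command.
  plan_exec('command', "echo #{UNTRUSTED}").each { |m, c| print run_planned(m, c) }
  # The argument vector delivers the whole value as one literal argument.
  plan_exec('command', ['echo', UNTRUSTED]).each { |m, c| print run_planned(m, c) }
  # For onlyif/unless a flat Array is still a list of shell commands.
  p plan_exec('onlyif', ['test -f /tmp/a', 'test -f /tmp/b'])
  p plan_exec('onlyif', [['test', '-f', '/tmp/a']])
end
```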
Embedded Ruby (ERB) templates allow a leading Byte Order Mark (BOM)
Previously, when a template contained a BOM, it was preserved by the template function and included in the resulting file or PowerShell command. Puppet now passes the bom option when reading the file, removing the BOM as it is read. PUP-8243
Deprecations and removals
Support for Debian 8 removed
This release removes support for Debian 8. PUP-11059
Resolved issues
The --extra cli option is not functional
The puppet help command no longer displays the --extra command line option. PUP-8700
The parsedfile provider produces an undefined method each for nil:NilClass
Puppet now prints an error if a parsedfile provider returns nil, for example, when using the nagios_core module. PUP-9369
Unclear error message if user or group providers are not suitable
Puppet now prints a more detailed error message if the user or group providers are not functional. PUP-9825
The Puppet::Resources.search method fails when conditions are provided
This release fixes an issue that prevented the Puppet::Resource.indirection.search method from accepting conditions when filtering results. PUP-7799
Repository error message URL is missing part of the path
Previously, the puppet module command reported an incorrect URL in the error message when the module_repository setting was overridden. This is now fixed. PUP-8650
The desired_value file mode is reported without leading zeros
Puppet now reports file modes with a leading zero in the desired_value field (for example, 0755), which is consistent with the previous_value. PUP-7493
Filebucket fails when using a non-default environment from the server
The filebucket application no longer requires an environment to exist locally. PUP-10796
Unable to load PKey.read with private keys
Puppet agent now loads private keys in the PKCS#8 format. PUP-11082
Cached environments are not deleted when the directory is removed
Puppet now removes environments that are no longer on disk. PUP-11129
Unable to run the puppet resource command when the environment is specified
Previously, running puppet resource on the agent with an invalid environment would fail. With this release, the application falls back to the default environment, if the specified one does not exist. PUP-6554
Puppet prints unnecessary errors in debug
Puppet no longer prints an unnecessary error message when resolving account names to security identifiers on Windows. PUP-10967
Setting age=0 on a tidy resource does not remove all files
Previously, the age parameter of the tidy resource only removed files older than those specified. This is now fixed and Puppet removes all files. PUP-11079
The agent_specified_environment fact is not populating
This release fixes an issue where the agent_specified_environment fact did not populate when the environment was set in the [agent] section. This is now fixed and populates in the following order: CLI, agent section, main section. PUP-6801
pip ensure=>latest fails with pip>=20.3.0
In version 20.3b1, pip removed the ability to list available versions of a package. This release adds the --use-deprecated=legacy-resolver argument so that you can query available versions. PUP-11029
The pxp-agent does not use the wrapper script
The pxp-agent service script on the AIX, OSX, and Solaris platforms now manipulates the service using the wrapper script located in /opt/puppetlabs/bin/pxp-agent, which cleans up the linker environment before calling the actual environment. This prevents failures due to incompatible libraries being loaded. To modify the pxp-agent linker environment, directly call the pxp-agent binary, for example, /opt/puppetlabs/puppet/bin/pxp-agent. PCP-890
Puppet 6.23.0
Released June 2021.
We would like to thank the following Puppet community member for their contributions to this release: tobias-urdin.
Enhancements
Fedora 34 support
This release adds support for Fedora 34. PUP-10892
File limit with the max_files parameter
By default, the file and tidy resource types generate a warning on the Puppet Enterprise (PE) console and report when Puppet tries to manage more than 1000 files with the recurse parameter set to true. The file and tidy resource types now support a new parameter, max_files, that enforces a hard limit. If the number of recursive files is greater than the limit, the agent run fails. You can set the max_files parameter to -1 to disable the warning. PUP-10946
Case sensitive parameter for the fqdn_rand() function
The fqdn_rand() function now accepts an optional parameter to downcase the FQDN fact, so that the function's result is not case sensitive. You must pass the parameter after the seed string, for example, fqdn_rand(100, 'expensive job 1', true). By default, the function remains case-sensitive. PUP-10922
Improve enable=delayed_start error message
This release improves an error message to properly convey that you cannot set a systemd service to delayed_start on operating systems other than Windows. PUP-11062
Ruby support long paths on Windows
This release adds the following patch into the Puppet Agent vendored Ruby. The patch implements long path support on Windows. PA-3759
Improved Ruby Performance
New Ruby performance patches — reducing 50-90% of file IO when loading Puppet and Facter. PA-3526
Bump curl to 7.77.0
This release bumps the curl dependency to 7.77.0. PA-3762
Resolved issues
PUPPET_SERVER MSI install property does not work
Previously, using PUPPET_SERVER as an MSI property did not set the server setting. This is now fixed. PA-3667
Puppet does not specify SELinux filetype when getting the default context
Previously, Puppet created files with the wrong default SELinux context, which was only corrected after a subsequent Puppet run. This is now fixed. Contributed by Puppet community member tobias-urdin. PUP-7559
NIM provider used very restrictive regular expressions
Previously, the NIM provider only allowed numbers when parsing RPM release tags and didn't accept bff (installp) packages marked as security updates in the header. In this release, Puppet allows installation of such packages. PUP-3631
Unable to mask a static systemd service
This release fixes an issue where the systemd provider did not mask static systemd services. Contributed by Puppet community member nmaludy. PUP-11034
Masking service failed
Previously, Puppet failed to mask a systemd service that did not exist. This bug is now fixed. PUP-10974
Sensitive instances shared the same value yet weren’t equal
Previously, two type Sensitive instances failed to compare as equal, despite sharing the same underlying strings. In this release, comparisons such as $a = Sensitive("secret"); $b = Sensitive("secret"); notice($a == $b) now return as true. PUP-11061
SemVer datatype components failed to pass as hash or argument list
Previously, the build or prerelease components of the SemVer datatype failed to pass as a hash or list of arguments. This bug is now fixed. PUP-11077
User keychains were inaccessible to Puppet Agent
Previously, user keychains were inaccessible to Puppet Agent if you ran Puppet Agent through the macOS daemon. This bug is now fixed. PUP-11081
Puppet returned an error when specifying the purge_ssh_keys parameter
Previously, Puppet returned an error if you specified the purge_ssh_keys parameter for a user resource that didn’t previously exist. To fix this bug, Puppet prioritizes the ensure property of a user before the purge_ssh_keys parameter. PUP-11067
Nil vertices caused resource management errors
Previously, managing resources that call the generate method failed when using the puppet resource subcommand, due to the presence of a nil vertex in the catalog. To fix this bug, Puppet can no longer add nil vertices to the catalog. PUP-11074
Unable to update UserRightAssignment
Previously, validating the logonaccount and logonpassword parameters for the service resource on Windows failed too early. This release moves the parameters further down the catalog compilation order list to avoid early errors. PUP-10999
Puppet cannot change/set new user passwords on macOS Big Sur
Previously, you could not set or change the password of a new user
created on macOS Big Sur.
This bug is now fixed by ensuring the
ApplicationAuthority
field exists
whenever you create a new user. PUP-11026
Puppet returned an error when creating new users on macOS 10.14
Previously, if you created a new user on macOS 10.14, Puppet returned an
Operation not permitted @
rb_sysopen
error. This bug is now
fixed.PUP-11095
Agent failures with server_list
Previously, when Puppet processed
server_list
and tried to find a
functional server, it threw an error if it could not
connect, causing the agent to fail. This is now fixed. PUP-10844
Puppet 6.22.1
Released 26 April 2021.
We would like to thank the following Puppet community members for their contributions to this release: gcampbell12, cschug, and StackKorora.
New features
Improvements to the puppet facts diff command
This release makes the following improvements to the puppet facts diff CLI command:
- The command shows all of the differences between Facter 3 and Facter 4, including facts only available in Facter 4, and sorts the output results in alphabetical order. You can also remove certain facts from the output using the --exclude <regex> CLI option and see the results in a fully structured form. PUP-10985
- The command filters the output based on an exclude list. This list contains only volatile facts, those that are expected to change value between consecutive Facter runs. PUP-10947
- The command pretty-prints JSON output. You can specify the older form with --render_as json. PUP-10973
Backport logic to detect migrated CA directory location
cadir setting value. PUP-11004
Curl bumped to 7.76.0
This release bumps Curl to 7.76.0, fixing the following CVEs:
OpenSSL bumped to 1.1.1k
This release bumps OpenSSL to 1.1.1k, fixing the following CVEs:
Ruby bumped to 2.5.9
This release bumps Ruby to 2.5.9, fixing the following CVEs:
The GlobalSignRoot CA R3
This release adds the GlobalSignRoot CA R3 certificate for rubygems.org. PA-3525
The ciphers setting
The ciphers setting configures which TLS ciphersuites the agent supports. The default set of ciphersuites is the same, but you can now make the list of ciphersuites more restricted, for example, to only accept TLS v1.2 or greater ciphersuites. PUP-10889
The puppet ssl show command
The puppet ssl show command prints the full-text version of a host's certificate, including extensions. PUP-10888
The puppet facts show command backported to 6.x agent
The puppet facts show command can now retrieve a list of facts from the system. Run puppet facts show --help to see all of the supported options. PUP-10884
Resolved issues
Puppet cannot parse systemd instances when the list-unit-files output has an additional column
This release fixes an issue affecting the parsing of systemd service instances caused by a change in the systemctl list-unit-files command output. PUP-10949
Race condition with agent_disabled_lockfile
This release fixes a race condition that caused the agent to become disabled and no longer enforce desired state. Contributed by Puppet community member gcampbell12. PUP-11000
Retrieve SID for users under APPLICATION PACKAGE AUTHORITY
A known issue with LookupAccountNameW caused Puppet to fail when managing Windows users under APPLICATION PACKAGE AUTHORITY with fully qualified names. This is now fixed and we have added an account name step to prevent faulty queries. PUP-10899
Retrieving the current user with the fully-qualified username fails on Windows
Previously, retrieving the current username SID on Windows caused Puppet to fail in certain scenarios, for example, when the user was a secondary domain controller. This release adds a fallback mechanism that uses the fully qualified domain name for lookup. You can retrieve the current user with the fully-qualified username and domain on Windows. PUP-10898
Windows package provider continues to read the DisplayVersion key after its embedded NULL
Previously, Puppet would not stop reading the registry at the correct WCHAR_NULL because it was encoded to UTF-16LE, causing Puppet to read bad data and fail. This is now fixed. PUP-10943
Listing environments during code deploys prevents environment cache invalidation
Previously, catalog compilations for a newly created environment directory could fail if the environment was listed while the directory was being created. This issue only occurred when using an environment_timeout value greater than 0 and less than unlimited. This is now fixed.
User resource with forcelocal and groups attributes set fails if /etc/group contains empty lines
This release fixes an issue where Puppet failed when applying user resources with forcelocal if there were empty lines in /etc/group. PUP-10997
Augeas fails with Postgresql 13
This release patches the vendored Augeas in puppet-agent so that PostgreSQL 13 configuration file is no longer parsed. PA-3406
The puppet facts diff command logs error when the apt module is installed
Previously, the puppet facts diff command, which compares Facter 3 and Facter 4 facts, did not run Facter 4 in a clean environment, causing undefined behavior for custom facts resolving. With this release, Puppet 4 facts are read when running puppet facts in a new shell and custom facts resolve correctly. PUP-10940
Cannot ensure dnfmodule with no default profile
Previously, using the dnfmodule provider to install a module with no default profile and without passing the enable_only parameter failed in newer versions of DNF. PUP-11024
Puppet 6.21.1
Released 16 February 2021.
Resolved issues
Puppet users with forcelocal are no longer idempotent
This release fixes a regression where setting the gid parameter on a user resource with forcelocal was not idempotent. PUP-10896
Puppet 6.21.0
Released 9 February 2021.
Resolved issues
User resource with forcelocal uses getent for groups
The useradd provider now checks the forcelocal parameter and gets local information on the groups (from /etc/groups) and gid (from /etc/passwd) of the user when requested. PUP-10857
Slow Puppet agent run after upgrade to version 6
This release improves the performance of the apt package provider when removing packages by reducing the calls to apt-mark showmanual. PUP-10856
The apt provider does not work with local packages
The apt package provider now allows you to install packages from a local file using the source parameter. PUP-10854
Puppet 6.20.0
Released 20 January 2021.
New features
JSON terminus for node and report
This release implements JSON termini for node and report indirection. The format of the last_run_report.yaml report can be affected by the cache setting key of the report terminus in the routes.yaml file. To ensure the file extension matches the content, update the lastrunreport configuration to reflect the terminus changes (lastrunreport = $statedir/last_run_report.json). PUP-10712
JSON terminus for facts
This release adds a new JSON terminus for facts, allowing them to be stored and loaded as JSON. Puppet agents continue to default to YAML, but you can use JSON by configuring the agent application in routes.yaml. Puppet Server 7 also caches facts as JSON instead of YAML by default. You can re-enable the old YAML terminus in routes.yaml. PUP-10656
Multiple logdest locations in puppet.conf accepted
You can set multiple logdest locations using a comma separated list. For example: /path/file1,console,/path/file2. PUP-10795
New serverport setting type
The serverport setting is an alias for masterport. PUP-10725
The puppet module install command lists unsatisfiable dependencies
If the puppet module install command fails, Puppet returns a more detailed error, including the unsatisfiable module(s) and its ranges. PUP-9176
Interpolation of sensitive values in EPP templates
Previously, if you interpolated a sensitive value in a template, you were required to unwrap the sensitive value and rewrap the result. Now the epp and inline_epp functions automatically return a Sensitive value if any interpolated variables are sensitive. For example: inline_epp("Password is <%= Sensitive('opensesame') %>"). Note that these changes just apply to EPP templates, not ERB templates. PUP-8969
OpenSSL bumped to 1.1.1i
This release bumps OpenSSL to 1.1.1i. PA-3513
Curl bumped to 7.74.0
This release bumps Curl to 7.74.0. PA-3512
(Experimental feature) puppet facts diff action
This release adds a new action called puppet facts diff to check if there are differences between Facter 3 and Facter 4 outputs. Facts that change over time like memory and uptime are ignored. PUP-10815
Deprecations
func3x_check setting removed
The func3x_check setting has been removed. PUP-10724
Resolved issues
The puppet apply command creates warnings
This release eliminates Ruby 2.7.x warnings when running puppet apply with node statements. PUP-10845
Remove Pathname#cleanpath workaround
This release removes an unnecessary workaround when cleaning file paths, as Ruby 1.9 is no longer supported. PUP-10840
Cached catalog contains the result of deferred evaluation instead of the deferred function
Puppet 6.12.0 introduced a regression that caused the result of a deferred function to be stored in the cached catalog. As a result, an agent running with a cached catalog would not re-evaluate the deferred function. This is now fixed. PUP-10818
Calling scope#tags results in undefined method
Previously, calling the tags method within an ERB template resulted in a confusing error message. The error message now makes it clear that this method is not supported. PUP-10779
Puppet agent installation fails when msgpack is enabled on puppetserver
Previously, the agent failed to deserialize the catalog and failed the run if the msgpack gem was enabled but not installed. Now the agent only supports that format when the msgpack gem is installed in the agent's vendored Ruby. PUP-10772
Setting facterng twice raises an exception
Previously, calling puppet config set facterng true twice resulted in a failure. This is now fixed and facterng is only enabled if it is not already. PUP-10731
Puppet feature detection leaves Ruby gems in a bad state
This release fixes a Ruby gem caching issue that prevented the agent from applying a catalog if a gem was managed using the native package manager, such as yum or apt. PUP-10719
Fine grained environment timeout issues
Previously, if the environment.conf for an environment was updated and the environment was cleared, puppetserver used old values for per-environment settings. This happened if the environment timed out or if the environment was explicitly cleared using puppetserver's environment cache REST API. With this fix, if an environment is cleared, Puppet reloads the per-environment settings from the updated environment.conf. PUP-10713
Setting certname in multiple sections bypasses validation
Previously, Puppet only validated the certname setting when specified in the main section, but not if the value was in a non-global section like agent. As a result, it was possible to set the certname setting to a value containing uppercase letters and prevent the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which section the value is specified in. PUP-9481
puppet config set certname accepts upper-case names
Previously, the puppet config set command could set a value that was invalid, causing Puppet to fail the next time it ran or the service was restarted. Now the command validates the value before committing the change to puppet.conf. PUP-2173
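A check for the condition the two certname fixes above address, as an added example that is not part of the release notes or Puppet's own code: it scans puppet.conf text and reports every certname that contains upper-case letters, whichever section sets it. The parser, the function names and the sample file are constructed for illustration; the lower-case test is taken from the description above.

```ruby
# Added example: audit puppet.conf text for certname values with upper-case
# letters. Function names and the sample configuration are constructed.

# Parse INI-style puppet.conf text into { section => { key => value } }.
# Settings that appear before any [section] header are filed under "main".
def parse_puppet_conf(text)
  sections = Hash.new { |hash, name| hash[name] = {} }
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (header = line.match(/\A\[([^\]]+)\]\z/))
      current = header[1].strip
    elsif (setting = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      sections[current][setting[1]] = setting[2].strip
    end
  end
  sections
end

# Return [section, value] pairs for every certname that is not lower case,
# regardless of the section it is set in.
def invalid_certnames(text)
  parse_puppet_conf(text).each_with_object([]) do |(section, settings), bad|
    value = settings['certname']
    bad << [section, value] if value && value != value.downcase
  end
end

# Constructed sample: a valid certname in [main], an invalid one in [agent].
SAMPLE_CONF = <<~CONF
  [main]
  certname = web01.example.com
  server = puppet.example.com

  [agent]
  # set by hand in a non-global section
  certname = Web01.Example.com
  runinterval = 30m
CONF

invalid_certnames(SAMPLE_CONF).each do |section, value|
  puts "[#{section}] certname #{value.inspect} is not lower case"
end
```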
3x functions cannot be called from deferred functions in Puppet agent
This release allows deferred 3.x functions, like sprintf, to be called during a Puppet agent run. PUP-10819
Issue with Puppet creating production folder when multiple environment paths are set
Previously, the production environment folder was automatically created on every Puppet run in the first search path, if it did not already exist. In this release, Puppet searches all the given paths before creating a new production environment folder. PUP-10842
Puppet 6.19.1
Released 22 October 2020.
Resolved issues
Masterport not honoured when configured in a section other than main
Puppet 6.28.0 added the serverport config as an alias for masterport. This introduced a regression: when masterport was set in a section of puppet.conf that was not main, it ignored masterport and set it to the default value. This is now fixed, and both masterport and serverport are visible in other sections. PUP-10722
Puppet 6.19.0
Released 20 October 2020
New features
New server_used report parameter
This release adds a new report parameter called server_used. It behaves like master_used. PUP-10672
Removed Puppet::Agent::Locker#running? deprecation warning
The Locker#running? method is still in use. This release removes the deprecation message. PUP-10624
The puppetserver_gem package provider added to core Puppet
Previously, the provider was part of the puppetlabs-puppetserver_gem module, which no longer receives updates. This release moves the puppetserver_gem provider to core Puppet. PUP-10604
Added pip2 package provider when pip3 is the system default
This release adds the pip2 provider to allow you to explicitly use the Python 2 pip. PUP-7526
New environment_timeout_mode setting to clear short-lived Puppet environments from memory
This release adds the environment_timeout_mode setting, which allows you to clear short-lived Puppet environments from memory, while also caching frequently used environments indefinitely. This reduces the Puppet Server memory footprint. For more information, see the release notes summary in the ticket. PUP-8014
Resolved issues
Puppet does not log connection error details when a functional master cannot be located
Previously, errors were only logged at the debug level or at the err level if no servers were available. Puppet agents now log errors that occur when trying to connect to each server in server_list at the err level. PUP-10664
Performance regression with large hashes using lookup
This release fixes a performance regression in 5.5.x and 6.0.x that affected Hiera lookups in large hashes. PUP-10628
Status endpoint does not use the extra_headers setting
If http_extra_headers is set, Puppet sends the headers for each HTTP request it makes when processing the server_list setting to determine which server to use. PUP-10617
Fact yaml does not quote mac addresses
Previously, when Puppet facts were called with the --render-as yaml option, the macaddress fact was unquoted. This resulted in bad data if other tools parsed the resulting yaml and interpreted the value as a sexagesimal (base 60) integer when the address did not contain chars A-F. This release adds quoting to all yaml strings that contain the : character. PUP-9505
Data type casts cause Puppet Server to retain compiler instances
This issue is now fixed when running under JRuby. PUP-10659
Resource collector overrides cause Puppet Server to retain compiler instances
This issue is now fixed when running under JRuby. PUP-10657
Puppet 6.18.0
Released 25 August 2020
New features
Resolved issues
Add facts and vars back to PAL ScriptCompiler scope
As part of work on PUP-10397, we removed vars and facts from PAL ScriptCompiler which resulted in a breaking change to a public API. This release adds local facts back. PUP-10615
Misuse of URL encoding in file resource HTTP GET
Puppet 6.16.0 introduced a regression when using HTTP file sources where the URL request path or query contained special characters. This release restores the previous behavior. To specify a path or query that contains a space, you need to URL-encode it in the manifest. PUP-10603
Puppet lookup loads external facts on the initiating node
Previously, some Puppet default settings required Facter to retrieve data that loaded all external facts and slowed down Puppet. With this release, local external facts are not evaluated when performing a lookup command on a remote node. PUP-10599
The apt package provider does not mark managed packages as manual
With this release, the apt package provider can now mark packages as manual. PUP-6631
An error is logged during an agent run if Puppet Server does not have at least one <module>/lib dir in its modules directory
If Puppet Server does not have at least one modules directory, the file_metadatas REST API for the plugins, pluginfacts and locales mounts returns file metadata for /etc/puppetlabs/code, instead of returning HTTP 404. PUP-2608
Puppet agent fails to install on a Windows VM if the Windows installer is not used
This release fixes a regression introduced in 6.17.0. You can now install packages when HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components does not exist. PA-3351
Constant corrective changes on SLES 12
This release fixes a regression introduced in Puppet 6.16.0 where the zypper package provider reported corrective changes when the package_version package was installed. PUP-10609
Puppet::Util::Yaml safe_load not loading Time class which leads to compilation error for time serial data
Previously, when an agent run enforced a time-based property of a resource, the next agent run generated an error and lost the ability to report on corrective changes accurately. This occurred when using the audit metaparameter to monitor file mtime. This is now fixed. PUP-10585
The puppet apply command fails if Puppet types have been generated
Previously, running puppet apply failed if the Puppet generate types command was run before. In this release, puppet apply ignores resource types in the environment resource_types directory. PUP-9602
Puppet run continues despite failed Pluginsync
Previously, Puppet agents ignored pluginsync errors and applied the catalog with incorrect facts and plugin versions, leading to obscure errors or data corruption. This release adds a new setting, ignore_plugin_errors. If set to false, the agent aborts the run if pluginsync fails. The setting defaults to true so the old behavior is preserved. PUP-1763
The puppet_gem provider does not use vendored PKG_CONFIG_PATH when installing native extensions
This release allows you to install gems with native extensions that require PKG_CONFIG_PATH, when using puppet_gem provider, for example the rugged gem. PUP-10584
Puppet::Util.default_env method unintentionally removed in 6.17.0
Testing modules using rspec-puppet versions earlier than 2.7.10 resulted in the error undefined local variable or method 'default_env' for Puppet::Util:Module. This is now fixed. PUP-10586
Allow running Puppet commands via AWS Session Manager on Windows 2019
Previously, installing a Puppet agent on EC2 Windows Server 2019 via AWS Session Manager caused an error. This is now fixed. PUP-10600
Puppet 6.17.0
Released 14 July 2020.
New features
Extended trusted_external_command setting
The trusted_external_command setting can now be set to a directory. For each executable file in the directory, the external trusted facts will be stored in the basename key of the trusted['external'] hash. PUP-10528
Updated permissions for files in /cache/state/
This release updates the permission for state.yaml and transactionstore.yaml to remove the group write access. PUP-8922
HTTPS file sources allow additional CA certificates
This release allows you to configure Puppet agents to trust additional CA certificates when connecting to HTTPS servers when the CA certificate is neither the Puppet CA nor in the CA cert bundle of the puppet-agent package. To enable this setting, set ssl_trust_store to a file containing CA cert(s) in PEM format concatenated together, for example, /etc/pki/tls/cert.pem. Note that this setting only applies when Puppet makes an HTTPS request to non-Puppet REST endpoints. PUP-7814
Support for file content from artifactory
Puppet can now retrieve file content from artifactory using an HTTP(S) source parameter. PUP-6114
Support for username:password@domain for HTTP/HTTPS sources
You can now retrieve file content using HTTP basic authentication. The credentials should not appear in debug output or reports. PUP-6916
boost and yaml-cpp dependencies in the SLES 15 puppet-agent package
The boost and yaml-cpp dependencies are now vendored in the SLES 15 agent build. PA-3006
Added logonaccount and logonpassword
This release adds the logonaccount and logonpassword fields for managing the logon credentials used by services on Windows. PUP-1289
Resolved issues
Puppet cannot apply a cached catalog containing binary rich data
Previously, Puppet could not apply a cached catalog if it contained binary or deferred data types, causing it to always fall back to requesting a new catalog. PUP-10572
File sources with path starting with double slashes are interpreted as a local file
Puppet incorrectly handled a file resource if the source parameter's path component had an extra slash, for example, puppet:////modules/mymodule. PUP-10544
Puppet agents can't download file content from puppetserver via "raw" HTTPS
If Puppet tries to download file metadata from an HTTP(S) file source and the HEAD request results in "HTTP 403 Forbidden" or "405 Method Not Allowed", it falls back to a GET request with a 0 byte range. PUP-10543
Resolve Rspec warnings for Ruby 2.7
You can now run Puppet from source on Ruby 2.7 using bundler without warnings. PUP-10537
Checksums are not validated when downloading file http(s):// sources
If a file resource has a desired checksum type and value, but the file downloaded from the remote source does not match, Puppet will raise an error that they mismatch, and will not update the file on the local system. PUP-10368
HTTP file sources fail for GET-only URIs
Puppet can now retrieve file content from Amazon AWS and GitHub releases, for example, source => https://github.com/path/to/released/artifact. PUP-6380
Ensure Windows wide character strings have a wide terminator
This release improves memory safety when Puppet converts Ruby strings to wide character strings on Windows. PUP-10254
“HTTP 406 Not Acceptable” error message should contain format names
This release prints the MIME types, instead of format objects, from the Accept header, in cases where puppetserver cannot generate a catalog in the requested format. PUP-10549
Puppet Windows package provider fails if there are garbage characters after an embedded NULL
This release fixes a bug in the Windows package provider when reading package version from registry. This happened if there were garbage characters after the wide NULL terminator. PUP-10536
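The parsing rule behind this fix and the earlier DisplayVersion fix (PUP-10943), as an added example that is not Puppet's code: a raw UTF-16LE registry value is cut at the first wide NULL, meaning two zero bytes that start on a 2-byte boundary, and whatever follows is discarded. The function name and the sample bytes are constructed.

```ruby
# Added example: cut a raw UTF-16LE value at its first wide NULL and return
# the text before it as UTF-8.
def read_wide_string(raw_bytes)
  bytes = raw_bytes.b                            # operate on raw bytes
  limit = bytes.bytesize - (bytes.bytesize % 2)  # ignore a dangling odd byte
  cut = limit
  (0...limit).step(2) do |offset|
    # Only an aligned pair of zero bytes is a terminator. A zero byte that is
    # the high half of one code unit followed by the low half of the next
    # is ordinary text.
    next unless bytes.getbyte(offset).zero? && bytes.getbyte(offset + 1).zero?

    cut = offset
    break
  end
  bytes.byteslice(0, cut)
       .force_encoding(Encoding::UTF_16LE)
       .encode(Encoding::UTF_8, invalid: :replace, undef: :replace)
end

# Constructed sample: "5.5.16", a wide NULL, then leftover bytes that are not
# valid UTF-16LE text (an unpaired surrogate and a stray code unit).
SAMPLE_DISPLAY_VERSION =
  '5.5.16'.encode(Encoding::UTF_16LE).b + "\x00\x00".b + "\x41\xD8\xFF\xFE".b

puts read_wide_string(SAMPLE_DISPLAY_VERSION)
```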
Sensitive data type lost when declaring multiple resources using title arrays
This release fixes support of sensitive data type parameters when declaring multiple resources using title arrays. PUP-10511
Agent runs failing with "Invalid or unsupported charset:ANSI_X3.4-1968"
Previously, agent runs failed when the locale settings were unrecognised or in an error state because leatherman logging expects a working locale. This release implements a defense for the leatherman logging function. PA-3254
Puppet does not add correct command flags
This release fixes an issue where Puppet would not add the correct command flags when ensuring a user resource with managehome enabled. PUP-8897
Puppet agent should ignore nssm.exe during an upgrade
Previously, if a puppet-agent upgrade on Windows happened when nssm.exe was loaded by EventLog service, certain services were restarted, leading to unreachable machines. This release includes an nssm executable for pxp-agent (nssm-pxp-agent.exe) and we have removed Windows registry references to the old nssm.exe. PA-3263
Puppet should ignore system Ruby settings
Running Puppet using a wrapper script from the puppet-agent package will now ignore the following ruby related environment variables: GEM_HOME, GEM_PATH, DLN_LIBRARY_PATH, RUBYLIB, RUBYLIB_PREFIX, RUBYOPT, RUBYPATH, RUBYSHELL. PA-3248
Deprecations
The application orchestration features
The application orchestration features are deprecated and will be removed in Puppet 7. As a result, the following will also be deprecated:
- The site, produces or consumes keywords.
- The export and consume metaparameters.
- The environment catalog REST API.
Puppet 6.16.0
Released 3 June 2020.
New features
New puppet help command to generate ronn output
This release adds a puppet help <app> --ronn command to generate help text for an application in ronn format. This eliminates the need for puppet man which is deprecated and will be removed in Puppet 7. PUP-10502
FileMetadata HTTP terminus to use the new Puppet::HTTP::Client code
Puppet now uses the HTTP client to retrieve file metadata from HTTP(S) sources. PUP-10482
New method for registering runtime implementations
This feature allows callers to register runtime implementations. Currently only HTTP is supported. PUP-10429
Puppet observes waitforlock when acquiring the ssl lock
Puppet uses an ssl lockfile to ensure its certificates and keys on disk are not modified by multiple Puppet processes. If Puppet is unable to acquire the ssl lockfile, and the new Puppet[:waitforlock] setting is enabled, Puppet will wait that many seconds before retrying the ssl lock. Puppet will wait for Puppet[:maxwaitforlock] seconds at most before giving up. PUP-10420
External trusted data is executed for file_content requests
The trusted_external_command is now only run once when external data is requested, instead of every time a request is made. PUP-10292
Improved error message when a file resource requires a non-existent directory
This release improves the error message that occurs when trying to manage a file resource whose parent directory does not exist. PUP-4442
Support on version ranges for the eq operator
Now all the providers that support version ranges will also handle simple versions, for example, 1.2.3, making the behaviour consistent between package providers. PUP-10496
New disabled value in dnfmodule package provider
This release adds a disabled value to the ensure field in the dnf module provider. PUP-10419
Added SemVerRange support to zypper package provider
This release adds support of >, >=, <, <=, >=A <=B ranges for package version specified in :ensure for zypper provider. PUP-10299
The Puppet runtime API now accepts symbols as names
This release changes the Puppet.runtime method to take symbols instead of strings. PUP-10471
New Puppet agent options when waiting for lock
- Waitforlock: The frequency an agent should run when there is an ongoing Puppet agent instance.
- Maxwaitforlock: The maximum amount of time an agent should wait for another agent to finish before starting a new run.
New Puppet introduction in the documentation
An introduction to Puppet to help new users learn the basic concepts and features. See the Puppet introduction.
Resolved issues
Installer switch service-enable true reports wrong actions in certain conditions
Previously, the puppet resource command wrongly reported the enabled state of a systemd service when the ensure parameter was also specified. This is now fixed. PUP-10479
OpenSSL errors on AWS FIPS
Previously, interleaving ruby/leatherman OpenSSL on Red Hat 7 FIPS led to OpenSSL module errors when the Ruby HTTP client was reused. This is now fixed to adapt openssl.cnf and configure FIPS algorithms, by setting evp_setting to fips_mode = true. PA-3223
An "unable to set ownership" error with logdest on agents running as root
Puppet no longer generates an error when using a log file destination. PUP-10407
Puppet plugin download fails if an agent specified environment does not exist on the agent
Calling puppet plugin download --environment <env> failed if the environment directory did not exist locally. This is now fixed. PUP-10307
The agent incorrectly reports corrective changes when base64 padding is missing from Content-MD5
Previously, when managing file resources with HTTP(S) source parameters, Puppet only parsed the header, causing interoperability problems when the base64 encoded value was not padded. Now Puppet parses the Content-MD5 header according to RFC 2045. PUP-10164
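The interoperability problem in the Content-MD5 entry above, as an added example that is not Puppet's implementation: a strict base64 decoder rejects a Content-MD5 value whose trailing = padding is missing, while a lenient decoder recovers the same 16 digest bytes, so the body still verifies. Ruby's lenient "m" unpack directive stands in for the lenient parsing here, which is an assumption of this example; the function names, sample body and header values are constructed.

```ruby
# Added example: compare strict and lenient decoding of a Content-MD5 header.
require 'digest/md5'

# Lenient decode: accepts a value with or without "=" padding.
# Returns the 16 raw digest bytes, or nil if the value is not an MD5 digest.
def decode_content_md5(header_value)
  digest = header_value.to_s.strip.unpack1('m')
  digest.bytesize == 16 ? digest : nil
end

# Strict decode, for contrast: an unpadded or malformed value yields nil.
def strict_decode_content_md5(header_value)
  header_value.to_s.strip.unpack1('m0')
rescue ArgumentError
  nil
end

# True when the body's MD5 digest equals the digest carried in the header.
def body_matches_content_md5?(body, header_value)
  expected = decode_content_md5(header_value)
  !expected.nil? && Digest::MD5.digest(body) == expected
end

# Constructed sample: one body, with its digest encoded padded and unpadded.
SAMPLE_BODY = "managed by puppet\n"
PADDED_HEADER = [Digest::MD5.digest(SAMPLE_BODY)].pack('m0')
UNPADDED_HEADER = PADDED_HEADER.delete('=')

[PADDED_HEADER, UNPADDED_HEADER].each do |header|
  strict = strict_decode_content_md5(header) ? 'accepted' : 'rejected'
  match = body_matches_content_md5?(SAMPLE_BODY, header)
  puts "#{header.length} chars: strict decode #{strict}, lenient match #{match}"
end
```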
The purge_ssh_keys parameter requires you to set the home directory in the manifest
This release fixes an issue where Puppet required you to manage the home directory when purging SSH keys with purge_ssh_keys. PUP-10506
The pip package provider does not handle pip executable paths with spaces
Paths containing spaces will now be quoted in the pip package providers. PUP-10485
Portage package provider does not work on Gentoo-based distributions
This release fixes an issue where the Gentoo provider was incorrectly selected on Gentoo-family distributions. PUP-10469
Running remove_old_postgresql_versions after upgrade fails
This release fixes an issue in Puppet's behaviour when listing information about a single specific service and all available ones by showing services in a static state. PUP-10437
Zypper provider does not recognize --no-gpg-checks as a global option
This release allows --no-gpg-checks to be passed as an item to install_options property for the zypper package provider. Note that for backward compatibility --no-gpg-check was not removed. PUP-10433
Puppet agent fails to self-restart with configuration changes or updates
Previously, when two agent runs were taking place at the same time, under some circumstances, the Puppet agent could get in a restart_requested state. This is now fixed. PUP-10351
User resource expiry incorrect on SLES 11
On SLES 11, setting a user resource expiry to absent resulted in disabling the user instead. This is now fixed. PUP-7663
The systemd provider does not honor documented enabled states
Previously, enabling indirect services caused an idempotency issue in Puppet. This has been fixed by not allowing users to enable/disable these services and to print a debug log instead. PUP-7163
Deprecations
The puppet module search command
Instead, search for modules on Puppet Forge. PUP-10480
The {find,search,save,destroy,head} methods in the abstract rest terminus
Calling Puppet::Indirection::Rest.{find,search,save,destroy,head} is deprecated as part of an effort to separate the indirector and HTTP requests. If a custom terminus extends the abstract rest terminus, it will implement the networking request itself or call Puppet's HTTP client. PUP-10445
HTTP file content terminus
The HTTP terminus for retrieving file content is deprecated and will be removed in Puppet 7. PUP-10444
Route HttpPool.connection through HTTP client
Calls to Puppet::Network::HttpPool are routed to the new HTTP client, but preserve the existing behavior for that API. The HttpPool class is deprecated and will be removed in Puppet 7. PUP-10289
The Puppet::Network::HTTP::{Connection,NoCachePool,Compression} class
The Puppet::Network::HTTP::Connection class is deprecated and will be removed in Puppet 7. Calls to the Puppet::Network::HttpPool factory methods (such as http_instance) are routed to the new HTTP client in Puppet. PUP-10481
Puppet 6.15.0
Released 30 April 2020.
New features
HTTP client API uses a generic options hash
Instead of using keyword arguments, the HTTP client API uses a generic options hash. This change allows more flexibility with development and ensures there are no problematic version dependencies. PUP-10353
HTTP report processor uses HTTP client
The HTTP report processor uses the new Puppet HTTP client when running in puppet apply. Note that it still uses the existing HTTP client when running in puppetserver. PUP-10316
HTTP report processor setting includes system truststore
Previously, when an HTTPS URL was specified, the processor would only trust the Puppet CA when verifying the server SSL certificate. This release adds a Puppet[:report_include_system_store] setting, which defaults to false. If set to true, the report processor trusts CA certificates in the puppet-agent CA bundle, as well as Puppet CA. This change only affects the HTTPS processor when running in the context of puppet apply. PUP-7737
Unified service return values
The HTTP client service methods now return the request response, as well as the previous return values. PUP-10418
Filebucket rest terminus uses HTTP client code
The filebucket rest terminus now uses the new HTTP client code. All HTTP requests that are routed through the rest terminus will go through HTTP::Client. This includes the logic to find which server to submit requests to. PUP-10385
New metric for Puppet agent run
This release adds a new Startup time metric that accounts for the interval between Puppet agent initialization and the actual run. PUP-10371
New certificate extension OID
This release adds a new certificate extension OID (1.3.6.1.4.1.34380.1.1.26) and short name (pp_owner). PUP-10364
SemVerRange support for yum, apt, pip and gem package providers
This release adds support for range intersection for the yum, apt, pip and gem package providers. Note that when using version ranges with the yum package provider, there is a limitation that requires you to specify the epoch for the version in the range. See known issues for more information. PUP-10298, PUP-10297, PUP-10296, PUP-10295
Custom retrieve() method with non-standard return values removed
This release removes the retrieve() custom method and adjusts tests dependent on the behavior. PUP-9943
Facts and vars from ScriptCompiler scope removed
This release removes node specific values from the scope of script compiles, as they did not happen in the context of a node. PUP-10397
Partitioned reports table
The PuppetDB reports table is now partitioned by day for better query and garbage collection performance. If you are an open source user, have a large database and do not delete your reports prior to the upgrade, you need to change the start timeout manually. This can take 80-85 minutes per 10GB — note that is an estimate and will be different for every user. PDB-4606
Ubuntu 20.04 support
This release adds puppet-agent support for Ubuntu 20.04. PUP-10284
Resolved issues
Upgrade Puppet Server 6.9.2 from Puppet 6.5
Previously, when querying environments without an environments directory, Puppet Server would report a 406 with an undefined method error. Now it reports an empty environments list. PUP-10405
The pkgng provider does not parse latest version properly
The pkgng provider now correctly parses the latest versions for packages. PUP-10382
The pkgng provider does not support install_options
The pkgng provider now supports install_options. PUP-10380
puppet plugin download does not download from locales mount
This release fixes a regression in 6.14.0 that caused puppet plugin download to not download files from the locales mount in the same way that the agent does. PUP-10374
Puppet apply recursive copy of directory fails in file resource
This release fixes a regression in Puppet 6.14.0 that prevented the puppet apply application from recursively copying a directory from a module using a puppet:// URL. PUP-10367
Puppet agent unable to fetch file from HTTPS source
This release fixes a regression in 6.14.0 that prevented Puppet agents from retrieving file content from HTTPS sources, when the server's certificate was issued by a CA other than the Puppet CA. PUP-10365
server_list processed up to four times per agent run
This release fixes a regression in 6.14.0 that caused Puppet agents to process their server_list up to 4 times per agent run, instead of once per run. This release restores the behavior that existed in 6.13.0 and before. PUP-10363
Can't disable Puppet::SSL::Host deprecation warning when using PuppetDB terminus
Puppet no longer generates a deprecation warning when calling Puppet::Network::HttpPool.http_instance, which used to happen when using the puppetlabs-puppetdb module to install and manage PuppetDB. PUP-10355
The puppet_gem package provider ensure => absent breaks file resources
The puppet_gem provider can now uninstall a gem during an agent run. PUP-10319
Puppet 6 daemons do not release ssl_lockfile
Previously, daemonized Puppet agents kept the ssl_lockfile locked while waiting for Puppet Server to issue their certificate. This prevented foreground Puppet commands from working. Now the agent releases the ssl_lockfile while it sleeps and reacquires the lock when it wakes up. PUP-10228
Pacman provider does partial upgrades
This release prevents the Pacman package provider from partial upgrades. PUP-10152
Persistent HTTP connection timeouts cannot be changed when using the new HTTP client
This release fixes a regression in 6.14.0 that caused Puppet to cache persistent HTTP connections for 15 seconds, instead of the expected 4 seconds, and it was not possible to change the timeout using the Puppet[:http_keepalive_timeout] setting. PUP-10434
RedHat RHBA-2020:1028 breaks `yum.rb` in yum provider
This release fixes an issue where Red Hat Subscription Manager updates caused ensure => latest to do nothing. PUP-10432
Windows service calls deprecated puppet agent --configprint
This release fixes an issue where the Puppet Windows service called the deprecated puppet agent --configprint. PUP-10414
Puppet .dmg packages fail on macOS 10.15
In macOS 10.15, the -noidme flag caused .dmg package installation to fail. This release removes the -noidme flag with hdiutil when using the pkgdmg package provider. PUP-10408
Gem provider reports changes when using composed requirements
This release fixes idempotency of gem resources with composite requirements, such as range intersections (>=1.3, <2.2). PUP-10395
Ruby file loaded twice
Previously, the gem package provider's Ruby file loaded twice and caused warnings on each Puppet run. This release removes an unnecessary file requirement that caused this issue. PUP-10390
Puppet resource service does not return all active services on Ubuntu
This release fixes an inconsistency in Puppet's behaviour when listing information about a specific service. PUP-10378
Custom file ownership for lastrunreport ignored
This release fixes a bug introduced in 6.13.0 where ownership for the lastrunreport file ignored what was defined in puppet.conf. PUP-10376
Custom file mode for lastrunreport ignored
This release fixes a bug introduced in 6.13.0 where the mode for the lastrunreport file was reset and ignored what was defined in puppet.conf. PUP-10325
Latest version ensured for python package is incorrect
Previously, using pip to ensure the latest package available could cause a lack of idempotency, with Puppet identifying the latest version incorrectly. This release improves the comparing and sorting mechanism of versions. PUP-10375
5.5.17 agents fail on interval runs
There were various paths in a Puppet run that did not explicitly return an exit code, leading to a TypeError exception. With this release, the exit argument from run_in_fork is unaffected by these errors. PUP-10366
Facter 4 debug logs do not use Puppet logger
This release fixes an issue where enabling the facterng feature flag stopped the debug logs from being forwarded to Puppet. PUP-10322
Windows user management fails if group contains not resolvable Domain accounts
Previously, if an Active Directory user was added as a member of a local group and then deleted, Puppet did not manage the respective group members. With this release, Puppet will manage the group by showing SID instead of the account name for non-resolvable users. PUP-10303
Windows pidlock access denied
With this release, Puppet uses SeDebugPrivilege on Windows when opening a lockfile PID to determine whether the process is a Puppet process. PUP-10248
Ruby security update
- CVE-2020-10663: Unsafe Object Creation Vulnerability in JSON
- CVE-2020-10933: Heap exposure vulnerability in the socket library
OpenSSL security update
This version upgrades the OpenSSL version from 1.1.1f to 1.1.1g on non-fips platforms to address CVE-2020-1967. PA-3186
Agent upgrade restarts Windows DHCP Server service
Previously, Windows components (such as DHCP Client) restarted after Puppet agent upgrades. This was a result of nssm.exe being registered as the EventMessageFile, which got loaded and locked into svchost.exe when viewing events raised by pxp-agent. The agent upgrade tried to replace nssm.exe, but failed as it was loaded, and the only way to unload it was to restart. This fix removes the usage of nssm.exe for events and replaces it with EventCreate.exe when generating event messages, so now EventCreate.exe gets loaded and locked by svchost.exe when viewing Puppet events. This will no longer interfere with the agent upgrade. PA-3175
Puppet 6.14.0
Released 10 March 2020
New features
Hiera-eyaml prints error message when decryption fails
If Puppet fails to decrypt a value stored in hiera-eyaml, the error message now includes the name of the key where the lookup failed. PUP-10317
Puppet uses new http client for all REST requests
Prior to this release, the agent only used the http client for certificate related requests. Note that this does not change how Puppet works when running as a library inside Puppet Server. PUP-10260
Send extra headers when requesting a catalog compilation
You can now define custom headers to send with http requests to Puppet infrastructure. Use the :http_extra_headers setting to define these. They should be a comma separated string of key:value pairs. PUP-9566
Puppet HTTP API does not allow callers to trust system cacerts
The HTTP client now accepts a parameter to trust the system certificate store when making HTTPS connections. By default, it only trusts the Puppet PKI. The API is private and may change in a future release. PUP-5069
macOS 10.12, macOS 10.13 and Fedora 28 support removed
This release of the puppet-agent package removes support for macOS 10.12, macOS 10.13 and Fedora 28. PUP-10244, PUP-10245, PUP-10242.
Resolved issues
Disable metrics v1 endpoint and restrict v2 to localhost
To prevent information exposure as a result of CVE-2020-7943, the /metrics/v1 endpoints are disabled by default, and access to the /metrics/v2 endpoints is restricted to localhost. PE-28468
Secondary group handling causing issues in 6.13.0
The members parameter of a group resource was validated by checking if each user exists before the manifest was applied. As a result, a manifest containing both a user creation and a group membership update would fail. You can now add a new user and update group membership in the same manifest apply. PUP-10320
Client does not reconnect when the server closes a persistent connection
Previously, Puppet failed to reuse a previously cached connection if it was using the new HTTP client, if the previous request was kept alive, or if the server closed the connection between when the client caches it and when the client tries to reuse it. PUP-10347
Replace find_functional_server call with http client
Puppet agents now use the new HTTP client to resolve the first available server in the server_list setting. PUP-10315
Puppet tries to print ssl information for non-ssl connections in debug mode
In debug mode, Puppet now only prints TLS protocols and ciphersuites for HTTPS connections, but not HTTP connections. PUP-10314
Close http client
During the SSL bootstrapping process, Puppet now closes all active HTTP connections before sleeping for "waitforcert" seconds. PUP-10288
When a site has no active connections, it should be removed from the pool.
This release reduces memory usage when the last connection from the HTTP pool is borrowed and not returned. PUP-10286
The puppet apply command does not stream file content
Now the puppet apply command uses the same code path as puppet agent to stream file content from "puppet://" and "http(s)://" file sources. As a result, the memory footprint is reduced. PUP-8338
The puppet describe --list command requires the description to include a period
The puppet describe --list command now displays summary information for each type and provider, regardless of whether the summary contains a period. PUP-2641
The Puppet agent fails due to a Ruby error
This release fixes an issue with large environment blocks on Windows, which caused a Ruby error. PA-3113
Puppet 6.13.0
Released 18 February 2020
New features
Puppet reads parameter resource for forcelocal set
When managing a user or group resource with forcelocal set, Puppet reads /etc/passwd or /etc/group for each parameter of the resource. Files are read once per managed resource. PUP-10117
forcelocal parameter available for user and group resources
The forcelocal parameter can be used on AIX for managing local user and group resources, however this option conflicts with the ia_load_module parameter. PUP-10169
Default behavior changed for strict_hostname_checking
strict_hostname_checking from false to true. It is recommended that Open Source Puppet and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. You also must specify the FQDN of the host. node /^foo/
pe_serverversion optionally added to server_facts
If the file /opt/puppetlabs/server/pe_version exists on an agent then the file will be read and added to server_facts under the name pe_serverversion. PUP-9750
Puppet follows symlink to source directory if versioned_environment_dirs setting is true
If the path to an environment is a symlink and the versioned_environment_dirs setting is true, Puppet follows that symlink to the source directory. PUP-10255
Improvements to groupadd provider
The groupadd provider now manages members using the members resource parameter. PUP-9465
Update to flavor package parameter
The flavor package parameter is now a property which can be changed after initially set. Supported providers are dnfmodule and openbsd. PUP-10171
Agent sleeps then retries connection after 429, 503 message
When Puppet Server returns a 429 or 503 to an agent after it tries to make an http request, the agent run will sleep and then retry the connection after. Previously, the agent kept the http connection open during the sleep. Now, the connection closes prior to the sleep in order to reduce the resource load on the Puppet Server. PUP-10227
mark property added as alternative to held value for ensure
This release adds the mark property with Debian and Solaris instead of setting the ensure attribute to held. The held value for ensure is deprecated. Allowed values for mark are hold or none, and it defaults to none. You can specify mark along with ensure. If ensure is missing, mark defaults to present. You cannot use the mark property together with purged, absent, or held values for ensure. PUP-1537
Puppet docs updated to include OSX Catalina 10.15 (amd64)
Puppet's public-facing documentation now includes information on this platform. PUP-10111
Resolved issues
Puppet incorrectly parsed XML plist data
Previously, Puppet tried to parse an XML property list file as ASCII instead of UTF-8. This fix resolves the issue. PUP-10241
Missing ppAuthCertExt added to custom_extensions
The custom_extension method allows certificate extensions to access the manifest. Although ppAuthCertExt was added, it was never updated to be included. This fix adds the missing ppAuthCertExt OID and updates docs to reference it. PUP-10234
Functions slowed when called with chained syntax
The Puppet language supports calling functions using prefix or chained syntax, for example: each($var) and $var.each, respectively. Chained syntax should result in the same behaviour as prefixed syntax. However, chained syntax performed slower. This fix addresses the gap. Now, chained syntax is much faster, especially with a large hash, such as $facts from the node. PUP-10113
Array settings printed poor default values and error reporting
Puppet now prints a clear error message if the disable_warnings setting is specified incorrectly: "Cannot disable unrecognized warning types foo. Valid values are deprecations, undefined_variables, undefined_resources." PUP-2820
puppet facts upload face only tried first primary server in server_list
puppet facts upload now tries each server entry in the server_list setting, similar to how puppet agent does. Previously, it only tried the first entry in the server_list setting. PUP-8900
PObjectTypeExtension doesn't implement implementation_class
Objects that inherit from the PObjectTypeExtension base type, for example Puppet::Datatypes::Error objects, raised errors when serialized to pcore due to missing methods. The missing methods have been implemented and the types are now able to be serialized to pcore. PUP-10221
Puppet incorrectly detected stale pidfile
When an agent is incorrectly terminated, it occasionally detected a stale pidfile. This fix orders a pidfile lock removal when an agent is started as a LightWeight Process (LWP) and is incorrectly terminated on POSIX operating systems. PUP-10218
Yum provider doesn't allow array of strings
The Yum package provider now accepts an array of strings to be specified for the install_options parameter in addition to the previous implementation which only accepted an array of hashes. Fix provided by community contributor Corey Osman. PUP-10177
Fixed syntax error in pxp-agent init script
The pxp-agent init script no longer errors if there are multiple instances of the service running. PUP-889
puppet resource now returns the name of the provider
The puppet resource <type> command returns resources from all suitable providers. Previously, the name of the provider was not included in the output. However, the result was ambiguous for resource types like package which support multiple providers at the same time, for example yum and gem. The puppet resource command now returns the name of the provider so that resources are uniquely identified. PUP-3721
Couldn't set, change password of a user resource in macOS 10.15
Due to a change in user management in Apple's macOS 10.15, Puppet could no longer
manage user passwords on that version. Puppet now uses the dsimport
utility to manage passwords on macOS 10.15 or higher. PUP-10246
Mailalias performs a change when value has a comma
When a mailalias resource is used, Puppet refreshes the alias without prompting, changing the value. To mitigate this, do not use commas. Mailalias records field separators when surrounded by double quotes. For example, "...project" is okay, but "...project," will cause an issue. PUP-10287
Puppet agent cannot run as administrator if first PA run is done as system
If the first Puppet agent run was done under SYSTEM account, following runs done by administrator users failed to send the report to primary server. This was due to insufficient file permissions caused by the implementation of Puppet::Util.replace_file. Puppet now uses the new Puppet::FileSystem.replace_file method which correctly handles file permissions on Windows. PUP-9719
Puppet 6.12.0
Released 14 January 2020
New features
Update to compilation warnings
This release includes improvements to the evaluator, meaning some compilation warnings now take less time to compute. PUP-10213
Improvements to some manifest function performance
Performance of manifests that use the PuppetStack.top_of_stack function has been greatly improved. This includes manifests that use the puppetlabs-stdlib deprecation function or the pseudo keywords break, return, and next. PUP-10170
Merge dependency warnings
If a class has a failed dependency, every resource in that class generates a notice level message about the dependency failure and a warning level message about skipping the resource. At large-node or large-code scale, one dependency failure can create an overwhelming number of warnings. To collapse all messages caused by one class dependency failure into one message associated with the class, set merge_dependency_warnings=true. PUP-10017
OpenSSL 1.0.2 updated to 1.1.1d
OpenSSL 1.0.2 reached end of life on 31 Dec 2019. The OpenSSL version used in Puppet 5.5.x has been upgraded to OpenSSL 1.1.1d. PUP-3029
Deprecation warning for Windows Server 2008 and 2008 R2
On January 14, 2020 support for Windows Server 2008 and 2008 R2 ends. PA-3018
puppet module install uses Puppet's HTTP client
The puppet module install command now uses Puppet's HTTP client to connect to the Forge. It observes the Puppet[:sourceaddress] setting, useful when running the install command on a puppetserver with multiple network interfaces. PUP-10041
Systemd is the default service provider for Cumulus 4
This release adds systemd as the default service provider for Cumulus 4. PR contributed by Brian Rak. PUP-10162
Resolved issues
Introduces puppet_trace and bug fix in trace
This release fixes a bug where stacktraces from errors no longer had the Ruby stack frames interleaved with the Puppet stack frames when using trace. This release also introduces a new setting, puppet_trace, which prints the Puppet stack without the Ruby frames interleaved. If the trace setting is enabled, it overrides the value of puppet_trace. PUP-10150
Puppet loaded types and providers during environment convergence
Previously, Puppet agents could fail to apply a catalog if the agent switched environments based on node classification and if there were different versions of a module in those environments. As a result of this fix, an agent loads types and providers only once, converges to its server-assigned environment quickly, and updates its cached catalog after the environment converges. PUP-10160
Premature loading of module-provided facts under -p
Previously, when running facter -p on Windows with custom facts or module facts that required additional files that were not present in $LOAD_PATH, an error would occur. Now, $LOAD_PATH is set without using Facter, getting it directly from the system environment. PUP-10136
Debian Puppet-agent package lacked SELinux Ruby library
Ruby SELinux libraries are now also provided for Debian and Ubuntu platforms. PA-2985
puppetdb_query didn't respond to hostprivkey & hostcert settings
Previously, an override of the client certificate and corresponding private key in Puppet settings using the hostcert and hostprivkey was not possible. This fix restores that capability. PUP-10165
Package provider removed colon from package name
This fix corrects the implementation of a colon (:) as a version slot separator for Gentoo Linux. PUP-10124
When checking binary file changes, puppet agent -t, puppet apply --show_diff occasionally generated an error
Previously, puppet agent -t or puppet apply --show_diff could generate an error when trying to display the changes it made to a binary file. Puppet now detects this case and prints a generic message stating that the binary files differ. PUP-10097
Windows confused domain and local accounts
Puppet no longer checks for domain users or groups when managing local resources on Windows. This fix addresses a local user management issue occurring when an Active Directory account existed with the same name as the local user. PUP-10057
Fixed HP-UX usermod syntax
The HP-UX provider forced command line arguments to usermod to be in a specific order. This is now fixed. PUP-9391
server_list setting not observed when making CA requests
The CA service now observes the ServerList resolver when attempting to resolve routes. Previously, SRV Records or the server/ca_server setting found this information. PUP-10157
Could not create local user when username already exists in Windows domain
As of this release, Puppet ignores case for the domain/computer name comparison when checking for local accounts on domain-joined Windows machines. PUP-10219
Template rendering updated to enhance ease of use
Secret values resolved by deferred functions can now be used directly with tools like Vault. This fix makes it easier to render templates on the agent. PUP-10139
Password did not update when account disabled for Win 2012 R2
Puppet can now change the password for a non-active account on Windows. PUP-10021
Regression: Puppet 6.11 can't manage SELinux on Centos/Redhat 8
This release fixes an issue with management of SELinux using Puppet on RedHat and Debian based systems. PA-3067
Puppet 6.11.1
Released 20 November 2019
Resolved Issues
Fixed systemd daemon-reload issue
This release fixes a regression where the daemon-reload method returned all properties instead of the value for a specific NeedDaemonReload property. Contributed by alexjfisher. PUP-10149
Puppet 6.11.0
Released 19 November 2019
New features
SSL state machine and application now use the Puppet HTTP client
This release modifies puppet ssl, puppet device, and puppet agent to use the Puppet HTTP client to bootstrap SSL certificates on the node. PUP-10040
Virtual package support for apt and dpkg providers
To allow virtual packages, ensure that the package attribute allow_virtual is set to true in your Puppet resource file. PUP-10023
Package support for DNF modules
Puppet now supports managing DNF modules, which are groups of packages that represent an application, a language runtime, or any logical group.
Modules can be available in multiple streams, usually representing a major version of the software they include. Profiles are package subsets representing a specific use case of the module (these are handled by the flavor parameter of the package type).
Due to the significant difference between a package and a module, dnfmodule is an opt-in provider and should be explicitly specified in the manifest. PUP-9978
Boolean support for selboolean
The selboolean value property now accepts true and false values in addition to on and off. PUP-9963
Windows improvements
This release removes a dependency on .bat files when running Puppet as a service on Windows. PUP-9940
Resubmit facts at the end of an agent's run
Puppet submits facts when requesting a catalog, but if the agent modifies the system while applying the catalog, then the facts in PuppetDB won't be refreshed until the agent runs again, which may be 30 minutes depending on how runinterval is configured. This feature makes it possible to submit facts again at the end of the agent's run, after the catalog has been applied. To enable this feature, set resubmit_facts=true in the agent's puppet.conf. Resubmitting facts doubles the fact submission load on PuppetDB, since each agent will submit facts twice per run. This feature is disabled by default. PUP-5934
Experimental feature: catalog compilation with external trusted data from third parties
Use trusted_external_command to add trusted facts from an external source during catalog compilation. trusted_external_command is a path to an executable command that can produce external trusted facts. The command must:
- Take the name of a node as a command-line argument.
- Return a JSON hash with the external trusted facts for this node.
- Exit with a non-zero exit code for unknown or invalid nodes.
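A command meeting the three requirements above could look like the following. This is an added example, not code from Puppet; the INVENTORY data, the host names, the function name and the exit codes 1 and 2 are assumptions, and it writes the JSON hash to standard output.

```ruby
#!/usr/bin/env ruby
# Example trusted_external_command (illustrative, not shipped with Puppet).
require 'json'

# Constructed sample data standing in for the external source of truth
# (CMDB, asset database). A real command would query that system instead.
INVENTORY = {
  'web01.example.com' => { 'datacenter' => 'ams1', 'owner' => 'web-team', 'tier' => 'prod' },
  'db01.example.com'  => { 'datacenter' => 'fra2', 'owner' => 'dba',      'tier' => 'prod' }
}.freeze

# Conservative node-name check: lowercase DNS labels only, at most 253
# characters, no trailing newline. Anything else is treated as invalid so
# the argument can never be used as a path or query fragment.
CERTNAME = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/

# Returns [exit_code, stdout_text].
#   0 -> node known, stdout_text is a JSON hash of its external facts
#   1 -> node name invalid or unknown (non-zero, as the contract requires)
#   2 -> wrong number of arguments
def trusted_external(argv, inventory = INVENTORY)
  return [2, ''] unless argv.length == 1

  node = argv.first
  return [1, ''] unless node.is_a?(String) && CERTNAME.match?(node)

  facts = inventory[node]
  return [1, ''] if facts.nil?

  [0, JSON.generate(facts)]
end

# Script entry point. With no arguments the file only defines its
# functions, so it can be loaded by a test without exiting.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  code, out = trusted_external(ARGV)
  puts out unless out.empty?
  exit code
end
```

Failing closed on an unknown or malformed node name keeps a lookup error from being compiled into the catalog as an empty set of trusted facts.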
Hardened Linux Executable and Linkable Format (ELF) binaries
Linux ELF binaries and shared objects are now compiled with Position Independent Executables (PIE) support, stack canary, and Relocation Read-Only (RELRO). PA-2986
Resolved issues
Certificate requests sometimes raised confusing error messages
Previously, when Puppet encountered a connection error, it would create a new exception with additional contextual information around what was causing the error. However, this new exception could cause an additional "Wrong number of arguments" error. Puppet now raises the original error and logs it with any additional contextual information. PUP-10121
The no_proxy setting ignored FQDN suffixes unless they had a leading wildcard or period
Previously, Puppet would only bypass a proxy if no_proxy had a leading wildcard or period. For example, *.example.com or .example.com. Puppet now bypasses the HTTP proxy if the no_proxy environment variable or Puppet setting is a suffix of the destination server FQDN. PUP-10106
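The two matching rules in this note can be compared side by side. This is an added example that models the rules as worded here with plain string operations; it is not Puppet's implementation, and the function names and host names are assumptions. The last helper is an audit check for entries written without a leading period, which under a literal suffix test also match hosts in a different domain.

```ruby
# Split a no_proxy value into trimmed, lowercase, non-empty entries.
def no_proxy_entries(value)
  value.to_s.split(',').map { |e| e.strip.downcase }.reject(&:empty?)
end

# Rule before the fix, as the note describes it: only entries with a
# leading wildcard or period cause the proxy to be bypassed.
def bypass_before?(fqdn, no_proxy)
  host = fqdn.downcase
  no_proxy_entries(no_proxy).any? do |entry|
    entry.start_with?('*.', '.') && host.end_with?(entry.delete_prefix('*'))
  end
end

# Rule after the fix, read literally: bypass when an entry is a suffix of
# the destination FQDN (assumption: a plain string-suffix comparison).
def bypass_after?(fqdn, no_proxy)
  host = fqdn.downcase
  no_proxy_entries(no_proxy).any? { |entry| host.end_with?(entry.delete_prefix('*')) }
end

# Audit helper: hosts that a literal suffix test sends direct although the
# matching entry does not end on a DNS label boundary, for example the
# entry "example.com" against the unrelated host "notexample.com".
def cross_label_matches(hosts, no_proxy)
  entries = no_proxy_entries(no_proxy)
  hosts.select do |h|
    host = h.downcase
    entries.any? do |entry|
      suffix = entry.delete_prefix('*')
      next false if suffix.start_with?('.') # already anchored on a label
      host.end_with?(suffix) && host != suffix && !host.end_with?('.' + suffix)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  setting = 'example.com, .internal' # constructed sample setting
  hosts = %w[puppet.example.com notexample.com example.com db.internal]
  hosts.each do |h|
    puts format('%-20s before=%-5s after=%s', h, bypass_before?(h, setting), bypass_after?(h, setting))
  end
  puts "entries matching across a label boundary: #{cross_label_matches(hosts, setting).inspect}"
end
```

Where traffic is expected to pass through an egress proxy, writing entries with a leading period keeps the bypass limited to subdomains of the intended domain.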
Puppet device runs would fail when specifying csr_attributes.yaml
The csr_attributes.yaml file can now be specified when requesting a certificate signing request for a device using puppet device --target devicename. PUP-10104
On certain Linux distributions, Puppet could incorrectly handle the service setting
On Linux distributions that do not have a default service provider, Puppet sometimes defaulted to using the defpath before verifying that runit was suitable. PUP-10102
Error messages for exec commands with paths that could not be resolved included sensitive data passed to the command
If an exec resource's command is not executable or cannot be resolved into a fully qualified path, Puppet now only prints the command, and not the potentially sensitive arguments passed to the command. Puppet also redacts the output of sensitive commands when the logoutput parameter is set to true, or the parameter is on_failure (the default), and the command fails. PUP-10100
Puppet wouldn't install dpkg sub-packages when ensure was set to held
Puppet now correctly installs dpkg sub-packages and sets them to held if ensure is set to held. PUP-10059
skip_tags was missing help documentation
Added help documentation for skip_tags. Contributed by cvquesty. PUP-10026
The deep_merge Ruby gem was vendored by Puppet
This release adds a runtime gem dependency for the deep_merge gem and ensures that the gem is no longer vendored. PUP-10014
Puppet couldn't manage pip resources if the pip command was in a directory containing spaces
Puppet can now manage pip resources in directories containing spaces, such as C:\Program Files\Python27 on Windows. PUP-9647
User resource did not respect forcelocal for the comment parameter
Prior to this release, a user resource configured with forcelocal would still try to sync the comment parameter with the external directory services. PUP-9562
Pluginsynced module API improvements
If a module used a legacy Ruby (Puppet version 3) function, and it was pluginsynced (via puppet agent -t), the function could not be loaded when using Puppet as a library. Puppet 3 API functions are now available from the cached lib directory. If a function exists in both version 3 and version 4, Puppet uses the version 4 implementation. PUP-9509
Improved handling of pip version detection during catalog compilation
Previously, the pip provider failed if pip --version did not emit the version on the first line of output. PUP-8986
The pip package provider did not use install_options when ensure was set to latest
Puppet now uses install_options whenever pip install is executed. PUP-8949
The systemd service provider failed on services whose names started with a dash
The systemd service provider can now manage services whose names start with a dash. Contributed by j-collier. PUP-7218
Improvements to working directory handling
Previously, if the cwd parameter was not specified, Puppet would change its working directory to the current working directory, which was redundant and could fail if the current working directory was not accessible. Now, exec resources only change the current working directory if the cwd parameter is specified in a manifest. PUP-5915
Puppet was unable to manage passwords for disabled Windows users
Puppet can now manage passwords for disabled Windows users. PUP-10021
Puppet 6.10.1
Released 15 October 2019
New features
Module installation performance with minitar improved
Installation time on larger modules has been improved. Previously, on platforms that had the minitar gem installed, minitar would fsync every directory and file, causing long extraction times during module installation. Puppet now uses minitar 0.9, with the fsync option turned off by default. PUP-10013
Automatic (delayed start) is now an option for Windows services
Puppet can now set Windows service startup type to Auto-Start (Delayed). To set a service to use this setting, set the enable parameter of the service resource to "delayed". PUP-6382
Resolved issues
Module repository credentials redacted during installation
When you install a module, if the module repository URL includes credentials, Puppet now redacts the credentials in the command line output. PUP-9787
Sensitive values redacted in notify
resource
messages
Prior to this release, the notify
resource leaked
data if the message was a sensitive
datatype with a
raw value, not encapsulated in quotes. Now sensitive values are redacted when they
are interpolated in a notify
resource's
message.
PUP-9295
Ruby security update
- RDoc vulnerabilities
- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
- CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
- CVE-2019-16254: HTTP response splitting in WEBrick
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
Curl security update
This version includes a security update to curl 7.66.0 to address CVE-2019-5481 and CVE-2019-5482.
OpenSSL security update
This version upgrades OpenSSL to 1.1.1d to address CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563. For more details, see the OpenSSL Security Advisory.
Puppet 6.10.0
Released 1 October 2019
Resolved issues
Puppet tried to install packages that were already installed
Previously, Puppet incorrectly parsed the output of
pip freeze
when it reported package versions
using the arbitrary equality operator, ===
. As a
result, Puppet treated the package as not installed
and tried to reinstall it during every Puppet run.
PUP-10015
Query parameters for HTTP and HTTPS file resources are preserved
When retrieving metadata and content for HTTP
or
HTTPS
file resources, Puppet now preserves query parameters. Previously,
Puppet requested only the path
element of the URI and skipped the query parameters. PUP-9109
YAML output with special characters was not valid
Previously, the puppet resource --to_yaml
and puppet device --to_yaml
commands did not generate valid
YAML if the output contained special characters such as a single quote. PUP-7808
Puppet 6.9.0
Released 17 September 2019
New features
serverip6
fact added
This release adds the serverip6
fact, which returns
the server's IPv6 address. If Puppet cannot find
either serverip
or serverip6
facts, it returns a warning. PUP-5109
Agent startup logged at debug level in daemon mode
When running in daemon mode, Puppet logs the
configuration used on agent startup at the debug level. The log is sent to the
output specified by the --logdest
option.
Configuration is reloaded and also logged on SIGHUP. PUP-9754
puppet plugin
information was not included in help
The puppet help
command did not include help
information for puppet plugin
. Now the plugin
command is included in puppet help
output. PUP-9959
Resolved issues
systemd
could not run as non-root
This release fixes a regression introduced in Puppet
6.8.0, where the systemd
provider was prevented from
working when running as non-root. For example, the command puppet resource service
did not include systemd
services. PUP-10016
puppet module uninstall
now works in FIPS
mode
Previously, the puppet module uninstall
command
failed if you ran it in FIPS mode. With this release, puppet
module uninstall
now works in FIPS mode, provided you specify either
the --ignore_changes
or --force
arguments. If you do not specify one of these arguments, then
uninstall fails, so that local changes to the module are not lost. PUP-9991
no_proxy
setting correctly bypasses proxy even
when HTTP_PROXY
environment is set
Fixes a bug where Puppet attempted to use a proxy
specified in the HTTP_PROXY
environment variable,
even though the no_proxy
setting was set to bypass
the proxy. PUP-9990
exec
conditionals respect sensitive types
The exec
type's onlyif
and unless
checks now return
redacted output if it is marked sensitive. PUP-9956
install_only
parameter added for yum
, dnf
providers
This release adds a new parameter, install_only
, for
yum
and dnf
package providers. Set this parameter for packages that should only be installed,
but never updated, such as kernels. PUP-9605
Plug-in download speed improved
The puppet plugin download
command now reuses HTTPS
connections. This significantly speeds up the download process. PUP-8662
Puppet no longer ignores truncated file downloads caused by a Ruby issue
Prior to this release, Puppet silently ignored
truncated file downloads, such as when using a file resource whose source parameter
contained a puppet://
, http://
, or https://
URL. This issue
was caused by a Ruby issue and is fixed in this
release. PA-2849
Puppet 6.8.1
Released 28 August 2019
Resolved issues
Virtual package support removed for apt
and
dpkg
providers
This release removes the virtual package support added for the dpkg
and apt
providers in the previous
release.
Puppet 6.8.0 added virtual package support to these
providers with an allow_virtual
setting that
defaulted to true
. This caused issues because
virtual packages are not enabled by default on apt
and dpkg
. PUP-9974
Fixed command execution with certain sensitive non-string arguments
Puppet could not execute commands with non-string
arguments if the command was also marked as sensitive and the arguments were passed
as an Array to the execute
method. The issue is
fixed for all providers, including the useradd
provider. PUP-9973
Puppet 6.8.0
Released 21 August 2019
New features
puppet module install
command prefers SHA-256 for
verifying tarball
The puppet module install
command now prefers SHA-256
when verifying the downloaded module tarball, but falls back to MD5 if necessary.
PUP-9909
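A sketch of the prefer-SHA-256, fall-back-to-MD5 verification described above, as an added example that is not Puppet's own code. The metadata keys `file_sha256` and `file_md5`, the function names and the `allow_md5` switch are assumptions, and refusing to fall back after a SHA-256 mismatch is this example's design choice.

```ruby
require 'digest'

# Constructed sample input standing in for a downloaded module tarball.
SAMPLE_TARBALL = "constructed module tarball bytes for the example\n".b

class ChecksumError < StandardError; end

# Verify downloaded bytes against repository metadata, preferring SHA-256.
# The metadata keys 'file_sha256' and 'file_md5' are assumptions made for
# this example. Returns the algorithm that was used (:sha256 or :md5) and
# raises ChecksumError when verification is not possible or fails.
def verify_tarball(bytes, metadata, allow_md5: true)
  sha256 = metadata['file_sha256'].to_s.strip.downcase
  md5    = metadata['file_md5'].to_s.strip.downcase

  unless sha256.empty?
    # A SHA-256 value was advertised, so it is authoritative. A mismatch is
    # fatal: falling through to MD5 here would let the weaker digest
    # override a failed stronger one.
    actual = Digest::SHA256.hexdigest(bytes)
    unless actual == sha256
      raise ChecksumError, "SHA-256 mismatch: expected #{sha256}, got #{actual}"
    end
    return :sha256
  end

  raise ChecksumError, 'metadata carries no checksum' if md5.empty?

  # MD5 is only a legacy fallback. Hosts that forbid it (for example under
  # a FIPS policy) pass allow_md5: false and fail closed.
  unless allow_md5
    raise ChecksumError, 'only MD5 is available and MD5 fallback is disabled'
  end

  actual = Digest::MD5.hexdigest(bytes)
  unless actual == md5
    raise ChecksumError, "MD5 mismatch: expected #{md5}, got #{actual}"
  end
  :md5
end

# Boolean wrapper for callers that do not want to handle the exception.
def rejected?(bytes, metadata, **opts)
  verify_tarball(bytes, metadata, **opts)
  false
rescue ChecksumError
  true
end

if __FILE__ == $PROGRAM_NAME
  modern = { 'file_sha256' => Digest::SHA256.hexdigest(SAMPLE_TARBALL),
             'file_md5'    => Digest::MD5.hexdigest(SAMPLE_TARBALL) }
  legacy = { 'file_md5' => Digest::MD5.hexdigest(SAMPLE_TARBALL) }

  puts "modern metadata verified with: #{verify_tarball(SAMPLE_TARBALL, modern)}"
  puts "legacy metadata verified with: #{verify_tarball(SAMPLE_TARBALL, legacy)}"
  puts "legacy rejected without MD5:   #{rejected?(SAMPLE_TARBALL, legacy, allow_md5: false)}"
end
```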
puppet-agent packages for Debian 10 added
A puppet-agent
package for Debian is now available.
Virtual packages support for apt
, dpkg
This release allows apt
and dpkg
providers to install virtual packages. The allow_virtual
setting defaults to true
, which enables the ability to install virtual packages.
rubygems
: package { 'rubygems': ensure => 'latest' }
Puppet finds and installs the real package ruby
. You can also uninstall a virtual package this way,
by setting the package's ensure
attribute to absent
:
package { 'rubygems':
ensure => 'absent',
allow_virtual => false,
}
By default, this removes the ruby
package. To disable virtual packages, set allow_virtual
to false
. This feature also addresses the Ubuntu reporting issue in MODULES-2047. PUP-9909
New no_proxy
setting available in puppet.conf
You can now specify no_proxy
as a Puppet setting, consistent with other http_proxy_*
Puppet settings. The NO_PROXY
environment variable takes precedence over the no_proxy
Puppet setting. PUP-9316
bolt-shim
module no longer required to run scripts
over pxp-agent
Previously, to run a script over a pxp-agent
, you had
to first install the bolt_shim
module. This fix
allows pxp-agent
to respond to requests to execute a
script run action without the module. PUP-869
Resolved issues
Agents now connect directly if target host is set to NO_PROXY
If the agent is configured to use an HTTP proxy, and it attempts to connect to a host
that matches an entry in the NO_PROXY
environment
variable, then Puppet connects directly to the host
instead of using the proxy. This feature was originally introduced in Puppet 4.2, but it did not work. PUP-9942
Windows components restarted on agent upgrades
During puppet-agent
upgrades, Windows Network Components were sometimes restarted.
This occurred when the upgrade process tried to modify a DLL file that was already
loaded. This release fixes the issue, and Windows
components no longer restart during upgrades. PA-2701
Conflict between puppet-agent
and puppetserver
packages resolved
Puppet might fail to load under JRuby 9.1, if puppet-agent
6.4 or greater and puppetserver
6.0.x were installed on the same host. PUP-9927
Services incorrectly reported as absent after change
When Puppet runs a resource service that changes the
state of the service, the returned status would always fail, causing the ensure
status of the service to be absent. Now Puppet correctly returns the service status when a
change of the service is requested. PUP-9908
Passing code to the parser failed on STDIN
Resolved an issue where puppet parser validate
failed
with an error when a valid manifest was passed in through the STDIN pipe. PUP-9816
Puppet selects systemd
Puppet selects systemd
as the default service provider on Debian 10,
"buster". PUP-9752
Puppet repeated file mode changes on some Windows files
When puppet apply
changes the mode on a file inside a
protected Windows directory, Puppet changes the mode on every run, even if the
desired mode matches the current mode. This fix improves the analysis of the file
mode, so that if the desired mode matches the current mode, Puppet does not set the mode. PUP-9722
Passwords for the user type were output in Debug logging
User providers will not output exec command lines with passwords during debugging
level logging. Instead, the passwords are now marked [redacted]
. PUP-9585
Device certificates could be lost in backup and restore
Prior to this change, Puppet device certificates were stored under the cache directory. When the proxy agent for a device is the primary server, and the user executes a backup and restore, either manually or automated as in OpsWorks, the certificate and keys were lost, requiring certificate regeneration for those devices.
This fix moves the device certificate directory to a persistent path, leaving the old path as a symbolic link for compatibility purposes.
If you are using the device_manager
module to manage
your devices, upgrade to 3.0.1 or later to avoid deleting certificates from their
new location. PUP-8736
systemd provider confined to init system matching systemd
This change allows the systemd provider to work in a chrooted environment. PUP-7312
HTTP connections did not support authenticating proxies
Agents could not connect through an authenticating HTTP proxy when making REST
requests to Puppet infrastructure, such as when
requesting a catalog. Now agents will observe the http_proxy_user
and http_proxy_password
settings or HTTP_PROXY_USER/PASSWORD
environment variables when making those
requests. PUP-4470
Puppet does not use proxy to connect to localhost
If an HTTP proxy is configured either in Puppet
settings or the HTTP_PROXY_*
environment variables,
then Puppet does not use the proxy when connecting to
localhost or 127.0.0.1. This behavior can be modified by changing the no_proxy
setting in puppet.conf
or the NO_PROXY
environment variable. PUP-2172
Puppet was unable to appropriately manage SELinux file contexts
Previously, Puppet was unable to effectively manage the SELinux file context without restarting the Puppet service. This issue was due to an infinitely cached default context for each file. Now Puppet clears this cache after each catalog apply. PUP-2169
Deprecations
SSL-related API classes deprecated
Various classes are marked as deprecated in API documentation, and will be removed in
a future major version of Puppet. Constructing an
instance of Puppet::SSL::Host
, attempting to get or
set Puppet[:ssl_server_ca_auth]
, or attempting to
set Puppet[:ssl_client_ca_auth]
now generates a
deprecation warning. PUP-9513
The following classes or methods are deprecated and will be removed in a future version of Puppet:
- Puppet::Network::HttpPool.http_instance
- Puppet::Network::HttpPool.http_ssl_instance
- Puppet::SSL::Host
- Puppet::SSL::Base
- Puppet::SSL::Key
- Puppet::SSL::Certificate
- Puppet::SSL::CertificateRequest (just the indirector related stuff, the rest is ok)
- Puppet::Indirector::SslFile
- Puppet::SSL::Key::*
- Puppet::SSL::Certificate::*
- Puppet::SSL::CertificateRequest::*
- Puppet::SSL::Validator
- Puppet::SSL::Validator::*
- Puppet::SSL::VerifierAdapter
- ssl_client_ca_auth
- ssl_server_ca_auth
Puppet 6.7.2
Released 26 July 2019
Resolved issues
Catalog application failed with puppetlabs-ciscopuppet
module
Catalog application failed when using a custom resource type whose automatic
relationship method, such as autorequire
or
autobefore
, returned an instance of
Puppet::Type
instead of a resource name. This occurred in
particular when using the puppetlabs-ciscopuppet
module. This issue
was caused by a regression in Puppet 6.7.0. PUP-9926
Use of the mailalias
resource type returned errors
mailalias
resource type.
Puppet was unable to correctly parse files,
resulting in errors such as:
Could not prefetch mailalias provider 'aliases': Could not
parse line "mailer-daemon: postmaster" (file: /etc/aliases, line: 12
This
issue was caused by a regression introduced in Puppet
6.7.0. PUP-9914
Puppet 6.7.1
This version of Puppet was never released.
Puppet 6.7.0
Released 23 July 2019
New features
New ca_fingerprint
setting verifies the CA
bundle download against a fingerprint
ca_fingerprint
setting to specify
that newly provisioned agents should verify the CA certificate when it is initially
downloaded. This provides a way to securely bootstrap new agents. To enable this
verification, set ca_fingerprint
to the SHA256
digest of the CA certificate, which can be calculated on the Puppet Server. To calculate this SHA, run the following
command on the primary server, or on the CA server if you have specified a server
other than the primary server: openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '
PUP-9638
Resolved issues
Some commands could not be found
Some Puppet commands, such as puppet-infra
, might not be found in the system PATH. This fix ensures
that the relevant directory, /opt/puppetlabs/bin
, is
available in the PATH. PA-2750
Custom MSI actions are logged
Custom MSI actions did not correctly log STDERR
to
the MSI log. PA-2691
Puppet 6.6.0
Released 1 July 2019
New features
--evaltrace option now shows total number of resources to be evaluated
The --evaltrace
argument, used with the puppet
agent and puppet apply commands, now returns the
number of resources evaluated and the total number of resources to be evaluated.
This option is useful for showing which resource in the catalog is being evaluated
and the progress through the current catalog. PUP-9465
Resolved issues
Provider autoloading issue fixed
In the 6.5.0 release, Puppet was unable to autoload providers on some systems. This issue has been fixed. PUP-9794
pip
provider error fixed
In the 6.5.0 release, Puppet encountered an undefined
method error when running the pip
provider. This issue has been
fixed. PUP-9790
puppet agent --fingerprint
returns the CSR hash
When you run the puppet agent --fingerprint
command, if the agent
doesn't have a client cert yet, Puppet returns the
SHA256 digest of the certificate request (CSR). This functionality was broken as of
Puppet 6.4.0, and is now fixed. PUP-9720
Recurring Puppet runs exited on some SSL bootstrap errors
Recurring Puppet runs wait a specified amount of time while bootstrapping the SSL system, and then retry if an error is encountered. This behavior was broken as of Puppet 6.4.0, and this release restores the behavior.
The wait interval is controlled by the waitforcert
setting. One-time
Puppet runs such as puppet agent
--test
or puppet agent --onetime
do not retry, and
instead exit when the first error occurs. PUP-9717
Lockfile retained old PID, causing agent failure
This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem. PUP-9691
Puppet now registers OIDs in the SSL application
SSL requests might sometimes return errors because Puppet was not registering OIDs in the SSL application. This is now fixed. PUP-9746
Puppet 6.5.0
Released 19 June 2019
New features
Use the staging_location
parameter to customize the temporary
location for new files
You can now use the staging_location
parameter to render a file in a
different location before you validate it with the validate_cmd
parameter. PUP-9389
Use puppet catalog compile
to compile catalogs
The puppet catalog compile
action works in the same way
puppet server --compile
worked before it was removed in Puppet 6.0.0. You must run the command on the
puppetserver
with access to your environments, modules,
manifests, and Hiera data. PUP-9055
Create a Regexp
with all special characters escaped
Create a Regexp
that escapes all regexp special characters by adding
a Boolean true
as a second argument in a call to
new
. For example, Regexp(".[/", true)
or
Regexp.new(".[/", true)
. The default value is
false
. PUP-9554
Package providers now support an alternative gem
command
Previously, package providers relied on $PATH
for the default gem.
This release adds a targetable
feature to the
package
type, allowing package providers to implement a
command
attribute. The gem
and
pip
providers now implement that attribute. This feature allows
Puppet to manage packages in software
collections, such as Red Hat Software Collections.
PUP-6488
package { 'colorize':
name => 'colorize',
provider => gem,
}
package { 'colorize-opt':
name => 'colorize',
provider => gem,
command => '/opt/ruby/bin/gem',
}
Manage multiple Python installations with pip
and
pip3
package providers
You can now add a custom path to your pip
and pip3
providers using a package command
. If you have multiple Python
installations, this allows you to point to a specific installation. PUP-1082
Specify the maximum amount of time an agent should wait for its certificate
By default, Puppet agents attempt to download their
signed certificate indefinitely. This release adds a maxwaitforcert
setting, which specifies the maximum amount of time an agent should wait for its
certificate. Acceptable values are unlimited
(the current
behavior), or a duration such as 10m
, or 1h
. If
you specify a duration, the agent waits the full amount of time and, if the
certificate is not downloaded, exits with an error. PUP-3237
Elliptic-curve cryptography (ECC) key support
key_type=ec
setting. By default, Puppet uses the prime256v1
elliptic
curve, but you can specify an alternate curve using the named_curve
setting if the curve is supported by Ruby and
OpenSSL. See OpenSSL::PKey::EC.builtin_curves
for a list of
supported curves. PUP-2606
key_type
and named_curve
settings if the
agent already has a private key. These settings only control the type of private
key that the agent generates. The settings do not affect which curve is selected
in the TLS protocol.
Specify a refresh interval for certificate revocation lists (CRLs)
crl_refresh_interval
setting to specify a refresh interval
for CRLs. If specified as a duration, such as 8h
, or
7d
, the agent refreshes its CRL on its first run after the
specified duration has elapsed. If the agent downloads a new CRL, it uses the new
CRL for all subsequent network requests. If the refresh request fails or if the CRL
is unchanged on the certificate authority (CA), the agent run continues using the
local CRL. PUP-2310
runinterval
. Setting runinterval
to an
equal or lesser value than the duration causes Puppet to refresh the CRL on every agent
run.
Improved server_list
output and error messaging
Previously, using config print
to view your
server_list
would output a nested array that was difficult to
read. Using config print
now outputs the text in the same
human-readable format as its entry in puppet.conf
. Puppet uses the same human-readable output for errors
you receive from being unable to connect to a server in
server_list
. PUP-9495
Improved JSON output support for validation errors
puppet parser validate
subcommand now supports a
--render-as=json
option to output validate errors in a machine
readable JSON format. Additionally, if you use the command with multiple files, Puppet continues to validate additional files when it
finds a parse error, instead of halting immediately on the first error encountered.
PUP-8984
puppet parser validate
returns a maximum of one parse error per
file.
Fedora 30 support
This release adds puppet-agent
support for Fedora 30. PA-2675
Resolved issues
puppet device
failed to manage multiple devices
The puppet device
command would not manage multiple network devices
in a single run. This was a regression introduced in Puppet 6.0.5. PUP-9587
Security update to curl
This release includes an update to curl to address security issues. See https://curl.haxx.se/docs/CVE-2019-5435.html and https://curl.haxx.se/docs/CVE-2019-5436.html for information about the CVEs. PA-2689
Amazon platforms now use yum
as
the default provider
Prior to this release, Amazon platforms did not have a
default provider set. This resulted in Puppet trying
to use the gem
provider to install Amazon packages. PUP-9724
On Windows, Puppet no longer applies corrective changes to the administrator password on every Puppet run
Puppet now applies corrective changes to the administrator password only on the first run. PUP-9688
Improved syntax error feedback for legacy Ruby functions
If you loaded a legacy Ruby function with syntax errors, you'd get an error saying that your function "does not seem to be a Puppet 3x API function." Puppet now alerts you to syntax errors. PUP-9643
Password protected private key support for agent-only nodes
If a private key password file (Puppet[:passfile]
) exists and the
agent doesn't yet have a private key, the agent generates a key and uses the
contents of the passfile
to encrypt the key on disk using
AES-128-CBC. If the agent already has an unencrypted private key, no change occurs.
PUP-9466
Temporary files created from validate_cmd
use the same
permissions as the file resource
Prior to this release, the permissions of temporary files created by
validate_cmd
were different to the permissions defined on the
file resource. PUP-8983
Uninstall an rpm package without specifying a version or build number
You can now remove a package with rpm
package provider using
ensure => absent
without specifying a version or build
number. PUP-8664
Tags specified via --skip_tags
are no longer expanded by
splitting on the namespace
Using --skip_tags
split tags on the namespace separator
(::
) and caused Puppet to expand
and skip all resources in the specified namespace. For example, using
fruit::apples
expanded and skipped ['fruit::apples', 'fruit', 'apples']
. PUP-8215
Improved error message when listing provider resources
You now get a more helpful error message if you try to list resources for a provider type that does not have the instances class method defined. PUP-4930
Performing two or more rapid-fire Puppet runs no longer results in a race condition
When an additional Puppet run was triggered immediately after Puppet had requested a certificate from the primary server, the primary server received the original Certificate Signing Request (CSR) and continuously returned the original certificate, which wouldn't match the new keys generated by the second Puppet run. PUP-2958
Removing a user resource on Solaris 11 installations with home directory configurations
Previously, trying to remove a user resource on a Solaris 11 installation using a home directory configuration resulted in an error. PUP-9706
Hiera 3 lookups with convert_to
keys
If you used a Hiera 3 lookup
or Hiera handled an alias
and the key
was configured with convert_to
, you'd get an error: "undefined
method 'call_function' for Hiera::Scope
". PUP-9693
Perform string to integer conversions on decimal strings with leading zeros
Converting a decimal string with leading zeros – for example, Integer("08",
10)
– to an integer would result in an error. PUP-9689
puppet device
always initializes SSL directories with the
correct permissions
When initializing new device certificates, puppet device
would
sometimes set permissions in a way that prevented the pe-puppet
user from reading some directories. PUP-9642
The Windows package resource removes trailing whitespace
This release updates the Windows registry read
method to replace
null byte sequences with a space. This issue caused PuppetDB to discard updated facts from affected
nodes. PUP-9639
Puppet no longer upgrades Debian upgrade packages before setting them on hold
Prior to this release, if you set a Debian package on
hold with ensure => held
and the package had a pending upgrade,
Puppet installed the upgrade before locking the
package. PUP-9564
Disabled Ruby 2.5.1 automatic HTTP retry mechanism
This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the Puppet Server report processor. PUP-3905
System updates to Ruby in the Puppet agent conflicted with other software
This release fixes an issue where the gem update --system
command
used in the Puppet agent caused conflicts with
software that depends on gems in Puppet's vendored
Ruby directory, such as r10k. Now gem paths always contain the path for this
directory, even after updating. PA-2628
Dependency issues when installing tools that require gems
This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. If you tried to install tools that rely on gems such as Facter, Puppet and Hiera gem dependencies could not be referenced. PA-2670
Puppet 6.4.0
Released 26 March 2019
New features
HTTP certification requests
Debug: HTTP GET https://puppet.delivery.puppetlabs.net:8140/puppet/v3/file_metadatas/pluginfacts
returned 200 OK
PUP-8769
Debug logging for the exec
resource
This version introduces the following improvements to debug logging for the exec resource:
- Running the exec resource with --debug and --noop now prints a debug message with the command if checks prevent it from being executed. If command, onlyif, or unless are marked as sensitive, all commands are redacted from the log output. PUP-9357
- Puppet now gives a debug message when checking the existence of a file specified by creates. PUP-9511
New method: Puppet::FileSystem.replace_file
Use Puppet::FileSystem.replace_file
to replace a file. If a
mode
is specified, it will always be applied to the file.
Otherwise, if the file being replaced exists, its mode
will be
preserved. If the file doesn't exist, then the mode
will default to
0640
. This method supersedes
Puppet::Util.replace_file
, which will be deprecated in a future
release. PUP-9499
SSL Improvements
This version introduces several features to improve Puppet
agent's SSL subsystem, including the introduction of an SSL
state machine. PUP-9459
- Puppet no longer uses Puppet::SSL::Host. Puppet::SSL::Host will be deprecated in a future release. PUP-9459
- Puppet no longer saves its public key to disk, because the public key is derivable from its private key and is contained in its certificate. If you need to, you can extract the public key using openssl rsa -in $(puppet config print hostprivkey) -pubout. PUP-9459
- The puppet ssl, puppet device, and puppet agent applications are now the only applications that can initialize SSL. Puppet applications other than puppet agent, puppet device, and puppet ssl now raise an error if they attempt to make an SSL connection while the SSL bootstrap process is incomplete. PUP-9461 PUP-9459
- Added an API for loading certificates, keys, and certificate revocation lists (CRLs). PUP-9455
- Added an API for creating an SSLContext containing certificates and keys needed to make an SSL connection. PUP-9456
- Added a method to Puppet::Network::HttpPool to create an HTTPS connection using a specified SSLContext. PUP-9457
- Instead of using Puppet::SSL::Host, puppet ssl now uses an SSL state machine to download certificate authority (CA) and certificate revocation list (CRL) bundles. PUP-9458
- Puppet preserves existing user and group behavior when saving SSL-related files. PUP-9463
- The new puppet ssl bootstrap action submits a CSR and downloads the client certificate without running puppet agent -t. PUP-9556
SUSE Linux Enterprise Server support removed
This release of the puppet-agent
package removes support for SUSE Linux Enterprise Server 11/12 s390x. PA-2489
Resolved issues
Ruby security patch in puppet-agent
package
This puppet-agent
package release includes a security patch for Ruby 2.5.3. To learn more about the CVEs that this
patch addresses, see the Ruby
security advisories. PA-2512
Resolved SSL issues
Improvements in the SSL subsystem (PUP-9459) have resolved the following issues:
- Puppet no longer conditionally sends its certificate signing request (CSR) based on the presence or absence of the file on disk. Instead it generates and sends the CSR whenever it needs to check for a certificate. Puppet still saves the CSR to disk, but it never reads it back in. PUP-4568
- Puppet no longer downloads the CSR from the server, so it can never get into a state where it saves the wrong CSR to disk, causing it to be stuck. As a result, it's now possible to enable allow_duplicate_certs=true and have the agent submit a CSR with the same name as a previous instance of the node. The admin still needs to revoke the old cert and sign the new CSR in order for the agent to get its certificate. PUP-2354
- Puppet no longer uses the indirector to handle certificates or keys. PUP-6207
- Puppet was too permissive about skipping SSL verification if no client certificate was found. Puppet now never downgrades verification based on the absence of a client certificate. PUP-7295
- Mismatched certificates were cached on the host, causing Puppet to print an error on each run until an admin removed the files. If a client certificate, Certificate Authority (CA) bundle, or certificate revocation list (CRL) bundle are invalid, Puppet now discards them. PUP-7903
- The error message for a mismatched certificate name was not helpful. When a Puppet agent tries to connect to an SSL server where the certificate does not match the hostname it is trying to connect to, it now returns the expected error message. PUP-8213
- The Puppet agent was not verifying its peer in an SSL connection when downloading a CRL. Puppet now verifies the server's SSL certificate when retrieving a CRL. PUP-9142
filebucket
type server
and port
settings no longer have explicit defaults
For the filebucket
type, server
and
port
no longer have explicit default values in the type
definition. If server
is not set, it defaults to the first entry in
server_list
if set; otherwise, it defaults to
server
. If port
is not set, it defaults to the
port in the first entry of server_list
if set; otherwise, it
defaults to serverport
. PUP-9025
Custom functions can now be correctly called
This release fixes an issue where the call()
function could call
only functions that existed in Puppet core; custom
functions could not be called. Now any function in the environment is visible and
can be called. PUP-9477
Puppet agent now produces an error when a functional server is not found
If server_list
is set and a functional server is not found, Puppet returns an error rather than falling back to
the server
setting. PUP-9076
Optional
type without arguments no longer returns an error
Previously, if you used the type Optional
without any arguments, it
could result in an internal error. This is now fixed. On its own,
Optional
means the same as Any
. Supply a type
argument with the desired type if the value is not undef
. PUP-9467
Fixed remote MSI package installation on Windows
This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496
Puppet 6.3.0
Released 20 February 2019
New features
Corrective changes explicitly logged
Prior to this release, agent runs provided the same output for both intentional and corrective changes. Corrective changes are now explicitly called out in the logs as corrective. PUP-9324
New collections and index functions
This release adds group_by and partition functions that operate on collections. The group_by function is useful for separating targets into categories based on properties of those targets. The partition function allows you to use a Boolean condition to separate targets, which would otherwise take two opposite filter operations. PUP-9372
This release also adds an index()
function that can return the index
of a specified element in an Array, Hash, String, or other iterable value that is
either equal to a given value or for which a given lambda returns a truthy value.
PUP-9482
puppet-agent
package added for macOS 10.14 Mojave
This release adds a puppet-agent
package for macOS 10.14 Mojave.
On macOS 10.14 Mojave, you must grant Puppet Full Disk Access to be able to manage users and groups. To give Puppet access on a machine running macOS 10.14, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227
Resolved issues
Syntax errors on interpolated heredocs are resolved
Heredoc expressions with interpolation using an access expression such as
$facts['somefact']
sometimes failed with a syntax error. This
error was related to the relative location of the heredoc and surrounding whitespace
and is now resolved. PUP-9303
Restarting pxp-agent
service kills all processes when
restarted
This release modifies the pxp-agent
service to kill all
pxp-agent
processes when the service is restarted, rather than
only the current process. PCP-833
Custom functions can now be correctly called
This release fixes an issue where the call()
function could call
only functions that existed in Puppet core; custom
functions could not be called. Now any function in the environment is visible and
can be called. PUP-9477
Optional type without arguments no longer returns an error
Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Always supply a type argument with the desired type if the value is not undef. PUP-9467
Invalid path to --logdest
option was ignored
Now if you give a --logdest
location that Puppet cannot find or write to, the run fails with an
error. PUP-6571
Upstart provider evaluated during provider check instead of during loading
The upstart provider was being evaluated when loaded, causing issues with testing and availability during transactions. This has been fixed so that the provider is evaluated only when provider suitability is being checked. PUP-9336
Deprecations
Fine grained control of file and environment timeouts deprecated
Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrative API to expire the cache as needed. PUP-9497
SublocatedExpression
class
The AST SublocatedExpression
class is no longer generated by the
parser. The SublocatedExpression
class itself will be removed from
Puppet in a future release. PUP-9303
Puppet 6.2.0
Released 24 January 2019
New features
Improved support for Solaris
pkg
provider
This release adds support for install_options
for the
pkg
provider on Solaris. PUP-5287
puppet-agent
package available for Red Hat 8 beta
A puppet-agent
package is available for the beta release of Red Hat 8. Because this Red Hat version is a beta release, not all functions
are verified to work correctly. Do not use this version of
puppet-agent
in production.
Added protection against illegal methods in legacy functions
Puppet now protects against illegal method definitions in loaded legacy functions. Illegal methods in legacy functions disrupt the entire system and can cause difficult-to-diagnose issues. For information on how to remove such methods from legacy functions, see Refactoring legacy 3.x functions. PUP-9294
Puppet logs JSON in newline-delimited format
For newline-delimited JSON logs, set the logdest setting or command line option to an absolute path ending with the .jsonl extension, such as puppet agent --logdest /var/log/puppet.jsonl. This is preferable to the JSON format, because the log generated in that format is not valid JSON and requires an appended closing ] to make it valid. PUP-8687
Fedora 27 puppet-agent
package no longer available
Fedora 27 reached end of life in November 2018. Updated puppet-agent
packages for this version are no longer available.
Resolved issues
Fix for specifying package versions in portage
provider
Prior to this release, you could not specify package versions when managing packages
with the portage
package provider. The provider now accepts and
honors a version string for managing packages. PUP-9071
Exceptions encountered during resource pre-fetch are logged
If the Puppet agent encounters exceptions when pre-fetching resources for catalog application, it now logs the exceptions and returns a more useful error message. PUP-8962
Puppet commands fail if the
puppet.conf
file is unreadable
Puppet commands now fail if Puppet Server is unable to read the
puppet.conf
file. Only the --help
and --version
commands work if
the puppet.conf
file is unreadable. PUP-5575
Improved error handling for PNTransformer
When parsing Puppet into structured AST, the Puppet parser produced an error on some empty constructs because the PNTransformer could not resolve them. Now it generates a Nop expression instead. PUP-9400
Failed dependency resources are reported only once
After a failed resource has been reported, other resources that depend on the failed resource will not be reported again. However, you still get the skip message for each skipped resource. PUP-6562
Command line module installation improved
The puppet module install
command now downloads only the release
metadata it needs to perform dependency resolution, drastically reducing data
download and improving installation time. For the puppetlabs-stdlib
module, this change reduces the data download from 25MB to 68KB, and any module that
depends on stdlib
installs faster. PUP-9364
Puppet no longer ignores the
srv_domain
setting
This release fixes an issue where Puppet 6.0 ignored
the srv_domain
setting when using DNS SRV records to connect to the
ca_server
. PUP-9399
Puppet 6.1.0
Released 18 December 2018
New features
Package provider included in puppet resource
default
output
The puppet resource <package-name>
command now includes the
package provider as part of its output.
Clean certificates for remote nodes
The puppet ssl clean
command now accepts a --target CERTNAME
parameter to clean certificates for
remote nodes configured through device.conf
. PUP-9248
puppet-agent
package available for Fedora 29
A puppet-agent
package is now available for Fedora 29.
The systemd provider checks for new and changed units
When Puppet starts or restarts a service, the systemd
provider checks to see whether the service
requires a daemon reload, and reloads the systemd daemon if necessary. This ensures
the service runs with the latest configuration on disk. PUP-3483
New service timeout
parameter for Windows
On Windows systems, you can now specify a service
timeout
parameter that configures how long, in
seconds, Puppet should wait when syncing service
properties. PUP-9132
service { "service-name":
enable => true,
ensure => running,
timeout => 45
}
Format strings with double quotes
You can now force strings to have double quotes when formatting strings with the
String.new
function. Previously, this function
dynamically determined whether to use single quotes or double quotes for the
string.
To force double quotes, specify the alternative format flag #
when you specify the string format. PUP-9344
Service support for systemd on Linux Mint 18 and newer
This release adds support for services on Linux Mint 18 and newer, which use the init systemd instead of upstart for services. PUP-9326
Parser validation finds and reports syntax issues in heredocs
Heredoc syntax checking is now performed during validation, unless the heredoc contains any interpolated expressions. This includes manifest and EPP template syntax checks. Heredocs with interpolation are checked during evaluation. Prior to this release, heredoc syntax checks were run only during evaluation.
By default, heredocs are treated as text unless otherwise specified with the
end-of-text tag, such as @(EOT:json)
, @(EOT:pp)
, or @(EOT:epp)
. To check syntax in heredocs, run puppet
parser validate
. PUP-9257
Resolved issues
Improved handling of incompletely configured services
Puppet now treats incomplete services the same way as nonexistent services, returning enabled => false and ensure => :stopped in either case. If you try to set ensure => running or enabled => true on an incomplete or nonexistent service, Puppet raises an error. PUP-9240
Refreshed resource status now included in event report
This release fixes an issue where refreshed resources, such as reboot or some execs, did not create a status event in the event report. PUP-9339
Catalog compilation error fixed
When compiling a catalog, Puppet sometimes raised the error "Attempt to redefine entity." This issue has been fixed with an update to the internal logic. PUP-8002
The exec provider supports empty environment variables
Prior to this release, the exec provider did not support empty environment variables. If an empty environment variable is set on the system, Puppet temporarily overwrites it during execution. PUP-1209
Puppet recognizes tmpfs
support for SELinux labels
SELinux utilities within the Puppet codebase now
recognize that the tmpfs
supports extended
attributes and SELinux labels. The query selinux_label_support?
returns true
for a file mounted on tmpfs
. PUP-9330
Fixed recognition of short form Arrays and Hashes
This release fixes a regression in the string formatting rules that caused a short form for an Array or Hash to not be recognized. For example, String([1,[2,3],4], '%#a') would not format with indentation, but the long form String([1,[2,3],4], {Array => { format => '%#a'}}) would. Now the short form works for Array and Hash as intended. PUP-9329
puppet ssl clean
now deletes local certificate
requests
This release fixes an issue where the puppet ssl
clean
command did not correctly delete local certificate requests.
PUP-9327
Resolved Timestamp
and Timespan
data type errors
Prior to this release, the data types Timestamp and Timespan raised errors if a time range was specified with Integer or Float values. These data types now support time ranges specified with these values. PUP-9310
Puppet 6.0.0
Released 18 September 2018
New features
Select types moved to modules
In this release, many types were moved out of the Puppet codebase (stdlib), and into modules on the Forge. This change enables easier composability and reusability of the Puppet codebase and enables development to proceed more quickly without risk of destabilizing the rest of Puppet. Some types are now in supported modules and are repackaged back into the agent. Some are now in modules that are updated, but are not repackaged into the agent. And some are in modules that are deprecated, not updated, and not repackaged back into the agent.
undef
values
more strictly than their stdlib counterparts. Code that relies on undef
values being implicitly treated as other types
will return an evaluation error. See the Resource Type Reference for the full list and links to the Forge modules for those types that moved.
Resource API
Resource API has been added, providing a new, recommended method to create custom types and providers. The Resource API is built on top of the Puppet core and is easier, faster, and safer than the old types and providers method. See the Resource API documentation for more information.
Upgrade to Ruby 2.3 or later
Puppet now requires Ruby 2.3 or later, and reports an error when running older Ruby versions. We removed code paths for older Ruby support, such as 1.8.7, relaxed our gem dependencies to include gems that require Ruby 2 or up, and now test Puppet pull requests against JRuby 9k. PUP-6893, PUP-8483, PUP-8484
puppetserver ca
command
The new puppetserver ca
command replaces the puppet cert
command. Running the puppet cert
command results in an error, with instructions on
alternative commands to use. Some actions (fingerprint
, print
) have not been
directly replaced, because OpenSSL provides good equivalents. For verifying
certificates, use puppet ssl verify
. For more usage
details, see the intermediate CA documentation. PUP-9022
node clean
uses the Puppet Server CA API
The puppet node clean
command now goes through the
Puppet Server CA API to clean up certificates for a
given node. This avoids issues where multiple entities attempt to revoke certs at
once, because all of these updates are now funneled through the API, which handles
concurrent requests correctly. See SERVER-115 and PUP-9108 for more information.
Agents can use CA and CRL bundles
The agent now correctly saves and loads chained SSL certificates and certificate revocation lists when in an environment where its certificates are issued by Puppet acting as an intermediate CA. PUP-8652
Load files from pluginsync
during catalog
application
Use the Deferred
data type in a catalog to call
functions on the agent before the catalog is applied. It is now possible to call all
functions implemented in Ruby on the agent side. It
is not possible to call functions written in the Puppet language, as they are not available on the agent. PUP-9035
puppet ssl
subcommand
There is a new Puppet subcommand for working with SSL
certificates. The puppet ssl
command supports the
submit_request
, download_cert
, and verify
actions for
working with SSL certificates on the agent. PUP-9028
File requirements included in task infoservice files responses
When requesting task details, the primary server now returns a list of all files from
the tasks metadata files
and implementations['files']
keys. PUP-9081
Devuan default service provider
The Devuan service provider now defaults to the Debian init provider. PUP-9048
apply
statement in plan language
An apply
keyword has been added to the Puppet parser when running with tasks enabled. See
Puppet specifications for details. PUP-8977
Updated default input_method
for task object
type
The input_method
property of tasks now defaults to
undef
rather than the string both
. This allows more flexibility in defaults and what
input_methods
we choose to support in the
future. PUP-8898
convert_to()
function accepts additional
arguments
convert_to()
function now accepts additional
arguments. Previously, it accepted only the data type to convert to. PUP-8761
compare function
A compare(a,b) function has been added. It returns -1, 0, or 1 depending on if a is before b, same as b, or after b. The function works with the comparable types: String, Numeric, Semver, Timestamp, and Timespan. For String comparison it is possible to ignore or take case into account. PUP-8693
Deferred data type
A new data type Deferred
has been added. It is used
to describe a function call that can be invoked at a later point in time. PUP-8635
Call function resolves Deferred
values
It is now possible to resolve a Deferred
value by
using the call
function. It can resolve a deferred
function call, and a deferred
variable dereference (with support to dig
into a structured value). PUP-8641
Concatenate with + on Binary type
It is now possible to use the plus operator + to concatenate two Binary data type values. (PUP-8605)
The sort() function has been moved from stdlib to Puppet. The function now also accepts a lambda for the purpose of using a custom compare. PUP-8622
Select string functions moved from stdlib to Puppet
The functions upcase(), downcase(), capitalize(), camelcase(), lstrip(), rstrip(), strip(), chop(), chomp(), and size() have been updated to the modern function API and the new versions are in Puppet and no longer require stdlib. The functions are generally backward compatible. PUP-8604
Select math functions moved from stdlib to Puppet
The math functions abs, ceil, floor, round, min, and max are now available in Puppet. The functions are compatible with the functions with the same name in stdlib, with the added feature in min and max of calling them with a single array and being able to use a lambda with a custom compare. These stdlib math functions used inconsistent string to numeric conversions that were also unintentionally making the functions compare values in strange ways. The automatic conversions are now deprecated and will issue a warning. PUP-8603
Agent support for rich data content negotiation
The rich_data
setting is now enabled by default.
Catalog requests have two new content types, application/vnd.puppet.rich+json
and application/vnd.puppet.rich+msgpack
, that are used when both primary
server and agent have this enabled (and depending on whether preferred_serialization_format
is json
or msgpack
). PUP-8601
vendor_modules
added to basemodulepath
The default basemodulepath
now includes a vendored
modules directory, which enables Puppet to load
modules that are vendored in the puppet-agent package. To prevent Puppet from loading modules from this directory,
change the basemodulepath
back to its previous
value, for example, on *nix: $codedir/modules:/opt/puppetlabs/puppet/modules
. On Windows: $codedir/modules
. PUP-8582
environment.conf
modulepath
accepts globs
The modulepath
as defined in environment.conf
can now accept globs in the path name. PUP-8556
Customize default package providers
This change adds a notdefaultfor
that prevents a
provider from being a default for a given set of facts. notdefaultfor
overrides any defaultfor
and should be defined more narrowly. PUP-8552
Define properties or parameters for types as sensitive
Parameters can now be marked sensitive at the class level rather than just the instance level. PUP-8514
Update default provider for Ubuntu
SystemD is now the default provider for Ubuntu 17.04 and 17.10. PUP-8495
Functions to use dot notation to dig into a hash or array
It is now possible to use dot notation to dig out a value from a structure, like in
Hiera lookup and elsewhere in Puppet. To support this, the getvar()
function has moved from stdlib
to Puppet, and we have added a
new function get()
. You can now for example use
getvar('facts.os.family')
starting with the
variable name. The get
function is the general
function which takes a value and a dot-notation string. PUP-7822
Puppet 4.x functions available to all modules
It is no longer required to have a dependency listed in a module’s metadata.json
on another module in order to use
functions or data types from the other module. PUP-6964
Updated addressable Ruby gem
Updated the version of the addressable Ruby gem now that JRuby 1.9.3 support has been removed. PUP-6894
Undeprecated certificate authority settings
Settings related to certificate authorities are no longer being deprecated as planned in PUP-9027. Warnings related to these planned deprecations have been removed. PUP-9116
Resolved issues
Reported events didn't stringify rich data
With rich data turned on for a catalog (now the default), a report could contain rich data in reported events, but nothing downstream from the agent was prepared to handle rich data. This is now fixed so that data in reported events are stringified when needed. PUP-9093
Illegal top-level constructs didn't produce an appropriate error
The deprecation for illegal top-level constructs is now an error. PUP-9091
__ptype
and __pvalue
were allowed as
attribute names
Attempting to use the reserved attribute names __ptype and __pvalue in custom Object data types now raises an error instead of producing a bad result when serializing such objects. PUP-9079
A hash containing the key __ptype
couldn't be serialized using
human-readable JSON
It was not possible to use a hash key __pcore_type
in a hash because that
triggered the special handling during serialization. Now,
the special key has changed to __ptype
and it is not possible to also
use that as a key in a hash and still be able to serialize
it, such as using it in a catalog. PUP-8976
Status endpoint wasn't used to determine if Puppet Server was available
When the agent is configured with a list of servers (using server_list
), it now
requests server status from the status
endpoint instead of the node
endpoint. PUP-8967
Selmodule
thought 'foo'
existed if 'myfoo' was loaded
The selmodule
type is more strict
about checking if a module has already been loaded, and no
longer considers modules such as "bar" and "foobar" to be
the same module. PUP-8943
Resource status of failed_to_restart
wasn't included in
reports
Puppet considers resources
that have failed to restart when notified from another
resource as failed, and marks them as such in reports.
Reports also now include the failed_to_restart
status for individual
resources, instead of only including a total count of
failed_to_restart
resources in the resource metrics section. This bumps the
report format version to 10. PUP-8908
File type wasn't redefined when required in code
Fixed an issue running in JRuby where we didn’t store autoloaded paths in the same way that the JRuby implementation did, leading to a bug where a type or provider could get loaded more than once. PUP-8733
Puppet lost track of the current environment
Puppet autoloader methods now require a non-nil environment. This is a breaking API change, but does not affect any user extensions like 3x functions. Puppet sometimes used the configured environment instead of the current environment to autoload. This mainly affected agents when loading provider features. Calling Puppet::Parser::Functions.autoloader.load* methods is deprecated, and issues a warning if strict mode is set to warning or error. Instead use Scope#call_function("myfunction") to call other functions from within a function. PUP-8696
Comparison of numeric to timestamp or timespan failed
When comparing numeric to timestamp or timespan it did not work to compare with the numeric value first. This is now fixed. PUP-8694
http_read_timeout
and
runtimeout
defaults were limited
The http_read_timeout
default
changed from infinite to 10 minutes. This prevents the agent
from hanging if there are network disruptions after the
agent has sent an HTTP request and is waiting for a response
that might never arrive. Similarly, the runtimeout
default also
changed from infinite to 1 hour. PUP-8683
tidy
resource was too
chatty
The tidy
resource type now uses the
debug log level for its File does not exist
message, instead of the info level. This means that
resources of this type will no longer emit the message by
default when the target of the resource has already been
cleaned from disk. PUP-8667
Agents didn't use the CRL bundle to verify primary server revocation status
With this change, if the user has distributed the CRL chain out-of-band, then the agent successfully loads it and uses it to verify its connection to other Puppet infrastructure (for example, the primary server). It expects the CRL chain to be one or more PEM-encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat in Puppet 5. PUP-8656
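The bundle format described above (PEM-encoded CRLs concatenated together) can be split and checked as in the following added example, which is not Puppet's own code. The CA names, serial numbers and helper names are constructed for illustration. Each CRL is accepted only if its signature verifies against the trusted CA that has the same subject and it has not passed its next update time.

```ruby
require 'openssl'

DIGEST = 'SHA256'
CRL_BLOCK = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m

# Constructed test PKI: issue a certificate (self-signed when no issuer is given).
def issue_cert(cn, serial, key, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new(DIGEST))
  cert
end

# Constructed test PKI: a CRL naming ca_cert as issuer, signed with signing_key.
def issue_crl(ca_cert, signing_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 60
    crl.add_revoked(entry)
  end
  crl.sign(signing_key, OpenSSL::Digest.new(DIGEST))
  crl
end

# Split a bundle of concatenated PEM CRLs into CRL objects.
def load_crl_bundle(pem)
  pem.scan(CRL_BLOCK).map { |block| OpenSSL::X509::CRL.new(block) }
end

def signed_by?(crl, ca_cert)
  crl.verify(ca_cert.public_key)
rescue OpenSSL::X509::CRLError
  false
end

# Keep only CRLs that a trusted CA with the matching subject actually signed
# and that are still current.
def trusted_crls(bundle_pem, ca_certs, now = Time.now)
  load_crl_bundle(bundle_pem).select do |crl|
    ca = ca_certs.find { |c| c.subject.to_der == crl.issuer.to_der }
    ca && signed_by?(crl, ca) && crl.next_update > now
  end
end

# :revoked, :good, or :unknown when no trustworthy CRL covers the cert's issuer.
def revocation_status(cert, bundle_pem, ca_certs)
  crl = trusted_crls(bundle_pem, ca_certs).find do |c|
    c.issuer.to_der == cert.issuer.to_der
  end
  return :unknown unless crl
  crl.revoked.any? { |e| e.serial.to_i == cert.serial.to_i } ? :revoked : :good
end

def demo
  root_key, int_key, leaf_key, rogue_key =
    Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue_cert('Constructed Root CA', 1, root_key)
  inter = issue_cert('Constructed Intermediate CA', 2, int_key, root, root_key)
  server = issue_cert('server.example.test', 7, leaf_key, inter, int_key)
  agent  = issue_cert('agent.example.test', 8, leaf_key, inter, int_key)
  root_crl = issue_crl(root, root_key, []).to_pem
  bundle = issue_crl(inter, int_key, [7]).to_pem + root_crl
  # Same issuer name, but signed with a key the intermediate CA does not hold.
  forged = issue_crl(inter, rogue_key, []).to_pem + root_crl
  cas = [root, inter]
  {
    crl_count: load_crl_bundle(bundle).size,
    revoked: revocation_status(server, bundle, cas),
    good: revocation_status(agent, bundle, cas),
    forged: revocation_status(server, forged, cas)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

A caller that gets :unknown has no trustworthy revocation data for that issuer and should treat the connection accordingly rather than assume the certificate is good.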
Puppet 5 and Ruby 2.4 couldn't handle invalid plists
When processing malformed plist files, we used to use /dev/stdout, which can cause Ruby to complain. We now use - instead, which means to use stdout when processing the plist file with plutil. PUP-8545
White space surrounding comments in EPP were handled incorrectly
EPP comments <%# Like this %> always trimmed preceding whitespace. This is different from ERB, making it more difficult to migrate ERB templates to EPP. There was also no way of making EPP preserve those spaces. Now, an EPP comment does not trim preceding whitespace by default, and a new left trimming tag <%#- has been added. This is a backwards incompatibility in that code such as "Before <%# comment %>after" resulted in the string "Beforeafter", whereas now it will be "Before after". PUP-8476
filter
function didn't
accept truthy values
The filter function did not accept a truthy value returned from the block as an indication of values to include in the result. Only exactly Boolean true was accepted. PUP-8320
Unsafe YAML data could be loaded
Puppet now uses YAML.safe_load
consistently to ensure only known classes are loaded. PUP-7834
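What the restriction to known classes means in practice is shown in the following added example, which uses Ruby's standard YAML library and is not Puppet's own code. The CachedNode class and the sample documents are constructed for illustration.

```ruby
require 'yaml'

# Hypothetical application class, standing in for any Ruby class that a
# document could name in a !ruby/object tag.
class CachedNode
  attr_accessor :name
end

# Constructed sample documents.
PLAIN_DOC  = "---\nserver: puppet.example.test\nport: 8140\n"
TAGGED_DOC = "--- !ruby/object:CachedNode\nname: agent01.example.test\n"
SYMBOL_DOC = "---\nlevel: :debug\n"

# Unrestricted load: the document decides which classes get instantiated.
# Newer Psych versions expose this as unsafe_load; older ones as plain load.
def load_unrestricted(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted load: only basic types plus the explicitly permitted classes
# are built; anything else is reported instead of instantiated.
def load_restricted(doc, permitted_classes: [])
  [:ok, YAML.safe_load(doc, permitted_classes: permitted_classes)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
end

if $PROGRAM_NAME == __FILE__
  puts load_unrestricted(TAGGED_DOC).class
  puts load_restricted(TAGGED_DOC).inspect
  puts load_restricted(PLAIN_DOC).inspect
  puts load_restricted(SYMBOL_DOC, permitted_classes: [Symbol]).inspect
end
```

Keeping the permitted list as short as the data format allows is the point of the restriction: every class added to it is a class that file content can cause to be built.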
Gemfile didn't support consuming the Puppet gem via a Git reference
Restructured the Puppet Gemfile so that bundler installs Puppet’s runtime, feature-related, and test dependencies by default. The development and documentation groups can be installed using: bundle install --with development documentation. PUP-7433
metrics.time.total
didn't
correlate to time reported in log
Total time now reports the measured time of the run instead of a sum of other run times. PUP-6344
Features weren't re-evaluated when a block was used
Puppet.features.add(:my_feature) do require 'mylib' end and Puppet.features.add(:my_feature, libs: ['my_lib'])
Previously the result of the block was always cached. With this change only true or false return values are cached. To indicate that the state of the feature is unknown and may become available later, the block returns nil. PUP-5985
Manifests that declared things in the wrong namespace didn't trigger errors
Errors will be reported for module files declarations that have a namespace inconsistent with their directory and file location. PUP-4242
Invalid .dot
files were
generated by missing escapes of quoted strings
Generating graphs of catalogs (such as puppet apply --graph
) now correctly
handles resources with double quotes in the title. PUP-2838
Outdated vendored semantic_puppet gem
We have updated the vendored semantic_puppet gem in the puppet-agent package to the most recent version, 1.0.2. PA-1881
Deprecations
Certificate authority subcommands and v1 CA HTTP API
Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998
As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650
Ruby certificate authority
Puppet no longer has a Ruby CA. All CA actions now rely entirely on the
Clojure implementation in Puppet Server. It can be
interacted with by means of the CA API and the puppetserver
ca
command, which leverages the API using subcommands like those
provided by puppet cert
. PUP-8912
Trusted server facts
Trusted server facts are always enabled and the trusted_server_facts
setting has been deprecated since 5.0. This
removes the setting and conditional logic. PUP-8530
write_only_yaml
node terminus
The write_only_yaml
node terminus was used to
“determine the list of nodes that the primary server knows about” and predated
widespread PuppetDB adoption. The write_only_yaml
has been deprecated since 4.10.5, and
this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a
compile. PUP-8528
LDAP node terminus
The LDAP node terminus has been removed. PUP-7601
computer
, macauthorization
, and mcx
types and
providers
The computer
, macauthorization
, and mcx
types and
providers have been moved to the macdslocal_core
module. It is not
repackaged into puppet-agent
in the 6.0 series.
Nagios types
The Nagios types no longer ship with Puppet, and are
now available as the puppetlabs/nagios_core
module from the Forge.
Cisco network devices
The Cisco network device types no longer ship with Puppet. These types and providers have been
deprecated in favor of the puppetlabs/cisco_ios
module, which is available on the Forge. PUP-8575
:undef
in types and providers
In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply, types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a primary server, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112
puppet module build
command
To reduce the amount of developer tooling installed on all agents, this version of
puppet removes the puppet module build
command. To
continue building module packages for the Forge and
other repositories, install Puppet
Development Kit (PDK). PUP-8763
pcore_type
and pcore_value
The earlier experimental --rich_data format used the tags pcore_type and pcore_value; these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations, you need to change them or write them again with the updated version. PUP-8597
Webrick
Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591
puppet server
command
The puppet server
command and its subcommands have
been removed. Instead, use a puppet-config
command.
PE-24280
--strict flag in puppet module command
The --strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558
Select settings
- The previously deprecated configtimeout setting has been removed in favor of the http_connect_timeout and http_read_timeout settings. PUP-8534
- The unused ignorecache setting has been removed. PUP-8533
- The previously deprecated pluginsync setting has now been removed. The agent’s pluginsync behavior is controlled based on whether it is using a cached catalog or not. PUP-8532
- The deprecated app_management setting has now been removed. Previously, this setting was ignored, and always treated as though it was set to be on. PUP-8531
- The deprecated ordering setting has been removed, and catalogs now always have the ordering previously provided by the manifest value of this setting. PUP-6165
- Settings related to the rack webserver from Puppet, including binaddress and serverhttplog. PUP-3658
String duplication in 3x runtime converter
Types and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values and any type or provider that directly mutates a resource parameter might fail. Previously, every resource attribute was copied so that the application did not break even if a type or provider mutated it. Look for use of gsub! in your modules and replace the logic with a non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141
Puppet.newtype
method
The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. (PUP-7078)
Certificate handling commands deprecated but not removed
- ca_name
- cadir
- cacert
- cakey
- capub
- cacrl
- caprivatedir
- csrdir
- signeddir
- capass
- serial
- autosign
- allow_duplicate_certs
- ca_ttl
- cert_inventory