Puppet release notes

Extend Package Source to include HTTP Urls (Windows)

package { 'mysql': 
ensure => '5.5.16', 
source => 'https://example.com/packages/mysql-5.5.16-winx64.exe’, 
install_options => ['INSTALLDIR=C:\mysql-5.5'], 
}

Bump to openssl-fips-1.1.1k-6

Updated openssl-fips on Red Hat to 1.1.1k-6. PA-4498

Update puppet-ca-bundle

Updated root certificate authority bundle included with puppet-agent. PA-4496

Support for macOS 12 (M1)

This release adds support for macOS 12 (M1). PA-4457

Support for Windows 11 Enterprise (x86_64)

This release adds support for Windows 11 Enterprise (x86_64). PA-4249

Support for Ubuntu 22.04 (x86_64)

This release adds support for Ubuntu 22.04 (x86_64). PA-4233

Puppet::HTTP::Client cannot connect to a server requiring client cert authentication and whose server cert is issued by a CA in the ssl_trust_store

Puppet's http client can now establish a mutually authenticated TLS connection when passing include_system_store: true such as when retrieving file content from HTTPS servers. Previously puppet did not add its client certificate to the SSL context, so the connection would fail if the HTTPS server required a client certificate. PUP-11522

Legacy function error does not include the source ref

If a 3x function produces an error, the error message now includes the path to the file in which the function is defined. Contributed by Puppet community member lollipopman. PUP-11472

puppetserver_gem doesn't install gems when they are loaded by Facter

Fixed a bug that prevented the puppetserver_gem provider from managing gems that were first loaded by Facter. PUP-11452

Puppet Agent does not automatically refresh CRLs on crl_refresh_interval

Puppet Agent now reloads its CA and CRL bundles every 30 minutes during each run. Previously it only loaded it when the process started, which meant the service had to be restarted if the CA/CRL files changed on disk. PUP-11428

Puppet agent --disable is ignored with cron puppet agent (splay).

Puppet agent now checks the disabled lock file after sleeping due to splay. PUP-9998

puppet-cacerts keystore is missing on Red Hat 9, SLES 15 and Ubuntu 20.04

If Puppet agent is installed, there is a java keystore file. PA-4440

Removed EOL operating system support

This release removes support for the following operating systems: Fedora 32, CentOS 8, Ubuntu 16.04. PA-4328

Update puppet runtime's curl to 7.83.1

Updated runtime to fix CVE-2022-22576, CVE-2022-27774, and CVE-2022-27776. PA-4472

Allow Puppet::HTTP::Client to connect to trusted server using the puppet certificate for client authentication

You can now specify an https URL as the source of a file resource when the TLS server requires a client certificate for authentication. PUP-11471

Ruby security fix

Applied patch for security vulnerability in Ruby 2.5.9 (CVE-2022-28739). PA-4364

Puppet::Util::Windows is undefined on non-Windows platforms

Fixed a bug that prevented pdk unit tests from working when trying to test a resource with a Windows provider, such as "service" resources. PUP-11459

No option to fail fast when agent-specified environment does not exist

When using strict_environment_mode=true, a run now fails early if the requested environment does not exist on the server, or if the server does not allow the agent to specify its own environment. PUP-11440

puppet lookup fails to interpolate topscope variables when an environment is specified

Fixed an issue where Puppet 6.26 and 7.14 failed to resolve toplevel facts in hiera configs when using the --environment option for puppet lookup. PUP-11437

Rspec tests with custom facts fail on some modules

This release fixes an issue where rspec module tests would compile with the runner node’s facts instead of using the custom facts supplied by the test. PUP-11435

Nokogiri upgrade for macOS

Upgraded nokogiri gem to 1.13.2 on macOS due to upstream security fix. PA-4323

Some gemspecs are missing from puppet-agent MSI

On Windows, it is now possible to install a gem that has a dependency on Facter or Hiera into Puppet's vendored ruby. PA-4313

ENC-enforced environment bypass for lookup

You can now bypass the ENC-enforced environment when performing a lookup. To bypass the enforced environment, use lookup with the --environment option to specify the desired environment. Puppet always uses the environment you specified regardless of the ENC-enforced environment. PUP-7479

Support for RHEL 9

This release includes support for Red Hat Enterprise Linux (RHEL) 9. PUP-11364

Support for Windows Server 2022(x86_64)

Failures when using purge_ssh_keys

Puppet no longer fails when using purge_ssh_keys if the user's home directory doesn't exist yet. PUP-11380

Puppet::FileSystem.chmod does not validate its arguments

Puppet::FileSystem.chmod now validates its arguments like other methods. PUP-11345

Warning: #<Puppet::Transaction::Persistence after upgrading to Puppet agent 6.25.0

Fixes a regression introduced in 6.25.0 and 7.10.0 that caused a Puppet::Transaction::Persistence warning during each agent run. PUP-11321

User resource tries to create rather than modify users created by a utility

This release moves the ssh_authorized_key resource's creation to the end of the user type flow, after all user properties and parameters were resolved, to avoid order dependency errors. PUP-11320

Puppet code merger using incorrect command

Reduces memory usage when parsing manifests. PUP-11318

Failure when using the names "apply" and "plan" within an apply() block in a plan

The names "apply" and "plan" can now be used as resource parameter names in all cases. Previously, using them within an apply() block in a plan would fail. PUP-11315

Puppet attempts to execute directories from /etc/init.d/

Prevents Puppet from considering directories from /etc/init.d/ as services. PUP-11313

High memory consumption from lib/puppet/pops/parser/lexer2.rb

Reduced lexer2 memory usage. PUP-11236

versioncmp() treats 11.0 as greater than 11

versioncmp() now strips redundant numbers. PUP-11235

puppet lookup --facts {filename} fails if filename does not contain a dot

Before this release, puppet lookup --facts {filename} failed early when the filename given did not contain a dot. This fix removes the early extensions check and adds a fallback instead: tries both formats (JSON then YAML) to read the given facts file when its path doesn't end with any of the expected extensions (yaml/yml/json). Otherwise, it follows previous implementation and respects the given extension. PUP-11204

Facts provided in a file cannot be used for classification

Fixed a bug where facts provided in a file were not being merged with the facts used for classification. This is because Puppet collected and merged the said facts after the classification happened. To fix this, we ensured that Puppet resolves the facts being used for classification before the node request. PUP-10435

Inconsistent handling of trusted facts in the lookup CLI

When using puppet lookup with --facts, if the facts file overrides any of hostname, domain, fqdn, clientcert, then it must override all of them. Also, if a value for certname is provided in a fact file for the lookup application, use it when creating the trusted information object. This makes it possible to override trusted.certname for classification. PUP-8220

Lookup ignores environment from the classifier when using a rule with trusted facts

Fixed an issue where trusted facts could not be used as rules for classification. This was fixed by gathering the trusted facts from the PuppetDB query result, and overriding the trusted facts context. PUP-8094

Misleading results when using --node flag in puppet lookup

Fixed an issue where puppet lookup would result in misleading results when using the --node flag. This happened because there can be cases where the target node does not have any facts cached. To avoid this, the fix implemented checks for the node facts/facts given in a fact file, and if it doesn't find any it raises an error. PUP-7362

Puppet could not retrieve attributes from fifo and socket files

This release allows Puppet to retrieve attributes for fifo and socket files and manage them when the given manifest has a file resource which is recursing over a given path. PUP-4045

Puppet hangs trying to replace a FIFO

Puppet no longer hangs when trying to replace a fifo with a file, directory or symlink. PUP-1460

Puppet uses deprecated psych features

Puppet is now compatible with psych 4.0. PUP-11405

Agent no longer calls the Puppet::Node terminus to resolve the environment during the run

Introduced a Puppet setting use_last_environment=true|false and a corresponding puppet agent -t --no-use_last_environment boolean command line option that forces the agent to make a node request like it did prior to 7.12 and 6.25. By default, the agent does not make a node request. PUP-11379

Puppet user and service resources are slow on Mac OS X

Managing users and services on macOS is much faster. PUP-11332

Puppet::Node#environment_name may return the wrong value

Puppet::Node#environment_name now always returns the symbolic name of the environment (if one has been set on the node). PUP-11330

Puppet lookups failed due to missing certificates

The puppet lookup command now works if the agent does not have certificates available locally. PUP-11402

The generate types command does not handle errors correctly

If the generate types command failed to generate a custom type, it logged an error and returned a 0 exit code instead of failing. The command now correctly fails with a non-zero exit code if the command cannot generate a type. PUP-11078

Bump Ruby date gem

We've bumped the date gem in our vendored Ruby to fix a vulnerability. PA-4131

Faster iterative functions

This release speeds up the amount of time it takes to type check arguments passed to blocks of iterative functions, such as reduce and merge. PUP-9561

Puppet can leak credentials when following HTTP redirects

Previously, Puppet followed HTTP redirects, the Authentication and Cookie headers were passed to different hosts, which could leak sensitive information. Now the Authentication and Cookie headers are only sent when redirecting to the same hosts. This fixes CVE-2021-27023. PUP-11188

Puppet agent silently skips unknown resources

Puppet gem and rspec-puppet failures

This release moves the DEFAULT_TIMEOUT constant from lib/puppet/util/windows/service.rb to lib/puppet/util/windows.rb in a non-OS guarded code area. This change avoids uninitialized constant errors when compiling catalogs on non-Windows operating systems. PUP-11319

Puppet agent downloads all plugins after updating

Puppet 6.25.0 and 7.12.0 introduced a regression which caused a newly upgraded agent to download all of its plugins. Now the agent performs a single node request to resynchronize its environment with the server. PUP-11328

The write-catalog-summary setting

This release adds the write_catalog_summary setting to control whether the resources.txt and classes.txt files are written to disk after applying a catalog. By default, puppet agent and puppet apply behave the same as before — puppet agent writes the files, and puppet apply does not. PUP-1042

Support for Ubuntu 18.04 (aarch64)

This release adds support for Ubuntu 18.04 (aarch64). PUP-11162

Support for AlmaLinux 8 (x86_64)

This release adds support for AlmaLinux 8 (x86_64). PUP-11242

Support for Rocky Linux 8 (x86_64)

This release adds support for Rocky Linux 8 (x86_64). PUP-11231

Puppet module type scripts directory

This release adds a new scripts/ subdirectory to the module class. It automatically generates the scripts?(), scripts(), and script() functions in the class for retrieving the available scripts. This helps to standardize specific file loading from either the files directory or scripts directory in a module. PUP-11165

Lower memory consumption in Ruby files

This release lowers memory consumption by 10%. This is achieved by freezing string literals in Ruby classes with high memory consumption. PUP-11232

Facter.value replaced by Puppet.runtime[:facter]

This release replaces calls to Facter.value with calls to Puppet.runtime[:facter], and removes require 'facter' statements. PUP-11217

Support for multiple Facter implementations

You can now register a Facter implementation when initializing Puppet via the Puppet.initialize_settings method. PUP-11216

Load Task files from scripts

Tasks can now load files from the scripts mount. PUP-11200

onlyif and unless in --noop documented

This release documents the noop behavior of the onlyif and unless parameters of the exec resource. PUP-11199

Scripts file serving mount

When using Puppet APIs to load file content and metadata, you can access files in the scripts/ directory of a module using the scripts file mount. PUP-11187

RHEL9 support for services

The launchd service provider fails if a parsable but invalid LaunchAgent or LaunchDaemon plist file exists

Cleaned up ext/ directory

This release removes unused files from the ext/ directory used by upstream Linux and Solaris packages. PUP-10685

Option to enable long filename support in the Windows MSI installer

OpenSSL updates

• On Windows 2012 FIPS (x64), OpenSSL 1.0.2 has been patched for CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841 and CVE-2021-3712 - PA-3976

• On redhatfips-7-x86_64 RedHat 7 FIPS (x64), OpenSSL has been bumped to 1.1.1k and patched for CVE-2021-3712 and CVE-2021-3711 - PA-3974

Support for Fedora 30 (x86_64) removed

This release removes support for Fedora 30 (x86_64). PUP-11092

Support for Fedora 31 (x86_64) removed

This release removes support for Fedora 31 (x86_64). PUP-11093

Support for Mac OS X 10.14 (x86_64) removed

This release removes support for Mac OS X 10.14 (x86_64). PUP-11094

Support for Red Hat 5 (x86_64, i386) removed

This release removes support for Red Hat 5 (x86_64, i386). PUP-11091

Default timeout ignores Windows services

Previously, default timeouts caused issues on Windows when services took longer than 10 seconds to change state. You can now specify the default timeout value for syncing service properties. PUP-10925

User attributes ignores forcelocal

This release fixes an issue where setting forcelocal => true on an user resource checked the resource's home and shell attributes against their values from the directory service provider. Contributed by Puppet community member natemccurdy. PUP-11241

Puppet fails to install packages on Solaris if another pkg install is running

The concat module ignores the ENC environment

This release fixes an issue where an ENC-specified environment was not pushed during a Puppet run. This caused indirector requests with no specified environment to default to using an incorrect environment. PUP-11265

Util::JSON.dump receives non-hash options

Previously, Puppet's /puppet/v3/file_metadatas REST API failed if the multi_json gem was uninstalled or when it was running puppetserver from source. PUP-11237

Puppet sends warning for BOM and US-ASCII encoding

This release removes BOM for non-UTF encoding and its warnings. ASCII characters are single bytes, which means there is no need for a BOM to detect byte ordering (LSB/MSB). PUP-11196

User resource not removing password on AIX agents

This release fixes an issue where deleting an AIX user with Puppet would not clean up the user's password. PUP-11190

Undefined method [] for nil:NilClass when handling SemanticPuppet::Dependency::UnsatisfiableGraph

Previously, the puppet module install command broke when dependencies could not be resolved. Puppet now emits an error message instead. PUP-11172

User resource unable to remove the home directory

Static catalogs not working for file resources when versioned_deploys is enabled

Previously, when :versioned_environment_dirs was set to true, catalog compilation failed to add metadata for static catalog file resources; this meant that an agent receiving a catalog would not attempt to request that static file content. This has been fixed and the metadata is now correctly added to the catalog when :versioned_environment_dirs is set to true. PUP-11169

Changes to current working directory when listing modules

Puppet Server and agent no longer change their current working directories when listing modules in an environment directory. PUP-11166

An environment reloaded during a single compilation could fail

Previously, Puppet Server could reload an environment while it was being used to compile a catalog. If translations were enabled (Puppet[:disable_i18n] set to false), compilation could fail. Now Puppet Server prevents environments from being reloaded while they are in use, and instead reloads the environment the next time it is requested. PUP-11158

The pkg provider cannot unhold and update packages in the same run

Previously, the pkg package provider was unable to handle manifests where a package was updated and marked as unhold at the same time. This is now fixed. PUP-10956

Environment caches string and symbol environment names differently

This release fixes an issue that resulted in Puppet caching duplicate copies of an environment. PUP-10955

A lookup fails if lookup_options is empty

Rich data types can corrupt the transaction store

This release fixes an issue that prevented Puppet from reporting corrective changes when using rich data types such as Deferred, Binary, and Sensitive. PUP-10820

Puppet.lookup(:current_environment) is wrong if the environment changes during convergence

This release fixes an issue where an old environment could be used if the environment had changed due to pluginsync. PUP-10308

Failure to fetch node definition results in bad pluginsync and cascading failure

The puppet resource --to_yaml emits class tags

This release stops the resource --to_yaml command emitting Puppet class tags, such as Puppet::Util::Execution::ProcessOutput, by ensuring that the PScalarDataType only checks the instance of String, and not other subclasses. PUP-10105

Catalog failure on first run due to pluginsync and environment switch

Agent cannot compile catalog if it specifies an non-existent environment in puppet.conf

This release fixes an issue that caused the agent run to fail if the agent requested an environment that did not exist on the server ​​— even when the classifier controlled the environment. PUP-6802

Puppet agent does not save local copy of last_run_report.yaml

The agent now saves a local copy of its last run report, even if it fails to submit the report to the primary Puppet Server. PUP-6708

User resource exposes hashed password when changing password or adding a user

The puppet ssl show command prints custom object identifiers (OID)

The puppet ssl show command now shows the names of certificate extensions containing custom OIDs — when the trusted_oid_mapping_file exists. This functionality used to exist in the puppet cert print command. PUP-11120

Updated argument error message

If you call a function with an argument Puppet does not accept, the error message provides a list of acceptable function signatures. PUP-7792

Updated error message for incorrect module name

If the author component of a module name is omitted, the puppet module install <author-module> command provides a name suggestion in the error message. PUP-10641

Puppet reports the license gem on Apache

Puppet now reports the Apache 2.0 license when installed as a gem. PUP-11118

Support for Debian 11 Bullseye amd64

This release adds support for Debian 11 Bullseye amd64. PUP-11030

macOS puppet-agent code-signs executables

The macOS puppet-agent AIO packages now provide code-signed executables for puppet and pxp-agent. PA-3756

Solaris OpenSSL patching replaced with compiler arguments

This release adds AES CTR-DRGB performance improvements to Puppet’s vendored OpenSSL. PA-3698

The empty function accepts Sensitive data types

The empty function now accepts Sensitive data types, which allows you to test a Sensitive variable that is neither nil or empty. For example, a variable in an ERB template. Contributed by Puppet community member cocker-cc. PUP-11124

The unwrap function accepts Any data type

The unwrap function now accepts the Any data type. This means that the component modules, such as puppetlabs-postgresql, can migrate to using Sensitive values, while still accepting non-Sensitive values. You do not need to special case when unwrapping the value. Contributed by Puppet community member cocker-cc. PUP-11123

The exec provider supports commands as an Array

When a command is an Array of Strings, passed as [cmdname, arg1, ...], it is now executed directly instead of being passed to the standard shell. This is supported for the following exec parameters: comand, onlyif, unless, refresh. Note that onlyif and unless already accept multiple commands as an Array — you need to pass the value as an Array of Array to use this new behaviour. PUP-5704

Embedded Ruby (ERB) templates allow a leading Byte Order Mark (BOM)

Previously, when a template contained a BOM, it was preserved by the template function and included in the resulting file or PowerShell command. Puppet now passes the bom option when reading the file, removing the BOM as it is read. PUP-8243

Support for Debian 8 removed

This release removes support for Debian 8. PUP-11059

The --extra cli option is not functional

The puppet help command no longer displays the --extra command line option. PUP-8700

The parsedfile provider produces an undefined method each for nil:NilClass

Puppet now prints an error if a parsedfile provider returns nil, for example, when using the nagios_core module. PUP-9369

Unclear error message if user or group providers are not suitable

Puppet now prints a more detailed error message if the user or group providers are not functional. PUP-9825

The Puppet::Resources.search method fails when conditions are provided

This release fixes an issue that prevented the Puppet::Resource.indirection.search method from accepting conditions when filtering results. PUP-7799

Repository error message URL is missing part of the path

Previously, the puppet module command reported an incorrect URL in the error message when the module_repository setting was overridden. This is now fixed. PUP-8650

The desired_value file mode is reported without leading zeros

Puppet now reports file modes with a leading zero in the desired_value field ⁠— for example, 0755 ⁠— which is consistent with the previous_value. PUP-7493

Filebucket fails when using a non-default environment from the server

The filebucket application no longer requires an environment to exist locally. PUP-10796

Unable to load PKey.read with private keys

Puppet agent now loads private keys in the PKCS#8 format. PUP-11082

Cached environments are not deleted when the directory is removed

Puppet now removes environments that are no longer on disk. PUP-11129

Unable to run the puppet resource command when the environment is specified

Previously, running puppet resource on the agent with an invalid environment would fail. With this release, the application falls back to the default environment, if the specified one does not exist. PUP-6554

Puppet prints unnecessary errors in debug

Puppet no longer prints an unnecessary error message when resolving account names to security identifiers on Windows. PUP-10967

Setting age=0 on a tidy resource does not remove all files

Previously, the age parameter of the tidy resource only removed files older than those specified. This is now fixed and Puppet removes all files. PUP-11079

The agent_specified_environment fact is not populating

This release fixes an issue where the agent_specified_environment fact did not populate when the environment was set in the [agent] section. This is now fixed and populates in the following order: CLI, agent section, main section. PUP-6801

pip ensure=>latest fails with pip>=20.3.0

In version 20.3b1, pip removed the ability to list available versions of a package. This release adds the --use-deprecated=legacy-resolver argument so that you can query available versions. PUP-11029

The pxp-agent does not use the wrapper script

The pxp-agent service script on the AIX, OSX, and Solaris platforms now manipulates the service using the wrapper script located in /opt/puppetlabs/bin/pxp-agent, which cleans up the linker environment before calling the actual environment. This prevent failures due to incompatible libraries being loaded. To modify the pxp-agent linker environment, directly call the pxp-agent binary, for example, /opt/puppetlabs/puppet/bin/pxp-agent. PCP-890

Fedora 34 support

This release adds support for Fedora 34. PUP-10892

File limit with the max_files parameter

By default, the file and tidy resource types generate a warning on the Puppet Enterprise (PE) console and report when Puppet tries to manage more than 1000 files with the recurse parameter set to true. The file and tidy resource types now support a new parameter — max_files — that enforces a hard limit. If the number of recursive files is greater than the limit, the agent run fails. You can set the max_files parameter to -1 to disable the warning. PUP-10946

Case sensitive parameter for the fqdn_rand() function

The fqdn_rand() function now accepts an optional parameter to downcase the FQDN fact, so that the function's result is not case sensitive. You must pass the parameter after the seed string, for example, fqdn_rand(100, 'expensive job 1', true). By default, the function remains case-sensitive. PUP-10922

Improve enable=delayed_start error message

This release improves an error message to properly convey that you cannot set a systemd service to delayed_start on operating systems other than Windows. PUP-11062

Ruby support long paths on Windows

This release adds the following patch into the Puppet Agent vendored Ruby. The patch implements long path support on Windows. PA-3759

Improved Ruby Performance

New Ruby performance patches — reducing 50-90% of file IO when loading Puppet and Facter. PA-3526

Bump curl to 7.77.0

This release bumps the curl dependency to 7.77.0. PA-3762

PUPPET_SERVER MSI install property does not work

Previously, using PUPPET_SERVER as an MSI property did not set the server setting. This is now fixed. PA-3667

Puppet does not specify SELinux filetype when getting the default context

Previously, Puppet created files with the wrong default SELinux context, which was only corrected after a subsequent Puppet run. This is now fixed. Contributed by Puppet community member tobias-urdin. PUP-7559

NIM provider used very restrictive regular expressions

Previously, the NIM provider only allowed numbers when parsing RPM release tags and didn't accept bff (installp) packages marked as security updates in the header. In this release, Puppet allows installation of such packages. PUP-3631

Unable to mask a static systemd service

This release fixes an issue where the systemd provider did not mask static systemd services. Contributed by Puppet community member nmaludy. PUP-11034

Masking service failed

Previously, Puppet failed to mask a systemd service that did not exist. This bug is now fixed. PUP-10974

Sensitive instances shared the same value yet weren’t equal

Previously, two type Sensitive instances failed to compare as equal—despite sharing the same underlying strings. In this release, comparisons such as $a = Sensitive("secret"); $b = Sensitive("secret"); notice($a == $b) now return as true. PUP-11061

SemVer datatype components failed to pass as hash or argument list

Previously, the build or prerelease components of the SemVer datatype failed to pass as a hash or list of arguments. This bug is now fixed. PUP-11077

User keychains were inaccessible to Puppet Agent

Previously, user keychains were inaccessible to Puppet Agent if you ran Puppet Agent through the macOS daemon. This bug is now fixed. PUP-11081

Puppet returned an error when specifying the purge_ssh_keys parameter

Previously, Puppet returned an error if you specified the purge_ssh_keys parameter for a user resource that didn’t previously exist. To fix this bug, Puppet prioritizes the ensure property of a user before the purge_ssh_keys parameter. PUP-11067

Nil vertices caused resource management errors

Previously, managing resources that call the generate method — failed when using the puppet resource subcommand— due to the presence of a nil vertex in the catalog. To fix this bug, Puppet can no longer add nil vertices to the catalog. PUP-11074

Unable to update UserRightAssignment

Previously, validating the logonaccount and logonpassword parameters for the service resource on Windows failed too early. This release moves the parameters further down the catalog compilation order list to avoid early errors. PUP-10999

Puppet cannot change/set new user passwords on macOS Big Sur

Previously, you could not set or change the password of a new user created on macOS Big Sur. This bug is now fixed by ensuring the ApplicationAuthority field exists whenever you create a new user. PUP-11026

Puppet returned an error when creating new users on macOS 10.14

Previously, if you created a new user on macOS 10.14, Puppet returned an Operation not permitted @ rb_sysopen error. This bug is now fixed.PUP-11095

Agent failures with server_list

Previously, when Puppet processed server_list and tried to find a functional server, it threw an error if it could not connect, causing the agent to fail. This is now fixed. PUP-10844

Improvements to the puppet facts diff command

This release makes the following improvements to the puppet facts diff CLI command:

• The command shows all of the differences between Facter 3 and Facter 4 — including facts only available in Facter 4 — and sorts the output results in alphabetical order. You can also remove certain facts from the output using the --exclude <regex> CLI option and see the results in a fully structured form. PUP-10985

• The command filters the output based on an exclude list. This only contains volatile facts — those that are expected to change value between consecutive Facter runs. PUP-10947

• The command pretty-prints JSON output. You can specify the older form with --render_as json. PUP-10973

Backport logic to detect migrated CA directory location

Curl bumped to 7.76.0

This release bumps Curl to 7.76.0, fixing the following CVEs:

• CVE-2021-22890

• CVE-2021-22876

PA-3690

OpenSSL bumped to 1.1.1k

This release bumps OpenSSL to 1.1.1k, fixing the following CVEs:

• CVE-2021-3450

• CVE-2021-3449

PA-3669

Ruby bumped to 2.5.9

This release bumps Ruby to 2.5.9, fixing the following CVEs:

• CVE-2020-25613

• CVE-2021-28965

PA-3695

The GlobalSignRoot CA R3

This release adds the GlobalSignRoot CA R3 certificate for rubygems.org. PA-3525

The ciphers setting

The ciphers setting configures which TLS ciphersuites the agent supports. The default set of ciphersuites is the same, but you can now make the list of ciphersuites more restricted, for example, to only accept TLS v1.2 or greater ciphersuites. PUP-10889

The puppet ssl show command

The puppet ssl show command prints the full-text version of a host's certificate, including extensions. PUP-10888

The puppet facts show command backported to 6.x agent

The puppet facts show command can now retrieve a list of facts from the system. Run puppet facts show --help to see all of the supported options. PUP-10884

Puppet cannot parse systemd instances when the list-unit-files output has an additional column

This release fixes an issue affecting the parsing of systemd service instances caused by a change in the systemctl list-unit-files command output. PUP-10949

Race condition with agent_disabled_lockfile

This release fixes a race condition that caused the agent to become disabled and no longer enforce desired state. Contributed by Puppet community member gcampbell12. PUP-11000

Retrieve SID for users under APPLICATION PACKAGE AUTHORITY

A known issue with LookupAccountNameW caused Puppet to fail when managing Windows users under APPLICATION PACKAGE AUTHORITY with fully qualified names. This is now fixed and we have added an account name step to prevent faulty queries. PUP-10899

Retrieving the current user with the fully-qualified username fails on Windows

Previously, retrieving the current username SID on Windows caused Puppet to fail in certain scenarios, for example, when the user was a secondary domain controller. This release adds a fallback mechanism that uses the fully qualified domain name for lookup. You can retrieve the current user with the fully-qualified username and domain on Windows. PUP-10898

Windows package provider continues to read the DisplayVersion key after it is embedded NULL

Previously, Puppet would not stop reading the registry at the correct WCHAR_NULL because it was encoded to UTF-16LE, causing Puppet to read bad data and fail. This is now fixed. PUP-10943

Listing environments during code deploys prevents environment cache invalidation

Previously, catalog compilations for a newly created environment directory could fail if the environment was listed while the directory was being created. This issue only occurred when using an environment_timeout value greater than 0 and less than unlimited. This is now fixed.

PUP-10942

User resource with forcelocal and groups attributes set fails if /etc/group contains empty lines

This release fixes an issue where Puppet failed when applying user resources with forcelocal if there were empty lines in /etc/group. PUP-10997

Augeas fails with Postgresql 13

This release patches the vendored Augaes in puppet-agent so that PostgreSQL 13 configuration file is no longer parsed. PA-3406

The puppet facts diff command logs error when the apt module is installed

Previously, the puppet facts diff command, which compares Facter 3 and Facter 4 facts, did not run Facter 4 in a clean environment, causing undefined behavior for custom facts resolving. With this release, Puppet 4 facts are read when running puppet facts in a new shell and custom facts resolve correctly. PUP-10940

Cannot ensure dnfmodule with no default profile

Previously, using the dnfmodule provider to install a module with no default profile and without passing the enable_only parameter failed in newer versions of DNF. PUP-11024

Puppet users with forcelocal are no longer idempotent

User resource with forcelocal uses getent for groups

The useradd provider now checks the forcelocal parameter and gets local information on the groups (from /etc/groups) and gid (from /etc/passwd) of the user when requested. PUP-10857

Slow Puppet agent run after upgrade to version 6

This release improves the performance of the apt package provider when removing packages by reducing the calls to apt-mark showmanual. PUP-10856

The apt provider does not work with local packages

The apt package provider now allows you to install packages from local file using source parameter. PUP-10854

JSON terminus for node and report

This release implements JSON termini for node and report indirection. The format of the last_run_report.yaml report can be affected by the cache setting key of the report terminus in the routes.yaml file. To ensure the file extension matches the content, update the lastrunreport configuration to reflect the terminus changes (lastrunreport = $statedir/last_run_report.json). PUP-10712

JSON terminus for facts

This release adds a new JSON terminus for facts, allowing them to be stored and loaded as JSON. Puppet agents continue to default to YAML, but you can use JSON by configuring the agent application in routes.yaml. Puppet Server 7 also caches facts as JSON instead of YAML by default. You can re-enable the old YAML terminus in routes.yaml. PUP-10656

Multiple logdest locations in puppet.conf accepted

You can set multiple logdest locations using a comma separated list. For example: /path/file1,console,/path/file2. PUP-10795

New serverport setting type

The serverport setting is an alias for masterport. PUP-10725

The puppet module install command lists unsatisfiable dependencies

If the puppet module install command fails, Puppet returns a more detailed error, including the unsatisfiable module(s) and its ranges. PUP-9176

Interpolation of sensitive values in EPP templates

Previously, if you interpolated a sensitive value in a template, you were required to unwrap the sensitive value and rewrap the result. Now the epp and inline_epp functions automatically return a Sensitive value if any interpolated variables are sensitive. For example: inline_epp("Password is <%= Sensitive('opensesame') %>"). Note that these changes just apply to EPP templates, not ERB templates. PUP-8969

OpenSSL bumped to 1.1.1i

This release bumps OpenSSL to 1.1.1i. PA-3513

Curl bumped to 7.74.0

This release bumps Curl to 7.74.0. PA-3512

(Experimental feature) puppet facts diff action

This release adds a new action called puppet facts diff to check if there are differences between Facter 3 and Facter 4 outputs. Facts that change over time like memory and uptime are ignored. PUP-10815

func3x_check setting removed

The func3x_check setting has been removed. PUP-10724

The puppet apply command creates warnings

Remove Pathname#cleanpath workaround

This release removes an unnecessary workaround when cleaning file paths, as Ruby 1.9 is no longer supported. PUP-10840

Cached catalog contains the result of deferred evaluation instead of the deferred function

Puppet 6.12.0 introduced a regression that caused the result of a deferred function to be stored in the cached catalog. As a result, an agent running with a cached catalog would not re-evaluate the deferred function. This is now fixed. PUP-10818

Calling scope#tags results in undefined method

Previously, calling the tags method within an ERB template resulted in a confusing error message. The error message now makes it clear that this method is not supported. PUP-10779

Puppet agent installation fails when msgpack is enabled on puppetserver

Previously, the agent failed to deserialize the catalog and fail the run if the msgpack gem was enabled but not installed. Now the agent only supports that format when the msgpack gem is installed in the agents vendored Ruby. PUP-10772

Setting facterng twice raises an exception

Previously, calling puppet config set facterng true twice resulted in a failure. This is now fixed and facterng is only enabled if it is not already. PUP-10731

Puppet feature detection leaves Ruby gems in a bad state

This release fixes a Ruby gem caching issue that prevented the agent from applying a catalog if a gem was managed using the native package manager, such as yum or apt. PUP-10719

Fine grained environment timeout issues

Previously, if the environment.conf for an environment was updated and the environment was cleared, puppetserver used old values for per-environment settings. This happened if the environment timed out or if the environment was explicitly cleared using puppetserver's environment cache REST API. With this fix, if an environment is cleared, Puppet reloads the per-environment settings from the updated environment.conf. PUP-10713.

Setting certname in multiple sections bypasses validation

Previously, Puppet only validated the certname setting when specified in the main setting, but not if the value was in a non-global setting like agent. As a result, it was possible to set the certname setting to a value containing uppercase letters and prevent the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which setting the value is specified in. PUP-9481

puppet config set certname accepts upper-case names

Previously, the puppet config set command could set a value that was invalid, causing Puppet to fail the next time it ran or the service was restarted. Now the command validates the value before committing the change to puppet.conf. PUP-2173

3x functions cannot be called from deferred functions in Puppet agent

This release allows deferred 3.x functions, like sprintf, to be called during a Puppet agent run. PUP-10819

Issue with Puppet creating production folder when multiple environment paths are set

Previously, the production environment folder was automatically created at every Puppet ran in the first search path, if it did not already exist. This release Puppet Puppet searches all the given paths before creating a new production environment folder.PUP-10842

Masterport not honoured when configured in a section other than main

Puppet 6.28.0 added the serverport config as an alias for masterport. This introduced a regression — when masterport was set in a section of puppet.conf that was not main, it ignored masterport and set it to the default value. This is now fixed, and both masterport and serverport are visible in other sections. PUP-10722

New server_used report parameter

This release adds a new report parameter called server_used. It behaves like master_used. PUP-10672

Removed Puppet::Agent::Locker#running? deprecation warning

The Locker#running? method is still in use. This release removes the deprecation message. PUP-10624

The puppetserver_gem package provider added to core Puppet

Previously, the provider was part of the puppetlabs-puppetserver_gem module, which no longer receive updates. This release moves the puppetserver_gem provider to core Puppet. PUP-10604

Added pip2 package provider when pip3 is the system default

This release adds the pip2 provider to allow you to explicitly use the Python 2 pip. PUP-7526

New environment_timeout_mode setting to clear short-lived Puppet environments from memory

This release adds the environment_timeout_mode setting, which allows you to clear short-lived Puppet environments from memory, while also caching frequently used environments indefinitely. This reduces the Puppet Server memory footprint. For more information, see the release notes summary in the ticket. PUP-8014

Puppet does not log connection error details when a functional master cannot be located

Previously, errors were only logged at the debug level or at the err level if the no servers were available. Puppet agents now log errors that occur when trying to connect to each server in server_list at the err level. PUP-10664

Performance regression with large hashes using lookup

This release fixes a performance regression in 5.5.x and 6.0x. which affected Hiera lookups in large hashes. PUP-10628

Status endpoint does not use the extra_headers setting

If http_extra_headers is set, Puppet sends the headers for each HTTP request it makes when processing the server_list setting to determine which server to use. PUP-10617

Fact yaml does not quote mac addresses

Previously, when Puppet facts were called with the --render-as yaml option, the macaddress fact was unquoted. This resulted in bad data if other tools parsed the resulted yaml and interpreted the value as a sexagesimal (base 60) integer when the address did not contain chars A-F. This release adds quoting to all yaml strings that contain the : character. PUP-9505

Data type casts cause Puppet Server to retain compiler instances

This issue is now fixed when running under JRuby. PUP-10659

Resource collector overrides cause Puppet Server to retain compiler instances

This issue is now fixed when running under JRuby. PUP-10657

New property and parameter to manage user rights on Windows

You can now manage rights and privileges for local Windows users with the roles property and role_membership parameter. PUP-10547

Curl upgraded to 7.71.1

This release upgrades Curl to 7.71.1 PA-3333

Add facts and vars back to PAL ScriptCompiler scope

As part of work on PUP-10397, we removed vars and facts from PAL ScriptCompiler which resulted in a breaking change to a public API. This release adds local facts back. PUP-10615

Misuse of URL encoding in file resource HTTP GET

Puppet 6.16.0 introduced a regression when using HTTP file sources, the URL request path or query contained special characters. This release restores the previous behavior. To specify a path or query that contains a space, you need the URL encoded in the manifest. PUP-10603

Puppet lookup loads external facts on the initiating node

Previously, some Puppet default settings required Facter to retrieve data that loaded all external facts and slowed down Puppet. With this release, local external facts are not evaluated when performing a lookup command on a remote node. PUP-10599

The ppt package provider does not mark managed packages as manual

With this release, the apt package provider can now mark packages as manual. PUP-6631

An error is logged during an agent run if Puppet Server does not have at least one <module>/lib dir in its modules directory

If Puppet Server does not have at least one modules directory, the file_metadatas REST API for the plugins, pluginfacts and locales mounts returns file metadata for /etc/puppetlabs/code, instead of returning HTTP 404. PUP-2608

Puppet agent fails to install on a Windows VM if the Windows installer is not used

Constant corrective changes on SLES 12

This release fixes a regression introduced in Puppet 6.16.0 where the zypper package provider reported corrective changes when the package_version package was installed. PUP-10609

Puppet::Util::Yaml safe_load not loading Time class which leads to compilation error for time serial data

Previously, when an agent run enforced a time-based property of a resource, the next agent run generated an error and lost the ability to report on corrective changes accurately. This occurred when using the {{audit}} metaparameter to monitor file mtime. This is now fixed. PUP-10585

The puppet apply command fails if Puppet types have been generated

Previously, running puppet apply failed if the Puppet generate types command was run before. In this release, puppet apply ignores resource type in the environment resource_types directory. PUP-9602

Puppet run continues despite failed Pluginsync

Previously, Puppet agents ignored pluginsync errors and applied the catalog with incorrect facts and plugin versions, leading to obscure errors or data corruption. This release adds a new setting — ignore_plugin_errors. If set to false, the agent aborts the run if pluginsync fails. The setting defaults to true so the old behavior is preserved.PUP-1763

The puppet_gem provider does not use vendored PKG_CONFIG_PATH when installing native extensions

This release allows you to install gems with native extensions that require PKG_CONFIG_PATH, when using puppet_gem provider, for example the rugged gem PUP-10584

Puppet::Util.default_env method unintentionally removed in 6.17.0

Testing modules using rspec-puppet versions earlier than 2.7.10 resulted in the error undefined local variable or method 'default_env' for Puppet::Util:Module. This is now fixed. PUP-10586

Allow running Puppet commands via AWS Session Manager on Windows 2019

Previously, installing a Puppet agent on EC2 Windows Server 2019 via AWS Session Manager caused an error. This is now fixed. PUP-10600

Extended trusted_external_command setting

The trusted_external_command setting can now be set to a directory. For each executable file in the directory, the external trusted facts will be stored in the basename key of the trusted['external'] hash. PUP-10528

Updated permissions for files in /cache/state/

This release updates the permission for state.yaml and transactionstore.yaml to remove the group write access. PUP-8922

HTTPS file sources allow additional CA certificates

Support for file content from artifactory

Puppet can now retrieve file content from artifactory using an HTTP(S) source parameter. PUP-6114

Support for username:password@domain for HTTP/HTTPS sources

You can now retrieve file content using HTTP basic authentication. The credentials should not appear in debug output or reports. PUP-6916

boost and yaml-cpp dependencies in the SLES 15 puppet-agent package

The boost and yaml-cpp dependencies are now vendored in the SLES 15 agent build. PA-3006

Added logonaccount and logonpassword

This release adds the logonaccount and logonpassword fields for managing the logon credentials used by services on Windows. PUP-1289

Puppet cannot apply a cached catalog containing binary rich data

Previously, Puppet could not apply a cached catalog if it contained binary or deferred data types, causing it to always fallback to requesting a new catalog. PUP-10572

File sources with path starting with double slashes are interpreted as a local file

Puppet incorrectly handled a file resource if the source’s parameter path component had an extra slash, for example, puppet:////modules/mymodule. PUP-10544

Puppet agents can't download file content from puppetserver via "raw" HTTPS

Resolve Rspec warnings for Ruby 2.7

You can now run Puppet from source on Ruby 2.7 using bundler without warnings. PUP-10537

Checksums are not validated when downloading file http(s):// sources

If a file resource has a desired checksum type and value, but the file downloaded from the remote source does not match, Puppet will raise an error that they mismatch, and will not update the file on the local system. PUP-10368

HTTP file sources fail for GET-only URIs

Puppet can now retrieve file content from Amazon AWS and GitHub releases, for example, source => https://github.com/path/to/released/artifact. PUP-6380

Ensure Windows wide character strings have a wide terminator

This release improves memory safety when Puppet converts Ruby strings to wide character strings on Windows. PUP-10254

“HTTP 406 Not Acceptable” error message should contain format names

This release prints the MIME types, instead of format objects, from the Accept header, in cases where puppetserver cannot generate a catalog in the requested format. PUP-10549

Puppet Windows package provider fails if there are garbage characters after an embedded NULL

This release fixes a bug in the Windows package provider when reading package version from registry. This happened if there were garbage characters after the wide NULL terminator. PUP-10536

Sensitive data type lost when declaring multiple resources using title arrays

This release fixes support of sensitive data type parameters when declaring multiple resources using title arrays PUP-10511

Agent runs failing with "Invalid or unsupported charset:ANSI_X3.4-1968"

Previously, agent runs failed when the locale settings where unrecognised or in an error state because leatherman logging expects a working locale. This release implements a defense for the leatherman logging function. PA-3254

Puppet does not add correct command flags

This release fixes an issue where Puppet would not add the correct command flags when ensuring a user resource with managehome enabled. PUP-8897

Puppet agent should ignore nssm.exe during an upgrade

Previously, if a puppet-agent upgrade on Windows happened when nssm.exe was loaded by EventLog service, certain services were restarted, leading to unreachable machines. This release includes an nssm executable for pxp-agent (nssm-pxp-agent.exe) and we have remove Windows registry references to the old nssm.exe. PA-3263

Puppet should ignore system Ruby settings

Running Puppet using a wrapper script from the puppet-agent package will now ignore the following ruby related environment variables: GEM_HOME, GEM_PATH, DLN_LIBRARY_PATH, RUBYLIB, RUBYLIB_PREFIX, RUBYOPT, RUBYPATH, RUBYSHELL PA-3248

The application orchestration features

The application orchestration features are deprecated and will be removed in Puppet 7. As a result, the following will also be deprecated:

• The {{site}}, {{produces}} or {{consumes}} keywords.

• The export and consume metaparameters.

• The environment catalog REST API.

New puppet help command to generate ronn output

This release adds a puppet help <app> --ronn command to generate help text for an application in ronn format. This eliminates the need for puppet man which is deprecated and will be removed in Puppet 7. PUP-10502

FileMetadata HTTP terminus to use the new Puppet::HTTP::Client code

Puppet now uses the HTTP client to retrieve file metadata from HTTP(S) sources. PUP-10482

New method for registering runtime implementations

This feature allows caller to register runtime implementations. Currently only HTTP is supported. PUP-10429

Puppet observes waitforlock when acquiring the ssl lock

Puppet uses an ssl lockfile to ensure its certificates and keys on disk are not modified by multiple Puppet processes. If Puppet is unable to acquire the ssl lockfile, and the new Puppet[:waitforlock] setting is enabled, Puppet will wait that many seconds before retrying the ssl lock. Puppet will wait for Puppet[:maxwaitforlock] seconds at most before giving up. PUP-10420

External trusted data is executed for file_content requests

The trusted_external_command is now only run once when external data is requested, instead of every time a request is made. PUP-10292

Improved error message when a file resource requires a non-existent directory

This release improves the error message that occurs when trying to manage a file resource whose parent directory does not exist. PUP-4442

Support on version ranges for the eq operator

Now all the providers that support version ranges will also handle simple versions, making the behaviour consistent between package providers, for example, 1.2.3. PUP-10496

New disabled value in dnfmodule package provider

This release adds a disabled value to the ensure field in the dnf module provider. PUP-10419

Added SemVerRange support to zypper package provider

This release adds support of >, >=, <, <=, >=A <=B ranges for package version specified in :ensure for zypper provider. PUP-10299

The Puppet runtime API now accept symbols as names

This release changes the Puppet.runtime method to take symbols instead of strings. PUP-10471

New Puppet agent options when waiting for lock

PUP-8051

New Puppet introduction in the documentation

An introduction to Puppet to help new users learn the basic concepts and features. See the Puppet introduction.

Installer switch service-enable true reports wrong actions in certain conditions

Previously, the puppet resource command wrongly reporting the enabled state of a systemd service when the ensure parameter was also specified. This is now fixed. PUP-10479

OpenSSL errors on AWS FIPS

Previously, interleaving ruby/leatherman OpenSSL on RehHat7 FIPS led to OpenSSL module errors when the Ruby HTTP client was reused. This is now fixed to adapt openssl.cnf and configure FIPS algorithms, by setting evp_setting to fips_mode = true. PA-3223

An "unable to set ownership" error with logdest on agents running as root

Puppet no longer generates an error when using a log file destination. PUP-10407

Puppet plugin download fails if an agent specified environment does not exist on the agent

Calling puppet plugin download --environment <env> failed if the environment directory did not exist locally. This is now fixed. PUP-10307

The agent incorrectly reports corrective changes when base64 padding is missing from Content-MD5

Previously, when managing file resources with HTTP(S) source parameters, Puppet only parsed the header, causing interoperability problems when the base64 encoded value was not padded. Now Puppet parses the Content-MD5 header according to RFC 2045. PUP-10164

The purge_ssh_keys parameter requires you to set the home directory in the manifest

The release fixes an issue where Puppet required you to manage the home directory when purging SSH keys with purge_ssh_keys. PUP-10506

The pip package provider does not handle pip executable paths with spaces

Paths containing spaces will now be quoted in the pip package providers. PUP-10485

Portage package provider does not work on Gentoo-based distributions

This release fixes an issue where the Gentoo provider was incorrectly selected on Gentoo-family distributions. PUP-10469

Running remove_old_postgresql_versions after upgrade fails

This release fixes an issue in Puppet's behaviour when listing information about a single specific service and all available ones by showing services in a static state. PUP-10437

Zypper provider does not recognize --no-gpg-checks as a global option

This release allows --no-gpg-checks to be passed as an item to install_options property for the zypper package provider. Note that for backward compatibility --no-gpg-check was not removed. PUP-10433

Puppet agent fails to self-restart with configuration changes or updates

Previously, when two agent runs were taking place at the same time, under some circumstances, the Puppet agent could get in a restart_requested state. This is now fixed. PUP-10351

User resource expiry incorrect on SLES 11

On SLES 11, setting a user resource expiry to absent resulted in disabling the user instead. This is now fixed. PUP-7663

The systemd provider does not honor documented enabled states

Previously, enabling indirect services caused an idempotency issue in Puppet. This has been fixed by not allowing users to enable/disable these services and to print a debug log instead. PUP-7163

The puppet module search command

Instead, search for modules on Puppet Forge. PUP-10480

The {find,search,save,destroy,head} methods in the abstract rest terminus

Calling Puppet::Indirection::Rest.{find,search,save,destroy,head} is deprecated as part of an effort to separate the indirector and HTTP requests. If a custom terminus extends the abstract rest terminus, it will implement the networking request itself or call Puppet's HTTP client. PUP-10445

HTTP file content terminus

The HTTP terminus for retrieving file content is deprecated and will be removed in Puppet 7. PUP-10444

Route HttpPool.connection through HTTP client

Calls to Puppet::Network::HttpPool are routed to the new HTTP client, but preserve the existing behavior for that API. The HttpPool class is deprecated and will be removed in Puppet 7. PUP-10289

The Puppet::Network::HTTP::{Connection,NoCachePool,Compression} class

The Puppet::Network::HTTP::Connection class is deprecated and will be removed in Puppet 7. Calls to the Puppet::Network::HttpPool factory methods (such as http_instance) are routed to the new HTTP client in Puppet. PUP-10481

HTTP client API uses a generic options hash

Instead of using keyword arguments, the HTTP client API uses a generic options hash. This change allows more flexibility with development and ensures there are no problematic version dependencies. PUP-10353

HTTP report processor uses HTTP client

The HTTP report processor uses new Puppet HTTP client when running in puppet apply. Note that it still uses the existing HTTP client when running in puppetserver. PUP-10316

HTTP report processor setting includes system truststore

Previously, when an HTTPS URL was specified, the processor would only trust the Puppet CA when verifying the server SSL certificate. This release adds a Puppet[:report_include_system_store] setting, which defaults to false. If set to true, the report processor trusts CA certificates in the puppet-agent CA bundle, as well as Puppet CA. This change only affects the HTTPS processor when running in the context of puppet apply. PUP-7737

Unified service return values

The return values of the HTTP client service methods now returns the request response, as well as previous return values. PUP-10418

Filebucket rest terminus uses HTTP client code

The filebucket rest terminus now uses the new HTTP client code. All HTTP requests that are routed through the rest terminus will go through HTTP::Client. This includes the logic to find which server to submit requests to. PUP-10385

New metric for Puppet agent run

This release adds a new Startup time metric that accounts for the interval between Puppet agent initialization and the actual run. PUP-10371

New certificate extension OID

This release adds a new certificate extension OID — 1.3.6.1.4.1.34380.1.1.26 — and short name — pp_owner. PUP-10364

SemVerRange support for yum, apt, pip and gem package providers

This release adds support for range intersection for the yum, apt, pip and gem package providers. Note that when using version ranges with the yum package provider, there is a limitation that requires you to specify the epoch for the version in the range. See known issues for more information. PUP-10298, PUP-`10297, PUP-10296, PUP-10295

Custom retrieve() method with non-standard return values removed

This release removes the retrieve() custom method and adjusts tests dependent on the behavior. PUP-9943

Facts and vars from ScriptCompiler scope removed

This release removes node specific values from the scope of script compiles, as they did not happen in the context of a node. PUP-10397

Partitioned reports table

The PuppetDB reports table is now partitioned by day for better query and garbage collection performance. If you are an open source user, have a large database and do not delete your reports prior to the upgrade, you need to change the start timeout manually. This can take 80-85 minutes per 10GB — note that is an estimate and will be different for every user. PDB-4606

Ubuntu 20.04 support

This release adds puppet-agent support for Ubuntu 20.04. PUP-10284

Upgrade Puppet Server 6.9.2 from Puppet 6.5

Previously, when querying environments without an environments directory, Puppet Server would report a 406 with an undefined method error. Now it reports an empty environments list. PUP-10405

The pkgng provider does not parse latest version properly

The pkgng provider now correctly parses the latest versions for packages. PUP-10382

The pkgng provider does not support install_options

The pkgng provider now supports install_options. PUP-10380

puppet plugin download does not download from locales mount

This release fixes a regression in 6.14.0 that caused puppet plugin download to not download files from the locales mount in the same way that the agent does. PUP-10374

Puppet apply recursive copy of directory fails in file resource

This release fixes a regression in Puppet 6.14.0 that prevented the puppet apply application from recursively copying a directory from a module using a puppet:// URL. PUP-10367

Puppet agent unable to fetch file from HTTPS source

This release fixes a regression in 6.14.0 that prevented Puppet agents from retrieving file content from HTTPS sources, when the server's certificate was issued by a CA other than the Puppet CA. PUP-10365

server_list processed up to four times per agent run

This release fixes a regression in 6.14.0 that caused Puppet agents to process their server_list up to 4 times per agent run, instead of once per run. This release restores the behavior that existed in 6.13.0 and before. PUP-10363

Can't disable Puppet::SSL::Host deprecation warning when using PuppetDB terminus

Puppet no longer generates a deprecation warning when calling Puppet::Network::HttpPool.http_instance, which used to happen when using the puppetlabs-puppetdb module to install and manage PuppetDB. PUP-10355

The puppet_gem package provider ensure => absent breaks file resources

The puppet_gem provider can now uninstall a gem during an agent run. PUP-10319

Puppet 6 daemons do not release ssl_lockfile

Previously, daemonized Puppet agents kept the ssl_lockfile locked while waiting for Puppet Server to issue their certificate. This prevented foreground Puppet commands from working. Now the agent releases the ssl_lockfile while it sleeps and reacquires the lock when it wakes up. PUP-10228

Pacman provider does partial upgrades

This release prevents the Pacman package provider from partial upgrades. PUP-10152

Persistent HTTP connection timeouts cannot be changed when using the new HTTP client

The release fixes a regression in 6.14.0 that caused Puppet to cache persistent HTTP connections for 15 seconds, instead of the expected 4 seconds, and it was not possible to change the timeout using the Puppet[:http_keepalive_timeout] setting. PUP-10434

RedHat RHBA-2020:1028 breaks `yum.rb` in yum provider

This release fixes an issue where Red Hat Subscription Manager updates caused ensure => latest to do nothing. PUP-10432

Windows service calls deprecated puppet agent --configprint

This release fixes an issue where Puppet Windows service called deprecated puppet agent --configprint. PUP-10414

Puppet .dmg packages fail on macOS 10.15

In macOS 10.15, the -noidme flag caused .dmg package installation to fail. This release removes the -noidme flag with hdiutil when using pkgdmg package provider. PUP-10408

Gem provider reports changes when using composed requirements

This release fixes idempotency of gem resources with composite requirements, such as range intersections ( >=1.3, <2.2). PUP-10395

Ruby file loaded twice

Previously, the gem package provider’s Ruby file loaded twice and caused warnings on each Puppet run. This release removes an unnecessary file requirement that caused this issue. PUP-10390

Puppet resource service does not return all active services on Ubuntu

This release fixes an inconsistency in Puppet's behaviour when listing information about a specific service. PUP-10378

Custom file ownership for lastrunreport ignored

This release fixes a bug introduced in 6.13.0 where ownership for the lastrunreport file ignored what was defined in puppet.conf. PUP-10376

Custom file mode for lastrunreport ignored

This release fixes a bug introduced in 6.13.0 where the mode for the lastrunreport file was reset and ignored what was defined in puppet.conf. PUP-10325

Latest version ensured for python package is incorrect

Previously, using pip to ensure the latest package available could cause a lack of idempotency, with Puppet identifying the latest version incorrectly. This release improves the comparing and sorting mechanism of versions. PUP-10375

5.5.17 agents fails on interval runs

There were various paths in a Puppet run that did not explicitly return an exit code, leading to a TypeError exception. With this release, the exit argument from run_in_fork is unaffected by these errors. PUP-10366

Facter 4 debug logs do not use Puppet logger

This release fixes an issue where enabling the facterng feature flag stopped the debug logs from being forwarded to Puppet. PUP-10322

Windows user management fails if group contains not resolvable Domain accounts

Previously, if an Active Directory user was added as a member of a local group and then deleted, Puppet did not manage the respective group members. With this release, Puppet will manage the group by showing SID instead of the account name for non-resolvable users. PUP-10303

Windows pidlock access denied

With this release, use SeDebugPrivilege on Windows when opening a lockfile PID to determine whether the process is a Puppet process. PUP-10248

Ruby security update

PA-3176

OpenSSL security update

This version upgrades the OpenSSL version from 1.1.1f to 1.1.1g on non-fips platforms to address CVE-2020-1967. PA-3186

Agent upgrade restarts Windows DHCP Server service

Previously, Windows components (such as DHCP Client) restarted after Puppet agent upgrades. This was a result of nssm.exe being registered as the EventMessageFile, which got loaded and locked into svchost.exe when viewing events raised by pxp-agent. The agent upgrade tried to replace nssm.exe, but failed as it was loaded, and the only way to unload it was to restart. This fix removes the usage of nssm.exe for events and replaces it with EventCreate.exe when generating event messages, so now the EventCreate.exe will get loaded and locked by svchost.exe when viewing Puppet events. This will no longer interfere with the agent upgrade. PA-3175

Hiera-eyaml prints error message when decryption fails

If Puppet fails to decrypt a value stored in hiera-eyaml, include the name of the key where the lookup failed in an error message. PUP-10317

Puppet uses new http client for all REST requests

Prior to this release, the agent only used the http client for certificate related requests. Note that this does not change how Puppet works when running as a library inside Puppet Server. PUP-10260

Send extra headers when requesting a catalog compilation

You can now define custom headers to send with http requests to Puppet infrastructure. Use the :http_extra_headers setting to define these. They should be a comma separated string of key:value pairs. PUP-9566

Puppet HTTP API does not allow callers to trust system cacerts

The HTTP client now accepts a parameter to trust the system certificate store when making HTTPS connections. By default, it only trusts the Puppet PKI. The API is private and may change in a future release. PUP-5069

macOS 10.12, macOS 10.13 and Fedora 28 support removed

This release of the puppet-agent package removes support for macOS 10.12, macOS 10.13 and Fedora 28. PUP-10244, PUP-10245, PUP-10242.

Disable metrics v1 endpoint and restrict v2 to localhost

To prevent information exposure as a result of CVE-2020-7943, the /metrics/v1 endpoints are disabled by default, and access to the /metrics/v2 endpoints are restricted to localhost. PE-28468

Secondary group handling causing issues in 6.13.0

The members parameter of a group resource was validated by checking if each user exists before the manifest was applied, resulting in a manifest containing both user creation and group members update, which would fail. You can now dd new user and update group membership in the same manifest apply. PUP-10320

Client does not reconnect when the server closes a persistent connection

Previously, Puppet failed to reuse a previously cached connection if it was using the new HTTP client, if the previous request was kept alive, or if the server closed the connection between when the client caches it and when the client tries to reuse it. PUP-10347

Replace find_functional_server call with http client

Puppet agents now use the new HTTP client to resolve the first available server in the server_list setting. PUP-10315

Puppet tries to print ssl information for non-ssl connections in debug mode

In debug mode, Puppet now only prints TLS protocols and ciphersuites for HTTPS connections, but not HTTP connections. PUP-10314

Close http client

During the SSL bootstrapping process, Puppet now closes all active HTTP connections before sleeping for "waitforcert" seconds. PUP-10288

When a site has no active connections, it should be removed from the pool.

Reduction in memory usage when the last connection from the HTTP pool is borrowed and not returned. PUP-10286

The puppet apply command does not stream file content

Now the puppet apply command uses the same code path as puppet agent to stream file content from puppet://" and "http(s):// file sources. As a result, the memory footprint is reduced. PUP-8338

The puppet describe --list command requires the description to include a period

The puppet describe --list command now displays summary information for each type and provider, regardless of whether the summary contains a period. PUP-2641

The Puppet agent fails due to a Ruby error

This release fixes an issue with large environment blocks on Windows, which caused a Ruby error. PA-3113

Puppet reads parameter resource for forcelocal set

When managing a user or group resource with a forcelocal set, Puppet reads /etc/passwd or /etc/group for each parameter of the resource. Files are read once per managed resource. PUP-10117

forcelocal parameter available for user and group resources

The forcelocal parameter can be used on AIX for managing local user and group resources, however this option conflicts with the ia_load_module parameter. PUP-10169

Default behavior changed for strict_hostname_checking

pe_serverversion optionally added to server_facts

If the file /opt/puppetlabs/server/pe_version exists on an agent then the file will be read and added to server_facts under the name pe_serverversion. PUP-9750

Puppet follows symlink to source directory if versioned_environment_dirs setting is true

If the path to an environment is a symlink and the versioned_environment_dirs setting is true, Puppet follows that symlink to the source directory. PUP-10255

Improvements to groupadd provider

The groupadd provider now manages members using the members resource parameter. PUP-9465

Update to flavor package parameter

The flavor package parameter is now a property which can be changed after initially set. Supported providers are dnfmodule and openbsd. PUP-10171

Agent sleeps then retries connection after 429, 503 message

When Puppet Server returns a 429 or 503 to an agent after it tries to make an http request, the agent run will sleep and then retry the connection after. Previously, the agent kept the http connection open during the sleep. Now, the connection closes prior to the sleep in order to reduce the resource load on the Puppet Server. PUP-10227

mark property added as alternative to held value for ensure

This release adds the mark property with Debian and Solaris instead of setting the ensure attribute to held. The held value for ensure is deprecated. Allowed values for mark are hold or none, and it defaults to none. You can specify mark along with ensure. If ensure is missing, mark defaults to present. You cannot use the mark property together with purged, absent, or held values for ensure. PUP-1537

Puppet docs updated to include OSX Catalina 10.15 (amd64)

Puppet's public-facing documentation now includes information on this platform. PUP-10111

Puppet incorrectly parsed XML plist data

Previously, Puppet tried to parse an XML property list file as ASCII instead of UTF-8. This fix resolves the issue. PUP-10241

Missing ppAuthCertExt added to custom_extensions

The custom_extension method allows certificate extensions to access the manifest. Although, ppAuthCertExt was added it never updated to be included. This fix adds the missing ppAuthCertExt OID and updates docs to reference it. PUP-10234

Functions slowed when called with chained syntax

The Puppet language supports calling functions using prefix or chained syntax, for example: each($var) and $var.each, respectively. Chained syntax should result in the same behaviour as prefixed syntax. However, chained syntax preform slower. This fix addresses the gap. Now, chained syntax is much faster, especially with a large hash, such as $facts from the node. PUP-10113

Array settings printed poor default values and error reporting

Puppet now prints a clear error message if the disable_warnings setting is specified incorrectly: "Cannot disable unrecognized warning types foo. Valid values are deprecations, undefined_variables, undefined_resources." PUP-2820

puppet facts upload face only tried first primary server in server_list

puppet facts upload now tries each server entry in the server_list setting, similar to how puppet agent does. Previously, it only tried the first entry in the server_list setting. PUP-8900

PObjectTypeExtension doesn't implement implementation_class

Objects that inherit from the {{PObjectTypeExtension}} base type--for example {{Puppet::Datatypes::Error}} objects-- raise errors when serialized to pcore due to missing methods. The missing methods have been implemented and the types are now able to be serialized to pcore. PUP-10221

Puppet incorrectly detected stale pidfile

When an agent is incorrectly terminated, it occasionally detected a stale pidfile . This fix orders a pidfile lock removal when an agent is started as a LightWeight Process (LWP) and is incorrectly terminated on POSIX operating systems. PUP-10218

Yum provider doesn't allow array of strings

The Yum package provider now accepts an array of strings to be specified for the install_options parameter in addition to the previous implementation which only accepted an array of hashes. Fix provided by community contributor Corey Osman. PUP-10177

Fixed syntax error in pxp-agent init script

The pxp-agent init script no longer errors if there are multiple instances of the service running. PUP-889

puppet resource now returns the name of the provider

The puppet resource <type> command returns resources from all suitable providers. Previously, the name of the provider was not included in the output. However, the result was ambiguous for resource types like package which support multiple providers at the same time, for example yum and gem. The puppet resource command now returns the name of the provider so that resources are uniquely identified. PUP-3721

Couldn't set, change password of a user resource in macOS 10.15

Due to a change in user management in Apple's macOS 10.15, Puppet could no longer manage user passwords on that version. Puppet now uses the dsimport utility to manage passwords on macOS 10.15 or higher. PUP-10246

Mailalias performs a change when value has a comma

When a mailalias resources is used, Puppet refreshes the alias without prompting, changing the value. To mitigate this, do not use commas. Mailalias records field separators when surrounded by double quotes . Example: "...project" is okay, but "...project," will cause an issue). PUP-10287

Puppet agent cannot run as administrator if first PA run is done as system

If the first Puppet agent run was done under SYSTEM account, following runs done by administrator users failed to send the report to primary server. This was due to insufficient file permissions caused by the implementation of Puppet::Util.replace_file. Puppet now uses the new Puppet::FileSystem.replace_file method which correctly handles files permissions on Windows. PUP-9719

Update to compilation warnings

This release includes improvements to the evaluator, meaning some compilation warnings now take less time to compute. PUP-10213

Improvements to some manifest function performance

Performance of manifests that use the PuppetStack.top_of_stack function have been greatly improved. This includes manifests that use the puppetlabs-stdlib deprecation function or the pseudo keywords break, return, and next. PUP-10170

Merge dependency warnings

If a class has a failed dependency every resource in that class generates a notice level message about the dependency failure and a warning level message about skipping the resource. At large-node or large-code scale, one dependency failure can create an overwhelming number of warnings. To collapse all messages caused by one class dependency failure into one message associated with the class, set merge_dependency_warnings=true. PUP-10017

OpenSSL 1.0.2 updated to 1.1.1d

OpenSSL1.0.2 reached end of life on 31 Dec 2019. The OpenSSL version used in Puppet 5.5.x has been upgraded to OpenSSL 1.1.1d. PUP-3029

Deprecation warning for Windows Server 2008 and 2008 R2

On January 14, 2020 support for Windows Server 2008 and 2008 R2 ends. PA-3018

puppet module install uses Puppet's HTTP client

The puppet module install command now uses Puppet's HTTP client to connect to the Forge. It observes the Puppet[:sourceaddress] setting, useful when running the install command on a puppetserver with multiple network interfaces. PUP-10041

Systemd is the default service provider for Cumulus 4

This release adds systemd as the default service provider for Cumulus 4. PR contributed by Brian Rak PUP-10162

Introduces puppet_trace and bug fix in trace

This release fixes a bug where stacktraces from errors no longer had the Ruby stack frames interleaved with the Puppet stack frames when using trace. This release also introduces a new setting, puppet_trace, which prints the Puppet stack without the Ruby frames interleaved. If the trace setting is enabled, it overrides the value of puppet_trace. PUP-10150

Puppet loaded types and providers during environment convergence

Previously, Puppet agents could fail to apply a catalog if the agent switched environments based on node classification and if there were different versions of a module in those environments. As a result of this fix, an agent loads types and providers only once, convergences to its server-assigned environment quickly, and updates its cached catalog after the environment converges. PUP-10160

Premature loading of module-provided facts under -p

Previously, when running facter -p on Windows with custom facts or module facts that required additional files that were not present in $LOAD_PATH, an error would occur. Now, $LOAD_PATH are set without using Facter, getting it directly from the system environment. PUP-10136

Debian Puppet-agent package lacked SELinux Ruby library

Ruby SELinux libraries are now also provided for Debian and Ubuntu platforms. PA-2985

puppetdb_query didn't respond to hostprivkey & hostcert settings

Previously, an override of the client certificate and corresponding private key in Puppet settings using the hostcert and hostprivkey was not possible. This fix restores that capability. PUP-10165

Package provider removed colon from package name

This fix corrects the implementation of a colon (:) as a version slot separator for Gentoo Linux. PUP-10124

When checking binary file changes, puppet agent -t, puppet apply --show_diff occasionally generated an error

Previously, puppet agent -t or puppet apply --show_diff could generate an error when trying to display the changes it made to a binary file. Puppet now detects this case and prints a generic message stating that the binary files differ. PUP-10097

Windows confused domain and local accounts

Puppet no longer checks for domain users or groups when managing local resources on Windows. This fix addresses a local user management issue occurring when an Active Directory account existed with the same name as the local user. PUP-10057

Fixed HP-UX usermod syntax

The HP-UX provider forced command line arguments to usermod to be in a specific order. This is now fixed. PUP-9391

server_list setting not observed when making CA requests

The CA service now observes the ServerList resolver when attempting to resolve routes. Previously, SRV Records or the server/ca_server setting found this information. PUP-10157

Could not create local user when username already exists in Windows domain

As of this release, Puppet ignores case for the domain/computer name comparison when checking for local accounts on domain-joined Windows machines. PUP-10219

Template rendering updated to enhance ease of use

Password did not update when account disabled for Win 2012 R2

Puppet can now change the password for a non-active account on Windows. PUP-10021

Regression: Puppet 6.11 can't manage SELinux on Centos/Redhat 8

This release fixes an issue with management of SELinux using Puppet on RedHat and Debian based systems. PA-3067

Fixed systemd daemon-reload issue

SSL state machine and application now use the Puppet HTTP client

This release modifies puppet ssl, puppet device, and puppet agent to use the Puppet HTTP client to bootstrap SSL certificates on the node. PUP-10040

Virtual package support for apt and dpkg providers

To allow virtual packages, ensure that the packages attribute allow_virtual is set to true in your Puppet resource file. PUP-10023

Package support for DNF modules

Puppet now supports managing DNF modules, which are groups of packages that represent an application, a language runtime, or any logical group.

Modules can be available in multiple streams, usually representing a major version of the software they include. Profiles are package subsets representing a specific use case of the module (these are handled by the flavor parameter of the package type).

Due to the significant difference between a package and a module, dnfmodule is an opt-in provider and should be explicitly specified in the manifest. PUP-9978

Boolean support for selboolean

The selboolean value property now accepts true and false values in addition to on and off. PUP-9963

Windows improvements

This release removes a dependency on .bat files when running Puppet as a service on Windows. PUP-9940

Resubmit facts at the end of an agent's run

Puppet submits facts when requesting a catalog, but if the agent modifies the system while applying the catalog, then the facts in PuppetDB won't be refreshed until the agent runs again, which may be 30 minutes depending on how runinterval is configured. This feature makes it possible to submit facts again at the end of the agent's run, after the catalog has been applied. To enable this feature, set resubmit_facts=true in the agent's puppet.conf. Resubmitting facts doubles the fact submission load on PuppetDB, since each agent will submit facts twice per run. This feature is disabled by default. PUP-5934

Experimental feature: catalog compilation with external trusted data from third parties

Use trusted_external_command to add trusted facts from an external source during catalog compilation.

PUP-9994

Hardened Linux Executable and Linkable Format (ELF) binaries

Linux ELF binaries and shared objects are now compiled with Position Independent Executables (PIE) support, stack canary, and Relocation Read-Only (RELRO). PA-2986

Certificate requests sometimes raised confusing error messages

Previously, when Puppet encountered a connection error, it would create a new exception with additional contextual information around what was causing the error. However, this new exception could cause an additional "Wrong number of arguments" error. Puppet now raises the original error and logs it with any additional contextual information. PUP-10121

The no_proxy setting ignored FQDN suffixes unless they had a leading wildcard or period

Previously, Puppet would only bypass a proxy if no_proxy had a leading wildcard or period. For example, *.example.comor .example.com. Puppet now bypasses the HTTP proxy if the no_proxy environment variable or puppet setting is a suffix of the destination server FQDN. PUP-10106

Puppet device runs would fail when specifying csr_attributes.yaml

The csr_attributes.yaml file can now be specified when requesting a certificate signing request for a device using puppet device --target devicename. PUP-10104

On certain Linux distributions, Puppet could incorrectly handle the service setting

On Linux distributions that do not have a default service provider, Puppet sometimes defaulted to using the defpath before verifying that runit was suitable. PUP-10102

Error messages for exec commands with paths that could not be resolved included sensitive data passed to the command

If an exec resource's command is not executable or cannot be resolved into a fully qualified path, Puppet now only prints the command, and not the potentially sensitive arguments passed to the command. Puppet also redacts the output of sensitive commands when the logoutput parameter is set to true, or the parameter is on_failure (the default), and the command fails. PUP-10100

Puppet wouldn't install dpkg sub-packages when ensure was set to held

Puppet now correctly installs dpkg sub-packages and sets them to held if ensure is set to held. PUP-10059

skip_tags was missing help documentation

Added help documentation for skip_tags. Contributed by cvquesty. PUP-10026

The deep_merge Ruby gem was vendored by Puppet

This release adds a runtime gem dependency for the deep_merge gem and ensures that the gem is no longer vendored. PUP-10014

Puppet couldn't manage pip resources if the pip command was in a directory containing spaces

Puppet can now manage pip resources in directories containing spaces, such as C:\Program Files\Python27on Windows. PUP-9647

User resource did not respect forcelocal for the comment parameter

Prior to this release, a user resource configured with forcelocal would still try to sync the comment parameter with the external directory services. PUP-9562

Pluginsynced module API improvements

If a module used a legacy Ruby (Puppet version 3) function, and it was pluginsynced (via puppet agent -t ), the function could not be loaded when using Puppet as a library.Puppet 3 API functions are now available from the cached lib directory. If a function exists in both version 3 and version 4, Puppet uses the version 4 implementation. PUP-9509

Improved handling of pip version detection during catalog compilation

Previously, the pip provider failed if pip --version did not emit the version on the first line of output. PUP-8986

The pip package provider did not use install_options when ensure was set to latest

Puppet now uses install_options whenever pip install is executed. PUP-8949

The systemd service provider failed on services whose names started with a dash

The systemd service provider can now manage services whose names start with a dash. Contributed by j-collier. PUP-7218

Improvements to working directory handling

Previously, if the cwd parameter was not specified, puppet would change its working directory to the current working directory, which was redundant and could fail if the current working directory was not accessible. Now, wxec resources only change the current working directory if the cwd parameter is specified in a manifest. PUP-5915

Puppet was unable to manage passwords for disabled Windows users

Puppet can now manage passwords for disabled Windows users. PUP-10021

Module installation performance with minitar improved

Installation time on larger modules has been improved. Previously, on platforms that had the minitar gem installed, mintar would fsync every directory and file, causing long extraction times during module installation. Puppet now uses minitar 0.9, with the fsync option turned off by default. PUP-10013

Automatic (delayed start) is now an option for Windows services

Puppet can now set Windows service startup type to Auto-Start (Delayed). To set a service to use this setting, set the enable parameter of the service resource to "delayed". PUP-6382

Module repository credentials redacted during installation

When you install a module, if the module repository URL includes credentials, Puppet now redacts the credentials in the command line output. PUP-9787

Sensitive values redacted in notify resource messages

Prior to this release, the notify resource leaked data if the message was a sensitive datatype with a raw value, not encapsulated in quotes. Now sensitive values are redacted when they are interpolated in a notify resource's message. PUP-9295

Ruby security update

Curl security update

This version includes a security update to curl 7.66.0 to address CVE-2019-5481 and CVE-2019-5482.

OpenSSL security update

This version upgrades OpenSSL to 1.1.1d to address CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563. For more details, see the OpenSSL Security Advisory.

Puppet tried to install packages that were already installed

Previously, Puppet incorrectly parsed the output of pip freeze when it reported package versions using the arbitrary equality operator, ===. As a result, Puppet treated the package as not installed and tried to reinstall it during every Puppet run. PUP-10015

Query parameters for HTTP and HTTPS file resources are preserved

When retrieving metadata and content for HTTP or HTTPS file resources, Puppet now preserves query parameters. Previously, Puppet requested only the path element of the URI and skipped the query parameters. PUP-9109

YAML output with special characters was not valid

Previously, the puppet resource --to_yaml and puppet device --to_yaml commands did not generate valid YAML if the output contained special characters such as a single quote. PUP-7808

serverip6 fact added

This release adds the serverip6 fact, which returns the server's IPv6 address. If Puppet cannot find either serverip or serverip6 facts, it returns a warning. PUP-5109

Agent startup logged at debug level in daemon mode

When running in daemon mode, Puppet logs the configuration used on agent startup at the debug level. The log is sent to the output specified by the --logdest option. Configuration is reloaded and also logged on SIGHUP. PUP-9754

puppet plugin information was not included in help

The puppet help command did not include help information for puppet plugin Now the plugin command is included in puppet help output. PUP-9959

system.d could not run as non-root

This release fixes a regression introduced in Puppet 6.8.0, where the systemd provider was prevented from working when running as non-root. For example, the command puppet resource service did not include systemd services. PUP-10016

puppet module uninstall now works in FIPS mode

Previously, the puppet module uninstall command failed if you ran it in FIPS mode. With the release, puppet module uninstall now works in FIPS mode, provided you specify either the --ignore_changes or --force arguments. If you do not specify one of these arguments, then uninstall fails, so that local changes to the module are not lost. PUP-9991

no_proxy setting correctly bypasses proxy even when HTTP_PROXY environment is set

Fixes a bug where Puppet attempted to use a proxy specified in the HTTP_PROXY environment variable, even though the no_proxy setting was set to bypass the proxy. PUP-9990

exec conditionals respect sensitive types

The exec type's onlyif and unless checks now return redacted output if it is marked sensitive. PUP-9956

install_only parameter added for yum, dnf providers

This release adds a new parameter, install_only, for yum and dnf package providers. Set this parameter for packages that should only be installed, but never updated, such as kernels. PUP-9605

Plug-in download speed improved

The puppet plugin download command now reuses HTTPS connections. This significantly speeds up the download process. PUP-8662

Puppet no longer ignores truncated file downloads caused by a Ruby issue

Prior to this release, Puppet silently ignored truncated file downloads, such as when using a file resource whose source parameter contained a puppet://, http://, or https:// URL. This issue was caused by a Ruby issue and is fixed in this release. PA-2849

Virtual package support removed for apt and dpkg providers

This release removes the virtual package support added for the dpkg and apt providers in the previous release.

Puppet 6.8.0 added virtual package support to these providers with an allow_virtual setting that defaulted to true. This caused issues because virtual packages are not enabled by default on apt and dpkg. PUP-9974

Fixed command execution with certain sensitive non-string arguments

Puppet could not execute commands with non-string arguments if the command was also marked as sensitive and the arguments were passed as an Array to the execute method. The issue is fixed for all providers, including the useradd provider. PUP-9973

puppet module install command prefers SHA-256 for verifying tarball

The puppet module install command now prefers SHA-256 when verifying the downloaded module tarball, but falls back to MD5 if necessary. PUP-9909

puppet-agent packages for Debian 10 added

A puppet-agent package for Debian is now available.

Virtual packages support for apt, dpkg

This release allows apt and dpkg providers to install virtual packages. By default, the allow_virtual setting defaults to true, which enables the ability to install virtual packages.

package { 'rubygems': ensure => 'latest' }

package {'rubygems': 
ensure => 'absent' 
allow_virtual => false 
}

This feature also address the Ubuntu reporting issue in MODULES-2047. PUP-9909

New no_proxy setting available in puppet.conf

You can now specify no_proxy as a Puppet setting, consistent with other http_proxy_* Puppet settings. The NO_PROXY environment variable takes precedence over the no_proxy Puppet setting. PUP-9316

bolt-shim module no longer required to run scripts over pxp-agent

Previously, to run a script over a pxp-agent, you had to first install the bolt_shim module. This fix allows pxp-agent to respond to requests to execute a script run action without the module. PUP-869

Agents now connect directly if target host is set to NO_PROXY

If the agent is configured to use an HTTP proxy, and it attempts to connect to a host that matches an entry in the NO_PROXY environment variable, then Puppet connects directly to the host instead of using the proxy. This feature was originally introduced in Puppet 4.2, but it did not work. PUP-9942

Windows components restarted on agent upgrades

During puppet-agent upgrades, Windows Network Components were sometimes restarted. This occurred when the upgrade process tried to modify a DLL file that was already loaded. This release fixes the issue, and Windows components no longer restart during upgrades. PA-2701

Conflict between puppet-agent and puppetserver packages resolved

Puppet might fail to load under JRuby 9.1, if puppet-agent 6.4 or greater and puppetserver 6.0.x were installed on the same host. PUP-9927

Services incorrectly reported as absent after change

When Puppet runs a resource service that changes the state of the service, the returned status would always fail, causing the ensure status of the service to be absent. Now Puppet correctly returns the service status when a change of the service is requested. PUP-9908

Passing code to the parser failed on STDIN

Resolved an issue where puppet parser validate failed with an error when a valid manifest was passed in through the STDIN pipe. PUP-9816

Puppet selects systemd

Puppet selects systemd as the default service provider on Debian 10, "buster". PUP-9752

Puppet repeated file mode changes on some Windows files

When puppet apply changes the mode on a file inside a protected Windows directory, Puppet changes the mode on every run, even if the desired mode matches the current mode. This fix improves the analysis of the file mode, so that if the desired mode matches the current mode, Puppet does not set the mode. PUP-9722

Passwords for the user type were output in Debug logging

User providers will not output exec command lines with passwords during debugging level logging. Instead, the passwords are now marked [redacted]. PUP-9585

Device certificates could be lost in backup and restore

Prior to this change, Puppet device certificates were stored under the cache directory. When the proxy agent for a device is the primary server, and the user executes a backup and restore, either manually or automated as in OpsWorks, the certificate and keys were lost, requiring certificate regeneration for those devices.

This fix moves the device certificate directory to a persistent path, leaving the old path as a symbolic link for compatibility purposes.

If you are using the device_manager module to manage your devices, upgrade to 3.0.1 or later to avoid deleting certificates from their new location. PUP-8736

systemd provider confined to init system matching systemd

This change allows the systemd provider to work in a chrooted environment. PUP-7312

HTTP connections did not support authenticating proxies

Agents could not connect through an authenticating HTTP proxy when making REST requests to Puppet infrastructure, such as when requesting a catalog. Now agents will observe the http_proxy_user and http_proxy_password settings or HTTP_PROXY_USER/PASSWORD environment variables when making those requests. PUP-4470

Puppet does not use proxy to connect to localhost

If an HTTP proxy is configured either in Puppet settings or the HTTP_PROXY_* environment variables, then Puppet does not use the proxy when connecting to localhost or 127.0.0.1. This behavior can be modified by changing the no_proxy setting in puppet.conf or the NO_PROXY environment variable. PUP-2172

Puppet was unable to appropriately manage SELinux file contexts

Previously, Puppet was unable to effectively manage the SELinux file context without restarting the Puppet service. This issue was due to an infinitely cached default context for each file. Now Puppet clears this cache after each catalog apply. PUP-2169

SSL-related API classes deprecated

Various classes are marked as deprecated in API documentation, and will be removed in a future major version of Puppet. Constructing an instance of Puppet::SSL::Host, attempting to get or set Puppet[:ssl_server_ca_auth], or attempting to set Puppet[:ssl_client_ca_auth] now generates a deprecation warning. PUP-9513

The following classes or methods are deprecated and will be removed in a future version of Puppet:

Catalog application failed with puppetlabs-ciscopuppet module

Catalog application failed when using a custom resource type whose automatic relationship method, such as autorequire or autobefore, returned an instance of Puppet::Type instead of a resource name. This occurred in particular when using the puppetlabs-ciscopuppet module. This issue was caused by a regression in Puppet 6.7.0. PUP-9926

Use of the mailalias resource type returned errors

Could not prefetch mailalias provider 'aliases': Could not 
parse line "mailer-daemon: postmaster" (file: /etc/aliases, line: 12

New ca_fingerprint setting verifies the CA bundle download against a fingerprint

openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '

Some commands could not be found

Some Puppet commands, such as puppet-infra, might not be found in the system PATH. This fix ensures that the relevant directory, opt/puppetlabs/bin, is available in the PATH. PA-2750

Custom MSI actions are logged

Custom MSI actions did not correctly log STDERR to the MSI log. PA-2691

--evaltrace option now shows total number of resources to be evaluated

The --evaltrace argument, used with the puppet agent and puppet apply commands, now returns the number of resources evaluated and the total number of resources to be evaluated. This option is useful for showing which resource in the catalog is being evaluated and the progress through the current catalog. PUP-9465

Provider autoloading issue fixed

In the 6.5.0 release, Puppet was unable to autoloading providers on some systems. This issue has been fixed. PUP-9794

pip provider error fixed

In the 6.5.0 release, Puppet encountered an undefined method error when running the pip provider. This issue has been fixed. PUP-9790

puppet agent --fingerprint returns the CSR hash

When you run the puppet agent --fingerprint command, if the agent doesn't have a client cert yet, thePuppet returns the SHA256 digest of the certificate request (CSR). This functionality was broken as of Puppet 6.4.0, and is now fixed. PUP-9720

Recurring Puppet runs exited on some SSL bootstrap errors

Recurring Puppet runs wait a specified amount of time while bootstrapping the SSL system, and then retry if an error is encountered. This behavior was broken as of Puppet 6.4.0, and this release restores the behavior.

The wait interval is controlled by the waitforce setting. One-time Puppet runs such as puppet agent --test or puppet agent --onetime do not retry, and instead exit when the first error occurs. PUP-9717

Lockfile retained old PID, causing agent failure

This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem.PUP-9691

Puppet now registers OIDs in the SSL application

SSL requests might sometimes return errors because Puppet was not registering OIDs in the SSL application. This is now fixed. PUP-9746

Use the staging_location parameter to customize the temporary location for new files

You can now use the staging_location parameter to render a file in a different location before you validate it with the validate_cms parameter. PUP-9389

Use puppet catalog compile to compile catalogs

The puppet catalog compile action works in the same way puppet server --compile worked before it was removed in Puppet 6.0.0. You must run the command on the puppetserver with access to your environments, modules, manifests, and Hiera data. PUP-9055

Create a Regexp with all special characters escaped

Create a Regexp that escapes all regexp special characters by adding a Boolean true as a second argument in a call to new. For example, Regexp(".[/", true) or Regexp.new(".[/", true). The default value is false. PUP-9554

Package providers now support an alternative gem command

Previously, package providers relied on $PATH for the default gem. This release adds a targetable feature to the package type, allowing package providers to implement a command attribute. The gem and pip providers now implement that attribute. This feature allows Puppet to manage packages in software collections, such as Red Hat Software Collections. PUP-6488

package { 'colorize':
  name     => 'colorize',
  provider => gem,
}

package { 'colorize-opt':
  name     => 'colorize',
  provider => gem,
  command  => '/opt/ruby/bin/gem',
}

Manage multiple Python installations with pip and pip3 package providers

You can now add a custom path to your pip and pip3 providers using a package command. If you have multiple Python installations, this allows you to point to a specific installation. PUP-1082

Specify the maximum amount of time an agent should wait for its certificate

By default, Puppet agents attempt to download their signed certificate indefinitely. This release adds a maxwaitforcert setting, which specifies the maximum amount of time an agent should wait for its certificate. Acceptable values are unlimited (the current behavior), or a duration such as 10m, or 1h. If you specify a duration, the agent waits the full amount of time and, if the certificate is not downloaded, exits with an error. PUP-3237

Elliptic-curve cryptography (ECC) key support

Specify a refresh interval for certificate revocation lists (CRLs)

Improved server_list output and error messaging

Previously, using config print to view your server_list would output a nested array that was difficult to read. Using config print now outputs the text in the same human-readable format as its entry in puppet.conf. Puppet uses the same human-readable output for errors you receive from being unable to connect to a server in server_list. PUP-9495

Improved JSON output support for validation errors

Fedora 30 support

This release adds puppet-agent support for Fedora 30. PA-2675

puppet device failed to manage multiple devices

The puppet device command would not manage multiple network devices in a single run. This was a regression introduced in Puppet 6.0.5. PUP-9587

Security update to curl

This release includes an update to curl to address security issues. See https://curl.haxx.se/docs/CVE-2019-5435.html and https://curl.haxx.se/docs/CVE-2019-5436.html for information about the CVEs. PA-2689

Amazon platforms now use yum as the default provider

Prior to this release, Amazon platforms did not have a default provider set. This resulted in Puppet trying to use the gem provider to install Amazon packages. PUP-9724

On Windows, Puppet no longer applies corrective changes to the administrator password on every Puppet run

Puppet now applies corrective changes to the administrator password only on the first run. PUP-9688

Improved syntax error feedback for legacy Ruby functions

If you loaded a legacy Ruby function with syntax errors, you'd get an error saying that your function "does not seem to be a Puppet 3x API function." Puppet now alerts you to syntax errors. PUP-9643

Password protected private key support for agent-only nodes

If a private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, the agent generates a key and uses the contents of the passfile to encrypt the key on disk using AES-128-CBC. If the agent already has an unencrypted private key, no change occurs. PUP-9466

Temporary files created from validate_cmd use the same permissions as the file resource

Prior to this release, the permissions of temporary files created by validate_cmd were different to the permissions defined on the file resource. PUP-8983

Uninstall an rpm package without specifying a version or build number

You can now remove a package with rpm package provider using ensure => absent without specifying a version or build number. PUP-8664

Tags specified via --skip_tags are no longer expanded by splitting on the namespace

Using --skip_tags split tags on the namespace separator (::) and caused Puppet to expand and skip all resources in the specified namespace. For example, using fruit:apples expanded and skipped ['fruit::apples', 'fruit', 'apples'] . PUP-8215

Improved error message when listing provider resources

You now get a more helpful error message if you try to list resources for a provider type that does not have the instances class method defined. PUP-4930

Performing two or more rapid-fire Puppet runs no longer results in a race condition

When an additional Puppet run was triggered immediately after Puppet had requested a certificate from the primary server, the primary server receives the original Certificate Signing Request (CSR) and continuously return the original certificate, which wouldn't match the new keys generated by the second Puppet run. PUP-2958

Removing a user resource on Solaris 11 installations with home directory configurations

Previously, trying to remove a user resource on a Solaris 11 installation using a home directory configuration resulted in an error. PUP-9706

Hiera 3 lookups with convert_to keys

If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with convert_to, you'd get an error: "undefined method 'call_function' for Hiera::Scope". PUP-9693

Perform string to integer conversions on decimal strings with leading zeros

Converting a decimal string with leading zeros – for example, Integer("08", 10)– to an integer would result in an error. PUP-9689

puppet device always initializes SSL directories with the correct permissions

When initializing new device certificates, puppet device would sometimes set permissions in a way that prevented the pe-puppet user from reading some directories PUP-9642.

The Windows package resource removes trailing whitespace

This release updates the Windows registry read method to replace null byte sequences with a space. This issue caused PuppetDB to discard updated facts from affected nodes. PUP-9639

Puppet no longer upgrades Debian upgrade packages before setting them on hold

Prior to this release, if you set a Debian package on hold with ensure => held and the package had a pending upgrade, Puppet installed the upgrade before locking the package. PUP-9564

Disabled Ruby 2.5.1 automatic HTTP retry mechanism

This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the Puppet Server report processor. PUP-3905

System updates to Ruby in the Puppet agent conflicted with other software

This release fixes an issue where the gem update --system command used in the Puppet agent caused conflicts with software that depends on gems in Puppet's vendored Ruby directory, such as r10k. Now gem paths always contain the path for this directory, even after updating. PA-2628

Dependency issues when installing tools that require gems

This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. If you tried to install tools that rely on gems such as Facter, Puppet and Hiera gem dependencies could not be referenced. PA-2670

HTTP certification requests

Debug: HTTP GET https://puppet.delivery.puppetlabs.net:8140/puppet/v3/file_metadatas/pluginfacts
returned 200 OK

Debug logging for the exec resource

• Running the exec resource with --debug and --noop now prints a debug message with the command if checks prevent it from being executed. If command, onlyif, or unless are marked as sensitive, all commands are redacted from the log output. PUP-9357

• Puppet now gives a debug message when checking the existence of a file specified by creates. PUP-9511

New method: Puppet::FileSystem.replace_file

Use Puppet::FileSystem.replace_file to replace a file. If a mode is specified, it will always be applied to the file. Otherwise, if the file being replaced exists, its mode will be preserved. If the file doesn't exist, then the mode will default to 0640. This method supersedes Puppet::Util.replace_file, which will be deprecated in a future release. PUP-9499

SSL Improvements

• Puppet no longer uses Puppet::SSL::Host. Puppet::SSL::Host will be deprecated in a future release. PUP-9459

• Puppet no longer saves its public key to disk, because the public key is derivable from its private key and is contained in its certificate. If you need to, you can extract the public key using $ openssl rsa -in $(puppet config print hostprivkey) -pubout. PUP-9459

• The puppet ssl, puppet device, and puppet agent applications are now the only applications that can initialize SSL. Puppet applications other than puppet agent, puppet device, and puppet ssl now raise an error if they attempt to make an SSL connection while the SSL bootstrap process is incomplete. PUP-9461 PUP-9459

• Added an API for loading certificates, keys, and certificate revocation lists (CRLs). PUP-9455

• Added an API for creating an SSLContext containing certificates and keys needed to make an SSL connection. PUP-9456

• Added a method to Puppet::Network::HttpPool to create an HTTPS connection using a specified SSLContext. PUP-9457

• Instead of using Puppet::SSL::HOST, puppet ssl now uses an SSL state machine to download certificate authority (CA) and certificate revocation list (CRL) bundles. PUP-9458

• Puppet preserves existing user and group behavior when saving SSL-related files. PUP-9463

• The new puppet ssl bootstrap action submits a CSR and downloads the client certificate without running puppet agent -t. PUP-9556

SUSE Linux Enterprise Server support removed

This release of the puppet-agent package removes support for SUSE Linux Enterprise Server 11/12 s390x. PA-2489

Ruby security patch in puppet-agent package

This puppet-agent package release includes a security patch for Ruby 2.5.3. To learn more about the CVEs that this patch address, see the Ruby security advisories. PA-2512

Resolved SSL issues

• Puppet no longer conditionally sends its certificate signing request (CSRs) based on the presence or absence of the file on disk. Instead it generates and sends the CSR whenever it needs to check for a certificate. Puppet still saves the CSR to disk, but it never reads it back in. PUP-4568

• Puppet no longer downloads the CSR from the server, so it can never get into a state where it saves the wrong CSR to disk, causing it to be stuck. As a result, it's now possible to enable allow_duplicate_certs=true and have the agent submit a CSR with the same name as a previous instance of the node. The admin still needs to revoke the old cert and sign the new CSR in order for the agent to get its certificate. PUP-2354

• Puppet no longer uses the indirector to handle certificates or keys. PUP-6207

• Puppet was too permissive about skipping SSL verification if no client certificate was found. Puppet now never downgrades verification based on the absence of a client certificate. PUP-7295

• Mismatched certificates were cached on the host, causing Puppet to print an error on each run until an admin removed the files. If a client certificate, Certificate Authority (CA) bundle, or certificate revocation list (CRL) bundle are invalid, Puppet now discards them. PUP-7903

• The error message for a mismatched certificates name was not helpful. When a Puppet agent tries to connect to an SSL server where the certificate does not match the hostname it is trying to connect to, it will now return the expected error message. PUP-8213

• The Puppet agent was not verifying its peer in an SSL connection when downloading a CRL. Puppet now verifies the server's SSL certificate when retrieving a CRL. PUP-9142

filebucket type server and port settings no longer have explicit defaults

For the filebucket type, server and port no longer have explicit default values in the type definition. If server is not set, it defaults to the first entry in server_list if set; otherwise, it defaults to server. If port is not set, it defaults to the port in the first entry of server_list if set; otherwise, it defaults to serverport. PUP-9025

Custom functions can now be correctly called

This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477

Puppet agent now produces an error when a functional server is not found

If server_list is set and a functional server is not found, Puppet returns an error rather than falling back to the server setting. PUP-9076

Optional type without arguments no longer returns an error

Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Supply a type argument with the desired type if the value is not undef. PUP-9467

Fixed remote MSI package installation on Windows

This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496

Corrective changes explicitly logged

Prior to this release, agent runs provided the same output for both intentional and corrective changes. Now corrective changes are now explicitly called out in the logs as corrective. PUP-9324

New collections and index functions

This release adds group_by and partition functions that operate on collections.

The group_by function is useful for separating targets into categories based on properties of those targets. The partition function allows you to use a Boolean condition to separate targets that otherwise be two opposite filter operations. PUP-9372

This release also adds an index() function that can return the index of a specified element in an Array, Hash, String, or other iterable value that is either equal to a given value or for which a given lambda returns a truthy value. PUP-9482

puppet-agent package added for macOS 10.14 Mojave

This release adds a puppet-agent package for macOS 10.14 Mojave.

On macOS 10.14 Mojave, you must grant Puppet Full Disk Access to be able to manage users and groups. To give Puppet access on a machine running macOS 10.14, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

Syntax errors on interpolated heredocs are resolved

Heredoc expressions with interpolation using an access expression such as $facts['somefact'] sometimes failed with a syntax error. This error was related to the relative location of the heredoc and surrounding whitespace and is now resolved. PUP-9303

Restarting pxp-agent service kills all processes when restarted

This release modifies the pxp-agent service to kill all pxp-agent processes when the service is restarted, rather than only the current process. PCP-833

Custom functions can now be correctly called

This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477

Optional type without arguments no longer returns an error

Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Always supply a type argument with the desired type if the value is not undef. PUP-9467

Invalid path to --logdest option was ignored

Now if you give a --logdest location that Puppet cannot find or write to, the run fails with an error. PUP-6571

Upstart provider evaluated during provider check instead of during loading

The upstart provider was being evaluated when loaded, causing issues with testing and availability during transactions. This has been fixed so that the provider is evaluated only when provider suitability is being checked. PUP-9336

Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrativeAPI to expire the cache as needed. PUP-9497

SublocatedExpression class

The AST SublocatedExpression class is no longer generated by the parser. The SublocatedExpressionclass itself will be removed from Puppet in a future release. PUP-9303

Improved support for Solaris pkg provider

This release adds support for install_options for the pkg provider on Solaris. PUP-5287

puppet-agent package available for Red Hat 8 beta

A puppet-agent package is available for the beta release of Red Hat 8. Because this Red Hat version is a beta release, not all functions are verified to work correctly. Do not use this version of puppet-agent in production.

Added protection against illegal methods in legacy functions

Puppet now protects against illegal method definitions in loaded legacy functions. Illegal methods in legacy functionsdisrupt the entire system and can cause difficult-to-diagnose issues. For information on how to remove such methods from legacy functions, see Refactoring legacy 3.x functions. PUP-9294

Puppet logs JSON in newline-delimited format

For newline-delimited JSON logs, set the logdest setting or command line option to an absolute path ending with the .jsonl extension, such as puppet agent --logdest /var/log/puppet.jsonl. This is preferable to the JSON format, since the generated log is not valid JSON and requires an appended closing ] to make it valid. PUP-8687

Fedora 27 puppet-agent package no longer available

Fedora 27 reached end of life in November 2018. Updated puppet-agent packages for this version are no longer available.

Fix for specifying package versions in portage provider

Prior to this release, you could not specify package versions when managing packages with the portage package provider. The provider now accepts and honors a version string for managing packages. PUP-9071

Exceptions encountered during resource pre-fetch are logged

If the Puppet agent encounters exceptions when pre-fetching resources for catalog application, it now logs the exceptions and returns a more useful error message. PUP-8962

Puppet commands fail if the puppet.conf file is unreadable

Puppet commands now fail if Puppet Server is unable to read the puppet.conf file. Only the --help and --version commands work if the puppet.conf file is unreadable. PUP-5575

Improved error handling for PNTransformer

When parsing Puppet into structured AST, the Puppet parser produced an error on some empty constructs because the PNTransformer could not resolve them. Now it generates a Nop expression instead. PUP-9400

Failed dependency resources are reported only once

After a failed resource has been reported, other resources that depend on the failed resource will not be reported again. However, you still get the skip message for each skipped resource. PUP-6562

Command line module installation improved

The puppet module install command now downloads only the release metadata it needs to perform dependency resolution, drastically reducing data download and improving installation time. For the puppetlabs-stdlib module, this change reduces the data download from 25MB to 68KB, and any module that depends on stdlib installs faster. PUP-9364

Puppet no longer ignores the srv_domain setting

This release fixes an issue where Puppet 6.0 ignored the srv_domain setting when using DNS SRV records to connect to the ca_server. PUP-9399

Package provider included in puppet resource default output

The puppet resource <package-name> command now includes the package provider as part of its output.

Clean certificates for remote nodes

The puppet ssl clean command now accepts a --target CERTNAME parameter to clean certificates for remote nodes configured through device.conf. PUP-9248

puppet-agent package available for Fedora 29

A puppet-agent package is now available for Fedora 29.

The systemd provider checks for new and changed units

When Puppet starts or restarts a service, the systemd provider checks to see whether the service requires a daemon reload, and reloads the systemd daemon if necessary. This ensures the service runs with the latest configuration on disk. PUP-3483

New service timeout parameter for Windows

On Windows systems, you can now specify a service timeout parameter that configures how long, in seconds, Puppet should wait when syncing service properties. PUP-9132

service { "service-name":
 enable => true,
   ensure => running,
   timeout => 45
}

Format strings with double quotes

You can now force strings to have double quotes when formatting strings with the String.new function. Previously, this function dynamically determined whether to use single quotes or double quotes for the string.

To force double quotes, specify the alternative format flag # when you specify the string format. PUP-9344

Service support for systemd on Linux Mint 18 and newer

This release adds support for services on Linux Mint 18 and newer, which use the init systemd instead of upstart for services. PUP-9326

Parser validation finds and reports syntax issues in heredocs

Heredoc syntax checking is now performed during validation, unless the heredoc contains any interpolated expressions. This includes manifest and EPP template syntax checks. Heredocs with interpolation are checked during evaluation. Prior to this release, heredoc syntax checks were run only during evaluation.

By default, heredocs are treated as text unless otherwise specified with the end-of-text tag, such as @(EOT:json), @(EOT:pp), or @(EOT:epp). To check syntax in heredocs, run puppet parser validate. PUP-9257

Improved handling of incompletely configured services

Puppet now treats incomplete services the same way as nonexistent services, returning enabled => false and ensure => :stopped in either case. If you try to set ensure => running or enabled => true on an incomplete or nonexistent service, Puppet raises an error. PUP-9240

Refreshed resource status now included in event report

This release fixes an issue where refreshed resources, such as reboot or some execs, did not create a status event in the event report. PUP-9339

Catalog compilation error fixed

When compiling a catalog, Puppet sometimes raised the error "Attempt to redefine entity." This issue has been fixed with an update to the internal logic. PUP-8002

The exec provider supports empty environment variables

Prior to this release, the exec provider did not support empty environment variables. If an empty environment variable is set on the system, Puppet temporarily overwrites it during execution.. PUP-1209

Puppet recognizes tmpfs support for SELinux labels

SELinux utilities within the Puppet codebase now recognize that the tmpfs supports extended attributes and SELinux labels. The query selinux_label_support? returns true for a file mounted on tmpfs. PUP-9330

Fixed recognition of short form Arrays and Hashes

This release fixes a regression in the string formatting rules that caused a short form for an Array or Hash to not be recognized. For example, String([1,[2,3],4], '%#a") would not format with indentation, but would format the long form String([1,[2,3],4], {Array => { format => '%#a"}}). Now the short form works for Array and Hash as intended. PUP-9329

puppet ssl clean now deletes local certificate requests

This release fixes an issue where the puppet ssl clean command did not correctly delete local certificate requests. PUP-9327

Resolved Timestamp and Timespan data type errors

Prior to this release, the data types Timestamp and Timespan raised errors if time range was specified with Integer or Float values. These data types now support time ranges specified with these values. PUP-9310

Select types moved to modules

In this release, many types were moved out of the Puppet codebase (stdlib), and into modules on the Forge. This change enables easier composability and reusability of the Puppet codebase and enables development to proceed more quickly without risk of destabilizing the rest of Puppet. Some types are now in supported modules and are repackaged back into the agent. Some are now in modules that are updated, but are not repackaged into the agent. And some are in modules that are deprecated, not updated, and not repackaged back into the agent.

See the Resource Type Reference for the full list and links to the Forge modules for those types that moved.

Resource API

Resource API has been added, providing a new, recommended method to create custom types and providers. The Resource API is built on top of the Puppet core and is easier, faster, and safer than the old types and providers method. See the Resource API documentation for more information.

Upgrade to Ruby 2.3 or later

Puppet now requires Ruby 2.3 or later, and reports an error when running older Ruby versions. We removed code paths for older Ruby support, such as 1.8.7, relaxed our gem dependencies to include gems that require Ruby 2 or up, and now test Puppet pull requests against JRuby 9k. PUP-6893, PUP-8483, PUP-8484

puppetserver ca command

The new puppetserver ca command replaces the puppet cert command. Running the puppet cert command results in an error, with instructions on alternative commands to use. Some actions (fingerprint, print) have not been directly replaced, because OpenSSL provides good equivalents. For verifying certificates, use puppet ssl verify. For more usage details, see the intermediate CA documentation. PUP-9022

node clean uses the Puppet Server CA API

The puppet node clean command now goes through the Puppet Server CA API to clean up certificates for a given node. This avoids issues where multiple entities attempt to revoke certs at once, because all of these updates are now funneled through the API, which handles concurrent requests correctly. See SERVER-115 and PUP-9108 for more information.

Agents can use CA and CRL bundles

The agent now correctly saves and loads chained SSL certificates and certificate revocation lists when in an environment where its certificates are issued by Puppet acting as an intermediate CA. PUP-8652

Load files from pluginsync during catalog application

Use the Deferred data type in a catalog to call functions on the agent before the catalog is applied. It is now possible to call all functions implemented in Ruby on the agent side. It is not possible to call functions written in the Puppet language, as they are not available on the agent. PUP-9035

puppet ssl subcommand

There is a new Puppet subcommand for working with SSL certificates. The puppet ssl command supports the submit_request, download_cert, and verify actions for working with SSL certificates on the agent. PUP-9028

File requirements included in task infoservice files responses

When requesting task details, the primary server now returns a list of all files from the tasks metadata files and implementations['files'] keys. PUP-9081

Devuan default service provider

The Devuan service provider now defaults to the Debian init provider. PUP-9048

apply statement in plan language

An apply keyword has been added to the Puppet parser when running with tasks enabled. See Puppet specifications for details. PUP-8977

Updated default input_method for task object type

The input_method property of tasks now defaults to undef rather than the string both. This allows more flexibility in defaults and what input_methods we choose to support in the future. PUP-8898

convert_to() function accepts additional arguments

convert_to() function now accepts additional arguments. Previously, it accepted only the data type to convert to. PUP-8761

compare function

A compare(a,b) function has been added. It returns -1, 0, or 1 depending on if a is before b, same as b, or after b. The function works with the comparable types: String, Numeric, Semver, Timestamp, and Timespan. For String comparison it is possible to ignore or take case into account. PUP-8693

Deferred data type

A new data type Deferred has been added. It is used to describe a function call that can be invoked at a later point in time. PUP-8635

Call function resolves Deferred values

It is now possible to resolve a Deferred value by using the call function. It can resolve a deferred function call, and a deferred variable dereference (with support to dig into a structured value). PUP-8641

Concatenate with + on Binary type

It is now possible to use the plus operator + to concatenate two Binary data type values. (PUP-8605) The sort() function has been moved from stdlib to Puppet. The function now also accepts a lambda for the purpose of using a custom compare. PUP-8622

Select string functions moved from stdlib to Puppet

The functions upcase(), downcase(), capitalize(), camelcase(), lstrip(), rstrip(), strip(), chop(), chomp(), and size() have been updated to the modern function API and the new versions are in Puppet and no longer require stdlib. The functions are generally backward compatible. PUP-8604

Select math functions moved from stdlib to Puppet

The math functions abs, ceil, floor, round, min, and max are now available in Puppet. The functions are compatible with the functions with the same name in stdlib with the added feature in min and max of calling them with a single array and being able to use a lambda with a custom compare. These stdlib math functions used inconsistent string to numeric conversions that were also unintentionally making the functions compare values in strange ways. The automatic conversions are now deprecated and will issue a warning. PUP-8603

Agent support for rich data content negotiation

The rich_data setting is now enabled by default. Catalog requests have two new content types, application/vnd.puppet.rich+json and application/vnd.puppet.rich+msgpack, that are used when both primary server and agent have this enabled (and depending on whether preferred_serialization_format is json or msgpack). PUP-8601

vendor_modules added to basemodulepath

The default basemodulepath now includes a vendored modules directory, which enables Puppet to load modules that are vendored in the puppet-agent package. To prevent Puppet from loading modules from this directory, change the basemodulepath back to its previous value, for example, on *nix: $codedir/modules:/opt/puppetlabs/puppet/modules. On Windows: $codedir/modules. PUP-8582

environment.conf modulepath accepts globs

The modulepath as defined in environment.conf can now accept globs in the path name. PUP-8556

Customize default package providers

This change adds a notdefaultfor that prevents a provider from being a default for a given set of facts. notdefaultfor overrides any defaultfor and should be defined more narrowly. PUP-8552

Define properties or parameters for types as sensitive

Parameters can now be marked sensitive at the class level rather than just the instance level. PUP-8514

Update default provider for Ubuntu

SystemD is now the default provider for Ubuntu 17.04 and 17.10. PUP-8495

Functions to use dot notation to dig into a hash or array

It is now possible to use dot notation to dig out a value from a structure, like in Hiera lookup and elsewhere in Puppet. To support this, the getvar() function has moved from stdlib to Puppet, and we have added a new function get(). You can now for example use getvar('facts.os.family') starting with the variable name. The get function is the general function which takes a value and a dot-notation string. PUP-7822

Puppet 4.x functions available to all modules

It is no longer required to have a dependency listed in a module’s metadata.json on another module in order to use functions or data types from the other module. PUP-6964

Updated addressable Ruby gem

Updated the version of the addressable Ruby gem now that JRuby 1.9.3 support has been removed. PUP-6894

Undeprecated certificate authority settings

Settings related to certificate authorities are no longer being deprecated as planned in PUP-9027. Warnings related to these planned deprecations have been removed. PUP-9116

Reported events didn't stringify rich data

With rich data turned on for a catalog (now the default), a report could contain rich data in reported events, but nothing downstream from the agent was prepared to handle rich data. This is now fixed so that data in reported events are stringified when needed. PUP-9093

Illegal top-level constructs didn't produce an appropriate error

The deprecation for illegal top-level constructs is now an error. PUP-9091

__ptype and __pvalue were allowed as attribute names

Attempt to use the reserved attribute names __ptype and __pvalue in custom Object data types now raises an error instead of producing a bad result when serializing such objects. PUP-9079

A hash containing the key __ptype couldn't be serialized using human-readable JSON

It was not possible to use a hash key __pcore_type in a hash because that triggered the special handling during serialization. Now, the special key has changed to __ptype and it is not possible to also use that as a key in a hash and still be able to serialize it, such as using it in a catalog. PUP-8976

Status endpoint wasn't used to determine if Puppet Server was available

When the agent is configured with a list of servers (using server_list), it now requests server status from the status endpoint instead of the node endpoint. PUP-8967

Selmodule thought 'foo' existed if 'myfoo' was loaded

The selmodule type is more strict about checking if a module has already been loaded, and no longer considers modules such as "bar" and "foobar" to be the same module. PUP-8943

Resource status of failed_to_restart wasn't included in reports

Puppet considers resources that have failed to restart when notified from another resource as failed, and marks them as such in reports. Reports also now include the failed_to_restart status for individual resources, instead of only including a total count of failed_to_restart resources in the resource metrics section. This bumps the report format version to 10. PUP-8908

File type wasn't redefined when required in code

Fixed an issue running in JRuby where we didn’t store autoloaded paths in the same way that the JRuby implementation did, leading to a bug where a type or provider could get loaded more than once. PUP-8733

Puppet lost track of the current environment

Puppet autoloader methods now require a non-nil environment. This is a breaking API change, but

not affect any user extensions like 3x functions. Puppet sometimes used the configured environment instead of the current environment to autoload. This mainly affected agents when loading provider features. Calling Puppet::Parser::Functions.autoloader.load* methods are deprecated, and issue a warning if strict mode is set to warning or error. Instead use Scope#call_function("myfunction") to call other functions from within a function. PUP-8696

Comparison of numeric to timestamp or timespan failed

When comparing numeric to timestamp or timespan it did not work to compare with the numeric value first. This is now fixed. PUP-8694

http_read_timeout and runtimeout defaults were limited

The http_read_timeout default changed from infinite to 10 minutes. This prevents the agent from hanging if there are network disruptions after the agent has sent an HTTP request and is waiting for a response that might never arrive. Similarly, the runtimeout default also changed from infinite to 1 hour. PUP-8683

tidy resource was too chatty

The tidy resource type now uses the debug log level for its File does not exist message, instead of the info level. This means that resources of this type will no longer emit the message by default when the target of the resource has already been cleaned from disk. PUP-8667

Agents didn't use the CRL bundle to verify primary server revocation status

With this change, if the user has distributed the CRL chain out-of-band, then the agent successfully loads it and uses it to verify its connection to other Puppet infrastructure (for example, the primary server). It expects the CRL chain to be one or more PEM-encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat in Puppet 5. PUP-8656

Puppet 5 and Ruby 2.4 couldn't handle invalid plists

When processing malformed plist files, we used to use /dev/stdout, which can cause Ruby to complain. We now use - instead which means to use stdout when processing the plist file with plutil. PUP-8545

White space surrounding comments in EPP were handled incorrectly

EPP comments <%# Like this %> always trimmed preceding whitespace. This is different from ERB making it more difficult to migrate ERB templates to EPP. There was also no way of making EPP preserve those spaces. Now, EPP comment does not trim preceding whitespace by default, and a new left trimming tag <%#- has been added. This is a backwards incompatibility in that code such as "Before <%# comment %>after" resulted in the string "Beforeafter", whereas now it will be "Before after". PUP-8476

filter function didn't accept truthy values

The filter function did not accept truthy value returned from the block as indication of values to include in the result. Only exactly Boolean true was accepted. PUP-8320

Unsafe YAML data could be loaded

Puppet now uses YAML.safe_load consistently to ensure only known classes are loaded. PUP-7834

Gemfile didn't support consuming the Puppet gem via a Git reference

Restructure the Puppet Gemfile so that bundler installs Puppet’s runtime, feature-related, and test dependencies by default. The development and documentation groups can be installed using: bundle install –with development documentation. PUP-7433

Puppet didn't use shared gem dependency for semantic_puppet

Puppet now uses the shared gem dependency for semantic_puppet, rather than loading its own vendored version. PUP-7157

Puppet, the agent, and Puppet Server didn't use a shared gem directory for semantic_puppet

Puppet now loads semantic_puppet from a shared gem directory, so that Puppet, the agent, and Puppet Server all require and use the same version of the gem. (~>1.0.x) PUP-7115

metrics.time.total didn't correlate to time reported in log

Total time now reports the measured time of the run instead of a sum of other run times. PUP-6344

Features weren't re-evaluated when a block was used

Puppet.features.add(:my_feature) do require 'mylib' end

Puppet.features.add(:my_feature, libs: ['my_lib']) 

Previously the result of the block was always cached. With this change only true or false return values are cached. To indicate that the state of the feature is unknown and may become available later, the block returns nil. PUP-5985

Manifests that declared things in the wrong namespace didn't trigger errors

Errors will be reported for module files declarations that have a namespace inconsistent with their directory and file location. PUP-4242

Invalid .dot files were generated by missing escapes of quoted strings

Generating graphs of catalogs (such as puppet apply --graph) now correctly handles resources with double quotes in the title. PUP-2838

Outdated vendored semantic_pupet gem

We have updated the vendored semantic_puppet gem in the puppet-agent package to the most recent version, 1.0.2. PA-1881

Certificate authority subcommands and v1 CA HTTP API

Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998

As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650

Ruby certificate authority

Puppet no longer has a Ruby CA. All CA actions now rely entirely on the Clojure implementation in Puppet Server. It can be interacted with by means of the CA API and the puppetserver ca command, which leverages the API using subcommands like those provided by puppet cert. PUP-8912

Trusted server facts

Trusted server facts are always enabled and the trusted_server_facts setting has been deprecated since 5.0. This removes the setting and conditional logic. PUP-8530

write_only_yaml node terminus

The write_only_yaml node terminus was used to “determine the list of nodes that the primary server knows about” and predated widespread PuppetDB adoption. The write_only_yaml has been deprecated since 4.10.5, and this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a compile. PUP-8528

LDAP node terminus

The LDAP node terminus has been removed. PUP-7601

computer, macauthorization, and mcx types and providers

The computer, macauthorization, and mcx types and providers have been moved to the macdslocal_core module. It is not repackaged into puppet-agent in the 6.0 series.

Nagios types

The Nagios types no longer ship with Puppet, and are now available as the puppetlabs/nagios_core module from the Forge.

Cisco network devices

The Cisco network device types no longer ship with Puppet. These types and providers have been deprecated in favor of the puppetlabs/cisco_ios module, which is available on the Forge. PUP-8575

:undef in types and providers

In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a primary server, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112

puppet module build command

To reduce the amount of developer tooling installed on all agents, this version of puppet removes the puppet module build command. To continue building module packages for the Forge and other repositories, install Puppet Development Kit (PDK). PUP-8763

pcore_type and pcore_value

The earlier experimental -rich_data format used the tags pcore_type and pcore_value, these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations you need to change them or write them again with the updated version. PUP-8597

Webrick

Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591)

puppet server command

The puppet server command and its subcommands have been removed. Instead, use a puppet-config command. PE-24280

–strict flag in puppet module command

The –strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558

Select settings

String duplication in 3x runtime converter

Types and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values and any type or provider that directly mutates a resource parameter might fail. Previously, every resource attribute was copied to not make application break even if they did mutate. Look for use of gsub! in your modules and replace logic with non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141

Puppet.newtype method

The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. ( PUP-7078)

Certificate handling commands deprecated but not removed