Puppet release notes

This version is out of date. For current versions, see Puppet packages and versions.

These are the new features, resolved issues, and deprecations in this version of Puppet.

Puppet 6.4.5

Released 14 January 2020

New features

Virtual package support for apt and dpkg providers

To allow virtual packages, ensure that the package's allow_virtual attribute is set to true in your Puppet resource file. PUP-10023

Package support for DNF modules

Puppet now supports managing DNF modules, which are groups of packages that represent an application, a language runtime, or any logical group.

Modules can be available in multiple streams, usually representing a major version of the software they include. Profiles are package subsets representing a specific use case of the module (these are handled by the flavor parameter of the package type).

Due to the significant difference between a package and a module, dnfmodule is an opt-in provider and should be explicitly specified in the manifest. PUP-9978

Windows security improvements

This release removes a dependency on .bat files when running Puppet as a service on Windows. PUP-9940

Resubmit facts at the end of an agent's run

Puppet submits facts when requesting a catalog, but if the agent modifies the system while applying the catalog, then the facts in PuppetDB won't be refreshed until the agent runs again, which may be 30 minutes (or however runinterval is configured). This feature makes it possible to submit facts again at the end of the agent's run, after the catalog has been applied. To enable this feature, set resubmit_facts=true in the agent's puppet.conf. Resubmitting facts doubles the fact submission load on PuppetDB, since each agent will submit facts twice per run. This feature is disabled by default. PUP-5934

Update to compilation warnings

This release includes improvements to the evaluator, meaning some compilation warnings now take less time to compute. PUP-10213

Improvements to PuppetStack.top_of_stack function

Performance of manifests that use the PuppetStack.top_of_stack function has been greatly improved. This includes manifests that use the puppetlabs-stdlib deprecation function or the pseudo keywords break, return, and next. PUP-10170

Merge dependency warnings

If a class has a failed dependency, every resource in that class generates a notice level message about the dependency failure and a warning level message about skipping the resource. At large-node and/or large-code scale, one dependency failure can create an overwhelming number of warnings. To collapse all messages caused by one class dependency failure into one message associated with the class, set merge_dependency_warnings=true. PUP-10017

OpenSSL 1.0.2 updated to 1.1.1d

OpenSSL 1.0.2 was end of life as of 31 Dec 2019. The OpenSSL version used in Puppet 5.5.x has been upgraded to OpenSSL 1.1.1d. PUP-3029

Deprecation warning for Windows Server 2008 and 2008 R2

On January 14, 2020 support for Windows Server 2008 and 2008 R2 will end. PUP-3018

forcelocal in AIX

Clarified user type documentation to reflect forcelocal parameter usage on AIX. PUP-7113

Resolved issues

Certificate requests sometimes raised confusing error messages

Previously, when Puppet encountered a connection error, it would create a new exception with additional contextual information around what was causing the error. However, this new exception could cause an additional "Wrong number of arguments" error. Puppet now raises the original error and logs it with any additional contextual information. PUP-10121

If the http_proxy environment variable was set, Puppet would ignore the no_proxy setting in puppet.conf

This release fixes a bug where Puppet would attempt to use a proxy specified in the http_proxy environment variable, even though Puppet[:no_proxy] was set to bypass the proxy. PUP-10112

The no_proxy setting ignored FQDN suffixes unless they had a leading wildcard or period

Previously, Puppet would only bypass a proxy if no_proxy had a leading wildcard or period. For example, *.example.com or .example.com. Puppet now bypasses the HTTP proxy if the no_proxy environment variable or puppet setting is a suffix of the destination server FQDN. PUP-10106
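
The matching rule above, together with the NO_PROXY precedence rule from the 6.4.4 notes, as an added Ruby example (not Puppet's own code). It assumes plain string-suffix comparison, as the note words it; the function names and host names are constructed for illustration.

```ruby
# Added illustration of the no_proxy rules described in these release notes.
# This is not Puppet's implementation; all names here are hypothetical.

# Returns the no_proxy list in effect. Per the 6.4.4 notes, the NO_PROXY
# environment variable takes precedence over the no_proxy Puppet setting.
def effective_no_proxy(env, setting)
  from_env = env['NO_PROXY']
  return from_env unless from_env.nil? || from_env.strip.empty?
  setting
end

# True when the destination host should be reached directly.
# Assumption: an entry matches when it is a string suffix of the FQDN,
# after dropping a leading "*" wildcard ("*.example.com" -> ".example.com").
def bypass_proxy?(host, no_proxy)
  return false if no_proxy.nil?
  fqdn = host.downcase.chomp('.')
  no_proxy.split(',').any? do |raw|
    entry = raw.strip.downcase
    next false if entry.empty?            # ignore empty list items
    fqdn.end_with?(entry.delete_prefix('*'))
  end
end

# Combines both rules: which route would a request to `host` take?
def route_for(host, env, setting)
  bypass_proxy?(host, effective_no_proxy(env, setting)) ? :direct : :proxy
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample hosts and entries.
  hosts   = %w[puppet.example.com notexample.com puppet.example.org]
  entries = ['*.example.com', '.example.com', 'example.com']
  entries.each do |entry|
    hosts.each do |h|
      puts format('%-16s %-20s %s', entry, h, route_for(h, {}, entry))
    end
  end
end
```

Under suffix comparison, a bare entry such as example.com also exempts any host whose name merely ends in that string, so the leading-period form is the narrower choice when reviewing which hosts skip the proxy.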

Error messages for exec commands with paths that could not be resolved included sensitive data passed to the command

If an exec resource's command is not executable or cannot be resolved into a fully qualified path, Puppet now only prints the command, and not the potentially sensitive arguments passed to the command. Puppet also redacts the output of sensitive commands when the logoutput parameter is set to true, or the parameter is on_failure (the default) and the command fails.

Puppet wouldn't install dpkg sub-packages when ensure was set to held

Puppet now correctly installs dpkg sub-packages and sets them to held if ensure is set to held. PUP-10059

Puppet couldn't manage pip resources if the pip command was in a directory containing spaces

Puppet can now manage pip resources in directories containing spaces, such as C:\Program Files\Python27 on Windows. PUP-9647

Sensitive values redacted in notify resource messages

Prior to this release, the notify resource leaked data if the message was a sensitive datatype with a raw value, not encapsulated in quotes. Now sensitive values are redacted when they are interpolated in a notify resource's message. PUP-9295

Improved handling of pip version detection during catalog compilation

Previously, the pip provider failed if pip --version did not emit the version on the first line of output. PUP-8986

The systemd service provider failed on services whose names started with a dash

The systemd service provider can now manage services whose names start with a dash. Contributed by j-collier. PUP-7218

Improvements to handling of working directory

Previously, if the cwd parameter was not specified, Puppet would change its working directory to the current working directory, which was redundant and could fail if the current working directory was not accessible. Now, exec resources only change the current working directory if the cwd parameter is specified in a manifest. PUP-5915

Introducing puppet_trace and bug fix in trace

This release fixes a bug where stacktraces from errors no longer had the Ruby stack frames interleaved with the Puppet stack frames when using trace. This release also introduces a new setting, puppet_trace, which prints the Puppet stack without the Ruby frames interleaved. If the trace setting is enabled, it overrides the value of puppet_trace. PUP-10150

Puppet loaded types and providers during environment convergence

Previously, Puppet agents could fail to apply a catalog if the agent switched environments based on node classification and if there were different versions of a module in those environments. As a result of this fix, an agent only loads types and providers once, converges to its server-assigned environment quickly, and only updates its cached catalog after the environment converges. PUP-10160

Premature loading of module-provided facts under -p

Previously, when running facter -p on Windows with custom facts or module facts that required additional files that were not present in $LOAD_PATH, an error would occur. Now, $LOAD_PATH will be set without using facter, getting it directly from the system environment. PUP-10136

Debian Puppet-agent package lacked SELinux Ruby library

Ruby SELinux libraries are now also provided for Debian and Ubuntu platforms. PUP-2985

puppetdb_query didn't respond to hostprivkey & hostcert settings

Previously, an override of the client certificate and corresponding private key in Puppet settings using the hostcert and hostprivkey was not possible. This fix restores that capability. PUP-10165

Package provider removed colon from package name

This fix corrects the implementation of a colon (":") as a version slot separator for Gentoo Linux. PUP-10124

When checking binary file changes, puppet agent -t, puppet apply --show_diff occasionally generated an error

Previously, puppet agent -t or puppet apply --show_diff could generate an error when trying to display the changes it made to a binary file. Puppet now detects this case and prints a generic message stating that the binary files differ. PUP-10097

Windows confused domain and local accounts

Puppet no longer checks for domain users or groups when managing local resources on Windows. This fix addresses a local user management issue occurring when an Active Directory account existed with the same name as the local user. PUP-10057

Incorrect HP-UX usermod syntax

The HP-UX provider forced command line arguments to usermod to be in a specific order. PUP-9391

Puppet 6.4.4

Released 15 October 2019

New features

New no_proxy setting available in puppet.conf

You can now specify no_proxy as a Puppet setting, consistent with other http_proxy_* Puppet settings. The NO_PROXY environment variable takes precedence over the no_proxy Puppet setting. PUP-9316

serverip6 fact added

This release adds the serverip6 fact, which returns the server's IPv6 address. If Puppet cannot find either serverip or serverip6 facts, it returns a warning. PUP-5109

puppet plugin information was not included in help

The puppet help command did not include help information for puppet plugin. Now the plugin command is included in puppet help output. PUP-9959

Module installation performance with minitar improved

Installation time on larger modules has been improved. Previously, on platforms that had the minitar gem installed, minitar would fsync every directory and file, causing long extraction times during module installation. Puppet now uses minitar 0.9, with this fsync option turned off by default. PUP-10013

Automatic (delayed start) is now an option for Windows services

Puppet can now set Windows service startup type to Auto-Start (Delayed). To set a service to use this setting, set the enable parameter of the service resource to "delayed". PUP-6382

Agent startup logged at debug level in daemon mode

When running in daemon mode, Puppet logs the configuration used on agent startup at the debug level. The log is sent to the output specified by the --logdest option. Configuration is reloaded and also logged on SIGHUP. PUP-9754

Resolved issues

Agents now connect directly if target host is set to NO_PROXY

If the agent is configured to use an HTTP proxy, and it attempts to connect to a host that matches an entry in the NO_PROXY environment variable, then Puppet connects directly to the host instead of using the proxy. This feature was originally introduced in Puppet 4.2, but it did not work. PUP-9942

HTTP connections did not support authenticating proxies

Agents could not connect through an authenticating HTTP proxy when making REST requests to Puppet infrastructure, such as when requesting a catalog. Now agents will observe the http_proxy_user and http_proxy_password settings or HTTP_PROXY_USER/PASSWORD environment variables when making those requests. PUP-4470

Puppet does not use proxy to connect to localhost

If an HTTP proxy is configured either in Puppet settings or the HTTP_PROXY_* environment variables, then Puppet does not use the proxy when connecting to localhost or This behavior can be modified by changing the no_proxy setting in puppet.conf or the NO_PROXY environment variable. PUP-2172

exec conditionals respect sensitive types

The exec type's onlyif and unless checks now return redacted output if it is marked sensitive. PUP-9956

Plug-in download speed improved

The puppet plugin download command now reuses HTTPS connections. This significantly speeds up the download process. PUP-8662

Puppet no longer ignores truncated file downloads caused by a Ruby issue

Prior to this release, Puppet silently ignored truncated file downloads, such as when using a file resource whose source parameter contained a puppet://, http://, or https:// URL. This issue was caused by a Ruby issue and is fixed in this release. PA-2849

Puppet tried to install packages that were already installed

Previously, Puppet incorrectly parsed the output of pip freeze when it reported package versions using the arbitrary equality operator, ===. As a result, Puppet treated the package as not installed and tried to reinstall it during every Puppet run. PUP-10015

Query parameters for HTTP and HTTPS file resources are preserved

When retrieving metadata and content for HTTP or HTTPS file resources, Puppet now preserves query parameters. Previously, Puppet requested only the path element of the URI and skipped the query parameters. PUP-9109

YAML output with special characters was not valid

Previously, the puppet resource --to_yaml and puppet device --to_yaml commands did not generate valid YAML if the output contained special characters such as a single quote. PUP-7808

Ruby security update

This version upgrades the Ruby version to 2.5.7 to address security issues:

Curl security update

This version includes a security update to curl 7.66.0 to address CVE-2019-5481 and CVE-2019-5482.

OpenSSL security update

This version updates OpenSSL to 1.1.1d to address CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563. For more details, see the OpenSSL Security Advisory.

Puppet 6.4.3

Released 16 July 2019

Resolved issues

Puppet no longer upgrades Debian upgrade packages before setting them on hold

Prior to this release, if you set a Debian package on hold with ensure => held and the package had a pending upgrade, Puppet would install the upgrade before locking the package. PUP-9564

Disabled Ruby 2.5.1 automatic HTTP retry mechanism

This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the puppetserver report processor. PUP-3905

Security update to curl

This release includes an update to curl to address security issues. See https://curl.haxx.se/docs/CVE-2019-5435.html and https://curl.haxx.se/docs/CVE-2019-5436.html for information about the CVEs. PA-2689

Hiera 3 lookups with convert_to keys

If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with convert_to, you'd get an error: "undefined method 'call_function' for Hiera::Scope". PUP-9693

Ruby in the Puppet agent caused issues with other components

This release fixes an issue where the gem update --system command used in the Puppet agent caused conflicts with software that depends on gems in Puppet's vendored Ruby directory, such as r10k. Now gem paths always contain the path for this directory, even after updating. PA-2628

puppet agent --fingerprint returns the CSR hash

When you run the puppet agent --fingerprint command, if the agent doesn't have a client cert yet, Puppet returns the SHA256 digest of the certificate request (CSR). This functionality was broken as of Puppet 6.4.0, and is now fixed. PUP-9720

Recurring Puppet runs exited on some SSL bootstrap errors

Recurring Puppet runs wait a specified amount of time while bootstrapping the SSL system, and then retry if an error is encountered. This behavior was broken as of Puppet 6.4.0, and this release restores the behavior.

The wait interval is controlled by the waitforcert setting. One-time Puppet runs such as puppet agent --test or puppet agent --onetime do not retry, and instead exit when the first error occurs. PUP-9717

Lockfile retained old PID, causing agent failure

This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem. PUP-9691

Puppet now registers OIDs in the SSL application

SSL requests might sometimes return errors because Puppet was not registering OIDs in the SSL application. This is now fixed. PUP-9746

Augeas updated

Update Augeas to 1.12.0, which includes the always_query_group_plugin keyword. PA-2562

puppet resource cron command now returns Solaris crontabs

This release fixes reading of crontabs using Puppet for Solaris 11. Now crontabs for all users are listed when running puppet resource cron. PUP-9697

Agent now requires findutils as a dependency

Prior to this release, Puppet agent required find, but didn't correctly declare it as a dependency. The agent now requires findutils as a dependency. PA-2629

Dependency issues when installing tools that require gems

This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. If you tried to install tools that rely on gems such as Facter, Puppet and Hiera gem dependencies could not be referenced. PA-2670

Agent runs no longer fail if regional language is Arabic (UAE)

The Puppet agent failed to run if the Regional language was changed to Arabic (United Arab Emirates). Now if the code page is not available in Ruby, the handler reverts to UTF-8 and the agent does not fail. PA-2191

Library failure on AIX 7

If LD_LIBRARY_PATH was set on an AIX 7 node, Puppet might fail with the following error:
libfacter was not found. Please make sure it was installed to the expected location.
This error is now fixed. PA-2668

Custom MSI actions are logged

Custom MSI actions did not correctly log STDERR to the MSI log. PA-2691

Some commands could not be found

Some Puppet commands, such as puppet-infra, might not be found in the system PATH. This fix ensures that the relevant directory, opt/puppetlabs/bin, is available in the PATH. PA-2750

Puppet 6.4.2

Released 30 April 2019

Resolved issues

Critical security patch to libxslt version in Puppet

The libxslt version packaged in puppet-runtime is now updated to version 1.11.33. This update patches a critical security issue in libxslt. See CVE-2019-11068 for details about this vulnerability. PA-2667

--logdest option accepts multiple logging destinations

This release fixes an issue where you could no longer specify multiple logging destinations on the command line with the --logdest option. This feature stopped working after we added the ability to specify a logging destination in puppet.conf. PUP-9565

Improved error message for certificate that doesn't match hostname

Prior to this release, agents printed a cryptic error message when connecting to an SSL server whose certificate did not match the hostname the agent tried to connect to. This was a regression when running on Ruby 2.4 or later, because of differences in how Ruby reports the mismatched certificate. Puppet now prints the expected error message. PUP-8213

Task parameter values no longer logged

Because parameters for task execution may be sensitive, the pxp-agent no longer logs or writes parameter values to disk. PCP-814

Documentation options changed to provide rubygems compatibility

Puppet now uses the --no-document option to exclude documentation when installing gems, instead of the deprecated --no-rdoc and --no-ri options. This change allows compatibility with rubygems 3.0 and greater. PUP-9395

Puppet 6.4.1

Released 16 April 2019

New features

Certificate download error message improved

The error message returned when the certificate can't be downloaded has been improved, to help make it clear when the agent is waiting for the cert to be signed on the CA. PUP-3122

Documentation improved for allow_duplicate_certs setting

Documentation for the allow_duplicate_certs setting has been updated to indicate that the setting allows new requests to overwrite old requests, but it doesn't overwrite an existing cert. The request still needs to be signed for that to happen. PUP-9574

Performance improvements to puppet device

This release improves performance of puppet device by removing redundant work during initialization. PUP-9584

puppet-agent support removed for Cumulus 2.2, Debian 7

This release removes puppet-agent support for:
  • Cumulus 2.2 (amd64)

  • Debian 7 (x86_64, i386)

Resolved issues

Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrative API to expire the cache as needed. PUP-9497

puppet device failed to manage multiple devices

The puppet device command would not manage multiple network devices in a single run. This was a regression introduced in Puppet 6.0.5. PUP-9587

puppet device could not manage network devices

This release fixes a regression in Puppet 6.4.0 that prevented the device application from being able to manage network devices. PUP-9579

waitforcert option did not work with puppet device

This release fixes a regression in 6.4.0 that prevented Puppet's waitforcert option from working with the puppet device application. PUP-9589

Debug mode now shows server_list error correctly

Prior to this release, use of the server_list setting could cause misleading agent errors. Now, when running in debug mode, Puppet prints the exception that caused it to skip an entry in the server_list setting. PUP-8036

Debug output shows origin of server setting

This release adds information to debug output that specifies whether the server setting originates from the server or server_list setting in the configuration. PUP-9470

puppet device --apply failed to apply catalog to unregistered targets

With these changes, the puppet device command properly initializes the private directories required for compiling and running catalogs. PUP-9047

ASCII characters in cert names caused issues with string operations

Previously if Puppet agents or servers used a CA-issued certificate containing non-US ASCII characters, then the agent would not correctly render the name of the CA in its output, such as when running puppet ssl verify. PUP-9472

Puppet 6.4.0

Released 26 March 2019

New features

HTTP certification requests

When run with debug, Puppet now prints the HTTP request and the response information. For example:
Debug: HTTP GET https://puppet.delivery.puppetlabs.net:8140/puppet/v3/file_metadatas/pluginfacts
returned 200 OK

Debug logging for the exec resource

This version introduces the following improvements to debug logging for the exec resource:
  • Running the exec resource with --debug and --noop now prints a debug message with the command if checks prevent it from being executed. If command, onlyif, or unless are marked as sensitive, all commands are redacted from the log output. PUP-9357

  • Puppet now gives a debug message when checking the existence of a file specified by creates. PUP-9511

New method: Puppet::FileSystem.replace_file

Use Puppet::FileSystem.replace_file to atomically replace a file. If a mode is specified, it will always be applied to the file. Otherwise, if the file being replaced exists, its mode will be preserved. If the file doesn't exist, then the mode will default to 0640. This method supersedes Puppet::Util.replace_file, which will be deprecated in a future release. PUP-9499
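
The mode rules above, as an added stand-alone Ruby example (not Puppet's own code and not a call into Puppet::FileSystem). The atomic_replace and demo_modes names and the example.conf file are hypothetical; the temporary file is created in the target's directory so the final rename stays on one filesystem.

```ruby
require 'securerandom'
require 'tmpdir'

# Default taken from the release note: used when no mode is given and the
# target does not exist yet.
DEFAULT_MODE = 0o640

# Hypothetical helper mirroring the semantics described in the note:
#   1. an explicit mode is always applied;
#   2. otherwise an existing file keeps its current mode;
#   3. otherwise the mode defaults to 0640.
# Yields an open File for the caller to write the new content into.
def atomic_replace(path, mode = nil)
  mode ||= File.exist?(path) ? (File.stat(path).mode & 0o7777) : DEFAULT_MODE
  tmp_path = File.join(File.dirname(path),
                       ".#{File.basename(path)}.#{SecureRandom.hex(8)}")
  begin
    # EXCL refuses to reuse a pre-existing name; 0600 keeps the partial file
    # private until the final mode is applied.
    File.open(tmp_path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      yield f
      f.flush
      f.fsync
      f.chmod(mode)   # set permissions before the file becomes visible
    end
    # rename replaces the target in one step: readers see either the old
    # file or the complete new one, never a partial write.
    File.rename(tmp_path, path)
  ensure
    File.unlink(tmp_path) if File.exist?(tmp_path)
  end
  mode
end

# Exercises the three mode rules in a scratch directory (constructed input).
def demo_modes
  Dir.mktmpdir do |dir|
    target = File.join(dir, 'example.conf')
    results = {}

    atomic_replace(target) { |f| f.write("v1\n") }          # new file
    results[:created] = File.stat(target).mode & 0o7777

    File.chmod(0o600, target)
    atomic_replace(target) { |f| f.write("v2\n") }          # existing file
    results[:preserved] = File.stat(target).mode & 0o7777

    atomic_replace(target, 0o644) { |f| f.write("v3\n") }   # explicit mode
    results[:explicit] = File.stat(target).mode & 0o7777

    results[:content]   = File.read(target)
    results[:leftovers] = Dir.children(dir) - ['example.conf']
    results
  end
end

p demo_modes if __FILE__ == $PROGRAM_NAME
```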

SSL Improvements

This version introduces several features to improve Puppet agent's SSL subsystem, including the introduction of an SSL state machine. For information on agent-side checks and HTTPS requests, see Agent-master HTTPS communications. PUP-9459
The following SSL improvements have been made:
  • Puppet no longer uses Puppet::SSL::Host. Puppet::SSL::Host will be deprecated in a future release. PUP-9459

  • Puppet no longer saves its public key to disk, because the public key is derivable from its private key and is contained in its certificate. If you need to, you can extract the public key using $ openssl rsa -in $(puppet config print hostprivkey) -pubout. PUP-9459

  • The puppet ssl, puppet device, and puppet agent applications are now the only applications that can initialize SSL. Puppet applications other than puppet agent, puppet device, and puppet ssl now raise an error if they attempt to make an SSL connection while the SSL bootstrap process is incomplete. PUP-9461 PUP-9459

  • Added an API for loading certificates, keys, and certificate revocation lists (CRLs). PUP-9455

  • Added an API for creating an SSLContext containing certificates and keys needed to make an SSL connection. PUP-9456

  • Added a method to Puppet::Network::HttpPool to create an HTTPS connection using a specified SSLContext. PUP-9457

  • Instead of using Puppet::SSL::Host, puppet ssl now uses an SSL state machine to download certificate authority (CA) and certificate revocation list (CRL) bundles. PUP-9458

  • Puppet preserves existing user and group behavior when saving SSL-related files. PUP-9463

  • The new puppet ssl bootstrap action submits a CSR and downloads the client certificate without running puppet agent -t. PUP-9556

SUSE Linux Enterprise Server support removed

This release of the puppet-agent package removes support for SUSE Linux Enterprise Server 11/12 s390x. PA-2489

Resolved issues

Ruby security patch in puppet-agent package

This puppet-agent package release includes a security patch for Ruby 2.5.3. To learn more about the CVEs that this patch addresses, see the Ruby security advisories. PA-2512

Resolved SSL issues

Improvements in the SSL subsystem (PUP-9459) have resolved the following issues:
  • Puppet no longer conditionally sends its certificate signing requests (CSRs) based on the presence or absence of the file on disk. Instead it generates and sends the CSR whenever it needs to check for a certificate. Puppet still saves the CSR to disk, but it never reads it back in. PUP-4568

  • Puppet no longer downloads the CSR from the server, so it can never get into a state where it saves the wrong CSR to disk, causing it to be stuck. As a result, it's now possible to enable allow_duplicate_certs=true and have the agent submit a CSR with the same name as a previous instance of the node. The admin still needs to revoke the old cert and sign the new CSR in order for the agent to get its certificate. PUP-2354

  • Puppet no longer uses the indirector to handle certificates or keys. PUP-6207

  • Puppet was too permissive about skipping SSL verification if no client certificate was found. Puppet now never downgrades verification based on the absence of a client certificate. PUP-7295

  • Mismatched certificates were cached on the host, causing Puppet to print an error on each run until an admin removed the files. If a client certificate, Certificate Authority (CA) bundle, or certificate revocation list (CRL) bundle are invalid, Puppet now discards them. PUP-7903

  • The error message for a mismatched certificate name was not helpful. When a Puppet agent tries to connect to an SSL server where the certificate does not match the hostname it is trying to connect to, it will now return the expected error message. PUP-8213

  • The Puppet agent was not verifying its peer in an SSL connection when downloading a CRL. Puppet now verifies the server's SSL certificate when retrieving a CRL. PUP-9142

filebucket type server and port settings no longer have explicit defaults

For the filebucket type, server and port no longer have explicit default values in the type definition. If server is not set, it defaults to the first entry in server_list if set; otherwise, it defaults to server. If port is not set, it defaults to the port in the first entry of server_list if set; otherwise, it defaults to masterport. PUP-9025

Custom functions can now be correctly called

This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477

Puppet agent now produces an error when a functional server is not found

If server_list is set and a functional server is not found, Puppet returns an error rather than falling back to the server setting. PUP-9076

Optional type without arguments no longer returns an error

Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. You should always supply a type argument with the desired type if the value is not undef. PUP-9467

Fixed remote MSI package installation on Windows

This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496


Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrative API to expire the cache as needed. PUP-9497

SublocatedExpression class

The AST SublocatedExpression class is no longer generated by the parser. The SublocatedExpression class itself will be removed from Puppet in a future release. PUP-9303

Certificate authority subcommands and v1 CA HTTP API

Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998

As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650

For details on changes and the new commands, see our documentation about certificates and SSL.

Ruby certificate authority 

Puppet no longer has a Ruby CA. All CA actions now rely entirely on the Clojure implementation in Puppet Server. It can be interacted with by means of the CA API and the puppetserver ca command, which leverages the API using subcommands like those provided by puppet cert. PUP-8912

Trusted server facts

Trusted server facts are always enabled and have been deprecated since 5.0. This removes the setting and conditional logic. PUP-8530

write_only_yaml node terminus

The write_only_yaml node terminus was used to “determine the list of nodes that the master knows about” and predated widespread PuppetDB adoption. The write_only_yaml has been deprecated since 4.10.5, and this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a compile. PUP-8528

LDAP node terminus

The LDAP node terminus has been removed. PUP-7601

computermacauthorization, and mcx types and providers

The computermacauthorization, and mcx types and providers have been moved to the macdslocal_core module. It is not repackaged into puppet-agent in the 6.0 series.

Nagios types

The Nagios types no longer ship with Puppet, and are now available as the puppetlabs/nagios_core module from the Forge.

Cisco network devices

The Cisco network device types no longer ship with Puppet. These types and providers have been deprecated in favor of the puppetlabs/cisco_ios module, which is available on the Forge. PUP-8575

:undef in types and providers

In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply, types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a master, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112

puppet module build command

To reduce the amount of developer tooling installed on all agents, this version of Puppet removes the puppet module build command. To continue building module packages for the Forge and other repositories, install Puppet Development Kit (PDK). PUP-8763

pcore_type and pcore_value

The earlier experimental -rich_data format used the tags pcore_type and pcore_value; these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations, you need to change them or write them again with the updated version. PUP-8597


Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591

puppet master command

The puppet master command and its subcommands have been removed. Instead, use a puppet-config command. PE-24280

--strict flag in puppet module

The --strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558

Select settings

The following settings have been removed:
  • The previously deprecated configtimeout setting has been removed in favor of the http_connect_timeout and http_read_timeout settings. PUP-8534

  • The unused ignorecache setting has been removed. PUP-8533

  • The previously deprecated pluginsync setting has now been removed. The agent’s pluginsync behavior is controlled based on whether it is using a cached catalog or not. PUP-8532

  • The deprecated app_management setting has now been removed. Previously, this setting was ignored, and always treated as though it was set to be on. PUP-8531

  • The deprecated ordering setting has been removed, and catalogs now always have the ordering previously provided by the manifest value of this setting. PUP-6165

  • Settings related to the rack webserver from Puppet, including binaddress and masterhttplog. PUP-3658

String duplication in 3x runtime converter

Types and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values, and any type or provider that directly mutates a resource parameter may fail. Previously, every resource attribute was copied so that applications did not break even if they mutated a value. Look for uses of gsub! in your modules and replace the logic with a non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141

Puppet.newtype method

The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. (PUP-7078)

Certificate handling commands deprecated but not removed

The following subcommands were deprecated in a previous version and slated for removal in this version. While these subcommands are still deprecated, they have not yet been removed.
  • ca_name
  • cadir
  • cacert
  • cakey
  • capub
  • cacrl
  • caprivatedir
  • csrdir
  • signeddir
  • capass
  • serial
  • autosign
  • allow_duplicate_certs
  • ca_ttl
  • cert_inventory