Puppet known issues

These are the known issues in this version of Puppet.

User and group management on macOS 10.14 requires Full Disk Access

To manage users and groups with Puppet on macOS 10.14, you must grant Puppet Full Disk Access (FDA). You must also grant FDA to the parent process that triggers your Puppet run. For example:
  • To run Puppet in a server-agent infrastructure, you must grant FDA to the pxp-agent.

  • To run Puppet from a remote machine with SSH commands, you must grant FDA to sshd.

  • To run Puppet commands from the terminal, you must grant FDA to Terminal.app.

To give Puppet access on a machine running macOS 10.14, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable, along with any other parent processes you use to run Puppet. For detailed steps, see Add full disk access for Puppet on macOS 10.14 and newer. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

Hiera knockout_prefix is ineffective in hierarchies more than three levels deep

When specifying a deep merge behaviour in Hiera, the knockout_prefix identifier is effective only against values in an adjacent array, and not in hierarchies more than three levels deep. HI-223

Specify the epoch when using version ranges with the yum package provider

When using version ranges with the yum package provider, you must specify the epoch as part of each version in the range. If you omit it, the provider uses the implicit epoch `0`. For more information, see the RPM packaging guide. PUP-10298
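
The effect of the implicit epoch, shown as an added example (not Puppet's or the yum provider's code): a simplified Ruby version of RPM epoch:version-release ordering, in which the epoch is compared before anything else. The helper names and the sample package version are assumptions made for illustration, and rpm's tilde and caret rules are left out.

```ruby
# Added illustration, not Puppet's code: simplified RPM epoch:version-release
# ordering, to show how the implicit epoch 0 changes a range match.

# Split "epoch:version-release" into [epoch, version, release].
# A missing epoch is treated as 0, as the known issue describes.
def parse_evr(str)
  epoch, rest = str.include?(':') ? str.split(':', 2) : ['0', str]
  version, release = rest.split('-', 2)
  [epoch.to_i, version, release]
end

# Simplified segment comparison: numeric runs compare as integers,
# alphabetic runs as strings, and a numeric run outranks an alphabetic one.
def cmp_segments(a, b)
  sa = a.to_s.scan(/\d+|[a-zA-Z]+/)
  sb = b.to_s.scan(/\d+|[a-zA-Z]+/)
  sa.zip(sb).each do |x, y|
    return 1 if y.nil? # a has segments left over, so it is newer
    xn = x.match?(/\A\d/)
    yn = y.match?(/\A\d/)
    return (xn ? 1 : -1) if xn != yn
    c = xn ? (x.to_i <=> y.to_i) : (x <=> y)
    return c unless c.zero?
  end
  sa.length <=> sb.length
end

# Epoch is compared first; version and release only break ties.
def cmp_evr(a, b)
  ea, va, ra = parse_evr(a)
  eb, vb, rb = parse_evr(b)
  c = ea <=> eb
  c = cmp_segments(va, vb) if c.zero?
  c = cmp_segments(ra, rb) if c.zero? && ra && rb
  c
end

# Hypothetical helper: true when min < candidate < max.
def in_range?(candidate, min, max)
  cmp_evr(candidate, min) > 0 && cmp_evr(candidate, max) < 0
end

# Constructed sample: a package built with epoch 1.
CANDIDATE = '1:2.5.0-1.el7'
puts in_range?(CANDIDATE, '2.0.0', '3.0.0')     # bounds fall back to epoch 0
puts in_range?(CANDIDATE, '1:2.0.0', '1:3.0.0') # epoch stated in the range
```

With epoch-less bounds, any package carrying a non-zero epoch compares as newer than the upper bound, so the range never matches it regardless of its version string.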

Deferred functions can only use built-in Puppet types

Deferred functions can only use types that are built into Puppet (for example, String). They cannot use types from modules like stdlib because Puppet does not plugin-sync these types to the agent. PUP-8600

The Puppet agent installer fails when systemd is not present on Debian 9

The puppet-agent package does not include sysv init scripts for Debian 9 (Stretch) and newer. If you have disabled or removed systemd, puppet-agent installation and Puppet agent runs can fail.

Upgrading Windows agent fails with ScriptHalted error

Registry references to nssm.exe were removed in PA-3263. Upgrading from a version without this update to a version that contains it triggers a Windows SecureRepair sequence that fails if any of the files delivered in the original *.msi package are missing. This is an issue when upgrading to one of the following Puppet agent versions: 5.5.21, 5.5.22, 6.17.0, 6.18.0, 6.19.0, 6.19.1, 6.20.0, 7.0.0, 7.1.0 or 7.3.0. To work around this issue, put the *.msi file for the currently installed version in the C:\Windows\Installer folder before you upgrade. Starting with Puppet agent 6.21.0 and 7.4.0, the nssm.exe registry value will be replaced with an empty string, instead of the registry key being removed, to avoid triggering Windows SecureRepair. PA-3545