Puppet known issues

These are the known issues in this version of Puppet.

Package collection on MacOS triggers attempt to install developer tools for Python

When running Puppet 7.8.0 on macOS, Puppet may attempt to collect Python packages, which are no longer used in macOS. An error message states that PIP packages cannot be collected, with a prompt to install associated command-line developer tools. This behavior is triggered by a stub executable present in macOS. PUP-11508

Puppet lookups fail to interpolate topscope variables when an environment is specified

In Puppet 6.26 and 7.14, the lookup command fails to resolve toplevel facts in hiera configs if you're using the --environment option. For example, if you use a toplevel variable like "nodes/%{fqdn}.yaml", Puppet interpolates the variable as an empty string. As a workaround, use trusted facts or specify the fact value using the "facts" hash, such as "%{facts.hostname}". This issue can be resolved by upgrading to Puppet 7.15.0. PUP-11437

User and group management on macOS 10.14 and above requires Full Disk Access (FDA)

To manage users and groups with Puppet on macOS 10.14 and above, you must grant Puppet Full Disk Access (FDA). You must also grant FDA to the parent process that triggers your Puppet run. For example:
  • To run Puppet in a server-agent infrastructure, you must grant FDA to the pxp-agent.

  • To run Puppet from a remote machine with SSH commands, you must grant FDA to sshd.

  • To run Puppet commands from the terminal, you must grant FDA to terminal.app.

To give Puppet access, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable, along with any other parent processes you use to run. For detailed steps, see Add full disk access for Puppet on macOS 10.14 and newer. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

The puppet node clean command fails for users who have their cadir in the legacy location

In Puppet 7, the default location of the cadir has moved. If you have it in the old location, most upgrades trigger a warning when executing commands from Puppet. It causes the puppet node clean command to fail. PUP-10786

Hiera knockout_prefix is ineffective in hierarchies more than three levels deep

When specifying a deep merge behaviour in Hiera, the knockout_prefix identifier is effective only against values in an adjacent array, and not in hierarchies more than three levels deep. HI-223

Specify the epoch when using version ranges with the yum package provider

When using version ranges with the yum package provider, there is a limitation which requires you to specify the epoch as part of the version in the range, otherwise it uses the implicit epoch `0`. For more information, see the RPM packaging guide. PUP-10298

Deferred functions can only use built-in Puppet types

Deferred functions can only use types that are built into Puppet (for example String). They cannot use types from modules like stdlib because Puppet does not plugin-sync these types to the agent. PUP-8600

The Puppet agent installer fails when systemd is not present on Debian 9

The puppet-agent package does not include sysv init scripts for Debian 9 (Stretch) and newer. If you have disabled or removed systemd, puppet-agent installation and Puppet agent runs can fail.

Upgrading Windows agent fails with ScriptHalted error

Registry references to nssm.exe were removed in PA-3263. Upgrading from a version without this update to a version that contains it triggers a Windows SecureRepair sequence that fails if any of the files delivered in the original *.msi package are missing. This is an issue when upgrading to one of the following Puppet agent versions: 5.5.21, 5.5.22, 6.17.0, 6.18.0, 6.19.0, 6.19.1, 6.20.0, 7.0.0, 7.1.0 or 7.3.0. To work around this issue, put the *.msi file for the currently installed version in the C:\Windows\Installer folder before you upgrade. Starting with Puppet agent 6.21.0 and 7.4.0, the nssm.exe registry value will be replaced with an empty string, instead of the registry key being removed, to avoid triggering Windows SecureRepair. PA-3545

The Puppet agent installer fails when systemd is not present on Debian 9

In versions less than 7.4.0, the puppet-agent package does not include sysv init scripts for Debian 9 (Stretch) and newer. If you had disabled or removed systemd, the puppet-agent installation and agent runs could fail. This is now fixed. PA-2028