Puppet release notes

Module installation performance with minitar improved

Installation time on larger modules has been improved. Previously, on platforms that had the minitar gem installed, mintar would fsync every directory and file, causing long extraction times during module installation. Puppet now uses minitar 0.9, with the fsync option turned off by default. PUP-10013

Automatic (delayed start) is now an option for Windows services

Puppet can now set Windows service startup type to Auto-Start (Delayed). To set a service to use this setting, set the enable parameter of the service resource to "delayed". PUP-6382

Module repository credentials redacted during installation

When you install a module, if the module repository URL includes credentials, Puppet now redacts the credentials in the command line output. PUP-9787

Sensitive values redacted in notify resource messages

Prior to this release, the notify resource leaked data if the message was a sensitive datatype with a raw value, not encapsulated in quotes. Now sensitive values are redacted when they are interpolated in a notify resource's message. PUP-9295

Ruby security update

Curl security update

This version includes a security update to curl 7.66.0 to address CVE-2019-5481 and CVE-2019-5482.

OpenSSL security update

This version upgrades OpenSSL to 1.1.1d to address CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563. For more details, see the OpenSSL Security Advisory.

Puppet tried to install packages that were already installed

Previously, Puppet incorrectly parsed the output of pip freeze when it reported package versions using the arbitrary equality operator, ===. As a result, Puppet treated the package as not installed and tried to reinstall it during every Puppet run. PUP-10015

Query parameters for HTTP and HTTPS file resources are preserved

When retrieving metadata and content for HTTP or HTTPS file resources, Puppet now preserves query parameters. Previously, Puppet requested only the path element of the URI and skipped the query parameters. PUP-9109

YAML output with special characters was not valid

Previously, the puppet resource --to_yaml and puppet device --to_yaml commands did not generate valid YAML if the output contained special characters such as a single quote. PUP-7808

serverip6 fact added

This release adds the serverip6 fact, which returns the server's IPv6 address. If Puppet cannot find either serverip or serverip6 facts, it returns a warning. PUP-5109

Agent startup logged at debug level in daemon mode

When running in daemon mode, Puppet logs the configuration used on agent startup at the debug level. The log is sent to the output specified by the --logdest option. Configuration is reloaded and also logged on SIGHUP. PUP-9754

puppet plugin information was not included in help

The puppet help command did not include help information for puppet plugin Now the plugin command is included in puppet help output. PUP-9959

system.d could not run as non-root

This release fixes a regression introduced in Puppet 6.8.0, where the systemd provider was prevented from working when running as non-root. For example, the command puppet resource service did not include systemd services. PUP-10016

puppet module uninstall now works in FIPS mode

Previously, the puppet module uninstall command failed if you ran it in FIPS mode. With the release, puppet module uninstall now works in FIPS mode, provided you specify either the --ignore_changes or --force arguments. If you do not specify one of these arguments, then uninstall fails, so that local changes to the module are not lost. PUP-9991

no_proxy setting correctly bypasses proxy even when HTTP_PROXY environment is set

Fixes a bug where Puppet attempted to use a proxy specified in the HTTP_PROXY environment variable, even though the no_proxy setting was set to bypass the proxy. PUP-9990

exec conditionals respect sensitive types

The exec type's onlyif and unless checks now return redacted output if it is marked sensitive. PUP-9956

install_only parameter added for yum, dnf providers

This release adds a new parameter, install_only, for yum and dnf package providers. Set this parameter for packages that should only be installed, but never updated, such as kernels. PUP-9605

Plug-in download speed improved

The puppet plugin download command now reuses HTTPS connections. This significantly speeds up the download process. PUP-8662

Puppet no longer ignores truncated file downloads caused by a Ruby issue

Prior to this release, Puppet silently ignored truncated file downloads, such as when using a file resource whose source parameter contained a puppet://, http://, or https:// URL. This issue was caused by a Ruby issue and is fixed in this release. PA-2849

Virtual package support removed for apt and dpkg providers

This release removes the virtual package support added for the dpkg and apt providers in the previous release.

Puppet 6.8.0 added virtual package support to these providers with an allow_virtual setting that defaulted to true. This caused issues because virtual packages are not enabled by default on apt and dpkg. PUP-9974

Fixed command execution with certain sensitive non-string arguments

Puppet could not execute commands with non-string arguments if the command was also marked as sensitive and the arguments were passed as an Array to the execute method. The issue is fixed for all providers, including the useradd provider. PUP-9973

puppet module install command prefers SHA-256 for verifying tarball

The puppet module install command now prefers SHA-256 when verifying the downloaded module tarball, but falls back to MD5 if necessary. PUP-9909

puppet-agent packages for Debian 10 added

A puppet-agent package for Debian is now available.

Virtual packages support for apt, dpkg

This release allows apt and dpkg providers to install virtual packages. By default, the allow_virtual setting defaults to true, which enables the ability to install virtual packages.

package { 'rubygems': ensure => 'latest' }

package {'rubygems': 
ensure => 'absent' 
allow_virtual => false 
}

This feature also address the Ubuntu reporting issue in MODULES-2047. PUP-9909

New no_proxy setting available in puppet.conf

You can now specify no_proxy as a Puppet setting, consistent with other http_proxy_* Puppet settings. The NO_PROXY environment variable takes precedence over the no_proxy Puppet setting. PUP-9316

bolt-shim module no longer required to run scripts over pxp-agent

Previously, to run a script over a pxp-agent, you had to first install the bolt_shim module. This fix allows pxp-agent to respond to requests to execute a script run action without the module. PUP-869

Agents now connect directly if target host is set to NO_PROXY

If the agent is configured to use an HTTP proxy, and it attempts to connect to a host that matches an entry in the NO_PROXY environment variable, then Puppet connects directly to the host instead of using the proxy. This feature was originally introduced in Puppet 4.2, but it did not work. PUP-9942

Windows components restarted on agent upgrades

During puppet-agent upgrades, Windows Network Components were sometimes restarted. This occurred when the upgrade process tried to modify a DLL file that was already loaded. This release fixes the issue, and Windows components no longer restart during upgrades. PA-2701

Conflict between puppet-agent and puppetserver packages resolved

Puppet might fail to load under JRuby 9.1, if puppet-agent 6.4 or greater and puppetserver 6.0.x were installed on the same host. PUP-9927

Services incorrectly reported as absent after change

When Puppet runs a resource service that changes the state of the service, the returned status would always fail, causing the ensure status of the service to be absent. Now Puppet correctly returns the service status when a change of the service is requested. PUP-9908

Passing code to the parser failed on STDIN

Resolved an issue where puppet parser validate failed with an error when a valid manifest was passed in through the STDIN pipe. PUP-9816

Puppet selects systemd as the default service provider on Debian 10, "buster". PUP-9752

Puppet repeated file mode changes on some Windows files

When puppet apply changes the mode on a file inside a protected Windows directory, Puppet changes the mode on every run, even if the desired mode matches the current mode. This fix improves the analysis of the file mode, so that if the desired mode matches the current mode, Puppet does not set the mode. PUP-9722

Passwords for the user type were output in Debug logging

User providers will not output exec command lines with passwords during debugging level logging. Instead, the passwords are now marked [redacted]. PUP-9585

Device certificates could be lost in backup and restore

Prior to this change, Puppet device certificates were stored under the cache directory. When the proxy agent for a device is the master, and the user executes a backup and restore, either manually or automated as in OpsWorks, the certificate and keys were lost, requiring certificate regeneration for those devices.

This fix moves the device certificate directory to a persistent path, leaving the old path as a symbolic link for compatibility purposes.

If you are using the device_manager module to manage your devices, upgrade to 3.0.1 or later to avoid deleting certificates from their new location. PUP-8736

systemd provider confined to init system matching systemd

This change allows the systemd provider to work in a chrooted environment. PUP-7312

HTTP connections did not support authenticating proxies

Agents could not connect through an authenticating HTTP proxy when making REST requests to Puppet infrastructure, such as when requesting a catalog. Now agents will observe the http_proxy_user and http_proxy_password settings or HTTP_PROXY_USER/PASSWORD environment variables when making those requests. PUP-4470

Puppet does not use proxy to connect to localhost

If an HTTP proxy is configured either in Puppet settings or the HTTP_PROXY_* environment variables, then Puppet does not use the proxy when connecting to localhost or 127.0.0.1. This behavior can be modified by changing the no_proxy setting in puppet.conf or the NO_PROXY environment variable. PUP-2172

Puppet was unable to appropriately manage SELinux file contexts

Previously, Puppet was unable to effectively manage the SELinux file context without restarting the Puppet service. This issue was due to an infinitely cached default context for each file. Now Puppet clears this cache after each catalog apply. PUP-2169

SSL-related API classes deprecated

Various classes are marked as deprecated in API documentation, and will be removed in a future major version of Puppet. Constructing an instance of Puppet::SSL::Host, attempting to get or set Puppet[:ssl_server_ca_auth], or attempting to set Puppet[:ssl_client_ca_auth] now generates a deprecation warning. PUP-9513

The following classes or methods are deprecated and will be removed in a future version of Puppet:

Catalog application failed with puppetlabs-ciscopuppet module

Catalog application failed when using a custom resource type whose automatic relationship method, such as autorequire or autobefore, returned an instance of Puppet::Type instead of a resource name. This occurred in particular when using the puppetlabs-ciscopuppet module. This issue was caused by a regression in Puppet 6.7.0. PUP-9926

Use of the mailalias resource type returned errors

Could not prefetch mailalias provider 'aliases': Could not 
parse line "mailer-daemon: postmaster" (file: /etc/aliases, line: 12

New ca_fingerprint setting verifies the CA bundle download against a fingerprint

openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '

Some commands could not be found

Some Puppet commands, such as puppet-infra, might not be found in the system PATH. This fix ensures that the relevant directory, opt/puppetlabs/bin, is available in the PATH. PA-2750

Custom MSI actions are logged

Custom MSI actions did not correctly log STDERR to the MSI log. PA-2691

--evaltrace option now shows total number of resources to be evaluated

The --evaltrace argument, used with the puppet agent and puppet apply commands, now returns the number of resources evaluated and the total number of resources to be evaluated. This option is useful for showing which resource in the catalog is being evaluated and the progress through the current catalog. PUP-9465

Provider autoloading issue fixed

In the 6.5.0 release, Puppet was unable to autoloading providers on some systems. This issue has been fixed. PUP-9794

pip provider error fixed

In the 6.5.0 release, Puppet encountered an undefined method error when running the pip provider. This issue has been fixed. PUP-9790

puppet agent --fingerprint returns the CSR hash

When you run the puppet agent --fingerprint command, if the agent doesn't have a client cert yet, thePuppet returns the SHA256 digest of the certificate request (CSR). This functionality was broken as of Puppet 6.4.0, and is now fixed. PUP-9720

Recurring Puppet runs exited on some SSL bootstrap errors

Recurring Puppet runs wait a specified amount of time while bootstrapping the SSL system, and then retry if an error is encountered. This behavior was broken as of Puppet 6.4.0, and this release restores the behavior.

The wait interval is controlled by the waitforce setting. One-time Puppet runs such as puppet agent --test or puppet agent --onetime do not retry, and instead exit when the first error occurs. PUP-9717

Lockfile retained old PID, causing agent failure

This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem.PUP-9691

Puppet now registers OIDs in the SSL application

SSL requests might sometimes return errors because Puppet was not registering OIDs in the SSL application. This is now fixed. PUP-9746

Use the staging_location parameter to customize the temporary location for new files

You can now use the staging_location parameter to render a file in a different location before you validate it with the validate_cms parameter. PUP-9389

Use puppet catalog compile to compile catalogs

The puppet catalog compile action works in the same way puppet master --compile worked before it was removed in Puppet 6.0.0. You must run the command on the puppetserver with access to your environments, modules, manifests, and Hiera data. PUP-9055

Create a Regexp with all special characters escaped

Create a Regexp that escapes all regexp special characters by adding a Boolean true as a second argument in a call to new. For example, Regexp(".[/", true) or Regexp.new(".[/", true). The default value is false. PUP-9554

Package providers now support an alternative gem command

Previously, package providers relied on $PATH for the default gem. This release adds a targetable feature to the package type, allowing package providers to implement a command attribute. The gem and pip providers now implement that attribute. This feature allows Puppet to manage packages in software collections, such as Red Hat Software Collections. PUP-6488

package { 'colorize':
  name     => 'colorize',
  provider => gem,
}

package { 'colorize-opt':
  name     => 'colorize',
  provider => gem,
  command  => '/opt/ruby/bin/gem',
}

Manage multiple Python installations with pip and pip3 package providers

You can now add a custom path to your pip and pip3 providers using a package command. If you have multiple Python installations, this allows you to point to a specific installation. PUP-1082

Specify the maximum amount of time an agent should wait for its certificate

By default, Puppet agents attempt to download their signed certificate indefinitely. This release adds a maxwaitforcert setting, which specifies the maximum amount of time an agent should wait for its certificate. Acceptable values are unlimited (the current behavior), or a duration such as 10m, or 1h. If you specify a duration, the agent waits the full amount of time and, if the certificate is not downloaded, exits with an error. PUP-3237

Elliptic-curve cryptography (ECC) key support

Specify a refresh interval for certificate revocation lists (CRLs)

Improved server_list output and error messaging

Previously, using config print to view your server_list would output a nested array that was difficult to read. Using config print now outputs the text in the same human-readable format as its entry in puppet.conf. Puppet uses the same human-readable output for errors you receive from being unable to connect to a server in server_list. PUP-9495

Improved JSON output support for validation errors

Fedora 30 support

This release adds puppet-agent support for Fedora 30. PA-2675

puppet device failed to manage multiple devices

The puppet device command would not manage multiple network devices in a single run. This was a regression introduced in Puppet 6.0.5. PUP-9587

Security update to curl

This release includes an update to curl to address security issues. See https://curl.haxx.se/docs/CVE-2019-5435.html and https://curl.haxx.se/docs/CVE-2019-5436.html for information about the CVEs. PA-2689

Amazon platforms now use yum as the default provider

Prior to this release, Amazon platforms did not have a default provider set. This resulted in Puppet trying to use the gem provider to install Amazon packages. PUP-9724

On Windows, Puppet no longer applies corrective changes to the administrator password on every Puppet run

Puppet now applies corrective changes to the administrator password only on the first run. PUP-9688

Improved syntax error feedback for legacy Ruby functions

If you loaded a legacy Ruby function with syntax errors, you'd get an error saying that your function "does not seem to be a Puppet 3x API function." Puppet now alerts you to syntax errors. PUP-9643

Password protected private key support for agent-only nodes

If a private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, the agent generates a key and uses the contents of the passfile to encrypt the key on disk using AES-128-CBC. If the agent already has an unencrypted private key, no change occurs. PUP-9466

Temporary files created from validate_cmd use the same permissions as the file resource

Prior to this release, the permissions of temporary files created by validate_cmd were different to the permissions defined on the file resource. PUP-8983

Uninstall an rpm package without specifying a version or build number

You can now remove a package with rpm package provider using ensure => absent without specifying a version or build number. PUP-8664

Tags specified via --skip_tags are no longer expanded by splitting on the namespace

Using --skip_tags split tags on the namespace separator (::) and caused Puppet to expand and skip all resources in the specified namespace. For example, using fruit:apples expanded and skipped ['fruit::apples', 'fruit', 'apples'] . PUP-8215

Improved error message when listing provider resources

You now get a more helpful error message if you try to list resources for a provider type that does not have the instances class method defined. PUP-4930

Performing two or more rapid-fire Puppet runs no longer results in a race condition

When an additional Puppet run was triggered immediately after Puppet had requested a certificate from the master, the master receive the original Certificate Signing Request (CSR) and continuously return the original certificate, which wouldn't match the new keys generated by the second Puppet run. PUP-2958

Removing a user resource on Solaris 11 installations with home directory configurations

Previously, trying to remove a user resource on a Solaris 11 installation using a home directory configuration resulted in an error. PUP-9706

Hiera 3 lookups with convert_to keys

If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with convert_to, you'd get an error: "undefined method 'call_function' for Hiera::Scope". PUP-9693

Perform string to integer conversions on decimal strings with leading zeros

Converting a decimal string with leading zeros – for example, Integer("08", 10)– to an integer would result in an error. PUP-9689

puppet device always initializes SSL directories with the correct permissions

When initializing new device certificates, puppet device would sometimes set permissions in a way that prevented the pe-puppet user from reading some directories PUP-9642.

The Windows package resource removes trailing whitespace

This release updates the Windows registry read method to replace null byte sequences with a space. This issue caused PuppetDB to discard updated facts from affected nodes. PUP-9639

Puppet no longer upgrades Debian upgrade packages before setting them on hold

Prior to this release, if you set a Debian package on hold with ensure => held and the package had a pending upgrade, Puppet installed the upgrade before locking the package. PUP-9564

Disabled Ruby 2.5.1 automatic HTTP retry mechanism

This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the Puppet Server report processor. PUP-3905

System updates to Ruby in the Puppet agent conflicted with other software

This release fixes an issue where the gem update --system command used in the Puppet agent caused conflicts with software that depends on gems in Puppet's vendored Ruby directory, such as r10k. Now gem paths always contain the path for this directory, even after updating. PA-2628

Dependency issues when installing tools that require gems

This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. If you tried to install tools that rely on gems such as Facter, Puppet and Hiera gem dependencies could not be referenced. PA-2670

HTTP certification requests

Debug: HTTP GET https://puppet.delivery.puppetlabs.net:8140/puppet/v3/file_metadatas/pluginfacts
returned 200 OK

Debug logging for the exec resource

• Running the exec resource with --debug and --noop now prints a debug message with the command if checks prevent it from being executed. If command, onlyif, or unless are marked as sensitive, all commands are redacted from the log output. PUP-9357

• Puppet now gives a debug message when checking the existence of a file specified by creates. PUP-9511

New method: Puppet::FileSystem.replace_file

Use Puppet::FileSystem.replace_file to replace a file. If a mode is specified, it will always be applied to the file. Otherwise, if the file being replaced exists, its mode will be preserved. If the file doesn't exist, then the mode will default to 0640. This method supersedes Puppet::Util.replace_file, which will be deprecated in a future release. PUP-9499

SSL Improvements

• Puppet no longer uses Puppet::SSL::Host. Puppet::SSL::Host will be deprecated in a future release. PUP-9459

• Puppet no longer saves its public key to disk, because the public key is derivable from its private key and is contained in its certificate. If you need to, you can extract the public key using $ openssl rsa -in $(puppet config print hostprivkey) -pubout. PUP-9459

• The puppet ssl, puppet device, and puppet agent applications are now the only applications that can initialize SSL. Puppet applications other than puppet agent, puppet device, and puppet ssl now raise an error if they attempt to make an SSL connection while the SSL bootstrap process is incomplete. PUP-9461 PUP-9459

• Added an API for loading certificates, keys, and certificate revocation lists (CRLs). PUP-9455

• Added an API for creating an SSLContext containing certificates and keys needed to make an SSL connection. PUP-9456

• Added a method to Puppet::Network::HttpPool to create an HTTPS connection using a specified SSLContext. PUP-9457

• Instead of using Puppet::SSL::HOST, puppet ssl now uses an SSL state machine to download certificate authority (CA) and certificate revocation list (CRL) bundles. PUP-9458

• Puppet preserves existing user and group behavior when saving SSL-related files. PUP-9463

• The new puppet ssl bootstrap action submits a CSR and downloads the client certificate without running puppet agent -t. PUP-9556

SUSE Linux Enterprise Server support removed

This release of the puppet-agent package removes support for SUSE Linux Enterprise Server 11/12 s390x. PA-2489

Ruby security patch in puppet-agent package

This puppet-agent package release includes a security patch for Ruby 2.5.3. To learn more about the CVEs that this patch address, see the Ruby security advisories. PA-2512

Resolved SSL issues

• Puppet no longer conditionally sends its certificate signing request (CSRs) based on the presence or absence of the file on disk. Instead it generates and sends the CSR whenever it needs to check for a certificate. Puppet still saves the CSR to disk, but it never reads it back in. PUP-4568

• Puppet no longer downloads the CSR from the server, so it can never get into a state where it saves the wrong CSR to disk, causing it to be stuck. As a result, it's now possible to enable allow_duplicate_certs=true and have the agent submit a CSR with the same name as a previous instance of the node. The admin still needs to revoke the old cert and sign the new CSR in order for the agent to get its certificate. PUP-2354

• Puppet no longer uses the indirector to handle certificates or keys. PUP-6207

• Puppet was too permissive about skipping SSL verification if no client certificate was found. Puppet now never downgrades verification based on the absence of a client certificate. PUP-7295

• Mismatched certificates were cached on the host, causing Puppet to print an error on each run until an admin removed the files. If a client certificate, Certificate Authority (CA) bundle, or certificate revocation list (CRL) bundle are invalid, Puppet now discards them. PUP-7903

• The error message for a mismatched certificates name was not helpful. When a Puppet agent tries to connect to an SSL server where the certificate does not match the hostname it is trying to connect to, it will now return the expected error message. PUP-8213

• The Puppet agent was not verifying its peer in an SSL connection when downloading a CRL. Puppet now verifies the server's SSL certificate when retrieving a CRL. PUP-9142

filebucket type server and port settings no longer have explicit defaults

For the filebucket type, server and port no longer have explicit default values in the type definition. If server is not set, it defaults to the first entry in server_list if set; otherwise, it defaults to server. If port is not set, it defaults to the port in the first entry of server_list if set; otherwise, it defaults to masterport. PUP-9025

Custom functions can now be correctly called

This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477

Puppet agent now produces an error when a functional server is not found

If server_list is set and a functional server is not found, Puppet returns an error rather than falling back to the server setting. PUP-9076

Optional type without arguments no longer returns an error

Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Supply a type argument with the desired type if the value is not undef. PUP-9467

Fixed remote MSI package installation on Windows

This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496

Corrective changes explicitly logged

Prior to this release, agent runs provided the same output for both intentional and corrective changes. Now corrective changes are now explicitly called out in the logs as corrective. PUP-9324

New collections and index functions

This release adds group_by and partition functions that operate on collections.

The group_by function is useful for separating targets into categories based on properties of those targets. The partition function allows you to use a Boolean condition to separate targets that otherwise be two opposite filter operations. PUP-9372

This release also adds an index() function that can return the index of a specified element in an Array, Hash, String, or other iterable value that is either equal to a given value or for which a given lambda returns a truthy value. PUP-9482

puppet-agent package added for macOS 10.14 Mojave

This release adds a puppet-agent package for macOS 10.14 Mojave.

On macOS 10.14 Mojave, you must grant Puppet Full Disk Access to be able to manage users and groups. To give Puppet access on a machine running macOS 10.14, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

Syntax errors on interpolated heredocs are resolved

Heredoc expressions with interpolation using an access expression such as $facts['somefact'] sometimes failed with a syntax error. This error was related to the relative location of the heredoc and surrounding whitespace and is now resolved. PUP-9303

Restarting pxp-agent service kills all processes when restarted

This release modifies the pxp-agent service to kill all pxp-agent processes when the service is restarted, rather than only the current process. PCP-833

Custom functions can now be correctly called

This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477

Optional type without arguments no longer returns an error

Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Always supply a type argument with the desired type if the value is not undef. PUP-9467

Invalid path to --logdest option was ignored

Now if you give a --logdest location that Puppet cannot find or write to, the run fails with an error. PUP-6571

Upstart provider evaluated during provider check instead of during loading

The upstart provider was being evaluated when loaded, causing issues with testing and availability during transactions. This has been fixed so that the provider is evaluated only when provider suitability is being checked. PUP-9336

Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrativeAPI to expire the cache as needed. PUP-9497

SublocatedExpression class

The AST SublocatedExpression class is no longer generated by the parser. The SublocatedExpressionclass itself will be removed from Puppet in a future release. PUP-9303

Improved support for Solaris pkg provider

This release adds support for install_options for the pkg provider on Solaris. PUP-5287

puppet-agent package available for Red Hat 8 beta

A puppet-agent package is available for the beta release of Red Hat 8. Because this Red Hat version is a beta release, not all functions are verified to work correctly. Do not use this version of puppet-agent in production.

Added protection against illegal methods in legacy functions

Puppet now protects against illegal method definitions in loaded legacy functions. Illegal methods in legacy functionsdisrupt the entire system and can cause difficult-to-diagnose issues. For information on how to remove such methods from legacy functions, see the topic about refactoring legacy functions. PUP-9294

Puppet logs JSON in newline-delimited format

For newline-delimited JSON logs, set the logdest setting or command line option to an absolute path ending with the .jsonl extension, such as puppet agent --logdest /var/log/puppet.jsonl. This is preferable to the JSON format, since the generated log is not valid JSON and requires an appended closing ] to make it valid. PUP-8687

Fedora 27 puppet-agent package no longer available

Fedora 27 reached end of life in November 2018. Updated puppet-agent packages for this version are no longer available.

Fix for specifying package versions in portage provider

Prior to this release, you could not specify package versions when managing packages with the portage package provider. The provider now accepts and honors a version string for managing packages. PUP-9071

Exceptions encountered during resource pre-fetch are logged

If the Puppet agent encounters exceptions when pre-fetching resources for catalog application, it now logs the exceptions and returns a more useful error message. PUP-8962

Puppet commands fail if the puppet.conf file is unreadable

Puppet commands now fail if Puppet Server is unable to read the puppet.conf file. Only the --help and --version commands work if the puppet.conf file is unreadable. PUP-5575

Improved error handling for PNTransformer

When parsing Puppet into structured AST, the Puppet parser produced an error on some empty constructs because the PNTransformer could not resolve them. Now it generates a Nop expression instead. PUP-9400

Failed dependency resources are reported only once

After a failed resource has been reported, other resources that depend on the failed resource will not be reported again. However, you still get the skip message for each skipped resource. PUP-6562

Command line module installation improved

The puppet module install command now downloads only the release metadata it needs to perform dependency resolution, drastically reducing data download and improving installation time. For the puppetlabs-stdlib module, this change reduces the data download from 25MB to 68KB, and any module that depends on stdlib installs faster. PUP-9364

Puppet no longer ignores the srv_domain setting

This release fixes an issue where Puppet 6.0 ignored the srv_domain setting when using DNS SRV records to connect to the ca_server. PUP-9399

Package provider included in puppet resource default output

The puppet resource <package-name> command now includes the package provider as part of its output.

Clean certificates for remote nodes

The puppet ssl clean command now accepts a --target CERTNAME parameter to clean certificates for remote nodes configured through device.conf. PUP-9248

puppet-agent package available for Fedora 29

A puppet-agent package is now available for Fedora 29.

The systemd provider checks for new and changed units

When Puppet starts or restarts a service, the systemd provider checks to see whether the service requires a daemon reload, and reloads the systemd daemon if necessary. This ensures the service runs with the latest configuration on disk. PUP-3483

New service timeout parameter for Windows

On Windows systems, you can now specify a service timeout parameter that configures how long, in seconds, Puppet should wait when syncing service properties. PUP-9132

service { "service-name":
 enable => true,
   ensure => running,
   timeout => 45
}

Format strings with double quotes

You can now force strings to have double quotes when formatting strings with the String.new function. Previously, this function dynamically determined whether to use single quotes or double quotes for the string.

To force double quotes, specify the alternative format flag # when you specify the string format. PUP-9344

Service support for systemd on Linux Mint 18 and newer

This release adds support for services on Linux Mint 18 and newer, which use the init systemd instead of upstart for services. PUP-9326

Parser validation finds and reports syntax issues in heredocs

Heredoc syntax checking is now performed during validation, unless the heredoc contains any interpolated expressions. This includes manifest and EPP template syntax checks. Heredocs with interpolation are checked during evaluation. Prior to this release, heredoc syntax checks were run only during evaluation.

By default, heredocs are treated as text unless otherwise specified with the end-of-text tag, such as @(EOT:json), @(EOT:pp), or @(EOT:epp). To check syntax in heredocs, run puppet parser validate. PUP-9257

Improved handling of incompletely configured services

Puppet now treats incomplete services the same way as nonexistent services, returning enabled => false and ensure => :stopped in either case. If you try to set ensure => running or enabled => true on an incomplete or nonexistent service, Puppet raises an error. PUP-9240

Refreshed resource status now included in event report

This release fixes an issue where refreshed resources, such as reboot or some execs, did not create a status event in the event report. PUP-9339

Catalog compilation error fixed

When compiling a catalog, Puppet sometimes raised the error "Attempt to redefine entity." This issue has been fixed with an update to the internal logic. PUP-8002

The exec provider supports empty environment variables

Prior to this release, the exec provider did not support empty environment variables. If an empty environment variable is set on the system, Puppet temporarily overwrites it during execution.. PUP-1209

Puppet recognizes tmpfs support for SELinux labels

SELinux utilities within the Puppet codebase now recognize that the tmpfs supports extended attributes and SELinux labels. The query selinux_label_support? returns true for a file mounted on tmpfs. PUP-9330

Fixed recognition of short form Arrays and Hashes

This release fixes a regression in the string formatting rules that caused a short form for an Array or Hash to not be recognized. For example, String([1,[2,3],4], '%#a") would not format with indentation, but would format the long form String([1,[2,3],4], {Array => { format => '%#a"}}). Now the short form works for Array and Hash as intended. PUP-9329

puppet ssl clean now deletes local certificate requests

This release fixes an issue where the puppet ssl clean command did not correctly delete local certificate requests. PUP-9327

Resolved Timestamp and Timespan data type errors

Prior to this release, the data types Timestamp and Timespan raised errors if time range was specified with Integer or Float values. These data types now support time ranges specified with these values. PUP-9310

Select types moved to modules

In this release, many types were moved out of the Puppet codebase, and into modules on the Forge. This change enables easier composability and reusability of the Puppet codebase and enables development to proceed more quickly without risk of destabilizing the rest of Puppet. Some types are now in supported modules and are repackaged back into the agent. Some are now in modules that are updated, but are not repackaged into the agent. And some are in modules that are deprecated, not updated, and not repackaged back into the agent.

See the Resource Type Reference page for the full list and links to the Forge modules for those types that moved.

Resource API

Resource API has been added, providing a new, recommended method to create custom types and providers. The Resource API is built on top of the Puppet core and is easier, faster, and safer than the old types and providers method. See the Resource API documentation for more information.

Upgrade to Ruby 2.3 or later

Puppet now requires Ruby 2.3 or later, and reports an error when running older Ruby versions. We removed code paths for older Ruby support, such as 1.8.7, relaxed our gem dependencies to include gems that require Ruby 2 or up, and now test Puppet pull requests against JRuby 9k. PUP-6893, PUP-8483, PUP-8484

puppetserver ca command

The new puppetserver ca command replaces the puppet cert command. Running the puppet cert command results in an error, with instructions on alternative commands to use. Some actions (fingerprint, print) have not been directly replaced, because OpenSSL provides good equivalents. For verifying certificates, use puppet ssl verify. For more usage details, see the intermediate CA documentation. PUP-9022

node clean uses the Puppet Server CA API

The puppet node clean command now goes through the Puppet Server CA API to clean up certificates for a given node. This avoids issues where multiple entities attempt to revoke certs at once, because all of these updates are now funneled through the API, which handles concurrent requests correctly. See SERVER-115 and PUP-9108 for more information.

Agents can use CA and CRL bundles

The agent now correctly saves and loads chained SSL certificates and certificate revocation lists when in an environment where its certificates are issued by Puppet acting as an intermediate CA. PUP-8652

Load files from pluginsync during catalog application

Use the Deferred data type in a catalog to call functions on the agent before the catalog is applied. It is now possible to call all functions implemented in Ruby on the agent side. It is not possible to call functions written in the Puppet language, as they are not available on the agent. PUP-9035

puppet ssl subcommand

There is a new Puppet subcommand for working with SSL certificates. The puppet ssl command supports the submit_request, download_cert, and verify actions for working with SSL certificates on the agent. PUP-9028

File requirements included in task infoservice files responses

When requesting task details, the master now returns a list of all files from the tasks metadata files and implementations['files'] keys. PUP-9081

Devuan default service provider

The Devuan service provider now defaults to the Debian init provider. PUP-9048

apply statement in plan language

An apply keyword has been added to the Puppet parser when running with tasks enabled. See Puppet specifications for details. PUP-8977

Updated default input_method for task object type

The input_method property of tasks now defaults to undef rather than the string both. This allows more flexibility in defaults and what input_methods we choose to support in the future. PUP-8898

convert_to() function accepts additional arguments

convert_to() function now accepts additional arguments. Previously, it accepted only the data type to convert to. PUP-8761

compare function

A compare(a,b) function has been added. It returns -1, 0, or 1 depending on if a is before b, same as b, or after b. The function works with the comparable types: String, Numeric, Semver, Timestamp, and Timespan. For String comparison it is possible to ignore or take case into account. PUP-8693

Deferred data type

A new data type Deferred has been added. It is used to describe a function call that can be invoked at a later point in time. PUP-8635

Call function resolves Deferred values

It is now possible to resolve a Deferred value by using the call function. It can resolve a deferred function call, and a deferred variable dereference (with support to dig into a structured value). PUP-8641

Concatenate with + on Binary type

It is now possible to use the plus operator + to concatenate two Binary data type values. (PUP-8605) The sort() function has been moved from stdlib to Puppet. The function now also accepts a lambda for the purpose of using a custom compare. PUP-8622

Select string functions moved from stdlib to Puppet

The functions upcase(), downcase(), capitalize(), camelcase(), lstrip(), rstrip(), strip(), chop(), chomp(), and size() have been updated to the modern function API and the new versions are in Puppet and no longer require stdlib. The functions are generally backward compatible. PUP-8604

Select math functions moved from stdlib to Puppet

The math functions abs, ceil, floor, round, min, and max are now available in Puppet. The functions are compatible with the functions with the same name in stdlib with the added feature in min and max of calling them with a single array and being able to use a lambda with a custom compare. These stdlib math functions used inconsistent string to numeric conversions that were also unintentionally making the functions compare values in strange ways. The automatic conversions are now deprecated and will issue a warning. PUP-8603

Agent support for rich data content negotiation

The rich_data setting is now enabled by default. Catalog requests have two new content types, application/vnd.puppet.rich+json and application/vnd.puppet.rich+msgpack, that are used when both master and agent have this enabled (and depending on whether preferred_serialization_format is json or msgpack). PUP-8601

vendor_modules added to basemodulepath

The default basemodulepath now includes a vendored modules directory, which enables Puppet to load modules that are vendored in the puppet-agent package. To prevent Puppet from loading modules from this directory, change the basemodulepath back to its previous value, for example, on *nix: $codedir/modules:/opt/puppetlabs/puppet/modules. On Windows: $codedir/modules. PUP-8582

environment.conf modulepath accepts globs

The modulepath as defined in environment.conf can now accept globs in the path name. PUP-8556

Customize default package providers

This change adds a notdefaultfor that prevents a provider from being a default for a given set of facts. notdefaultfor overrides any defaultfor and should be defined more narrowly. PUP-8552

Define properties or parameters for types as sensitive

Parameters can now be marked sensitive at the class level rather than just the instance level. PUP-8514

Update default provider for Ubuntu

SystemD is now the default provider for Ubuntu 17.04 and 17.10. PUP-8495

Functions to use dot notation to dig into a hash or array

It is now possible to use dot notation to dig out a value from a structure, like in Hiera lookup and elsewhere in Puppet. To support this, the getvar() function has moved from stdlib to Puppet, and we have added a new function get(). You can now for example use getvar('facts.os.family') starting with the variable name. The get function is the general function which takes a value and a dot-notation string. PUP-7822

Puppet 4.x functions available to all modules

It is no longer required to have a dependency listed in a module’s metadata.json on another module in order to use functions or data types from the other module. PUP-6964

Updated addressable Ruby gem

Updated the version of the addressable Ruby gem now that JRuby 1.9.3 support has been removed. PUP-6894

Undeprecated certificate authority settings

Settings related to certificate authorities are no longer being deprecated as planned in PUP-9027. Warnings related to these planned deprecations have been removed. PUP-9116

Reported events didn't stringify rich data

With rich data turned on for a catalog (now the default), a report could contain rich data in reported events, but nothing downstream from the agent was prepared to handle rich data. This is now fixed so that data in reported events are stringified when needed. PUP-9093

Illegal top-level constructs didn't produce an appropriate error

The deprecation for illegal top-level constructs is now an error. PUP-9091

__ptype and __pvalue were allowed as attribute names

Attempt to use the reserved attribute names __ptype and __pvalue in custom Object data types now raises an error instead of producing a bad result when serializing such objects. PUP-9079

A hash containing the key __ptype couldn't be serialized using human-readable JSON

It was not possible to use a hash key __pcore_type in a hash because that triggered the special handling during serialization. Now, the special key has changed to __ptype and it is not possible to also use that as a key in a hash and still be able to serialize it, such as using it in a catalog. PUP-8976

Status endpoint wasn't used to determine if Puppet Server was available

When the agent is configured with a list of servers (using server_list), it now requests server status from the status endpoint instead of the node endpoint. PUP-8967

Selmodule thought 'foo' existed if 'myfoo' was loaded

The selmodule type is more strict about checking if a module has already been loaded, and no longer considers modules such as "bar" and "foobar" to be the same module. PUP-8943

Resource status of failed_to_restart wasn't included in reports

Puppet considers resources that have failed to restart when notified from another resource as failed, and marks them as such in reports. Reports also now include the failed_to_restart status for individual resources, instead of only including a total count of failed_to_restart resources in the resource metrics section. This bumps the report format version to 10. PUP-8908

File type wasn't redefined when required in code

Fixed an issue running in JRuby where we didn’t store autoloaded paths in the same way that the JRuby implementation did, leading to a bug where a type or provider could get loaded more than once. PUP-8733

Puppet lost track of the current environment

Puppet autoloader methods now require a non-nil environment. This is a breaking API change, but

not affect any user extensions like 3x functions. Puppet sometimes used the configured environment instead of the current environment to autoload. This mainly affected agents when loading provider features. Calling Puppet::Parser::Functions.autoloader.load* methods are deprecated, and issue a warning if strict mode is set to warning or error. Instead use Scope#call_function("myfunction") to call other functions from within a function. PUP-8696

Comparison of numeric to timestamp or timespan failed

When comparing numeric to timestamp or timespan it did not work to compare with the numeric value first. This is now fixed. PUP-8694

http_read_timeout and runtimeout defaults were limited

The http_read_timeout default changed from infinite to 10 minutes. This prevents the agent from hanging if there are network disruptions after the agent has sent an HTTP request and is waiting for a response that might never arrive. Similarly, the runtimeout default also changed from infinite to 1 hour. PUP-8683

tidy resource was too chatty

The tidy resource type now uses the debug log level for its File does not exist message, instead of the info level. This means that resources of this type will no longer emit the message by default when the target of the resource has already been cleaned from disk. PUP-8667

Agents didn't use the CRL bundle to verify master revocation status

With this change, if the user has distributed the CRL chain out-of-band, then the agent successfully loads it and uses it to verify its connection to other Puppet infrastructure (for example, the master). It expects the CRL chain to be one or more PEM-encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat in the Puppet 5 External CA documentation. PUP-8656

Puppet 5 and Ruby 2.4 couldn't handle invalid plists

When processing malformed plist files, we used to use /dev/stdout, which can cause Ruby to complain. We now use - instead which means to use stdout when processing the plist file with plutil. PUP-8545

White space surrounding comments in EPP were handled incorrectly

EPP comments <%# Like this %> always trimmed preceding whitespace. This is different from ERB making it more difficult to migrate ERB templates to EPP. There was also no way of making EPP preserve those spaces. Now, EPP comment does not trim preceding whitespace by default, and a new left trimming tag <%#- has been added. This is a backwards incompatibility in that code such as "Before <%# comment %>after" resulted in the string "Beforeafter", whereas now it will be "Before after". PUP-8476

filter function didn't accept truthy values

The filter function did not accept truthy value returned from the block as indication of values to include in the result. Only exactly Boolean true was accepted. PUP-8320

Unsafe YAML data could be loaded

Puppet now uses YAML.safe_load consistently to ensure only known classes are loaded. PUP-7834

Gemfile didn't support consuming the Puppet gem via a Git reference

Restructure the Puppet Gemfile so that bundler installs Puppet’s runtime, feature-related, and test dependencies by default. The development and documentation groups can be installed using: bundle install –with development documentation. PUP-7433

Puppet didn't use shared gem dependency for semantic_puppet

Puppet now uses the shared gem dependency for semantic_puppet, rather than loading its own vendored version. PUP-7157

Puppet, the agent, and Puppet Server didn't use a shared gem directory for semantic_puppet

Puppet now loads semantic_puppet from a shared gem directory, so that Puppet, the agent, and Puppet Server all require and use the same version of the gem. (~>1.0.x) PUP-7115

metrics.time.total didn't correlate to time reported in log

Total time now reports the measured time of the run instead of a sum of other run times. PUP-6344

Features weren't re-evaluated when a block was used

Puppet.features.add(:my_feature) do require 'mylib' end

Puppet.features.add(:my_feature, libs: ['my_lib']) 

Previously the result of the block was always cached. With this change only true or false return values are cached. To indicate that the state of the feature is unknown and may become available later, the block returns nil. PUP-5985

Manifests that declared things in the wrong namespace didn't trigger errors

Errors will be reported for module files declarations that have a namespace inconsistent with their directory and file location. PUP-4242

Invalid .dot files were generated by missing escapes of quoted strings

Generating graphs of catalogs (such as puppet apply --graph) now correctly handles resources with double quotes in the title. PUP-2838

Outdated vendored semantic_pupet gem

We have updated the vendored semantic_puppet gem in the puppet-agent package to the most recent version, 1.0.2. PA-1881

Certificate authority subcommands and v1 CA HTTP API

Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998

As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650

For details on changes and the new commands, see our documentation about certificates and SSL.

Ruby certificate authority 

Puppet no longer has a Ruby CA. All CA actions now rely entirely on the Clojure implementation in Puppet Server. It can be interacted with by means of the CA API and the puppetserver ca command, which leverages the API using subcommands like those provided by puppet cert.  PUP-8912

Trusted server facts

Trusted server facts are always enabled and have been deprecated since 5.0. This removes the setting and conditional logic. PUP-8530

write_only_yaml node terminus

The write_only_yaml node terminus was used to “determine the list of nodes that the master knows about” and predated widespread PuppetDB adoption. The write_only_yaml has been deprecated since 4.10.5, and this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a compile. PUP-8528

LDAP node terminus

The LDAP node terminus has been removed. PUP-7601

computer, macauthorization, and mcx types and providers

The computer, macauthorization, and mcx types and providers have been moved to the macdslocal_core module. It is not repackaged into puppet-agent in the 6.0 series.

Nagios types

The Nagios types no longer ship with Puppet, and are now available as the puppetlabs/nagios_core module from the Forge.

Cisco network devices

The Cisco network device types no longer ship with Puppet. These types and providers have been deprecated in favor of the puppetlabs/cisco_ios module, which is available on the Forge. PUP-8575

:undef in types and providers

In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a master, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112

puppet module build command

To reduce the amount of developer tooling installed on all agents, this version of puppet removes the puppet module build command. To continue building module packages for the Forge and other repositories, install  Puppet Development Kit (PDK). PUP-8763

pcore_type and pcore_value

The earlier experimental -rich_data format used the tags pcore_type and pcore_value, these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations you need to change them or write them again with the updated version. PUP-8597

Webrick

Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591)

puppet master command

The puppet master command and its subcommands have been removed. Instead, use a  puppet-config command.  PE-24280

–strict flag in puppet module 

The –strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558

Select settings

String duplication in 3x runtime converter

Types and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values and any type or provider that directly mutates a resource parameter might fail. Previously, every resource attribute was copied to not make application break even if they did mutate. Look for use of gsub! in your modules and replace logic with non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141

Puppet.newtype method

The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. ( PUP-7078)

Certificate handling commands deprecated but not removed