These are the new features, resolved issues, and deprecations in this version of Puppet.
Puppet 6.11.1
Released 20 November 2019
Resolved Issues
Fixed systemd daemon-reload issue
This release fixes a regression where the daemon-reload method returned all properties instead of the value for a specific NeedDaemonReload property. Contributed by alexjfisher. PUP-10149
Puppet 6.11.0
Released 19 November 2019
New features
SSL state machine and application now use the Puppet HTTP client
This release modifies puppet ssl, puppet device, and puppet agent to use the Puppet HTTP client to bootstrap SSL certificates on the node. PUP-10040
Virtual package support for apt and dpkg providers
To allow virtual packages, ensure that the package attribute allow_virtual is set to true in your Puppet resource file. PUP-10023
Package support for DNF modules
Puppet now supports managing DNF modules, which are groups of packages that represent an application, a language runtime, or any logical group.
Modules can be available in multiple streams, usually representing a major version of the software they include. Profiles are package subsets representing a specific use case of the module (these are handled by the flavor parameter of the package type).
Due to the significant difference between a package and a module, dnfmodule is an opt-in provider and should be explicitly specified in the manifest. PUP-9978
Boolean support for selboolean
The selboolean value property now accepts true and false values in addition to on and off. PUP-9963
Windows improvements
This release removes a dependency on .bat files when running Puppet as a service on Windows. PUP-9940
Resubmit facts at the end of an agent's run
Puppet submits facts when requesting a catalog, but if the agent modifies the system while applying the catalog, then the facts in PuppetDB won't be refreshed until the agent runs again, which may be 30 minutes depending on how runinterval is configured. This feature makes it possible to submit facts again at the end of the agent's run, after the catalog has been applied. To enable this feature, set resubmit_facts=true in the agent's puppet.conf. Resubmitting facts doubles the fact submission load on PuppetDB, since each agent will submit facts twice per run. This feature is disabled by default. PUP-5934
Experimental feature: catalog compilation with external trusted data from third parties
Use trusted_external_command to add trusted facts from an external source during catalog compilation. trusted_external_command is a path to an executable command that can produce external trusted facts. The command must:
- Take the name of a node as a command-line argument.
- Return a JSON hash with the external trusted facts for this node.
- Exit with a non-zero exit code for unknown or invalid nodes.
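A command that meets these three requirements, as an added example (not Puppet's own code). The inventory data, the certname pattern, the exit-code values and all function names are assumptions made for illustration.

```ruby
#!/usr/bin/env ruby
# Added example of a command for the trusted_external_command setting.
# Not part of Puppet; every name and value below is hypothetical.
require 'json'

# Constructed sample inventory. A real command would query a CMDB or
# asset database instead of an in-memory hash.
INVENTORY = {
  'web01.example.com' => { 'datacenter' => 'ams1', 'owner' => 'web-team', 'pci_scope' => false },
  'db01.example.com'  => { 'datacenter' => 'ams1', 'owner' => 'dba', 'pci_scope' => true }
}.freeze

# Assumed naming policy: lowercase DNS-style names only. Rejecting anything
# else keeps a hostile node name out of lookup keys, file paths or queries
# that a real data source might build from it.
CERTNAME = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/

EXIT_OK      = 0
EXIT_INVALID = 2 # malformed request: wrong argument count or bad node name
EXIT_UNKNOWN = 3 # well-formed node name that the inventory does not know

# Returns [exit_status, json_or_nil] for the given argument list.
def lookup(argv)
  return [EXIT_INVALID, nil] unless argv.length == 1

  certname = argv.first
  return [EXIT_INVALID, nil] unless certname.length <= 253 && certname.match?(CERTNAME)

  facts = INVENTORY[certname]
  return [EXIT_UNKNOWN, nil] if facts.nil?

  [EXIT_OK, JSON.generate(facts)]
end

# Writes the JSON hash to stdout on success and a short reason to stderr
# otherwise, so that stdout never carries partial or non-JSON output.
def run(argv, out: $stdout, err: $stderr)
  status, json = lookup(argv)
  if status == EXIT_OK
    out.puts(json)
  else
    err.puts("trusted-external: request rejected (status #{status})")
  end
  status
end

# The node name arrives as the only argument. The ARGV guard lets the file
# be loaded without arguments (for example by a test) without exiting.
exit(run(ARGV)) if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
```

Because the returned hash ends up as trusted data during compilation, the executable and its data source should be writable only by the account that administers the server.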
Hardened Linux Executable and Linkable Format (ELF) binaries
Linux ELF binaries and shared objects are now compiled with Position Independent Executables (PIE) support, stack canary, and Relocation Read-Only (RELRO). PA-2986
Resolved issues
Certificate requests sometimes raised confusing error messages
Previously, when Puppet encountered a connection error, it would create a new exception with additional contextual information around what was causing the error. However, this new exception could cause an additional "Wrong number of arguments" error. Puppet now raises the original error and logs it with any additional contextual information. PUP-10121
The no_proxy setting ignored FQDN suffixes unless they had a leading wildcard or period
Previously, Puppet would only bypass a proxy if no_proxy had a leading wildcard or period, for example, *.example.com or .example.com. Puppet now bypasses the HTTP proxy if the no_proxy environment variable or Puppet setting is a suffix of the destination server FQDN. PUP-10106
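The suffix rule above, combined with the NO_PROXY precedence described under Puppet 6.8.0, modelled as an added example (not Puppet's implementation). It reads "suffix" as a plain string suffix, which is an assumption, and uses that reading to list destinations that would bypass the proxy without sitting under a listed domain; host names and function names are constructed.

```ruby
# Added example: a model of the no_proxy wording on this page, useful for
# reviewing a no_proxy value. Not Puppet's code; all names are hypothetical.

# Split a comma-separated no_proxy value into normalized entries.
def no_proxy_entries(value)
  value.to_s.split(',').map { |e| e.strip.downcase }.reject(&:empty?)
end

# The NO_PROXY environment variable takes precedence over the no_proxy
# setting. Assumption: a variable that is set but empty still wins.
def effective_no_proxy(env, setting)
  from_env = env['NO_PROXY']
  no_proxy_entries(from_env.nil? ? setting : from_env)
end

# Suffix rule as worded in the 6.11.0 note: bypass the proxy when an entry
# is a suffix of the destination FQDN. A leading "*" is dropped so that
# "*.example.com" behaves like ".example.com".
def bypass_proxy?(host, entries)
  host = host.downcase.chomp('.')
  entries.any? do |entry|
    suffix = entry.sub(/\A\*/, '')
    !suffix.empty? && host.end_with?(suffix)
  end
end

# Stricter comparison used only for review: the host is the listed domain
# itself or lies below it at a DNS label boundary.
def boundary_match?(host, entry)
  domain = entry.sub(/\A\*?\.?/, '')
  host == domain || host.end_with?(".#{domain}")
end

# Destinations that bypass the proxy under the suffix rule although no
# entry covers them at a label boundary. A bare entry such as
# "example.com" produces these; ".example.com" does not.
def unexpected_bypasses(hosts, entries)
  hosts.select do |h|
    name = h.downcase.chomp('.')
    bypass_proxy?(name, entries) && entries.none? { |e| boundary_match?(name, e) }
  end
end

# Constructed sample data.
SAMPLE_SETTING = 'example.com, .corp.test'
SAMPLE_HOSTS = %w[puppet.example.com notexample.com db.corp.test example.org].freeze
```

Running `unexpected_bypasses(SAMPLE_HOSTS, effective_no_proxy(ENV, SAMPLE_SETTING))` against destinations taken from proxy or firewall logs shows which no_proxy entries are worth rewriting with a leading period.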
Puppet device runs would fail when specifying csr_attributes.yaml
The csr_attributes.yaml file can now be specified when requesting a certificate signing request for a device using puppet device --target devicename. PUP-10104
On certain Linux distributions, Puppet could incorrectly handle the service setting
On Linux distributions that do not have a default service provider, Puppet sometimes defaulted to using the defpath before verifying that runit was suitable. PUP-10102
Error messages for exec commands with paths that could not be resolved included sensitive data passed to the command
If an exec resource's command is not executable or cannot be resolved into a fully qualified path, Puppet now only prints the command, and not the potentially sensitive arguments passed to the command. Puppet also redacts the output of sensitive commands when the logoutput parameter is set to true, or the parameter is on_failure (the default), and the command fails. PUP-10100
Puppet wouldn't install dpkg sub-packages when ensure was set to held
Puppet now correctly installs dpkg sub-packages and sets them to held if ensure is set to held. PUP-10059
skip_tags was missing help documentation
Added help documentation for skip_tags. Contributed by cvquesty. PUP-10026
The deep_merge Ruby gem was vendored by Puppet
This release adds a runtime gem dependency for the deep_merge gem and ensures that the gem is no longer vendored. PUP-10014
Puppet couldn't manage pip resources if the pip command was in a directory containing spaces
Puppet can now manage pip resources in directories containing spaces, such as C:\Program Files\Python27 on Windows. PUP-9647
User resource did not respect forcelocal for the comment parameter
Prior to this release, a user resource configured with forcelocal would still try to sync the comment parameter with the external directory services. PUP-9562
Pluginsynced module API improvements
If a module used a legacy Ruby (Puppet version 3) function, and it was pluginsynced (via puppet agent -t), the function could not be loaded when using Puppet as a library. Puppet 3 API functions are now available from the cached lib directory. If a function exists in both version 3 and version 4, Puppet uses the version 4 implementation. PUP-9509
Improved handling of pip version detection during catalog compilation
Previously, the pip provider failed if pip --version did not emit the version on the first line of output. PUP-8986
The pip package provider did not use install_options when ensure was set to latest
Puppet now uses install_options whenever pip install is executed. PUP-8949
The systemd service provider failed on services whose names started with a dash
The systemd service provider can now manage services whose names start with a dash. Contributed by j-collier. PUP-7218
Improvements to working directory handling
Previously, if the cwd parameter was not specified, Puppet would change its working directory to the current working directory, which was redundant and could fail if the current working directory was not accessible. Now, exec resources only change the current working directory if the cwd parameter is specified in a manifest. PUP-5915
Puppet was unable to manage passwords for disabled Windows users
Puppet can now manage passwords for disabled Windows users. PUP-10021
Puppet 6.10.1
Released 15 October 2019
New features
Module installation performance with minitar improved
Installation time on larger modules has been improved. Previously, on platforms that had the minitar gem installed, minitar would fsync every directory and file, causing long extraction times during module installation. Puppet now uses minitar 0.9, with the fsync option turned off by default. PUP-10013
Automatic (delayed start) is now an option for Windows services
Puppet can now set Windows service startup type to Auto-Start (Delayed). To set a service to use this setting, set the enable parameter of the service resource to "delayed". PUP-6382
Resolved issues
Module repository credentials redacted during installation
When you install a module, if the module repository URL includes credentials, Puppet now redacts the credentials in the command line output. PUP-9787
Sensitive values redacted in notify resource messages
Prior to this release, the notify resource leaked data if the message was a sensitive datatype with a raw value, not encapsulated in quotes. Now sensitive values are redacted when they are interpolated in a notify resource's message. PUP-9295
Ruby security update
- RDoc vulnerabilities
- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
- CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
- CVE-2019-16254: HTTP response splitting in WEBrick
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
Curl security update
This version includes a security update to curl 7.66.0 to address CVE-2019-5481 and CVE-2019-5482.
OpenSSL security update
This version upgrades OpenSSL to 1.1.1d to address CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563. For more details, see the OpenSSL Security Advisory.
Puppet 6.10.0
Released 1 October 2019
Resolved issues
Puppet tried to install packages that were already installed
Previously, Puppet incorrectly parsed the output of pip freeze when it reported package versions using the arbitrary equality operator, ===. As a result, Puppet treated the package as not installed and tried to reinstall it during every Puppet run. PUP-10015
Query parameters for HTTP and HTTPS file resources are preserved
When retrieving metadata and content for HTTP or HTTPS file resources, Puppet now preserves query parameters. Previously, Puppet requested only the path element of the URI and skipped the query parameters. PUP-9109
YAML output with special characters was not valid
Previously, the puppet resource --to_yaml and puppet device --to_yaml commands did not generate valid YAML if the output contained special characters such as a single quote. PUP-7808
Puppet 6.9.0
Released 17 September 2019
New features
serverip6 fact added
This release adds the serverip6 fact, which returns the server's IPv6 address. If Puppet cannot find either serverip or serverip6 facts, it returns a warning. PUP-5109
Agent startup logged at debug level in daemon mode
When running in daemon mode, Puppet logs the configuration used on agent startup at the debug level. The log is sent to the output specified by the --logdest option. Configuration is reloaded and also logged on SIGHUP. PUP-9754
puppet plugin information was not included in help
The puppet help command did not include help information for puppet plugin. Now the plugin command is included in puppet help output. PUP-9959
Resolved issues
systemd could not run as non-root
This release fixes a regression introduced in Puppet 6.8.0, where the systemd provider was prevented from working when running as non-root. For example, the command puppet resource service did not include systemd services. PUP-10016
puppet module uninstall now works in FIPS mode
Previously, the puppet module uninstall command failed if you ran it in FIPS mode. With this release, puppet module uninstall now works in FIPS mode, provided you specify either the --ignore_changes or --force arguments. If you do not specify one of these arguments, then uninstall fails, so that local changes to the module are not lost. PUP-9991
no_proxy setting correctly bypasses proxy even when HTTP_PROXY environment is set
Fixes a bug where Puppet attempted to use a proxy specified in the HTTP_PROXY environment variable, even though the no_proxy setting was set to bypass the proxy. PUP-9990
exec conditionals respect sensitive types
The exec type's onlyif and unless checks now return redacted output if it is marked sensitive. PUP-9956
install_only parameter added for yum, dnf providers
This release adds a new parameter, install_only, for yum and dnf package providers. Set this parameter for packages that should only be installed, but never updated, such as kernels. PUP-9605
Plug-in download speed improved
The puppet plugin download command now reuses HTTPS connections. This significantly speeds up the download process. PUP-8662
Puppet no longer ignores truncated file downloads caused by a Ruby issue
Prior to this release, Puppet silently ignored truncated file downloads, such as when using a file resource whose source parameter contained a puppet://, http://, or https:// URL. This issue was caused by a Ruby issue and is fixed in this release. PA-2849
Puppet 6.8.1
Released 28 August 2019
Resolved issues
Virtual package support removed for apt and dpkg providers
This release removes the virtual package support added for the dpkg and apt providers in the previous release. Puppet 6.8.0 added virtual package support to these providers with an allow_virtual setting that defaulted to true. This caused issues because virtual packages are not enabled by default on apt and dpkg. PUP-9974
Fixed command execution with certain sensitive non-string arguments
Puppet could not execute commands with non-string arguments if the command was also marked as sensitive and the arguments were passed as an Array to the execute method. The issue is fixed for all providers, including the useradd provider. PUP-9973
Puppet 6.8.0
Released 21 August 2019
New features
puppet module install command prefers SHA-256 for verifying tarball
The puppet module install command now prefers SHA-256 when verifying the downloaded module tarball, but falls back to MD5 if necessary. PUP-9909
puppet-agent packages for Debian 10 added
A puppet-agent package for Debian is now available.
Virtual packages support for apt, dpkg
This release allows apt and dpkg providers to install virtual packages. The allow_virtual setting defaults to true, which enables the ability to install virtual packages.
rubygems: package { 'rubygems': ensure => 'latest' }
Puppet finds and installs the real package ruby. You can also uninstall a virtual package this way, by setting the package's ensure attribute to absent:
package {'rubygems':
  ensure => 'absent',
  allow_virtual => false
}
By default, this removes the ruby package. To disable virtual packages, set allow_virtual to false. This feature also addresses the Ubuntu reporting issue in MODULES-2047. PUP-9909
New no_proxy setting available in puppet.conf
You can now specify no_proxy as a Puppet setting, consistent with other http_proxy_* Puppet settings. The NO_PROXY environment variable takes precedence over the no_proxy Puppet setting. PUP-9316
bolt-shim module no longer required to run scripts over pxp-agent
Previously, to run a script over a pxp-agent, you had to first install the bolt_shim module. This fix allows pxp-agent to respond to requests to execute a script run action without the module. PUP-869
Resolved issues
Agents now connect directly if target host is set to NO_PROXY
If the agent is configured to use an HTTP proxy, and it attempts to connect to a host that matches an entry in the NO_PROXY environment variable, then Puppet connects directly to the host instead of using the proxy. This feature was originally introduced in Puppet 4.2, but it did not work. PUP-9942
Windows components restarted on agent upgrades
During puppet-agent upgrades, Windows Network Components were sometimes restarted. This occurred when the upgrade process tried to modify a DLL file that was already loaded. This release fixes the issue, and Windows components no longer restart during upgrades. PA-2701
Conflict between puppet-agent and puppetserver packages resolved
Puppet might fail to load under JRuby 9.1, if puppet-agent 6.4 or greater and puppetserver 6.0.x were installed on the same host. PUP-9927
Services incorrectly reported as absent after change
When Puppet runs a resource service that changes the state of the service, the returned status would always fail, causing the ensure status of the service to be absent. Now Puppet correctly returns the service status when a change of the service is requested. PUP-9908
Passing code to the parser failed on STDIN
Resolved an issue where puppet parser validate failed with an error when a valid manifest was passed in through the STDIN pipe. PUP-9816
Puppet selects systemd as the default service provider on Debian 10, "buster". PUP-9752
Puppet repeated file mode changes on some Windows files
When puppet apply changes the mode on a file inside a protected Windows directory, Puppet changes the mode on every run, even if the desired mode matches the current mode. This fix improves the analysis of the file mode, so that if the desired mode matches the current mode, Puppet does not set the mode. PUP-9722
Passwords for the user type were output in Debug logging
User providers will not output exec command lines with passwords during debugging level logging. Instead, the passwords are now marked [redacted]. PUP-9585
Device certificates could be lost in backup and restore
Prior to this change, Puppet device certificates were stored under the cache directory. When the proxy agent for a device is the master, and the user executes a backup and restore, either manually or automated as in OpsWorks, the certificate and keys were lost, requiring certificate regeneration for those devices.
This fix moves the device certificate directory to a persistent path, leaving the old path as a symbolic link for compatibility purposes.
If you are using the device_manager module to manage your devices, upgrade to 3.0.1 or later to avoid deleting certificates from their new location. PUP-8736
systemd provider confined to init system matching systemd
This change allows the systemd provider to work in a chrooted environment. PUP-7312
HTTP connections did not support authenticating proxies
Agents could not connect through an authenticating HTTP proxy when making REST requests to Puppet infrastructure, such as when requesting a catalog. Now agents will observe the http_proxy_user and http_proxy_password settings or HTTP_PROXY_USER/PASSWORD environment variables when making those requests. PUP-4470
Puppet does not use proxy to connect to localhost
If an HTTP proxy is configured either in Puppet settings or the HTTP_PROXY_* environment variables, then Puppet does not use the proxy when connecting to localhost or 127.0.0.1. This behavior can be modified by changing the no_proxy setting in puppet.conf or the NO_PROXY environment variable. PUP-2172
Puppet was unable to appropriately manage SELinux file contexts
Previously, Puppet was unable to effectively manage the SELinux file context without restarting the Puppet service. This issue was due to an infinitely cached default context for each file. Now Puppet clears this cache after each catalog apply. PUP-2169
Deprecations
SSL-related API classes deprecated
Various classes are marked as deprecated in API documentation, and will be removed in a future major version of Puppet. Constructing an instance of Puppet::SSL::Host, attempting to get or set Puppet[:ssl_server_ca_auth], or attempting to set Puppet[:ssl_client_ca_auth] now generates a deprecation warning. PUP-9513
The following classes or methods are deprecated and will be removed in a future version of Puppet:
- Puppet::Network::HttpPool.http_instance
- Puppet::Network::HttpPool.http_ssl_instance
- Puppet::SSL::Host
- Puppet::SSL::Base
- Puppet::SSL::Key
- Puppet::SSL::Certificate
- Puppet::SSL::CertificateRequest (just the indirector related stuff, the rest is ok)
- Puppet::Indirector::SslFile
- Puppet::SSL::Key::*
- Puppet::SSL::Certificate::*
- Puppet::SSL::CertificateRequest::*
- Puppet::SSL::Validator
- Puppet::SSL::Validator::*
- Puppet::SSL::VerifierAdapter
- ssl_client_ca_auth
- ssl_server_ca_auth
Puppet 6.7.2
Released 26 July 2019
Resolved issues
Catalog application failed with puppetlabs-ciscopuppet module
Catalog application failed when using a custom resource type whose automatic relationship method, such as autorequire or autobefore, returned an instance of Puppet::Type instead of a resource name. This occurred in particular when using the puppetlabs-ciscopuppet module. This issue was caused by a regression in Puppet 6.7.0. PUP-9926
Use of the mailalias resource type returned errors
mailalias resource type. Puppet was unable to correctly parse files, resulting in errors such as:
Could not prefetch mailalias provider 'aliases': Could not parse line "mailer-daemon: postmaster" (file: /etc/aliases, line: 12
This issue was caused by a regression introduced in Puppet 6.7.0. PUP-9914
Puppet 6.7.1
This version of Puppet was never released.
Puppet 6.7.0
Released 23 July 2019
New features
New ca_fingerprint setting verifies the CA bundle download against a fingerprint
ca_fingerprint setting to specify that newly provisioned agents should verify the CA certificate when it is initially downloaded. This provides a way to securely bootstrap new agents. To enable this verification, set ca_fingerprint to the SHA256 digest of the CA certificate, which can be calculated on the Puppet Server. To calculate this SHA, run the following command on the master, or on the CA server if you have specified a server other than the master:
openssl dgst -sha256 -r /etc/puppetlabs/puppet/ssl/certs/ca.pem | cut -f1 -d' '
PUP-9638
Resolved issues
Some commands could not be found
Some Puppet commands, such as puppet-infra, might not be found in the system PATH. This fix ensures that the relevant directory, opt/puppetlabs/bin, is available in the PATH. PA-2750
Custom MSI actions are logged
Custom MSI actions did not correctly log STDERR to the MSI log. PA-2691
Puppet 6.6.0
Released 1 July 2019
New features
--evaltrace option now shows total number of resources to be evaluated
The --evaltrace argument, used with the puppet agent and puppet apply commands, now returns the number of resources evaluated and the total number of resources to be evaluated. This option is useful for showing which resource in the catalog is being evaluated and the progress through the current catalog. PUP-9465
Resolved issues
Provider autoloading issue fixed
In the 6.5.0 release, Puppet was unable to autoload providers on some systems. This issue has been fixed. PUP-9794
pip provider error fixed
In the 6.5.0 release, Puppet encountered an undefined method error when running the pip provider. This issue has been fixed. PUP-9790
puppet agent --fingerprint returns the CSR hash
When you run the puppet agent --fingerprint command, if the agent doesn't have a client cert yet, Puppet returns the SHA256 digest of the certificate request (CSR). This functionality was broken as of Puppet 6.4.0, and is now fixed. PUP-9720
Recurring Puppet runs exited on some SSL bootstrap errors
Recurring Puppet runs wait a specified amount of time while bootstrapping the SSL system, and then retry if an error is encountered. This behavior was broken as of Puppet 6.4.0, and this release restores the behavior.
The wait interval is controlled by the waitforcert setting. One-time Puppet runs such as puppet agent --test or puppet agent --onetime do not retry, and instead exit when the first error occurs. PUP-9717
Lockfile retained old PID, causing agent failure
This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem. PUP-9691
Puppet now registers OIDs in the SSL application
SSL requests might sometimes return errors because Puppet was not registering OIDs in the SSL application. This is now fixed. PUP-9746
Puppet 6.5.0
Released 19 June 2019
New features
Use the staging_location parameter to customize the temporary location for new files
You can now use the staging_location parameter to render a file in a different location before you validate it with the validate_cmd parameter. PUP-9389
Use puppet catalog compile to compile catalogs
The puppet catalog compile action works in the same way puppet master --compile worked before it was removed in Puppet 6.0.0. You must run the command on the puppetserver with access to your environments, modules, manifests, and Hiera data. PUP-9055
Create a Regexp with all special characters escaped
Create a Regexp that escapes all regexp special characters by adding a Boolean true as a second argument in a call to new. For example, Regexp(".[/", true) or Regexp.new(".[/", true). The default value is false. PUP-9554
Package providers now support an alternative gem command
Previously, package providers relied on $PATH for the default gem. This release adds a targetable feature to the package type, allowing package providers to implement a command attribute. The gem and pip providers now implement that attribute. This feature allows Puppet to manage packages in software collections, such as Red Hat Software Collections. PUP-6488
package { 'colorize':
  name     => 'colorize',
  provider => gem,
}
package { 'colorize-opt':
  name     => 'colorize',
  provider => gem,
  command  => '/opt/ruby/bin/gem',
}
Manage multiple Python installations with pip and pip3 package providers
You can now add a custom path to your pip and pip3 providers using a package command. If you have multiple Python installations, this allows you to point to a specific installation. PUP-1082
Specify the maximum amount of time an agent should wait for its certificate
By default, Puppet agents attempt to download their signed certificate indefinitely. This release adds a maxwaitforcert setting, which specifies the maximum amount of time an agent should wait for its certificate. Acceptable values are unlimited (the current behavior), or a duration such as 10m, or 1h. If you specify a duration, the agent waits the full amount of time and, if the certificate is not downloaded, exits with an error. PUP-3237
Elliptic-curve cryptography (ECC) key support
key_type=ec setting. By default, Puppet uses the prime256v1 elliptic curve, but you can specify an alternate curve using the named_curve setting if the curve is supported by Ruby and OpenSSL. See OpenSSL::PKey::EC.builtin_curves for a list of supported curves. PUP-2606
key_type and named_curve settings if the agent already has a private key. These settings only control the type of private key that the agent generates. The settings do not affect which curve is selected in the TLS protocol.
Specify a refresh interval for certificate revocation lists (CRLs)
crl_refresh_interval setting to specify a refresh interval for CRLs. If specified as a duration, such as 8h, or 7d, the agent refreshes its CRL on its first run after the specified duration has elapsed. If the agent downloads a new CRL, it uses the new CRL for all subsequent network requests. If the refresh request fails or if the CRL is unchanged on the certificate authority (CA), the agent run continues using the local CRL. PUP-2310
runinterval. Setting runinterval to an equal or lesser value than the duration causes Puppet to refresh the CRL on every agent run.
Improved server_list output and error messaging
Previously, using config print to view your server_list would output a nested array that was difficult to read. Using config print now outputs the text in the same human-readable format as its entry in puppet.conf. Puppet uses the same human-readable output for errors you receive from being unable to connect to a server in server_list. PUP-9495
Improved JSON output support for validation errors
puppet parser validate subcommand now supports a --render-as=json option to output validate errors in a machine readable JSON format. Additionally, if you use the command with multiple files, Puppet continues to validate additional files when it finds a parse error, instead of halting immediately on the first error encountered. PUP-8984
puppet parser validate returns a maximum of one parse error per file.
Fedora 30 support
This release adds puppet-agent support for Fedora 30. PA-2675
Resolved issues
puppet device failed to manage multiple devices
The puppet device command would not manage multiple network devices in a single run. This was a regression introduced in Puppet 6.0.5. PUP-9587
Security update to curl
This release includes an update to curl to address security issues. See https://curl.haxx.se/docs/CVE-2019-5435.html and https://curl.haxx.se/docs/CVE-2019-5436.html for information about the CVEs. PA-2689
Amazon platforms now use yum as the default provider
Prior to this release, Amazon platforms did not have a default provider set. This resulted in Puppet trying to use the gem provider to install Amazon packages. PUP-9724
On Windows, Puppet no longer applies corrective changes to the administrator password on every Puppet run
Puppet now applies corrective changes to the administrator password only on the first run. PUP-9688
Improved syntax error feedback for legacy Ruby functions
If you loaded a legacy Ruby function with syntax errors, you'd get an error saying that your function "does not seem to be a Puppet 3x API function." Puppet now alerts you to syntax errors. PUP-9643
Password protected private key support for agent-only nodes
If a private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, the agent generates a key and uses the contents of the passfile to encrypt the key on disk using AES-128-CBC. If the agent already has an unencrypted private key, no change occurs. PUP-9466
Temporary files created from validate_cmd use the same permissions as the file resource
Prior to this release, the permissions of temporary files created by validate_cmd were different to the permissions defined on the file resource. PUP-8983
Uninstall an rpm package without specifying a version or build number
You can now remove a package with rpm package provider using ensure => absent without specifying a version or build number. PUP-8664
Tags specified via --skip_tags are no longer expanded by splitting on the namespace
Using --skip_tags split tags on the namespace separator (::) and caused Puppet to expand and skip all resources in the specified namespace. For example, using fruit::apples expanded and skipped ['fruit::apples', 'fruit', 'apples']. PUP-8215
Improved error message when listing provider resources
You now get a more helpful error message if you try to list resources for a provider type that does not have the instances class method defined. PUP-4930
Performing two or more rapid-fire Puppet runs no longer results in a race condition
When an additional Puppet run was triggered immediately after Puppet had requested a certificate from the master, the master would receive the original Certificate Signing Request (CSR) and continuously return the original certificate, which wouldn't match the new keys generated by the second Puppet run. PUP-2958
Removing a user resource on Solaris 11 installations with home directory configurations
Previously, trying to remove a user resource on a Solaris 11 installation using a home directory configuration resulted in an error. PUP-9706
Hiera 3 lookups with convert_to keys
If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with convert_to, you'd get an error: "undefined method 'call_function' for Hiera::Scope". PUP-9693
Perform string to integer conversions on decimal strings with leading zeros
Converting a decimal string with leading zeros – for example, Integer("08", 10) – to an integer would result in an error. PUP-9689
puppet device always initializes SSL directories with the correct permissions
When initializing new device certificates, puppet device would sometimes set permissions in a way that prevented the pe-puppet user from reading some directories. PUP-9642
The Windows package resource removes trailing whitespace
This release updates the Windows registry read method to replace null byte sequences with a space. This issue caused PuppetDB to discard updated facts from affected nodes. PUP-9639
Puppet no longer upgrades Debian upgrade packages before setting them on hold
Prior to this release, if you set a Debian package on hold with ensure => held and the package had a pending upgrade, Puppet installed the upgrade before locking the package. PUP-9564
Disabled Ruby 2.5.1 automatic HTTP retry mechanism
This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the Puppet Server report processor. PUP-3905
System updates to Ruby in the Puppet agent conflicted with other software
This release fixes an issue where the gem update --system command used in the Puppet agent caused conflicts with software that depends on gems in Puppet's vendored Ruby directory, such as r10k. Now gem paths always contain the path for this directory, even after updating. PA-2628
Dependency issues when installing tools that require gems
This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. If you tried to install tools that rely on gems such as Facter, Puppet and Hiera gem dependencies could not be referenced. PA-2670
Puppet 6.4.0
Released 26 March 2019
New features
HTTP certification requests
Debug: HTTP GET https://puppet.delivery.puppetlabs.net:8140/puppet/v3/file_metadatas/pluginfacts
returned 200 OK
PUP-8769
Debug logging for the exec resource
This version introduces the following improvements to debug logging for the exec resource:
- Running the exec resource with --debug and --noop now prints a debug message with the command if checks prevent it from being executed. If command, onlyif, or unless are marked as sensitive, all commands are redacted from the log output. PUP-9357
- Puppet now gives a debug message when checking the existence of a file specified by creates. PUP-9511
New method: Puppet::FileSystem.replace_file
Use Puppet::FileSystem.replace_file to replace a file. If a mode is specified, it will always be applied to the file. Otherwise, if the file being replaced exists, its mode will be preserved. If the file doesn't exist, then the mode will default to 0640. This method supersedes Puppet::Util.replace_file, which will be deprecated in a future release. PUP-9499
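The mode rules above matter most for key and credential files, so here is an added sketch of them in plain Ruby. It is not Puppet's implementation: replace_file_sketch, demo_modes and the file names are hypothetical, and the temp-file-plus-rename approach is an assumption about how a safe replacement is typically done.

```ruby
require 'securerandom'
require 'tmpdir'

DEFAULT_MODE = 0o640 # default stated in the release note for files that do not exist yet

# Hypothetical stand-in, not Puppet's code. Chooses the mode by the documented
# rules, writes to a temporary file in the same directory, then renames it into
# place so readers never see a half-written file or a file with the wrong mode.
def replace_file_sketch(path, mode = nil)
  effective_mode =
    if mode
      mode                              # an explicit mode is always applied
    elsif File.exist?(path)
      File.stat(path).mode & 0o7777     # otherwise preserve the existing mode
    else
      DEFAULT_MODE                      # new file: fall back to 0640
    end

  dir = File.dirname(path)
  tmp_path = File.join(dir, ".#{File.basename(path)}.#{SecureRandom.hex(8)}.tmp")

  # O_EXCL refuses to reuse a pre-existing temp name; 0600 until the final mode is set.
  File.open(tmp_path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.chmod(effective_mode)             # chmod is not affected by the process umask
    yield f
    f.flush
    f.fsync
  end
  File.rename(tmp_path, path)           # atomic on the same filesystem
  File.stat(path).mode & 0o7777
ensure
  # Clean up the temp file if anything failed before the rename.
  File.unlink(tmp_path) if tmp_path && File.exist?(tmp_path)
end

# Runs the three documented cases in a scratch directory (constructed file names).
def demo_modes
  Dir.mktmpdir do |dir|
    fresh    = File.join(dir, 'fresh.conf')
    existing = File.join(dir, 'existing.key')
    File.write(existing, "old\n")
    File.chmod(0o600, existing)
    {
      new_file:  replace_file_sketch(fresh) { |f| f.write("a\n") },
      preserved: replace_file_sketch(existing) { |f| f.write("new\n") },
      explicit:  replace_file_sketch(existing, 0o644) { |f| f.write("newer\n") }
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_modes.each { |name, mode| puts format('%-10s %04o', name, mode) }
end
```

Note that an explicit mode overrides a stricter existing one, so a caller passing 0644 for a private key file would loosen it.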
SSL Improvements
This version introduces several features to improve Puppet agent's SSL subsystem, including the introduction of an SSL state machine. For information on agent-side checks and HTTPS requests, see agent-master HTTPS communications. PUP-9459
- Puppet no longer uses Puppet::SSL::Host. Puppet::SSL::Host will be deprecated in a future release. PUP-9459
- Puppet no longer saves its public key to disk, because the public key is derivable from its private key and is contained in its certificate. If you need to, you can extract the public key using $ openssl rsa -in $(puppet config print hostprivkey) -pubout. PUP-9459
- The puppet ssl, puppet device, and puppet agent applications are now the only applications that can initialize SSL. Puppet applications other than puppet agent, puppet device, and puppet ssl now raise an error if they attempt to make an SSL connection while the SSL bootstrap process is incomplete. PUP-9461 PUP-9459
- Added an API for loading certificates, keys, and certificate revocation lists (CRLs). PUP-9455
- Added an API for creating an SSLContext containing certificates and keys needed to make an SSL connection. PUP-9456
- Added a method to Puppet::Network::HttpPool to create an HTTPS connection using a specified SSLContext. PUP-9457
- Instead of using Puppet::SSL::HOST, puppet ssl now uses an SSL state machine to download certificate authority (CA) and certificate revocation list (CRL) bundles. PUP-9458
- Puppet preserves existing user and group behavior when saving SSL-related files. PUP-9463
- The new puppet ssl bootstrap action submits a CSR and downloads the client certificate without running puppet agent -t. PUP-9556
SUSE Linux Enterprise Server support removed
This release of the puppet-agent package removes support for SUSE Linux Enterprise Server 11/12 s390x. PA-2489
Resolved issues
Ruby security patch in puppet-agent package
This puppet-agent package release includes a security patch for Ruby 2.5.3. To learn more about the CVEs that this patch addresses, see the Ruby security advisories. PA-2512
Resolved SSL issues
Improvements in the SSL subsystem (PUP-9459) have resolved the following issues:
- Puppet no longer conditionally sends its certificate signing requests (CSRs) based on the presence or absence of the file on disk. Instead it generates and sends the CSR whenever it needs to check for a certificate. Puppet still saves the CSR to disk, but it never reads it back in. PUP-4568
- Puppet no longer downloads the CSR from the server, so it can never get into a state where it saves the wrong CSR to disk, causing it to be stuck. As a result, it's now possible to enable allow_duplicate_certs=true and have the agent submit a CSR with the same name as a previous instance of the node. The admin still needs to revoke the old cert and sign the new CSR in order for the agent to get its certificate. PUP-2354
- Puppet no longer uses the indirector to handle certificates or keys. PUP-6207
- Puppet was too permissive about skipping SSL verification if no client certificate was found. Puppet now never downgrades verification based on the absence of a client certificate. PUP-7295
- Mismatched certificates were cached on the host, causing Puppet to print an error on each run until an admin removed the files. If a client certificate, Certificate Authority (CA) bundle, or certificate revocation list (CRL) bundle is invalid, Puppet now discards it. PUP-7903
- The error message for a mismatched certificate name was not helpful. When a Puppet agent tries to connect to an SSL server where the certificate does not match the hostname it is trying to connect to, it will now return the expected error message. PUP-8213
- The Puppet agent was not verifying its peer in an SSL connection when downloading a CRL. Puppet now verifies the server's SSL certificate when retrieving a CRL. PUP-9142
filebucket type server and port settings no longer have explicit defaults
For the filebucket type, server and port no longer have explicit default values in the type definition. If server is not set, it defaults to the first entry in server_list if set; otherwise, it defaults to server. If port is not set, it defaults to the port in the first entry of server_list if set; otherwise, it defaults to masterport. PUP-9025
Custom functions can now be correctly called
This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477
Puppet agent now produces an error when a functional server is not found
If server_list is set and a functional server is not found, Puppet returns an error rather than falling back to the server setting. PUP-9076
Optional type without arguments no longer returns an error
Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Supply a type argument with the desired type if the value is not undef. PUP-9467
Fixed remote MSI package installation on Windows
This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496
Puppet 6.3.0
Released 20 February 2019
New features
Corrective changes explicitly logged
Prior to this release, agent runs provided the same output for both intentional and corrective changes. Corrective changes are now explicitly called out in the logs as corrective. PUP-9324
New collections and index functions
This release adds group_by and partition functions that operate on collections. The group_by function is useful for separating targets into categories based on properties of those targets. The partition function allows you to use a Boolean condition to separate targets in what would otherwise be two opposite filter operations. PUP-9372
This release also adds an index() function that can return the index of a specified element in an Array, Hash, String, or other iterable value that is either equal to a given value or for which a given lambda returns a truthy value. PUP-9482
puppet-agent package added for macOS 10.14 Mojave
This release adds a puppet-agent package for macOS 10.14 Mojave.
On macOS 10.14 Mojave, you must grant Puppet Full Disk Access to be able to manage users and groups. To give Puppet access on a machine running macOS 10.14, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227
Resolved issues
Syntax errors on interpolated heredocs are resolved
Heredoc expressions with interpolation using an access expression such as $facts['somefact'] sometimes failed with a syntax error. This error was related to the relative location of the heredoc and surrounding whitespace and is now resolved. PUP-9303
Restarting pxp-agent service kills all processes when restarted
This release modifies the pxp-agent service to kill all pxp-agent processes when the service is restarted, rather than only the current process. PCP-833
Custom functions can now be correctly called
This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477
Optional type without arguments no longer returns an error
Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. Always supply a type argument with the desired type if the value is not undef. PUP-9467
Invalid path to --logdest option was ignored
Now if you give a --logdest location that Puppet cannot find or write to, the run fails with an error. PUP-6571
Upstart provider evaluated during provider check instead of during loading
The upstart provider was being evaluated when loaded, causing issues with testing and availability during transactions. This has been fixed so that the provider is evaluated only when provider suitability is being checked. PUP-9336
Deprecations
Fine grained control of file and environment timeouts deprecated
Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrative API to expire the cache as needed. PUP-9497
SublocatedExpression class
The AST SublocatedExpression class is no longer generated by the parser. The SublocatedExpression class itself will be removed from Puppet in a future release. PUP-9303
Puppet 6.2.0
Released 24 January 2019
New features
Improved support for Solaris pkg provider
This release adds support for install_options for the pkg provider on Solaris. PUP-5287
puppet-agent package available for Red Hat 8 beta
A puppet-agent package is available for the beta release of Red Hat 8. Because this Red Hat version is a beta release, not all functions are verified to work correctly. Do not use this version of puppet-agent in production.
Added protection against illegal methods in legacy functions
Puppet now protects against illegal method definitions in loaded legacy functions. Illegal methods in legacy functions disrupt the entire system and can cause difficult-to-diagnose issues. For information on how to remove such methods from legacy functions, see the topic about refactoring legacy functions. PUP-9294
Puppet logs JSON in newline-delimited format
For newline-delimited JSON logs, set the logdest setting or command line option to an absolute path ending with the .jsonl extension, such as puppet agent --logdest /var/log/puppet.jsonl. This is preferable to the JSON format, whose generated log is not valid JSON and requires an appended closing ] to make it valid. PUP-8687
Fedora 27 puppet-agent package no longer available
Fedora 27 reached end of life in November 2018. Updated puppet-agent packages for this version are no longer available.
Resolved issues
Fix for specifying package versions in portage provider
Prior to this release, you could not specify package versions when managing packages with the portage package provider. The provider now accepts and honors a version string for managing packages. PUP-9071
Exceptions encountered during resource pre-fetch are logged
If the Puppet agent encounters exceptions when pre-fetching resources for catalog application, it now logs the exceptions and returns a more useful error message. PUP-8962
Puppet commands fail if the puppet.conf file is unreadable
Puppet commands now fail if Puppet Server is unable to read the puppet.conf file. Only the --help and --version commands work if the puppet.conf file is unreadable. PUP-5575
Improved error handling for PNTransformer
When parsing Puppet into structured AST, the Puppet parser produced an error on some empty constructs because the PNTransformer could not resolve them. Now it generates a Nop expression instead. PUP-9400
Failed dependency resources are reported only once
After a failed resource has been reported, other resources that depend on the failed resource will not be reported again. However, you still get the skip message for each skipped resource. PUP-6562
Command line module installation improved
The puppet module install command now downloads only the release metadata it needs to perform dependency resolution, drastically reducing data download and improving installation time. For the puppetlabs-stdlib module, this change reduces the data download from 25MB to 68KB, and any module that depends on stdlib installs faster. PUP-9364
Puppet no longer ignores the srv_domain setting
This release fixes an issue where Puppet 6.0 ignored the srv_domain setting when using DNS SRV records to connect to the ca_server. PUP-9399
Puppet 6.1.0
Released 18 December 2018
New features
Package provider included in puppet resource default output
The puppet resource <package-name> command now includes the package provider as part of its output.
Clean certificates for remote nodes
The puppet ssl clean command now accepts a --target CERTNAME parameter to clean certificates for remote nodes configured through device.conf. PUP-9248
puppet-agent package available for Fedora 29
A puppet-agent package is now available for Fedora 29.
The systemd provider checks for new and changed units
When Puppet starts or restarts a service, the systemd provider checks to see whether the service requires a daemon reload, and reloads the systemd daemon if necessary. This ensures the service runs with the latest configuration on disk. PUP-3483
New service timeout parameter for Windows
On Windows systems, you can now specify a service timeout parameter that configures how long, in seconds, Puppet should wait when syncing service properties. PUP-9132
service { "service-name":
  enable  => true,
  ensure  => running,
  timeout => 45
}
Format strings with double quotes
You can now force strings to have double quotes when formatting strings with the String.new function. Previously, this function dynamically determined whether to use single quotes or double quotes for the string. To force double quotes, specify the alternative format flag # when you specify the string format. PUP-9344
Service support for systemd on Linux Mint 18 and newer
This release adds support for services on Linux Mint 18 and newer, which use the init systemd instead of upstart for services. PUP-9326
Parser validation finds and reports syntax issues in heredocs
Heredoc syntax checking is now performed during validation, unless the heredoc contains any interpolated expressions. This includes manifest and EPP template syntax checks. Heredocs with interpolation are checked during evaluation. Prior to this release, heredoc syntax checks were run only during evaluation.
By default, heredocs are treated as text unless otherwise specified with the end-of-text tag, such as @(EOT:json), @(EOT:pp), or @(EOT:epp). To check syntax in heredocs, run puppet parser validate. PUP-9257
Resolved issues
Improved handling of incompletely configured services
Puppet now treats incomplete services the same way as nonexistent services, returning enabled => false and ensure => :stopped in either case. If you try to set ensure => running or enabled => true on an incomplete or nonexistent service, Puppet raises an error. PUP-9240
Refreshed resource status now included in event report
This release fixes an issue where refreshed resources, such as reboot or some execs, did not create a status event in the event report. PUP-9339
Catalog compilation error fixed
When compiling a catalog, Puppet sometimes raised the error "Attempt to redefine entity." This issue has been fixed with an update to the internal logic. PUP-8002
The exec provider supports empty environment variables
Prior to this release, the exec provider did not support empty environment variables. If an empty environment variable is set on the system, Puppet temporarily overwrites it during execution. PUP-1209
Puppet recognizes tmpfs support for SELinux labels
SELinux utilities within the Puppet codebase now recognize that the tmpfs supports extended attributes and SELinux labels. The query selinux_label_support? returns true for a file mounted on tmpfs. PUP-9330
Fixed recognition of short form Arrays and Hashes
This release fixes a regression in the string formatting rules that caused a short form for an Array or Hash to not be recognized. For example, String([1,[2,3],4], '%#a') would not format with indentation, but would format the long form String([1,[2,3],4], {Array => { format => '%#a'}}). Now the short form works for Array and Hash as intended. PUP-9329
puppet ssl clean now deletes local certificate requests
This release fixes an issue where the puppet ssl clean command did not correctly delete local certificate requests. PUP-9327
Resolved Timestamp and Timespan data type errors
Prior to this release, the data types Timestamp and Timespan raised errors if time range was specified with Integer or Float values. These data types now support time ranges specified with these values. PUP-9310
Puppet 6.0.0
Released 18 September 2018
New features
Select types moved to modules
In this release, many types were moved out of the Puppet codebase, and into modules on the Forge. This change enables easier composability and reusability of the Puppet codebase and enables development to proceed more quickly without risk of destabilizing the rest of Puppet. Some types are now in supported modules and are repackaged back into the agent. Some are now in modules that are updated, but are not repackaged into the agent. And some are in modules that are deprecated, not updated, and not repackaged back into the agent.
See the Resource Type Reference page for the full list and links to the Forge modules for those types that moved.
Resource API
Resource API has been added, providing a new, recommended method to create custom types and providers. The Resource API is built on top of the Puppet core and is easier, faster, and safer than the old types and providers method. See the Resource API documentation for more information.
Upgrade to Ruby 2.3 or later
Puppet now requires Ruby 2.3 or later, and reports an error when running older Ruby versions. We removed code paths for older Ruby support, such as 1.8.7, relaxed our gem dependencies to include gems that require Ruby 2 or up, and now test Puppet pull requests against JRuby 9k. PUP-6893, PUP-8483, PUP-8484
puppetserver ca command
The new puppetserver ca command replaces the puppet cert command. Running the puppet cert command results in an error, with instructions on alternative commands to use. Some actions (fingerprint, print) have not been directly replaced, because OpenSSL provides good equivalents. For verifying certificates, use puppet ssl verify. For more usage details, see the intermediate CA documentation. PUP-9022
node clean uses the Puppet Server CA API
The puppet node clean command now goes through the Puppet Server CA API to clean up certificates for a given node. This avoids issues where multiple entities attempt to revoke certs at once, because all of these updates are now funneled through the API, which handles concurrent requests correctly. See SERVER-115 and PUP-9108 for more information.
Agents can use CA and CRL bundles
The agent now correctly saves and loads chained SSL certificates and certificate revocation lists when in an environment where its certificates are issued by Puppet acting as an intermediate CA. PUP-8652
Load files from pluginsync during catalog application
Use the Deferred data type in a catalog to call functions on the agent before the catalog is applied. It is now possible to call all functions implemented in Ruby on the agent side. It is not possible to call functions written in the Puppet language, as they are not available on the agent. PUP-9035
puppet ssl subcommand
There is a new Puppet subcommand for working with SSL certificates. The puppet ssl command supports the submit_request, download_cert, and verify actions for working with SSL certificates on the agent. PUP-9028
File requirements included in task infoservice files responses
When requesting task details, the master now returns a list of all files from the tasks metadata files and implementations['files'] keys. PUP-9081
Devuan default service provider
The Devuan service provider now defaults to the Debian init provider. PUP-9048
apply statement in plan language
An apply keyword has been added to the Puppet parser when running with tasks enabled. See Puppet specifications for details. PUP-8977
Updated default input_method for task object type
The input_method property of tasks now defaults to undef rather than the string "both". This allows more flexibility in defaults and what input_methods we choose to support in the future. PUP-8898
convert_to() function accepts additional arguments
The convert_to() function now accepts additional arguments. Previously, it accepted only the data type to convert to. PUP-8761
compare function
A compare(a,b) function has been added. It returns -1, 0, or 1 depending on if a is before b, same as b, or after b. The function works with the comparable types: String, Numeric, Semver, Timestamp, and Timespan. For String comparison it is possible to ignore or take case into account. PUP-8693
Deferred data type
A new data type Deferred has been added. It is used to describe a function call that can be invoked at a later point in time. PUP-8635
Call function resolves Deferred values
It is now possible to resolve a Deferred value by using the call function. It can resolve a deferred function call, and a deferred variable dereference (with support to dig into a structured value). PUP-8641
Concatenate with + on Binary type
It is now possible to use the plus operator + to concatenate two Binary data type values. (PUP-8605)
The sort() function has been moved from stdlib to Puppet. The function now also accepts a lambda for the purpose of using a custom compare. PUP-8622
Select string functions moved from stdlib to Puppet
The functions upcase(), downcase(), capitalize(), camelcase(), lstrip(), rstrip(), strip(), chop(), chomp(), and size() have been updated to the modern function API and the new versions are in Puppet and no longer require stdlib. The functions are generally backward compatible. PUP-8604
Select math functions moved from stdlib to Puppet
The math functions abs, ceil, floor, round, min, and max are now available in Puppet. The functions are compatible with the functions with the same name in stdlib with the added feature in min and max of calling them with a single array and being able to use a lambda with a custom compare. These stdlib math functions used inconsistent string to numeric conversions that were also unintentionally making the functions compare values in strange ways. The automatic conversions are now deprecated and will issue a warning. PUP-8603
Agent support for rich data content negotiation
The rich_data setting is now enabled by default. Catalog requests have two new content types, application/vnd.puppet.rich+json and application/vnd.puppet.rich+msgpack, that are used when both master and agent have this enabled (and depending on whether preferred_serialization_format is json or msgpack). PUP-8601
vendor_modules added to basemodulepath
The default basemodulepath now includes a vendored modules directory, which enables Puppet to load modules that are vendored in the puppet-agent package. To prevent Puppet from loading modules from this directory, change the basemodulepath back to its previous value, for example, on *nix: $codedir/modules:/opt/puppetlabs/puppet/modules. On Windows: $codedir/modules. PUP-8582
environment.conf modulepath accepts globs
The modulepath as defined in environment.conf can now accept globs in the path name. PUP-8556
Customize default package providers
This change adds a notdefaultfor that prevents a provider from being a default for a given set of facts. notdefaultfor overrides any defaultfor and should be defined more narrowly. PUP-8552
Define properties or parameters for types as sensitive
Parameters can now be marked sensitive at the class level rather than just the instance level. PUP-8514
Update default provider for Ubuntu
SystemD is now the default provider for Ubuntu 17.04 and 17.10. PUP-8495
Functions to use dot notation to dig into a hash or array
It is now possible to use dot notation to dig out a value from a structure, like in Hiera lookup and elsewhere in Puppet. To support this, the getvar() function has moved from stdlib to Puppet, and we have added a new function get(). You can now for example use getvar('facts.os.family') starting with the variable name. The get function is the general function which takes a value and a dot-notation string. PUP-7822
Puppet 4.x functions available to all modules
It is no longer required to have a dependency listed in a module’s metadata.json on another module in order to use functions or data types from the other module. PUP-6964
Updated addressable Ruby gem
Updated the version of the addressable Ruby gem now that JRuby 1.9.3 support has been removed. PUP-6894
Undeprecated certificate authority settings
Settings related to certificate authorities are no longer being deprecated as planned in PUP-9027. Warnings related to these planned deprecations have been removed. PUP-9116
Resolved issues
Reported events didn't stringify rich data
With rich data turned on for a catalog (now the default), a report could contain rich data in reported events, but nothing downstream from the agent was prepared to handle rich data. This is now fixed so that data in reported events are stringified when needed. PUP-9093
Illegal top-level constructs didn't produce an appropriate error
The deprecation for illegal top-level constructs is now an error. PUP-9091
__ptype and __pvalue were allowed as attribute names
Attempting to use the reserved attribute names __ptype and __pvalue in custom Object data types now raises an error instead of producing a bad result when serializing such objects. PUP-9079
A hash containing the key __ptype couldn't be serialized using human-readable JSON
It was not possible to use a hash key __pcore_type in a hash because that triggered the special handling during serialization. Now, the special key has changed to __ptype and it is not possible to also use that as a key in a hash and still be able to serialize it, such as using it in a catalog. PUP-8976
Status endpoint wasn't used to determine if Puppet Server was available
When the agent is configured with a list of servers (using server_list), it now requests server status from the status endpoint instead of the node endpoint. PUP-8967
Selmodule thought 'foo' existed if 'myfoo' was loaded
The selmodule type is more strict about checking if a module has already been loaded, and no longer considers modules such as "bar" and "foobar" to be the same module. PUP-8943
Resource status of failed_to_restart wasn't included in reports
Puppet considers resources that have failed to restart when notified from another resource as failed, and marks them as such in reports. Reports also now include the failed_to_restart status for individual resources, instead of only including a total count of failed_to_restart resources in the resource metrics section. This bumps the report format version to 10. PUP-8908
File type wasn't redefined when required in code
Fixed an issue running in JRuby where we didn’t store autoloaded paths in the same way that the JRuby implementation did, leading to a bug where a type or provider could get loaded more than once. PUP-8733
Puppet lost track of the current environment
Puppet autoloader methods now require a non-nil environment. This is a breaking API change, but does not affect any user extensions like 3x functions. Puppet sometimes used the configured environment instead of the current environment to autoload. This mainly affected agents when loading provider features. Calling Puppet::Parser::Functions.autoloader.load* methods is deprecated, and issues a warning if strict mode is set to warning or error. Instead use Scope#call_function("myfunction") to call other functions from within a function. PUP-8696
Comparison of numeric to timestamp or timespan failed
When comparing numeric to timestamp or timespan it did not work to compare with the numeric value first. This is now fixed. PUP-8694
http_read_timeout and runtimeout defaults were limited
The http_read_timeout default changed from infinite to 10 minutes. This prevents the agent from hanging if there are network disruptions after the agent has sent an HTTP request and is waiting for a response that might never arrive. Similarly, the runtimeout default also changed from infinite to 1 hour. PUP-8683
tidy resource was too chatty
The tidy resource type now uses the debug log level for its File does not exist message, instead of the info level. This means that resources of this type will no longer emit the message by default when the target of the resource has already been cleaned from disk. PUP-8667
Agents didn't use the CRL bundle to verify master revocation status
With this change, if the user has distributed the CRL chain out-of-band, then the agent successfully loads it and uses it to verify its connection to other Puppet infrastructure (for example, the master). It expects the CRL chain to be one or more PEM-encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat in the Puppet 5 External CA documentation. PUP-8656
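The bundle format described above (PEM-encoded CRLs concatenated together) can be checked before it is distributed out-of-band. The following is an added example, not Puppet's code: it splits a bundle, verifies each CRL's signature against a trusted issuer key and checks that it has not passed next_update. The function names, CA names and serial numbers are constructed for illustration.

```ruby
require 'openssl'

CRL_PEM = /-----BEGIN X509 CRL-----.+?-----END X509 CRL-----/m

# Split a bundle of concatenated PEM CRLs into OpenSSL::X509::CRL objects.
def load_crl_bundle(pem_bundle)
  pem_bundle.scan(CRL_PEM).map { |pem| OpenSSL::X509::CRL.new(pem) }
end

# For each CRL in the bundle, report whether it is signed by a key we trust
# for that issuer, whether it is still current, and which serials it revokes.
# issuer_keys maps an issuer DN string to its OpenSSL::PKey.
def check_crl_bundle(pem_bundle, issuer_keys, now = Time.now)
  load_crl_bundle(pem_bundle).map do |crl|
    issuer = crl.issuer.to_s
    key = issuer_keys[issuer]
    {
      issuer: issuer,
      signature_ok: !key.nil? && crl.verify(key),
      current: crl.next_update > now,
      revoked_serials: crl.revoked.map { |r| r.serial.to_i }
    }
  end
end

# Builds a constructed CRL for testing: a throwaway key and issuer name,
# with the given serial numbers marked as revoked.
def build_sample_crl(common_name, serials)
  key = OpenSSL::PKey::RSA.new(2048)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # value 1 means a v2 CRL
  crl.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  serials.each do |serial|
    revoked = OpenSSL::X509::Revoked.new
    revoked.serial = serial
    revoked.time = Time.now - 60
    crl.add_revoked(revoked)
  end
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  [crl.to_pem, key]
end

# Constructed two-level chain: a root CRL followed by an intermediate CRL.
def demo_crl_bundle
  root_pem, root_key = build_sample_crl('Constructed Root CA', [7])
  int_pem, int_key   = build_sample_crl('Constructed Intermediate CA', [42, 77])
  trusted = {
    '/CN=Constructed Root CA' => root_key,
    '/CN=Constructed Intermediate CA' => int_key
  }
  check_crl_bundle(root_pem + int_pem, trusted)
end

if __FILE__ == $PROGRAM_NAME
  demo_crl_bundle.each { |result| puts result.inspect }
end
```

A CRL whose issuer is missing from the trusted map, or whose signature does not verify, is reported with signature_ok false rather than raising, so one bad entry does not hide the state of the rest of the bundle.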
Puppet 5 and Ruby 2.4 couldn't handle invalid plists
When processing malformed plist files, we used to use /dev/stdout, which can cause Ruby to complain. We now use - instead which means to use stdout when processing the plist file with plutil. PUP-8545
White space surrounding comments in EPP were handled incorrectly
EPP comments <%# Like this %> always trimmed preceding whitespace. This is different from ERB making it more difficult to migrate ERB templates to EPP. There was also no way of making EPP preserve those spaces. Now, EPP comment does not trim preceding whitespace by default, and a new left trimming tag <%#- has been added. This is a backwards incompatibility in that code such as "Before <%# comment %>after" resulted in the string "Beforeafter", whereas now it will be "Before after". PUP-8476
filter function didn't accept truthy values
The filter function did not accept truthy value returned from the block as indication of values to include in the result. Only exactly Boolean true was accepted. PUP-8320
Unsafe YAML data could be loaded
Puppet now uses YAML.safe_load consistently to ensure only known classes are loaded. PUP-7834
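What "only known classes are loaded" means in practice, as an added Ruby example that is not Puppet's own code: YAML.safe_load refuses any document that names a class outside an explicit allow-list, and can refuse aliases as well. The allow-list, helper names, and sample documents are constructed for the illustration.

```ruby
require 'yaml'

# Hypothetical allow-list: classes beyond the basic YAML types that this
# loader is willing to instantiate.
PERMITTED = [Symbol].freeze

# Hypothetical helper: parse untrusted YAML, rejecting documents that name
# any class outside the allow-list or that use aliases.
def load_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: PERMITTED, aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  raise ArgumentError, "rejected YAML: #{e.class}"
end

# Hypothetical helper: true when the loader refuses the document.
def rejected?(text)
  load_untrusted_yaml(text)
  false
rescue ArgumentError
  true
end

# Constructed sample documents.
PLAIN   = "role: :webserver\nports: [80, 443]\n"                      # basic types plus Symbol
TAGGED  = "--- !ruby/object:ConstructedPayload\nadmin: true\n"        # names a Ruby class
ALIASED = "base: &b {a: 1}\ncopy: *b\n"                               # uses an anchor and alias
```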
Gemfile didn't support consuming the Puppet gem via a Git reference
Restructured the Puppet Gemfile so that Bundler installs Puppet’s runtime, feature-related, and test dependencies by default. The development and documentation groups can be installed using: bundle install --with development documentation. PUP-7433
Puppet didn't use shared gem dependency for semantic_puppet
Puppet now uses the shared gem dependency for semantic_puppet, rather than loading its own vendored version. PUP-7157
Puppet, the agent, and Puppet Server didn't use a shared gem directory for semantic_puppet
Puppet now loads semantic_puppet from a shared gem directory, so that Puppet, the agent, and Puppet Server all require and use the same version of the gem. (~>1.0.x) PUP-7115
metrics.time.total didn't correlate to time reported in log
Total time now reports the measured time of the run instead of a sum of other run times. PUP-6344
Features weren't re-evaluated when a block was used
Puppet.features.add(:my_feature) do require 'mylib' end and Puppet.features.add(:my_feature, libs: ['my_lib'])
Previously the result of the block was always cached. With this change only true or false return values are cached. To indicate that the state of the feature is unknown and may become available later, the block returns nil. PUP-5985
Manifests that declared things in the wrong namespace didn't trigger errors
Errors will be reported for declarations in module files that have a namespace inconsistent with their directory and file location. PUP-4242
Invalid .dot files were generated by missing escapes of quoted strings
Generating graphs of catalogs (such as puppet apply --graph) now correctly handles resources with double quotes in the title. PUP-2838
Outdated vendored semantic_puppet gem
We have updated the vendored semantic_puppet gem in the puppet-agent package to the most recent version, 1.0.2. PA-1881
Deprecations
Certificate authority subcommands and v1 CA HTTP API
Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998
As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650
For details on changes and the new commands, see our documentation about certificates and SSL.
Ruby certificate authority
Puppet no longer has a Ruby CA. All CA actions now rely entirely on the Clojure implementation in Puppet Server. It can be interacted with by means of the CA API and the puppetserver ca command, which leverages the API using subcommands like those provided by puppet cert. PUP-8912
Trusted server facts
Trusted server facts are always enabled and have been deprecated since 5.0. This removes the setting and conditional logic. PUP-8530
write_only_yaml node terminus
The write_only_yaml node terminus was used to “determine the list of nodes that the master knows about” and predated widespread PuppetDB adoption. The write_only_yaml has been deprecated since 4.10.5, and this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a compile. PUP-8528
LDAP node terminus
The LDAP node terminus has been removed. PUP-7601
computer, macauthorization, and mcx types and providers
The computer, macauthorization, and mcx types and providers have been moved to the macdslocal_core module. It is not repackaged into puppet-agent in the 6.0 series.
Nagios types
The Nagios types no longer ship with Puppet, and are now available as the puppetlabs/nagios_core module from the Forge.
Cisco network devices
The Cisco network device types no longer ship with Puppet. These types and providers have been deprecated in favor of the puppetlabs/cisco_ios module, which is available on the Forge. PUP-8575
:undef in types and providers
In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply, types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a master, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112
puppet module build command
To reduce the amount of developer tooling installed on all agents, this version of Puppet removes the puppet module build command. To continue building module packages for the Forge and other repositories, install Puppet Development Kit (PDK). PUP-8763
pcore_type and pcore_value
The earlier experimental --rich_data format used the tags pcore_type and pcore_value; these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations, you need to change them or write them again with the updated version. PUP-8597
Webrick
Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591
puppet master command
The puppet master command and its subcommands have been removed. Instead, use a puppet-config command. PE-24280
--strict flag in puppet module
The --strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558
Select settings
- The previously deprecated configtimeout setting has been removed in favor of the http_connect_timeout and http_read_timeout settings. PUP-8534
- The unused ignorecache setting has been removed. PUP-8533
- The previously deprecated pluginsync setting has now been removed. The agent’s pluginsync behavior is controlled based on whether it is using a cached catalog or not. PUP-8532
- The deprecated app_management setting has now been removed. Previously, this setting was ignored, and always treated as though it was set to be on. PUP-8531
- The deprecated ordering setting has been removed, and catalogs now always have the ordering previously provided by the manifest value of this setting. PUP-6165
- Settings related to the rack webserver from Puppet, including binaddress and masterhttplog. PUP-3658
String duplication in 3x runtime converter
Type and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values, and any type or provider that directly mutates a resource parameter might fail. Previously, every resource attribute was copied so that applications did not break even if they mutated a value. Look for use of gsub! in your modules and replace the logic with a non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141
Puppet.newtype method
The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. (PUP-7078)
Certificate handling commands deprecated but not removed
- ca_name
- cadir
- cacert
- cakey
- capub
- cacrl
- caprivatedir
- csrdir
- signeddir
- capass
- serial
- autosign
- allow_duplicate_certs
- ca_ttl
- cert_inventory