Puppet release notes
These are the new features, resolved issues, and deprecations in this version of Puppet.
Puppet 8.6.0
Released April 2024.
GitHub Releases
More details about what has changed in this release are available on GitHub. Visit the following links for more information:
Enhancements
Option to disable catalog messages
Added a boolean Puppet setting to disable "notice" level messages specifying which server the agent requests a catalog from and which server actually handles the request. Catalog messages are enabled by default. PUP-12023
package: pacman provider: Add purgeable feature
Added an option to the pacman provider to purge config files. This feature was contributed by community member bastelfreak.
Update core modules
- Removal of concurrent-ruby as a dependency
- Support for Amazon Linux
Resolved issues
Non-literal class parameter types need to be deprecated.
Previously, non-literal class parameters caused errors due to the
different default values of the strict
setting. puppet parser validate
also returned
non-zero exit codes. Now the issue is a language
deprecation, so a warning is generated and puppet parser validate
returns 0. All language deprecation warnings can be disabled
by setting disable_warnings=deprecations
in the
main
section of
puppet.conf. PUP-12026
Package provider "pip" not fully functional with network urls on Ubuntu 22.04.
Puppet's pip package provider now
supports installing python modules via network URLs, e.g.
source =>
'git+https://github.com/<org>/<repo>.git'
.
Fix contributed by community member smokris. PUP-12027
Provider dnfmodule prompts user to trust gpg key when performing module list.
Added assumeyes
option to dnf
module list. Fix contributed by community member loopiv.
Puppet resource returns zero if it fails to make changes
Added new --fail
command line flag
for Puppet resource.
Remove Accept-Encoding header on redirect
Previously, Puppet copied all request headers in an HTTP redirect, including Accept-Encoding. In some cases when HTTP compression was enabled, the response failed to decompress, then failed to parse and triggered a vague error. This change strips the Accept-Encoding headers on redirect, allowing Ruby's built-in Net::HTTP to both compress and decompress the traffic.
Accept UnaryMinusExpression as class parameter type
Previously, class parameters of the form Integer[-1]
$param
failed compilation, because the
value -1
was lexed as a
UnaryMinusExpression containing a LiteralInteger. And since
the LiteralEvaluator didn't implement
theliteral_UnaryMinusExpression
method, the visitor called literal_XXX
for
each ancestor class, until reaching
literal_Object
, which always
raises.
This adds the literal_UnaryMinusExpression
method
and returns -1 times the expression it wraps.
If strict
is off, the issue is
ignored. If strict
is
warning, a warning is reported, but compilation continues.
If strict
is error,
compilation fails.
Security
Upgrade OpenSSL
Upgraded openssl to version 3.0.13 to address the following CVEs: CVE-2023-5678; CVE-2023-6129; CVE-2023-6237; CVE-2024-0727. PA-6131
Vulnerabilities in curl
Backported patches for CVE-2024-2004 and CVE-2024-2398 in curl 7.88.1. PA-6291
New Digicert code-signing cert
Windows MSI are now signed with a new certificate, valid until March 2027. The Issuing CA is "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1".
Puppet 8.5.1
Released March 2024.
Resolved issues
Using a negative value with the integer
type assertion on a class causes
a compilation error.
Previously, negative values caused a compilation errors when used
with the integer
type
assertion on a class. This has been fixed. PUP-12024
Puppet 8.5.0
Released February 2024.
Enhancements
Debian 12 (x86_64) support
Added support for Debian 12 (x86_64). PA-5549
Debian 12 (ARM) support
Resolved issues
Syntactically incorrect types cause nil types in Puppet::InfoService::ClassInformationService
Previously, when a type was incorrectly specified, Puppet’s class_information_service
ignored the error and produced an empty
type
specification. Puppet now
produces a warning and assigns a default type
in the nil
case. PUP-11981.
Puppet 8.4.0
Released January 2024.
Enhancements
Bump concurrent-ruby to 1.2.2
Bumped concurrent-ruby gem to 1.2.2. PA-5960
Add logging of server hostnames when requesting configuration
Puppet agents now log server hostnames when requesting catalogs. PUP-11899
Add logging of which Puppet Server handled catalog requests
Puppet agents now log the FQDN name of the server that compiled the catalog. This is useful when there are multiple compilers behind a load balancer. PUP-11900
Update package & service providers for Amazon Linux 2023
Updates Amazon Linux 2023's default package and service providers to DNF and SystemD, respectively. Contributed by GitHub user vchepkov. PUP-11976
Debian 11 (ARM) support
Added support for Debian 11 (ARM).
Amazon Linux 2023 support
Added support for Amazon Linux 2023.
MacOS 14 support
Added support for MacOS 14.
Resolved issues
puppet-agent-7.25: selinux Bindings broken on RHEL9.1
Fixed an issue introduced in 7.25.0 that prevented Puppet from managing selinux if the system libselinux libraries were previous to version 3.5. PA-5632
RHEL 8 FIPS agent fails to start after upgrade to Puppet 8
Fixed an issue that prevented the RHEL 8 FIPS agent from starting after upgrading to Puppet 8. PA-5786
/opt/puppetlabs/puppet/bin/openssl
fails
to load library dependencies on AIX
Set RPATH for openssl 1.1.1 to load dependencies from Puppetlabs
libdir in order to ensure that /opt/puppetlabs/puppet/bin/openssl
loads
its library dependencies that were shipped in the
puppet-agent package. PA-5925
Puppet agent on Solaris 11 x86 fails when updated to SRU >= 57
Fixed a regression that prevented the ffi gem's native extension from loading on newer versions of Solaris 11.4. PA-5929
Puppet chooses wrong service default provider on Gentoo if systemd is used
Systemd is now the default service provider on Gentoo. Fix contributed by community member bastelfreak. PUP-11593
Resources
resource type
should be marked as apply_to_all
Enables resources metatype compatibility with both hosts and devices. Contributed by GitHub user seanmil. PUP-11666
"Total number of facts" warning not counting array elements
Puppet incorrectly counted array elements and hash keys when determining if the number of facts exceeded the total fact count soft limit. This has been fixed. PUP-11685
Lazily deferred evaluation may not work if type implements autorequire, etc
The command
parameter for an
exec
resource can
now be deferred. PUP-11937
dnfmodule fails to enable module with ensure version and no default stream
Puppet can now manage dnfmodule
packages with ensure
values
other than present
such as
ensure => '1.4'
.
Fix contributed by community member evgeni. PUP-11985
Security
Upgrade OpenSSL
Upgraded OpenSSL to 3.0.12. PA-5864
Patch Curl in puppet-runtime
Patched Curl to address CVE-2023-38546. PA-5861
Puppet 8.3.1
Released November 2023.
Enhancements
Ship FIPS compatible Java key store in fips agents
FIPS Puppet agent builds now include a FIPS-compatibile java keystore.
- create Atos_TrustedRoot_Root_CA_ECC_TLS_2021:2.16.61.152.59.166.102.61.144.99.247.126.38.87.56.4.239.0.crt
- create Atos_TrustedRoot_Root_CA_RSA_TLS_2021:2.16.83.213.207.230.25.147.11.251.43.5.18.216.194.42.162.164.crt
- create BJCA_Global_Root_CA1:2.16.85.111.101.227.180.217.144.106.27.9.209.108.62.192.108.32.crt
- create BJCA_Global_Root_CA2:2.16.44.23.8.125.100.42.192.254.133.24.89.6.207.180.74.235.crt
- create Certainly_Root_E1:2.16.6.37.51.177.71.3.51.39.92.249.141.154.185.191.204.248.crt
- create Certainly_Root_R1:2.17.0.142.15.249.75.144.113.104.101.51.84.244.212.68.57.183.224.crt
- create DigiCert_TLS_ECC_P384_Root_G5:2.16.9.224.147.101.172.247.217.200.185.62.28.11.4.42.46.243.crt
- create DigiCert_TLS_RSA4096_Root_G5:2.16.8.249.180.120.168.250.126.218.106.51.55.137.222.124.207.138.crt
- delete E-Tugra_Certification_Authority:2.8.106.104.62.156.81.155.203.83.crt
- delete EC-ACC:2.16.238.43.61.235.212.33.222.20.168.98.172.4.243.221.196.1.crt
- delete Hellenic_Academic_and_Research_Institutions_RootCA_2011:2.1.0.crt
- delete Hongkong_Post_Root_CA_1:2.2.3.232.crt
- delete Network_Solutions_Certificate_Authority:2.16.87.203.51.111.194.92.22.230.71.22.23.227.144.49.104.224.crt
- create SSL.com_TLS_ECC_Root_CA_2022:2.16.20.3.245.171.251.55.139.23.64.91.226.67.178.165.209.196.crt
- create SSL.com_TLS_RSA_Root_CA_2022:2.16.111.190.218.173.115.189.8.64.226.139.77.190.212.247.91.145.crt
- create Sectigo_Public_Server_Authentication_Root_E46:2.16.66.242.204.218.27.105.55.68.95.21.254.117.40.16.184.244.crt
- create Sectigo_Public_Server_Authentication_Root_R46:2.16.117.141.253.139.174.124.7.0.250.169.37.167.225.199.173.20.crt
- create Security_Communication_ECC_RootCA1:2.9.0.214.93.155.179.120.129.46.235.crt
- create Security_Communication_RootCA3:2.9.0.225.124.55.64.253.27.254.103.crt
- delete Staat_der_Nederlanden_EV_Root_CA:2.4.0.152.150.141.crt
Bump augeas to 1.14.1
PubkeyAcceptedAlgorithms
setting in /etc/ssh/sshd_config
from a string to a
list. 'set
Settings/PubkeyAcceptedAlgorithms
+ssh-rsa'
in the following code block:
augeas { 'sshd_allow_rsa':
incl => '/etc/ssh/sshd_config',
lens => 'Sshd.lns',
context => '/files/etc/ssh/sshd_config/Match/',
changes => [
'set Condition/Address 192.168.0.3',
'set Condition/User user',
'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
]
}
must be changed to 'set
Settings/PubkeyAcceptedAlgorithms/seq::*[.="ssh-rsa"]
ssh-rsa'
following this
update.Add RHEL 9 (ARM64) support
Puppet now supports RHEL 9 (ARM64). PA-4998
Add Ubuntu 22.04 (ARM64) support
Puppet now supports Ubuntu 22.04 (ARM64). PA-5050
Make split()
sensitive
aware
The split
function now accepts
sensitive values and returns a Sensitive[Array]
. This change was
contributed by community user cocker-cc. PUP-11429
Freeze string literals
String literals are now frozen or immutable by default. PUP-11841
Log openssl version and fips mode
Puppet agent now logs the openssl version along with ruby and Puppet versions when running in debug mode. PUP-11930
Monkey patch {File,Dir}.exists?
Added a monkey patch in Ruby for Puppet code using older Ruby
language exists?
method.
PUP-11945
Resolved issues
puppet ssl clean <REMOTE
CERT>
clears local private key and local
certificate
puppet ssl clean <argument>
now
prints an error that <argument>
is unexpected instead of
deleting the local certificate and private key. PUP-11895
100% usage of a CPU core when an exec
command sends EOF
Previously, Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed. Fix contributed by community user bugfood. PUP-11897
string.new
generates strings
with unexpected encoding
A regression was introduced in Puppet 8.0.0 which caused the epp
and inline_epp
functions to return a binary
string. If the value was assigned to the parameter of an
exported resource, then the parameter's value was converted
to base64 in PuppetDB. Any agents that collected the
resource then received the base64 encoded value. This
release fixes the regression so the functions return a UTF-8
string. PUP-11932
puppet/lib/puppet/pops/time/timespan.rb:637:
warning: passing a block to String#codepoints is
deprecated
Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934
Correct inaccurate comment in find_file()
function
Updated find_file
function
documentation. This fix was contributed by community member
pillarsdotnet. PUP-11940
epp
and inline_epp
functions return binary
strings
Fixed a regression that caused the epp
and inline_epp
functions to return binary
strings instead of UTF-8 encoded strings. This resulted in
exported resources being stored as base64 in puppetdb,
breaking any node that collected those resources. Fix
contributed by community member smortex. PUP-11943
Update host_autorenewal_interval
Puppet setting
documentation
Previously documentation implied that host_autorenewal_interval
refreshes in
30 days regardless of when it expires by default.
Documentation was updated to better reflect actual behavior
where implementation only attempts to renew its client cert
if the cert expires within N days from now. PUP-11944
Error when using {File,Dir}.exists?
in Ruby
Added a patch for some Puppet code
using older Ruby language exists?
method.
Security
Deprecations and removals
Remove TrustCor CA certs
- TrustCor_ECA-1:2.9.0.132.130.44.95.28.98.208.64.crt
- TrustCor_RootCert_CA-1:2.9.0.218.155.236.113.243.3.176.25.crt
- TrustCor_RootCert_CA-2:2.8.37.161.223.202.51.203.89.2.crt
Puppet 8.3.0
This version was never released.
Puppet 8.2.0
Released August 2023.
Enhancements
macOS 13 support
Added support for macOS 13. PA-4772
Upgrade hiera-eyaml to 3.4+
Upgraded the hiera-eyaml component to 3.4. PA-5633
Add agent renew REST implementation
Added a method to send a client certificate renewal request to puppetserver. PUP-11854
Add Puppet setting to configure renewal interval
Added a setting for how often a node attempts to automatically renew its client certificate. PUP-11855
Retry failed CA & CRL refreshes sooner than the next interval
Puppet now attempts to refresh its CA and CRL sooner if initial attempts fail. PUP-11869
Send auto-renew attribute in CSR
Puppet now has an auto-renew attribute. If the agent supports auto-renewal, this attribute is added to the CSR (Certificate Signing Request) when it is generated and is used by Puppet Server to determine if auto-renewal TTL needs to be enabled for a given agent.
Agents that either do not have the hostcert_renewal_interval
setting or
have it set to 0 do not support auto-renewal and do not have
the auto-renew attribute. PUP-11896
Resolved issues
ffi and nokogiri gem use the wrong architecture when cross compiling
Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666
certname with .pp
in the
middle doesn't pick up its own
manifest
Fixed an issue where manifests with .pp
in their file names were not
imported. PUP-11788
The --no-preprocess_deferred
option breaks deferring of Sensitive file
content
It is now possible to specify the content property for file
resources as containing a Deferred function that returns a
Sensitive value when lazily evaluating deferred values (the
default behavior in 8.x or when setting Puppet[:preprocess_deferred]
false in
7.x). For example: content =>
Deferred('new', [Sensitive, "password"])
.
PUP-11846
"Sleeping" agents raise "attempt to read body out of block (IOError)"
Previously, the agent erroneously tried to read a response body after closing the connection when a Puppet server requested the agent retry. Now when the agent is told to retry, the agent waits the specified sleep duration and does not error trying to read the request body after closing the connection. PUP-11853
puppet-resource_api bug with ruby 3.2 and integer munging
Updated puppet-resource_api to enable Ruby 3.2 compatibility. PA-5641
CRL authorityKeyIdentifier is not printed in Puppet 8
Fixed a regression in Puppet 8.x which caused the agent to omit the authorityKeyIdentifier extension for its CRL. PUP-11849
Security
Puppet 8.1.0
Released June 2023.
Enhancements
Refresh cached Puppet CA on Puppet client
Puppet agents will now attempt to
refresh their CA certificate(s) once per day. The frequency
is controlled by a new Puppet
setting: ca_refresh_interval
. PUP-10639
Resolved issues
Removed dependency on private class Concurrent::RubyThreadLocalVar
The Puppet::ThreadLocal
class no
longer relies on concurrent-ruby's private Concurrent::RubyThreadLocalVar
class and
instead uses Concurrent::ThreadLocalVar
. PUP-11723
Yumrepo target attribute does not work
Using the yumrepo
resource, enables
the target parameter to set the filepath for a Yum
repository to an arbitrary filepath or to an existing
repository file. Thank you to community member nabertrand for this
contribution. PA-5187
Security
Bump curl to 7.88.1
Upgraded the curl component from 7.86 to 7.88.1 to address several security vulnerabilities. PA-5393
Puppet 8.0.0
Released April 2023.
Enhancements
Freeze string literals
String literals are now immutable by default. PUP-11841
Strict mode enabled by default
For Puppet 8, strict mode is on by
default, meaning strict
defaults to error
and
strict_variables
defaults to true
. With
strict
set to
error, extra validation & checks are performed and fail
as an error. This change could be a breaking change if your
code does not conform to strict mode.
-
Accessing a variable without first defining it:
notice($myvar)
-
Accessing a legacy fact:
notice($facts['osfamily'])
-
Coercing a string into a numeric:
"1" + 1
To return to the previous behavior, set, strict
to warning
and strict_variables
to false
. PUP-11725
Change default value of exclude_unchanged_resources
Puppet reports no longer contain
detailed information about resources already matching their
desired state. Doing so reduces the amount of data stored in
PuppetDB in the
most common case when nothing has changed. The previous
behavior can be enabled by setting exclude_unchanged_resources=false
in
puppet.conf on each agent. PUP-11684
Drop Hiera 3 Requirement
Hiera 3 is no longer a hard dependency for Puppet. PUP-11621
Change default crl_refresh_interval
to 1 day
Puppet agent now defaults to refreshing its certificate revocation list (CRL) once every 24 hours. PUP-11602
Evaluate deferred functions lazily by default
Deferred functions follow normal resource relationships and
ordering, so it is now possible to install a dependency for
a deferred function and call the deferred function in a
single agent run. The previous behavior can be enabled by
setting preprocess_deferred=false
in puppet.conf
on each agent. PUP-11526
Exclude legacy facts by default
Legacy facts are no longer collected on Puppet agent or sent to Puppet server. This saves network bandwidth and reduces Puppetserver's memory footprint when using templates.
Since legacy facts are not available during compilation, they
cannot be referenced in Puppet code, ERB/EPP templates or Hiera configuration.
The legacy_facts
puppet-lint
plugin can help identify and automatically correct legacy
fact usage in Puppet code.
For more information visit https://github.com/puppetlabs/puppet-lint/blob/main/lib/puppet-lint/plugins/legacy_facts/legacy_facts.rb.
Legacy facts can be re-enabled by setting include_legacy_facts=true
in puppet.conf
on each agent. PUP-11430
Replace c_rehash
script with
native openssl implementation
Puppet agent 8 no longer bundles the
c_rehash
binary.
Instead, users must rely on the bundled openssl binary's
subcommand rehash. Example: /opt/puppetlabs/puppet/bin/openssl
rehash
. PA-4265
MRI Ruby 3.2
Puppet agent vendors Ruby 3.2. Ruby 3.2 has several notable breaking changes that may affect Puppet extensions, such as functions, custom facts, types & providers, report processors, etc. For a complete list visit: https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#ruby-32-compatibility
If Puppet is installed as a gem, then it requires Ruby 3.1 or greater.
OpenSSL 3.0
Puppet agent vendors OpenSSL 3.0. If an application compiles against Puppet's openssl, then the application must be recompiled. For more information visit https://www.openssl.org/docs/man3.0/man7/migration_guide.html
Resolved issues
Deprecations and removals
Remove Windows ENV patches on Ruby 3
The Puppet::Util
methods for getting,
setting, clearing and merging environment variables are still available, but are
deprecated and will be removed in the next major release. Puppet 8 now uses Ruby's built-in ENV class to manage
environment variables on Windows. PUP-11348
Remove extra
cli option
The extra
CLI option, which was previously hidden,
has been entirely removed. PUP-11119
Drop openssl man pages and html docs
OpenSSL man pages and html docs are no longer included in Puppet agent. PA-4908
Drop Hiera 3 Component
This is a breaking change. The Hiera 3 gem is no longer vendored in puppet-agent packages, but may be installed separately.
If you rely on a Hiera 3 backend (a class that extends
Hiera::Backend
), you must convert your backend
to Hiera 5 using the steps found at https://www.puppet.com/docs/puppet/latest/hiera_migrate.html,
or manually install the Hiera 3 gem on all Puppet Server hosts. This change does not affect Hiera 5, puppet lookup or the hiera_include
, hiera_hash
, etc set of
functions. PA-4646
Drop PSON support
Support for the PSON (Pure JSON) serialization format has been removed. Puppet agents may fail if binary data is accidentally
added to the catalog without using the Binary
data
type or binary_file
function. For more information
visit https://www.puppet.com/docs/puppet/latest/lang_data_binary.html.
It is possible, but not recommended, to reenable PSON support by installing the
puppet-pson gem on all agents and server hosts and setting preferred_serialization_format=pson
in puppet.conf on each agent.