Puppet release notes

Ship FIPS compatible Java key store in fips agents

FIPS Puppet agent builds now include a FIPS-compatibile java keystore.

PA-4813

Bump augeas to 1.14.1

Updated the augeas component of Puppet agent to from 1.13.0 to 1.14.1. PA-4938

Add RHEL 9 (ARM64) support

Puppet now supports RHEL 9 (ARM64). PA-4998

Add Ubuntu 22.04 (ARM64) support

Puppet now supports Ubuntu 22.04 (ARM64). PA-5050

Make split() sensitive aware

The split function now accepts sensitive values and returns a Sensitive[Array]. This change was contributed by community user cocker-cc. PUP-11429

Freeze string literals

String literals are now frozen or immutable by default. PUP-11841

Log openssl version and fips mode

Puppet agent now logs the openssl version along with ruby and Puppet versions when running in debug mode. PUP-11930

Monkey patch {File,Dir}.exists?

Added a monkey patch in Ruby for Puppet code using older Ruby language exists? method. PUP-11945

puppet ssl clean <REMOTE CERT> clears local private key and local certificate

puppet ssl clean <argument> now prints an error that <argument> is unexpected instead of deleting the local certificate and private key. PUP-11895

100% usage of a CPU core when an exec command sends EOF

Previously, Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed. Fix contributed by community user bugfood. PUP-11897

string.new generates strings with unexpected encoding

A regression was introduced in Puppet 8.0.0 which caused the epp and inline_epp functions to return a binary string. If the value was assigned to the parameter of an exported resource, then the parameter's value was converted to base64 in PuppetDB. Any agents that collected the resource then received the base64 encoded value. This release fixes the regression so the functions return a UTF-8 string. PUP-11932

puppet/lib/puppet/pops/time/timespan.rb:637: warning: passing a block to String#codepoints is deprecated

Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934

Correct inaccurate comment in find_file() function

Updated find_file function documentation. This fix was contributed by community member pillarsdotnet. PUP-11940

epp and inline_epp functions return binary strings

Fixed a regression that caused the epp and inline_epp functions to return binary strings instead of UTF-8 encoded strings. This resulted in exported resources being stored as base64 in puppetdb, breaking any node that collected those resources. Fix contributed by community member smortex. PUP-11943

Update host_autorenewal_interval Puppet setting documentation

Previously documentation implied that host_autorenewal_interval refreshes in 30 days regardless of when it expires by default. Documentation was updated to better reflect actual behavior where implementation only attempts to renew its client cert if the cert expires within N days from now. PUP-11944

Error when using {File,Dir}.exists? in Ruby

Added a patch for some Puppet code using older Ruby language exists? method.

Upgrade OpenSSL

Upgraded OpenSSL to 3.0.11 to address CVE-2023-4807. PA-5783

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38545. PA-5848

Remove TrustCor CA certs

macOS 13 support

Added support for macOS 13. PA-4772

Upgrade hiera-eyaml to 3.4+

Upgraded the hiera-eyaml component to 3.4. PA-5633

Add agent renew REST implementation

Added a method to send a client certificate renewal request to puppetserver. PUP-11854

Add Puppet setting to configure renewal interval

Added a setting for how often a node attempts to automatically renew its client certificate. PUP-11855

Retry failed CA & CRL refreshes sooner than the next interval

Puppet now attempts to refresh its CA and CRL sooner if initial attempts fail. PUP-11869

Send auto-renew attribute in CSR

Puppet now has an auto-renew attribute. If the agent supports auto-renewal, this attribute is added to the CSR (Certificate Signing Request) when it is generated and is used by Puppet Server to determine if auto-renewal TTL needs to be enabled for a given agent.

Agents that either do not have the hostcert_renewal_interval setting or have it set to 0 do not support auto-renewal and do not have the auto-renew attribute. PUP-11896

ffi and nokogiri gem use the wrong architecture when cross compiling

Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666

certname with .pp in the middle doesn't pick up its own manifest

Fixed an issue where manifests with .pp in their file names were not imported. PUP-11788

The --no-preprocess_deferred option breaks deferring of Sensitive file content

It is now possible to specify the content property for file resources as containing a Deferred function that returns a Sensitive value when lazily evaluating deferred values (the default behavior in 8.x or when setting Puppet[:preprocess_deferred] false in 7.x). For example: content => Deferred('new', [Sensitive, "password"]). PUP-11846

"Sleeping" agents raise "attempt to read body out of block (IOError)"

Previously, the agent erroneously tried to read a response body after closing the connection when a Puppet server requested the agent retry. Now when the agent is told to retry, the agent waits the specified sleep duration and does not error trying to read the request body after closing the connection. PUP-11853

puppet-resource_api bug with ruby 3.2 and integer munging

Updated puppet-resource_api to enable Ruby 3.2 compatibility. PA-5641

CRL authorityKeyIdentifier is not printed in Puppet 8

Fixed a regression in Puppet 8.x which caused the agent to omit the authorityKeyIdentifier extension for its CRL. PUP-11849

Upgrade OpenSSL

Upgraded OpenSSL to address various vulnerabilities (CVE-2023-3817, CVE-2023-3446, CVE-2023-2975, CVE-2023-0464). PA-5699

Bump Ruby URI component for CVE-2023-36617

Patched Ruby to address a vulnerability in the URI gem (CVE-2023-36617). PA-5638

Refresh cached Puppet CA on Puppet client

Puppet agents will now attempt to refresh their CA certificate(s) once per day. The frequency is controlled by a new Puppet setting: ca_refresh_interval. PUP-10639

Removed dependency on private class Concurrent::RubyThreadLocalVar

The Puppet::ThreadLocal class no longer relies on concurrent-ruby's private Concurrent::RubyThreadLocalVar class and instead uses Concurrent::ThreadLocalVar. PUP-11723

Yumrepo target attribute does not work

Using the yumrepo resource, enables the target parameter to set the filepath for a Yum repository to an arbitrary filepath or to an existing repository file. Thank you to community member nabertrand for this contribution. PA-5187

Bump curl to 7.88.1

Upgraded the curl component from 7.86 to 7.88.1 to address several security vulnerabilities. PA-5393

Freeze string literals

String literals are now immutable by default. PUP-11841

Strict mode enabled by default

For Puppet 8, strict mode is on by default, meaning strict defaults to error and strict_variables defaults to true. With strict set to error, extra validation & checks are performed and fail as an error. This change could be a breaking change if your code does not conform to strict mode.

To return to the previous behavior, set, strict to warning and strict_variables to false. PUP-11725

Change default value of exclude_unchanged_resources

Puppet reports no longer contain detailed information about resources already matching their desired state. Doing so reduces the amount of data stored in PuppetDB in the most common case when nothing has changed. The previous behavior can be enabled by setting exclude_unchanged_resources=false in puppet.conf on each agent. PUP-11684

Drop Hiera 3 Requirement

Hiera 3 is no longer a hard dependency for Puppet. PUP-11621

Change default crl_refresh_interval to 1 day

Puppet agent now defaults to refreshing its certificate revocation list (CRL) once every 24 hours. PUP-11602

Evaluate deferred functions lazily by default

Deferred functions follow normal resource relationships and ordering, so it is now possible to install a dependency for a deferred function and call the deferred function in a single agent run. The previous behavior can be enabled by setting preprocess_deferred=false in puppet.conf on each agent. PUP-11526

Exclude legacy facts by default

Legacy facts are no longer collected on Puppet agent or sent to Puppet server. This saves network bandwidth and reduces Puppetserver's memory footprint when using templates.

Since legacy facts are not available during compilation, they cannot be referenced in Puppet code, ERB/EPP templates or Hiera configuration. The legacy_facts puppet-lint plugin can help identify and automatically correct legacy fact usage in Puppet code. For more information visit https://github.com/puppetlabs/puppet-lint/blob/main/lib/puppet-lint/plugins/legacy_facts/legacy_facts.rb.

Legacy facts can be re-enabled by setting include_legacy_facts=true in puppet.conf on each agent. PUP-11430

Replace c_rehash script with native openssl implementation

Puppet agent 8 no longer bundles the c_rehash binary. Instead, users must rely on the bundled openssl binary's subcommand rehash. Example: /opt/puppetlabs/puppet/bin/openssl rehash. PA-4265

MRI Ruby 3.2

Puppet agent vendors Ruby 3.2. Ruby 3.2 has several notable breaking changes that may affect Puppet extensions, such as functions, custom facts, types & providers, report processors, etc. For a complete list visit: https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#ruby-32-compatibility

If Puppet is installed as a gem, then it requires Ruby 3.1 or greater.

OpenSSL 3.0

Puppet agent vendors OpenSSL 3.0. If an application compiles against Puppet's openssl, then the application must be recompiled. For more information visit https://www.openssl.org/docs/man3.0/man7/migration_guide.html

selinux: undefining the allocator of T_DATA class swig_runtime_data

Patch selinux ruby native extension for Ruby 3.2 compatibility. PA-4844

ruby-shadow failing in Ruby 3.2

Patch shadow ruby native extension for Ruby 3.2. PA-4843

Remove Windows ENV patches on Ruby 3

The Puppet::Util methods for getting, setting, clearing and merging environment variables are still available, but are deprecated and will be removed in the next major release. Puppet 8 now uses Ruby's built-in ENV class to manage environment variables on Windows. PUP-11348

Remove extra cli option

The extra CLI option, which was previously hidden, has been entirely removed. PUP-11119

Drop openssl man pages and html docs

OpenSSL man pages and html docs are no longer included in Puppet agent. PA-4908

Drop Hiera 3 Component

This is a breaking change. The Hiera 3 gem is no longer vendored in puppet-agent packages, but may be installed separately.

If you rely on a Hiera 3 backend (a class that extends Hiera::Backend), you must convert your backend to Hiera 5 using the steps found at https://www.puppet.com/docs/puppet/latest/hiera_migrate.html, or manually install the Hiera 3 gem on all Puppet Server hosts. This change does not affect Hiera 5, puppet lookup or the hiera_include, hiera_hash, etc set of functions. PA-4646

Drop PSON support

Support for the PSON (Pure JSON) serialization format has been removed. Puppet agents may fail if binary data is accidentally added to the catalog without using the Binary data type or binary_file function. For more information visit https://www.puppet.com/docs/puppet/latest/lang_data_binary.html.

It is possible, but not recommended, to reenable PSON support by installing the puppet-pson gem on all agents and server hosts and setting preferred_serialization_format=pson in puppet.conf on each agent.