Puppet known issues

These are the known issues in this version of Puppet.

Puppet lookup omits parameters when using --environment

If you specify puppet lookup with an explicit environment using the --environment flag, puppet lookup does not call to the ENC, causing any node parameters set in the ENC to be omitted. PUP-11595

Puppet lookups fail to interpolate topscope variables when an environment is specified

In Puppet 6.26 and 7.14, the lookup command fails to resolve toplevel facts in hiera configs if you're using the --environment option. For example, if you use a toplevel variable like "nodes/%{fqdn}.yaml", Puppet interpolates the variable as an empty string. As a workaround, use trusted facts or specify the fact value using the "facts" hash, such as "%{facts.hostname}" PUP-11437

User and group management on macOS 10.14 requires Full Disk Access

To manage users and groups with Puppet on macOS 10.14, you must grant Puppet Full Disk Access (FDA). You must also grant FDA to the parent process that triggers your Puppet run. For example:
  • To run Puppet in a server-agent infrastructure, you must grant FDA to the pxp-agent.

  • To run Puppet from a remote machine with SSH commands, you must grant FDA to sshd.

  • To run Puppet commands from the terminal, you must grant FDA to terminal.app.

To give Puppet access on a machine running macOS10.14, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable, along with any other parent processes you use to run. For detailed steps, see Add full disk access for Puppet on macOS 10.14 and newer. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

Hiera knockout_prefix is ineffective in hierarchies more than three levels deep

When specifying a deep merge behaviour in Hiera, the knockout_prefix identifier is effective only against values in an adjacent array, and not in hierarchies more than three levels deep. HI-223

Specify the epoch when using version ranges with the yum package provider

When using version ranges with the yum package provider, there is a limitation which requires you to specify the epoch as part of the version in the range, otherwise it will use the implicit epoch `0`. For more information, see the RPM packaging guide. PUP-10298

Deferred functions can only use built-in Puppet types

Deferred functions can only use types that are built into Puppet (for example String). They cannot use types from modules like stdlib because Puppet does not plugin-sync these types to the agent. PUP-8600

The Puppet agent installer fails when systemd is not present on Debian 9

The puppet-agent package does not include sysv init scripts for Debian 9 (Stretch) and newer. If you have disabled or removed systemd, puppet-agent installation and Puppet agent runs can fail.

Upgrading Windows agent fails with ScriptHalted error

Registry references to nssm.exe were removed in PA-3263. Upgrading from a version without this update to a version that contains it triggers a Windows SecureRepair sequence that fails if any of the files delivered in the original *.msi package are missing. This is an issue when upgrading to one of the following Puppet agent versions: 5.5.21, 5.5.22, 6.17.0, 6.18.0, 6.19.0, 6.19.1, 6.20.0, 7.0.0, 7.1.0 or 7.3.0. To work around this issue, put the *.msi file for the currently installed version in the C:\Windows\Installer folder before you upgrade. Starting with Puppet agent 6.21.0 and 7.4.0, the nssm.exe registry value will be replaced with an empty string, instead of the registry key being removed, to avoid triggering Windows SecureRepair. PA-3545