Puppet release notes

Updated REXML

The REXML gem was updated to 3.3.9 in Ruby 2.7 and Ruby 3.2 for CVE-2024-49761.

PA-7106

Evaluated CVEs

The Puppet team has evaluated CVE-2025-0167, CVE-2025-0665, and CVE-2025-0725 and determined that the vulnerable path is not present in the Puppet Core platform. Therefore, Puppet Core is not impacted by these vulnerabilities.

An update was introduced to ensure that users are aware of the Puppet Serialized Object Notation (PSON) deprecation when planning an upgrade. Because Puppet 8 removed support for PSON, users who upgraded to Puppet 8 without awareness of the change sometimes experienced failed Puppet runs. To increase user awareness, PSON deprecation notices are now logged at the default NOTICE level instead of the INFO level.

PE-40352

The semantic_puppet version is bumped. This release bumps the semantic_puppet version to 1.1.1 to fix a typo in a method name.

Patch Curl in agent-runtime

Patched Curl to address CVE-2024-8096.

PA-6961

Update libxml2

Puppet agent's vendored libxml2 is upgraded to version 2.13.4 to address the following vulnerabilities: CVE-2024-25062, CVE-2024-34459, and CVE-2024-40896.

PA-6973

Update Ruby 2.7

Ruby 2.7 was updated to address CVE-2024-27281.

PA-7089

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the October 2024 releases.

Update REXML

The REXML gem was updated to version 3.3.6 to address the following security vulnerabilities: CVE-2024-41946, CVE-2024-35176, CVE-2024-41123, CVE-2024-39908, and CVE-2024-43398.

PA-6682, PA-6881, PA-6507, PA-6736, PA-6901

Patch RDoc vulnerability

Patched a vulnerability in the RDoc gem as distributed in Ruby 2.7.8 to address CVE-2024-27281.

PA-6282

Patch Curl in agent-runtime

Patched Curl to address CVE-2024-7264.

PA-6878

Update OpenSSL

OpenSSL was updated to address CVE-2024-5535.

PA-6889

Resolved issue with catalog download.

Addressed an issue where catalog download would fail when running the puppet catalog download command with the default options. The puppet catalog download command now correctly sends facts to download the catalog. Community member nabertrand submitted this issue.

PUP-12046

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the September 2024 releases.

New operating systems

StringIO vulnerability

Patched a vulnerability in the StringIO gem as distributed in Ruby 2.7 to address CVE-2024-27280.

OpenSSL vulnerability

Addressed CVE-2024-4741 to correct an OpenSSL issue.

Change related to splay limits was reverted.

In the Puppet 7.31.0 release, a defect was corrected to ensure that any splay setting updates in the Puppet configuration file (puppet.conf) would be applied to daemonized Puppet runs. However, the fix resulted in an unexpected side issue that caused splays to be frequently recalculated, potentially delaying Puppet startup times. For this reason, the change was reverted. In the Puppet 7.32.1 release, splay setting updates in the Puppet configuration file (puppet.conf) are not applied to daemonized Puppet runs.

Sensitive values returned by deferred functions are protected.

Previously, in certain circumstances, when a function of the Deferred type returned a value of the Sensitive type, the value was displayed in clear text. The issue is resolved to help ensure that sensitive values are protected.

Windows agents now run as expected.

Previously, when a value of 0 was specified for the runinterval setting, Windows agents ran every 30 minutes. Now, a setting of 0 causes the agents to run continuously as expected.

Resolved issue with catalog compilation.

Addressed an issue where catalog compilation would fail when running the puppet lookup command with the --compile option when server facts were present in the catalog.

Resolved issue to ensure that the Puppet agent service starts automatically.

In certain circumstances, when Puppet was successfully installed or upgraded on Microsoft Windows Server 2019 or 2022, the Puppet agent service did not restart automatically as expected. This fix helps to ensure that the service starts running without user intervention. Community member rismoney submitted the issue, which was fixed by another community member, vibe.

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the July 2024 releases and extends special thanks to the following first-time contributors: @jiwonaid and @jordanbreen28.

New operating systems

CVE-2024-2511 and CVE-2024-27282

Two security fixes are backported to 7.31.0. The fixes address CVE-2024-2511 and CVE-2024-27282.

Contributors

The Puppet team appreciates the Puppet Community members who contributed content for recent releases and extends special appreciation to these first-time contributors: anhpt37, Animeshz, garrettrowell, smokris, tlehman, and yakatz.

Fixed issue with splay limits

An issue was corrected to ensure that any splay setting updates in the Puppet configuration file (puppet.conf) are applied to daemonized Puppet runs.

Option to disable catalog messages

Added a boolean Puppet setting to disable "notice" level messages specifying which server the agent requests a catalog from and which server actually handles the request. Catalog messages are enabled by default. PUP-12023

package: pacman provider: Add purgeable feature

Added an option to the pacman provider to purge config files. This feature was contributed by community member bastelfreak.

Update core modules

Non-literal class parameter types need to be deprecated.

Previously, non-literal class parameters caused errors due to the different default values of the strict setting. puppet parser validate also returned non-zero exit codes. Now the issue is a language deprecation, so a warning is generated and puppet parser validate returns 0. All language deprecation warnings can be disabled by setting disable_warnings=deprecations in the main section of puppet.conf. PUP-12026

Package provider "pip" not fully functional with network urls on Ubuntu 22.04.

Puppet's pip package provider now supports installing python modules via network URLs, e.g. source => 'git+https://github.com/<org>/<repo>.git'. Fix contributed by community member smokris. PUP-12027

Provider dnfmodule prompts user to trust gpg key when performing module list.

Added assumeyes option to dnf module list. Fix contributed by community member loopiv.

Puppet resource returns zero if it fails to make changes

Added new --fail command line flag for Puppet resource.

Remove Accept-Encoding header on redirect

Previously, Puppet copied all request headers in an HTTP redirect, including Accept-Encoding. In some cases when HTTP compression was enabled, the response failed to decompress, then failed to parse and triggered a vague error. This change strips the Accept-Encoding headers on redirect, allowing Ruby's built-in Net::HTTP to both compress and decompress the traffic.

Accept UnaryMinusExpression as class parameter type

Previously, class parameters of the form Integer[-1] $param failed compilation, because the value -1 was lexed as a UnaryMinusExpression containing a LiteralInteger. And since the LiteralEvaluator didn't implement theliteral_UnaryMinusExpression method, the visitor called literal_XXX for each ancestor class, until reaching literal_Object, which always raises.

This adds the literal_UnaryMinusExpression method and returns -1 times the expression it wraps.

If strict is off, the issue is ignored. If strict is warning, a warning is reported, but compilation continues. If strict is error, compilation fails.

Vulnerabilities in curl

Backported patches for CVE-2024-2004 and CVE-2024-2398 in curl 7.88.1. PA-6291

Vulnerability in OpenSSL

Backported fixes to OpenSSL 1.1.1 to address CVE-2023-5678. PA-6132

Using a negative value with the integer type assertion on a class causes a compilation error.

Previously, negative values caused a compilation errors when used with the integer type assertion on a class. This has been fixed. PUP-12024

Debian 12 (x86_64) support

Added support for Debian 12 (x86_64). PA-5549

Debian 12 (ARM) support

Syntactically incorrect types cause nil types in Puppet::InfoService::ClassInformationService

Previously, when a type was incorrectly specified, Puppet’s class_information_service ignored the error and produced an empty type specification. Puppet now produces a warning and assigns a default type in the nil case. PUP-11981.

Bump concurrent-ruby to 1.2.2

Bumped concurrent-ruby gem to 1.2.2. PA-5960

Bump augueas to 1.14.1 for 7.x

augeas { 'sshd_allow_rsa':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  context => '/files/etc/ssh/sshd_config/Match/',
  changes => [
    'set Condition/Address 192.168.0.3',
    'set Condition/User user',
    'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
   ]
}

Add logging of server hostnames when requesting configuration

Puppet agents now log server hostnames when requesting catalogs. PUP-11899

Add logging of which Puppet Server handled catalog requests

Puppet agents now log the FQDN name of the server that compiled the catalog. This is useful when there are multiple compilers behind a load balancer. PUP-11900

Update package & service providers for Amazon Linux 2023

Updates Amazon Linux 2023's default package and service providers to DNF and SystemD, respectively. Contributed by GitHub user vchepkov. PUP-11976

Debian 11 (ARM) support

Added support for Debian 11 (ARM).

Amazon Linux 2023 support

Added support for Amazon Linux 2023.

MacOS 14 support

Added support for MacOS 14.

puppet-agent-7.25: selinux Bindings broken on RHEL9.1

Fixed an issue introduced in 7.25.0 that prevented Puppet from managing selinux if the system libselinux libraries were previous to version 3.5. PA-5632

RHEL 8 FIPS agent fails to start after upgrade to Puppet 8

Fixed an issue that prevented the RHEL 8 FIPS agent from starting after upgrading to Puppet 8. PA-5786

/opt/puppetlabs/puppet/bin/openssl fails to load library dependencies on AIX

Set RPATH for openssl 1.1.1 to load dependencies from Puppetlabs libdir in order to ensure that /opt/puppetlabs/puppet/bin/opensslloads its library dependencies that were shipped in the puppet-agent package. PA-5925

Puppet agent on Solaris 11 x86 fails when updated to SRU >= 57

Fixed a regression that prevented the ffi gem's native extension from loading on newer versions of Solaris 11.4. PA-5929

Resources resource type should be marked as apply_to_all

Enables resources metatype compatibility with both hosts and devices. Contributed by GitHub user seanmil. PUP-11666

"Total number of facts" warning not counting array elements

Puppet incorrectly counted array elements and hash keys when determining if the number of facts exceeded the total fact count soft limit. This has been fixed. PUP-11685

dnfmodule fails to enable module with ensure version and no default stream

Puppet can now manage dnfmodule packages with ensure values other than present such as ensure => '1.4'. Fix contributed by community member evgeni. PUP-11985

Upgrade OpenSSL

Upgraded OpenSSL to 3.0.12. PA-5864

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38546. PA-5861

Ship FIPS compatible Java key store in fips agents

FIPS Puppet agent builds now include a FIPS-compatibile java keystore.

PA-4813

Add RHEL 9 (ARM64) support

Puppet now supports RHEL 9 (ARM64). PA-4998

Add Ubuntu 22.04 (ARM64) support

Puppet now supports Ubuntu 22.04 (ARM64). PA-5050

Make split() sensitive aware

The split function now accepts sensitive values and returns a Sensitive[Array]. This change was contributed by community user cocker-cc. PUP-11429

Log openssl version and fips mode

Puppet agent now logs the openssl version along with ruby and Puppet versions when running in debug mode. PUP-11930

puppet ssl clean <REMOTE CERT> clears local private key and local certificate

puppet ssl clean <argument> now prints an error that <argument> is unexpected instead of deleting the local certificate and private key. PUP-11895

100% usage of a CPU core when an exec command sends EOF

Previously, Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed. Fix contributed by community user bugfood. PUP-11897

puppet/lib/puppet/pops/time/timespan.rb:637: warning: passing a block to String#codepoints is deprecated

Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934

Upgrade OpenSSL

Upgraded OpenSSL to 3.0.11 to address CVE-2023-4807. PA-5783

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38545. PA-5848

Remove TrustCor CA certs

Upgrade hiera-eyaml to 3.4+

Upgraded the hiera-eyaml component to 3.4. PA-5633

macOS 13 support

Added support for macOS 13. PA-5420

ffi and nokogiri gem use the wrong architecture when cross compiling

Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666

certname with .pp in the middle doesn't pick up its own manifest

Fixed an issue where manifests with .pp in their file names were not imported. PUP-11788

The --no-preprocess_deferred option breaks deferring of Sensitive file content

It is now possible to specify the content property for file resources as containing a Deferred function that returns a Sensitive value when lazily evaluating deferred values (the default behavior in 8.x or when setting Puppet[:preprocess_deferred] false in 7.x). For example: content => Deferred('new', [Sensitive, "password"]). PUP-11846

"Sleeping" agents raise "attempt to read body out of block (IOError)"

Previously, the agent erroneously tried to read a response body after closing the connection when a Puppet server requested the agent retry. Now when the agent is told to retry, the agent waits the specified sleep duration and does not error trying to read the request body after closing the connection. PUP-11853

Upgrade OpenSSL

Upgraded OpenSSL to address various vulnerabilities (CVE-2023-3817, CVE-2023-3446, CVE-2023-2975, CVE-2023-0464). PA-5699

Bump Ruby URI component for CVE-2023-36617

Patched Ruby to address a vulnerability in the URI gem (CVE-2023-36617). PA-5638

Removed dependency on private class Concurrent::RubyThreadLocalVar

The Puppet::ThreadLocal class no longer relies on concurrent-ruby's private Concurrent::RubyThreadLocalVar class and instead uses Concurrent::ThreadLocalVar. PUP-11723

Setting to prevent falling back to non-rich data

Before, Puppet fell back to PSON when unable to serialize to JSON. This can cause issues because rich data types cannot be serialized vis PSON. A new setting, allow_pson_serialization, allows users to turn PSON serialization on or off.

allow_pson_serialization defaults to true in Puppet 7 and false in Puppet 8. When set to false, a warning is raised when falling back to PSON. When set to true, an error is raised instead. This option affects Puppet Server's configuration management service responses as well as when the agent saves its cached catalog. PUP-10928

Bump curl to 7.88.1

Upgraded the curl component from 7.86 to 7.88.1 to address several security vulnerabilities. PA-5393

Support for macOS 10.15 removed

This release removes support for macOS 10.15 from puppet-agent. PA-5413

Support for RHEL 7 (aarch64) removed

This release removes support for RHEL 7 (aarch64) from puppet-agent. PA-5418

Puppet resource can't load time object to YAML

The file resource now supports puppet resource file <path> --to_yaml. PUP-11763

each, map, and filter functions are slow and buggy on jruby

Fixed an issue where the each, map, and filter built-in functions in Puppet language had poor performance and consumed unnecessary resources. PUP-11755

Warn if Puppet falls back to PSON

Puppet Server now logs a warning instead of debug message if it fails to serialize a catalog and falls back to PSON, which usually occurs when binary data is present in the catalog. PUP-11787

Setting to report non-versioned path to resource when using versioned dirs

When the versioned_environment_dirs setting is enabled, Puppet would previously report the full directory path to the environment after resolving symlinks as the source for resources in a catalog.

Puppet now reports the path to the resource before resolving symlinks in the environmentpath. You may revert to the previous behavior by setting the new configuration option report_configured_environmentpath to false. PUP-11691

Can't dig into facts when legacy facts are excluded

Catalog compilation no longer fails when using the dig function and excluding legacy facts. PUP-11717

concurrent-ruby 1.2.0 breaks Puppet

Updated Puppet to require versions of concurrent-ruby prior to 1.2. PUP-11722

fqdn_rand function relies on legacy fqdn fact

Puppet now allows disabling legacy facts when using the fqdn_rand. PUP-11752

Bump nokogiri to 1.13.10

Updated the Nokogiri component from version 1.13.9 to 1.13.10, addressing CVE-2022-23476. PA-4817

Allow legacy facts to be excluded

Added a Puppet setting include_legacy_facts to control whether legacy facts are sent to puppetserver when requesting a catalog. By default, Puppet continues to send legacy facts, but it can be disabled if all puppet manifests, hiera.yaml and hiera configuration layers are modified to no longer use legacy facts. PUP-11662

Allow omission of unchanged resources from reports

With the new setting exclude_unchanged_resources, Puppet can omit data about unchanged resources from reports. This can decrease the size of reports significantly. PUP-11654

Tasks are not listed when a single task in an environment has malformed metadata

Tasks containing invalid JSON metadata are skipped in the GET /tasks endpoint rather than the whole response returning 500. PUP-11683

Purging SSH keys on a user resource fails when alias is used

Catalog compilation no longer fails when using the purge_ssh_keys parameter on a user resource with an alias metaparameter. PUP-11631

puppet lookup –E does not execute the ENC

If you specify puppet lookup with an explicit environment ( --environment web ) then lookup did not call to the classifier, causing any node parameters set in the classifier to be omitted. This was because calling the classifier assigns a different environment to the node by default, returning a lookup result for a different environment than was requested. This issue has been fixed. It also affected open source (replace the word classifier with ENC). PUP-11527

Bump puppet-runtime's Ruby to 2.7.7

Updates puppet-agent's Ruby to 2.7.7, addressing CVE-2021-33621. PA-4805

Update libxml2 to 2.10.3

Updates puppet-agent's vendored libxml2 from 2.9.8 to 2.10.3, which addresses CVE-2021-3541, CVE-2022-23308, CVE-2022-29824, CVE-2022-40303, and CVE-2022-40304. Also updates puppet-agent's vendored libxslt from 1.1.33 to 1.1.37, which addresses CVE-2021-30560. PA-4770

osx-10.15-x86_64 - NULL pointer dereference in Nokogiri

Updates Nokogiri to 1.13.9, which addresses CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303 in Nokogiri's vendored libxml2 and CVE-2022-37434 in Nokogiri's vendored zlib. PA-4767

Tag and bump puppet-resource_api in Puppet 7

Bumps resource-api gem to 1.8.16. PA-4702

Puppet::Util::Json raises an error when reading an empty file

Puppet no longer errors when loading an empty task metadata file. PUP-11629

Augeas not working on M1 macOS Big Sur

Fixed a bug in the Augeas component of the puppet-agent platform on macOS. Contributed by Puppet community member h0tw1r3. PA-4704

Augtool packaged in puppet-agent 7.19.0 is broken

puppet-agent 7.19.0 had a broken Augeas packaged with it. This is fixed in puppet-agent 7.20.0. PA-4686

Support for Debian 9 removed

This release removes support for Debian 9 (x86 and x86-64) from puppet-agent. PA-4576

Support for Fedora 34 and 32 removed

This release removes support for Fedora 34 and 32 (x86-64) from puppet-agent. PA-4284, PA-4269

Support for Fedora 36 (x86_64)

This release adds support for Fedora 36 (x86_64). PA-4668

Updated Augeas to 1.13.0

Bumped Augeas to 1.13.0 for all supported platforms except for Solaris and AIX. Those two platforms remain on 1.12.0, as Augeas 1.13.0 fails to compile due to a few readline function calls that are not on Solaris or AIX. PA-4494

Puppet sends malformed PuppetDB reports with Oj

Reports sent to PuppetDB using the Oj JSON backend are now properly formatted. PUP-11620

puppet module list --render-as json does not report unmet dependencies

puppet module list --render-as json now includes information about unmet dependencies. PUP-11604

Puppet does not write SELinux labels on ZFS

Marked ZFS as an SELinux-capable filesystem. PUP-11603

Puppet::Util.safe_posix_fork fails if /proc/self is not a directory

Puppet now handles misconfigured /proc filesystems correctly. PUP-11594

Puppet on Ruby 3.1 warns about ERB passing safe_level as non-keyword argument

Puppet now passes ERB arguments as keywords. PUP-11552

FIPS OpenSSL: disable c_rehash binary

Fixed CVE-2022-1292 and CVE-2022-2068. PA-4621

Bump to openssl-fips-1.1.1k-6

Updated openssl-fips on RedHat to 1.1.1k-6. PA-4498

Update puppet-ca-bundle

Updated root certificate authority bundle included with puppet-agent. PA-4496

Support for macOS 12 (M1)

This release adds support for macOS 12 (M1). PA-4457

Support for Windows 11 Enterprise (x86_64)

This release adds support for Windows 11 Enterprise (x86_64). PA-4249

Support for Ubuntu 22.04 (x86_64)

This release adds support for Ubuntu 22.04 (x86_64). PA-4233

Sub-directory names returned as task names when listing tasks from a module

The puppet/v3/tasks REST API only returns files in the tasks directory of each module and no longer includes the names of subdirectories. PUP-11539

Puppet agent --disable is ignored with cron puppet agent (splay).

Puppet agent now checks the disabled lock file after sleeping due to splay. PUP-9998

puppet-cacerts keystore is missing on Red Hat 9, SLES 15 and Ubuntu 20.04

If Puppet agent is installed, there is a java keystore file. PA-4440

Support for Operating Systems removed

This release removes support for Fedora 32, CentOS 8, and Ubuntu 16.04. PA-4328

Update puppet runtime's curl to 7.83.1

Updated runtime to fix CVE-2022-22576, CVE-2022-27774, and CVE-2022-27776. PA-4472

Resolve deferred values on demand instead of at catalog read time

It's now possible for deferred functions to be called on demand instead of being preprocessed. This way other resources in the catalog can serve as inputs to the deferred function. If the deferred function fails, then only that resource fails, while unrelated resources are still applied. To enable this behavior, set Puppet[:preprocess_deferred] = false or use --no-preprocess_deferred on the command line. PUP-9323

Add virt-what and dmidecode in Puppet Agent

Adds virt-what and dmidecode components to Puppet Agent. PA-4423

Nokogiri security vulnerability fix

Fix for CVE-2022-29181. PA-4489

Puppet::HTTP::Client cannot connect to a server requiring client cert authentication and whose server cert is issued by a CA in the ssl_trust_store

Puppet's http client can now establish a mutually authenticated TLS connection when passing include_system_store: true such as when retrieving file content from HTTPS servers. Previously Puppet did not add its client certificate to the SSL context, so the connection would fail if the HTTPS server required a client certificate. PUP-11522

Remove compiler errors for deferred function mismatched types

Before, it was not possible to compile a catalog that used a Deferred value for a typed parameter class. The compiler would give an error message stating that the type expected did not match Deferred. Now, the compiler inspects the Deferred class's return type and ensures it matches the class parameter type. If the Deferred function has no return type, the compiler warns that it cannot guarantee whether the type adheres to the type the class specifies. PUP-11518

Yum provider does not properly update package using version range and install options

Yum provider now accepts disablerepo, enablerepo, and disableexcludes install options if a range is specified. PUP-11475

Legacy function error does not include the source ref

If a 3x function produces an error, the error message now includes the path to the file in which the function is defined. PUP-11472

Cannot login under user created by Puppet on macOS 12.1

On macOS, Puppet now validates that the salt parameter for the user resource is a hex encoded string of length 64 exactly. ​​PUP-11454

puppetserver_gem doesn't install gems when they are loaded by Facter

Fixed a bug that prevented the puppetserver_gem provider from managing gems that were first loaded by Facter. PUP-11452

Puppet Agent does not automatically refresh CRLs on crl_refresh_interval

Puppet Agent now reloads its CA and CRL bundles every 30 minutes during each run. Previously it only loaded it when the process started, which meant the service had to be restarted if the CA/CRL files changed on disk. PUP-11428

systemd: Puppet Agent starts before network-online.target is reached

Puppet Agent now waits for network-online.target and does not attempt to contact Puppet Server before having network connectivity. Previously, Puppet Agent on Ubuntu 15.04 started with a multi-user.target. If using NetworkManager with DHCP, the agent tried to apply configuration before the network connection was up, resulting in printing several errors to the logs. PUP-5402

Allow Puppet::HTTP::Client to connect to trusted server using the puppet certificate for client authentication

You can now specify an https URL as the source of a file resource when the TLS server requires a client certificate for authentication. PUP-11471

Ruby security fix

Bumped Ruby to 2.7.6 to fix CVE-2022-28739. PA-4364

puppet lookup fails to interpolate topscope variables when an environment is specified

Fixed an issue where Puppet 6.26 and 7.14 failed to resolve toplevel facts in Hiera configs when using the --environment option for puppet lookup. PUP-11437

Rspec tests with custom facts fail on some modules

This release fixes an issue where rspec module tests would compile with the runner node’s facts instead of using the custom facts supplied by the test. PUP-11435

Puppet::Util::Windows is undefined on non-Windows platforms

Fixed a bug that prevented pdk unit tests from working when trying to test a resource with a Windows provider, such as "service" resources. PUP-11459

No option to fail fast when agent-specified environment does not exist

When using strict_environment_mode=true, a run now fails early if the requested environment does not exist on the server, or if the server does not allow the agent to specify its own environment. PUP-11440

Nokigiri upgrade for macOS

Upgraded nokogiri gem to 1.13.2 on macOS due to upstream security fix. PA-4323

Some gemspecs are missing from puppet-agent MSI

On Windows, it is now possible to install a gem that has a dependency on Facter or Hiera into Puppet's vendored ruby. PA-4313

Support for RHEL 9

This release includes support for Red Hat Enterprise Linux (RHEL) 9. PUP-11364

Bump Ruby component

Upgraded Ruby component to 2.7.5. PA-4130

Puppet uses deprecated psych features

Puppet is now compatible with psych 4.0. PUP-11405

Agent no longer calls the Puppet::Node terminus to resolve the environment during the run

Introduced a Puppet setting use_last_environment=true|false and a corresponding puppet agent -t --no-use_last_environment boolean command line option that forces the agent to make a node request like it did prior to 7.12 and 6.25. By default, the agent does not make a node request. PUP-11379

Puppet user and service resources are slow on Mac OS X

Managing users and services on macOS is much faster. PUP-11332

Puppet::Node#environment_name may return the wrong value

Puppet::Node#environment_name now always returns the symbolic name of the environment (if one has been set on the node). PUP-11330

Puppet lookups failed due to missing certificates

The puppet lookup command now works if the agent does not have certificates available locally. PUP-11402

Lockups on servers running in multithreaded mode

This change fixes a deadlock that occurred when running puppetserver in multi-threaded mode. PUP-11373

The generate types command does not handle errors correctly

If the generate types command failed to generate a custom type, it logged an error and returned a 0 exit code instead of failing. The command now correctly fails with a non-zero exit code if the command cannot generate a type. PUP-11078

ENC-enforced environment bypass for lookup

You can now bypass the ENC-enforced environment when performing a lookup. To bypass the enforced environment, use lookup with the --environment option to specify the desired environment. Puppet always uses the environment you specified regardless of the ENC-enforced environment. PUP-7479

Support for Windows Server 2022

This release includes support for Windows Server 2022. PUP-11238

Puppet::FileSystem.chmod does not validate its arguments

Puppet::FileSystem.chmod now validates its arguments like other methods. PUP-11345

Warning: #<Puppet::Transaction::Persistence after upgrading to Puppet agent 6.25.0

Fixes a regression introduced in 6.25.0 and 7.10.0 that caused a Puppet::Transaction::Persistence warning during each agent run. PUP-11321

User resource tries to create rather than modify users created by a utility

This release moves the ssh_authorized_key resource's creation to the end of the user type flow, after all user properties and parameters were resolved, to avoid order dependency errors. PUP-11320

Puppet code merger using incorrect command

Reduces memory usage when parsing manifests. PUP-11318

Failure when using the names "apply" and "plan" within an apply() block in a plan

The names "apply" and "plan" can now be used as resource parameter names in all cases. Previously, using them within an apply() block in a plan would fail. PUP-11315

Puppet attempts to execute directories from /etc/init.d/

Prevents Puppet from considering directories from /etc/init.d/ as services. PUP-11313

Puppet creates excessive Pathname instances

Reduces the number of Pathname allocations when parsing Puppet manifests. PUP-11312

Pathname.absolute? uses excessive memory

Backported Ruby patch to Pathname.absolute? to reduce memory usage. PUP-11311

High memory consumption from lib/puppet/pops/parser/lexer2.rb

Reduced lexer2 memory usage. PUP-11236

versioncmp() treats 11.0 as greater than 11

versioncmp() now strips redundant numbers. PUP-11235

puppet lookup --facts {filename} fails if filename does not contain a dot

Before this release, puppet lookup --facts {filename} failed early when the filename given did not contain a dot. This fix removes the early extensions check and adds a fallback instead: tries both formats (JSON then YAML) to read the given facts file when its path doesn't end with any of the expected extensions (yaml/yml/json). Otherwise, it follows previous implementation and respects the given extension. PUP-11204

Facts provided in a file cannot be used for classification

Fixed a bug where facts provided in a file were not being merged with the facts used for classification. This is because Puppet collected and merged the said facts after the classification happened. To fix this, we ensured that Puppet resolves the facts being used for classification before the node request. PUP-10435

Inconsistent handling of trusted facts in the lookup CLI

When using puppet lookup with --facts, if the facts file overrides any of hostname, domain, fqdn, clientcert, then it must override all of them. Also, if a value for certname is provided in a fact file for the lookup application, use it when creating the trusted information object. This makes it possible to override trusted.certname for classification. PUP-8220

Lookup ignores environment from the classifier when using a rule with trusted facts

Fixed an issue where trusted facts could not be used as rules for classification. This was fixed by gathering the trusted facts from the PuppetDB query result, and overriding the trusted facts context. PUP-8094

Misleading results when using --node flag in puppet lookup

Fixed an issue where puppet lookup would result in misleading results when using the --node flag. This happened because there can be cases where the target node does not have any facts cached. To avoid this, the fix implemented checks for the node facts/facts given in a fact file, and if it doesn't find any it raises an error. PUP-7362

Files starting with "~" in recursive directories are evaluated as usernames

Puppet can now manage files whose names start with tilde "~" characters. PUP-5800

Puppet could not retrieve attributes from fifo and socket files

This release allows Puppet to retrieve attributes for fifo and socket files and manage them when the given manifest has a file resource which is recursing over a given path. PUP-4045

Noop changes to file ownership generate failures if required user or group does not exist

Puppet now correctly reports when a file's owner or group would change in noop mode, even if the owner or group would be created in the same run. PUP-3907

Puppet hangs trying to replace a FIFO

Puppet no longer hangs when trying to replace a fifo with a file, directory or symlink. PUP-1460

Puppet can leak credentials when following HTTP redirects

Previously, when Puppet followed HTTP redirects, the Authentication and Cookie headers were passed to different hosts, which could leak sensitive information. Now the Authentication and Cookie headers are only sent when redirecting to the same hosts. This fixes CVE-2021-27023. PUP-11188

Puppet agent silently skips unknown resources

Previously, all unknown resources were converted into a component (Puppet::Type::Component) by default and skipped when applying a catalog. This release adds a new resource attribute that specifies the type of resource — this is used to differentiate between built-in types and user defined types. Resources that are known and available on the server node are also verified on the agent node, which now fails when something unknown is found in the received catalog. This fixes CVE-2021-27025. PUP-11209

Puppet gem and rspec-puppet failures

This release moves the DEFAULT_TIMEOUT constant from lib/puppet/util/windows/service.rb to lib/puppet/util/windows.rb in a non-OS guarded code area. This change avoids uninitialized constant errors when compiling catalogs on non-Windows operating systems. PUP-11319

Puppet agent downloads all plugins after updating

Puppet 6.25.0 and 7.12.0 introduced a regression which caused a newly upgraded agent to download all of its plugins. Now the agent performs a single node request to resynchronize its environment with the server. PUP-11328

Support for AlmaLinux 8 (x86_64)

This release adds support for AlmaLinux 8 (x86_64). PUP-11242

Support for Rocky Linux 8 (x86_64)

This release adds support for Rocky Linux 8 (x86_64). PUP-11231

Faster iterative functions

This release speeds up the amount of time it takes to type check arguments passed to blocks of iterative functions, such as reduce and merge. (PUP-9561)

The autoloader is confused by short Windows paths

This release fixes a regression that prevented Puppet from running when the current working directory was a short Windows path (8.3). PUP-11184

Superclass mismatch causes regression

A performance patch and require_relative caused a regression on systems where Ruby paths included symlinks. This release reverts the performance patch on *nix systems. PA-4037

Default timeout ignores Windows services

Previously, default timeouts caused issues on Windows when services took longer than 10 seconds to change state. You can now specify the default timeout value for syncing service properties. PUP-10925

User attributes ignores forcelocal

This release fixes an issue where setting forcelocal => true on a user resource checked the resource's home and shell attributes against their values from the directory service provider. Contributed by Puppet community member natemccurdy. PUP-11241

Puppet fails to install packages on Solaris if another pkg install is running

Installing packages on Solaris with the pkg command does not work if another instance of pkg is already running. Now Puppet tries the install command 5 times, and only fails if the package cannot be installed. PUP-11208

The facter_interactive.bat and run_facter_interactive.bat files are missing

This release packages the missing facter_interactive.bat and run_facter_interactive.bat files on Windows. These files already existed in the repository, but they were not packaged in the MSI. PA-3700

The concat module ignores the ENC environment

This release fixes an issue where an ENC-specified environment was not pushed during a Puppet run. This caused indirector requests with no specified environment to default to using an incorrect environment. PUP-11265

Util::JSON.dump receives non-hash options

Previously, Puppet's /puppet/v3/file_metadatas REST API failed if the multi_json gem was uninstalled or when it was running puppetserver from source. PUP-11237

The write-catalog-summary setting

This release adds the write_catalog_summary setting to control whether the resources.txt and classes.txt files are written to disk after applying a catalog. By default, puppet agent and puppet apply behave the same as before — puppet agent writes the files, and puppet apply does not. PUP-1042

Support for Ubuntu 18.04 aarch64

This release adds support for Ubuntu 18.04 aarch64. PUP-11162

Lower memory consumption in Ruby files

This release lowers memory consumption by 10%. PUP-11232

Support for multiple Facter implementations

You can now register a Facter implementation when initializing Puppet via the Puppet.initialize_settings. PUP-11216

Facter.value replaced by Puppet.runtime[:facter]

OpenSSL updates

• On windowsfips-2012r2-x64), OpenSSL 1.0.2 has been patched for CVE-2020-1971, CVE-2021-23839, CVE-2021-23840, CVE-2021-23841 and CVE-2021-3712 - PA-3976

• On redhatfips-7-x86_64, OpenSSL has been bumped to 1.1.1k and patched for CVE-2021-3712 and CVE-2021-3711 - PA-3974

• On all other platforms, OpenSSL has been bumped to 1.1.1l - PA-3925

Puppet agent does not save local copy of last_run_report.yaml

The agent now saves a local copy of its last run report, even if it fails to submit the report to the primary Puppet server. PUP-6708

A lookup fails if lookup_options is empty

Previously, when lookup_options were defined at the global or environment layer, and the module defined an empty hash, the compilation failed. This is now fixed and the empty hash is ignored. PUP-10890

User resource not removing password on AIX agents

This release fixes an issue where deleting an AIX user with Puppet would not clean up the user's password. PUP-11190

User resource unable to remove the home directory when set to absent in AIX

This release fixes an issue where the user home directory was not removed when managehome was set to true. PUP-11170

Puppet sends warning for BOM and US-ASCII encoding

This release removes BOM for non-UTF encoding and its warnings. ASCII characters are single bytes, which means there is no need for a BOM to detect byte ordering (LSB/MSB). PUP-11196

The puppet resource --to_yaml emits class tags

This release stops the resource --to_yaml command emitting Puppet class tags, such as Puppet::Util::Execution::ProcessOutput`, by ensuring that the PScalarDataType only checks the instance of String, and not other subclasses. PUP-10105

Scripts file serving mount

When using Puppet APIs to load file content and metadata, you can access files in the scripts/ directory of a module using the scripts file mount. PUP-11187

Load Task files from scripts

Tasks can now load files from the scripts mount. PUP-11200

Cleaned up ext/ directory

This release removes unused files from the ext/ directory used by upstream Linux and Solaris packages. PUP-10685

Exec type's onlyif and unless in --noop documented

This release documents the noop behavior of the onlyif and unless parameters of the exec resource. PUP-11199

Option to enable long filename support in the Windows MSI installer

This release updates the MSI installer for Puppet agent to enable long filenames either through a checkbox in the installer or by setting the ENABLE_LONG_PATHS=true option in the command line. PA-3843

Settings to check fact limits

Each setting has a default limit, and if that is exceeded, Puppet emits a warning message. If the default limit is set to 0, Puppet does not emit a warning. The new settings include:

• fact_name_length_soft_limit(2560 bytes): The soft limit for the length of a fact name.

• fact_value_length_soft_limit(4096 bytes): The soft limit for the length of a fact value.

• top_level_facts_soft_limit(512): The soft limit for the number of top level facts

• number_of_facts_soft_limit(2048): The soft limit for the total number of facts.

• payload_soft_limit(16 MB): The soft limit for the size of the fact hash after its encoded. PUP-11088

RHEL9 support for services

Puppet now uses systemd as the default service provider for EL 9 variants, such as Red Hat or CentOS Stream. PUP-11168

Support for Fedora 30 (x86_64) removed

This release removes support for Fedora 30 (x86_64). PUP-11092

Support for Fedora 31 (x86_64) removed

This release removes support for Fedora 31 (x86_64). PUP-11093

Support for MacOSX 10.14 (x86_64) removed

This release removes support for MacOSX 10.14 (x86_64). PUP-11094

An environment reloaded during a single compilation could fail

Previously, Puppet Server could reload an environment while it was being used to compile a catalog. If translations were enabled (Puppet[:disable_i18n] set to false), compilation could fail. Now Puppet Server prevents environments from being reloaded while they are in use, and instead reloads the environment the next time it is requested. PUP-11158

Catalog failure on first run due to pluginsync and environment switch

Previously, an agent failed its run if it switched to a new environment where the manifests relied on a fact that only existed in the new environment. Now the agent redirects to the server-specified environment and the run continues using that environment. PUP-9570

Changes to current working directory when listing modules

Puppet Server and agent no longer change their current working directories when listing modules in an environment directory. PUP-11166

Static catalogs not working for file resources when versioned_deploys is enabled

Previously, when :versioned_environment_dirs was set to true, catalog compilation failed to add metadata for static catalog file resources; this meant that an agent receiving a catalog would not attempt to request that static file content. This has been fixed and the metadata is now correctly added to the catalog when :versioned_environment_dirs is set to true. PUP-11169

Agent cannot compile catalog if it specifies an non-existent environment in puppet.conf

This release fixes an issue that caused the agent run to fail if the agent requested an environment that did not exist on the server ​​— even when the classifier controlled the environment. PUP-6802

Rich data types can corrupt the transaction store

This release fixes an issue that prevented Puppet from reporting corrective changes when using rich data types such as Deferred, Binary, and Sensitive. PUP-10820

Environment caches string and symbol environment names differently

This release fixes an issue that resulted in Puppet caching duplicate copies of an environment. PUP-10955

Failure to fetch node definition results in bad pluginsync and cascading failure

Previously, Puppet agents would make a node definition request to the server to find out the correct environment to run in. This request has now been removed, and the agent saves its last used environment in the last_run_summary.yaml file. If the environment is not set in the CLI or config, agents attempt to use the environment in last_run_summary.yaml — only if the previous run had an agent/server environment mismatch. PUP-10216

Puppet.lookup(:current_environment) is wrong if the environment changes during convergence

This release fixes an issue where an old environment could be used if the environment had changed due to pluginsync. PUP-10308

User resource exposes hashed password when changing password or adding a user

Previously, when managing passwords with the useradd provider, the password hash appeared when listing running processes. Now the password is set with the chpasswd command that uses stdin to receive the password from a temporary file, so it no longer appears in the process list. PUP-3634

The launchd service provider fails if a parsable but invalid LaunchAgent or LaunchDaemon plist file exists

This release fixes an issue where the launchd service provider failed if a parsable but invalid LaunchAgent or LaunchDaemon plist file exists. PUP-11164

The pkg provider cannot unhold and update package in the same run

Previously, the pkg package provider was unable to handle manifests where a package was updated and marked as unhold at the same time. This is now fixed. PUP-10956

Undefined method '[]' for nil:NilClass when handling SemanticPuppet::Dependency::UnsatisfiableGraph

Previously, the puppet module install command broke when dependencies could not be resolved. Puppet now emits an error message instead. PUP-11172

Support for HTTPS as a package source

Puppet now supports installing .exe packages on Windows using HTTPS as a package source. PUP-3317

The puppet ssl show command prints custom object identifiers (OID)

The puppet ssl show command now shows the names of certificate extensions containing custom OIDs — when the trusted_oid_mapping_file exists. This functionality used to exist in the puppet cert print command. PUP-11120

Updated argument error message

If you call a function with an argument Puppet does not accept, the error message provides a list of acceptable function signatures. PUP-7792

Updated error message for incorrect module name

If the author component of a module name is omitted, the puppet module install <author-module> command provides a name suggestion in the error message. PUP-10641

Puppet reports the license gem on Apache

Puppet now reports the Apache 2.0 license when installed as a gem. PUP-11118

Support for Debian 11 Bullseye amd64

This release adds support for Debian 11 Bullseye amd64. PUP-11030

macOS puppet-agent code-signs executables

The macOS puppet-agent AIO packages now provide code-signed executables for puppet and pxp-agent. PA-3756

Solaris OpenSSL patching replaced with compiler arguments

This release adds AES CTR-DRGB performance improvements to Puppet’s vendored OpenSSL. PA-3698

The empty function accepts Sensitive data types

The empty function now accepts Sensitive data types, which allows you to test a Sensitive variable that is neither nil or empty. For example, a variable in an ERB template. Contributed by Puppet community member cocker-cc. PUP-11124

The unwrap function accepts Any data type

The unwrap function now accepts the Any data type. This means that the component modules, such as puppetlabs-postgresql, can migrate to using Sensitive values, while still accepting non-Sensitive values. You do not need to special case when unwrapping the value. Contributed by Puppet community member cocker-cc. PUP-11123

The exec provider supports commands as an Array

When a command is an Array of Strings, passed as [cmdname, arg1, ...], it is now executed directly instead of being passed to the standard shell. This is supported for the following exec parameters: comand, onlyif, unless, refresh. Note that onlyif and unless already accept multiple commands as an Array — you need to pass the value as an Array of Array to use this new behaviour. PUP-5704

Embedded Ruby (ERB) templates allow a leading Byte Order Mark (BOM)

Previously, when a template contained a BOM, it was preserved by the template function and included in the resulting file or PowerShell command. Puppet now passes the bom option when reading the file, removing the BOM as it is read. PUP-8243

Puppet Module Tool (PMT) does not install a module when module_working_dir contains backslashes

This release fixes an issue that prevented the puppet module install command working on Windows when module_working_dir contained backslashes, for example, C:\modules. PUP-4884

Node resource names are overlapping with other resources

Previously, if a node statement had the same name as the included class, Puppet ignored the class, as it thought it had already been included. This issue is now fixed. PUP-3995

Puppet fails if the setting value is numbers

Puppet settings can now contain all numbers, for example, certname=000000000180. PUP-7785

The Puppet user type does not honor purge_ssh_keys: false

Puppet no longer emits a warning if the purge_ssh_keys parameter for the user type is set to false (the default) and the sshkeys_core module is not installed. PUP-11131

The --extra cli option is not functional

The puppet help command no longer displays the --extra command line option. PUP-8700

The parsedfile provider produces an undefined method each for nil:NilClass

Puppet now prints an error if a parsedfile provider returns nil, for example, when using the nagios_core module. PUP-9369

Unclear error message if user or group providers are not suitable

Puppet now prints a more detailed error message if the user or group providers are not functional. PUP-9825

The Puppet::Resources.search method fails when conditions are provided

This release fixes an issue that prevented the Puppet::Resource.indirection.search method from accepting conditions when filtering results. PUP-7799

Repository error message URL is missing part of the path

Previously, the puppet module command reported an incorrect URL in the error message when the module_repository setting was overridden. This is now fixed. PUP-8650

The desired_value file mode is reported without leading zeros

Puppet now reports file modes with a leading zero in the desired_value field ⁠— for example, 0755 ⁠— which is consistent with the previous_value. PUP-7493

Filebucket fails when using a non-default environment from the server

The filebucket application no longer requires an environment to exist locally. PUP-10796

Unable to load PKey.read with private keys

Puppet agent now loads private keys in the PKCS#8 format. PUP-11082

Cached environments are not deleted when the directory is removed

Puppet now removes environments that are no longer on disk. PUP-11129

Unable to run the puppet resource command when the environment is specified

Previously, running puppet resource on the agent with an invalid environment would fail. With this release, the application falls back to the default environment, if the specified one does not exist. PUP-6554

Puppet prints unnecessary errors in debug

Puppet no longer prints an unnecessary error message when resolving account names to security identifiers on Windows. PUP-10967

Setting age=0 on a tidy resource does not remove all files

Previously, the age parameter of the tidy resource only removed files older than those specified. This is now fixed and Puppet removes all files. PUP-11079

The agent_specified_environment fact is not populating

This release fixes an issue where the agent_specified_environment fact did not populate when the environment was set in the [agent] section. This is now fixed and populates in the following order: CLI, agent section, main section. PUP-6801

pip ensure=>latest fails with pip>=20.3.0

In version 20.3b1, pip removed the ability to list available versions of a package. This release adds the --use-deprecated=legacy-resolver argument so that you can query available versions. PUP-11029

The pxp-agent does not use the wrapper script

The pxp-agent service script on the AIX, OSX, and Solaris platforms now manipulates the service using the wrapper script located in /opt/puppetlabs/bin/pxp-agent, which cleans up the linker environment before calling the actual environment. This prevent failures due to incompatible libraries being loaded. To modify the pxp-agent linker environment, directly call the pxp-agent binary, for example, /opt/puppetlabs/puppet/bin/pxp-agent. PCP-890

Support for Ruby 3

Puppet adds experimental support for Ruby 3 and is now tested in CI. PUP-11076

Improve enable=delayed_start error message

This release improves an error message to properly convey that you cannot set a systemd service to delayed_start on operating systems other than Windows. PUP-11062

Ruby support long paths on Windows

This release adds the following patch into the Puppet Agent vendored Ruby. The patch implements long path support on Windows. PA-3759

Bump semantic_puppet version to 1.0.4

This release bumps semantic_puppet to version 1.0.4 in order to support Ruby 3. PA-3827

Bump curl to 7.77.0

This release bumps the curl dependency to 7.77.0. PA-3762

Support for Fedora 34 FOSS

This release adds support for Fedora 34 (64-bit package) FOSS. PA-3600

NIM provider used very restrictive regular expressions

Previously, the NIM provider only allowed numbers when parsing RPM release tags and didn't accept bff (installp) packages marked as security updates in the header. In this release, Puppet allows installation of such packages. PUP-3631

Sensitive instances shared the same value yet weren’t equal

Previously, two type Sensitive instances failed to compare as equal—despite sharing the same underlying strings. In this release, comparisons such as $a = Sensitive("secret"); $b = Sensitive("secret"); notice($a == $b) now return as true. PUP-11061

User keychains were inaccessible to Puppet Agent

Previously, user keychains were inaccessible to Puppet Agent if you ran Puppet Agent through the macOS daemon. This bug is now fixed. PUP-11081

SemVer datatype components failed to pass as hash or argument list

Previously, the build or prerelease components of the SemVer datatype failed to pass as a hash or list of arguments. This bug is now fixed. PUP-11077

Nil vertices caused resource management errors

Previously, managing resources that call the generate method — failed when using the puppet resource subcommand— due to the presence of a nil vertex in the catalog. To fix this bug, Puppet can no longer add nil vertices to the catalog. PUP-11074

Puppet returned an error when specifying the purge_ssh_keys parameter

Previously, Puppet returned an error if you specified the purge_ssh_keys parameter for a user resource that didn’t previously exist. To fix this bug, Puppet prioritizes the ensure property of a user before the purge_ssh_keys parameter. PUP-11067

Puppet cannot change/set new user passwords on macOS Big Sur

Previously, you could not set or change the password of a new user created on macOS Big Sur. This bug is now fixed by ensuring the ApplicationAuthority field exists whenever you create a new user. PUP-11026

Puppet returned an error when creating new users on macOS 10.14

Previously, if you created a new user on macOS 10.14, Puppet returned an Operation not permitted @ rb_sysopen error. This bug is now fixed.PUP-11095

Masking service failed

Previously, Puppet failed to mask a systemd service that did not exist. This bug is now fixed. PUP-10974

Puppet loads internal files using the require_relative method

When loading internal files, Puppet now uses the require_relative method, eliminating thousands of file system calls. This accounts for between 5 to 15% of the total number of file system calls for different platforms. PUP-11055

Case sensitive parameter for the fqdn_rand() function

The fqdn_rand() function now accepts an optional parameter to downcase the FQDN fact, so that the function's result is not case sensitive. You must pass the parameter after the seed string, for example, fqdn_rand(100, 'expensive job 1', true). By default, the function remains case-sensitive. PUP-10922

File limit with the max_files parameter

By default, the file and tidy resource types generate a warning on the Puppet Enterprise (PE) console and report when Puppet tries to manage more than 1000 files with the recurse parameter set to true. The file and tidy resource types now support a new parameter — max_files — that enforces a hard limit. If the number of recursive files is greater than the limit, the agent run fails. You can set the max_files parameter to -1 to disable the warning. PUP-10946

Improved Ruby performance

This release improves the performance of Ruby, resulting in the follow changes:

• Puppet now loads and runs faster — particularly on Windows. PA-3732
• New Ruby performance patches — reducing 50-90% of file IO when loading Puppet and Facter. PA-3732

Support for macOS 11 and Red Hat 8 Power

This release adds support for macOS 11 Big Sur (64-bit packages only) and Red Hat 8 on IBM Power. PA-3529, PA-3612.

Ruby 3 freezes CHILD_STATUS and cannot be stubbed

This release eliminates the usage of the $CHILD_STATUS global variable in the built-in service and package providers. PUP-11048

Ruby 3 removed URI.escape/unescape

This release eliminates calls to URI.escape/unescape, which was deprecated in Ruby 2.x and removed in Ruby 3. PUP-11046

Agent failures with server_list

Previously, when Puppet processed server_list and tried to find a functional server, it threw an error if it could not connect, causing the agent to fail. This is now fixed. PUP-10844

Puppet does not specify SELinux filetype when getting the default context

Previously, Puppet created files with the wrong default SELinux context, which was only corrected after a subsequent Puppet run. This is now fixed. Contributed by Puppet community member tobias-urdin. PUP-7559

Unable to mask a static systemd service

This release fixes an issue where the systemd provider did not mask static systemd services. Contributed by Puppet community member nmaludy. PUP-11034

Unable to update UserRightAssignment

Previously, validating the logonaccount and logonpassword parameters for the service resource on Windows failed too early. This release moves the parameters further down the catalog compilation order list to avoid early errors. PUP-10999

PUPPET_SERVER MSI install property does not work

Previously, using PUPPET_SERVER as an MSI property did not set the server setting. This is now fixed. PA-3667

Puppet module type scripts directory

This release adds a new subdirectory to the scripts/ module class. It automatically generates the functions in the class and retrieves the available scripts. This helps to standardize specific file loading from either the files directory or scripts directory. PUP-10996

Backport logic to detect migrated CA directory location

After migrating the CA directory, Puppet now reports the correct cadir setting value. PUP-11004

Curl bumped to 7.76.0

• CVE-2021-22890

• CVE-2021-22876

PA-3690

Ruby bumped to 2.7.3

This release bumps Ruby to 2.7.3, fixing the following CVEs:

• CVE-2020-25613

• CVE-2021-28966

PA-3696

Race condition with agent_disabled_lockfile

This release fixes a race condition that caused the agent to become disabled and no longer enforce desired state. Contributed by Puppet community member gcampbell12. PUP-11000

User resource with forcelocal and groups attributes set fails if /etc/group contains empty lines

This release fixes an issue where Puppet failed when applying user resources with forcelocal if there were empty lines in /etc/group. PUP-10997

Unable to install gems with the puppet_gem provider on Windows

Previously, if you used Puppet as a library, environment.bat was not sourced and led to an unset PUPPET_DIR. As puppet_gem relied on this to build the gem.bat path, it used a non-existing path, making this provider unsuitable. This release updates the puppet_gem provider to use Gem.default_bindir, which determines the location of the executables. To avoid accidental usage of the puppet_gem provider with system Ruby, we have also added a confine to the aio_agent_version fact. PUP-10964

Changing a Puppet setting in a catalog invalidates the environment cache in multithreaded mode

You can now change the value of Puppet's rich_data setting at runtime, without it invalidating the environment cache. PUP-10952

Puppet cannot parse systemd instances when list-unit-files output has an additional column

This release fixes an issue affecting the parsing of systemd service instances caused by a change in the systemctl list-unit-files command output. PUP-10949

Cannot ensure dnfmodule with no default profile

Previously, using the dnfmodule provider to install a module with no default profile — without passing the enable_only parameter — failed with newer versions of DNF. PUP-11024

The puppet ssl show command

The puppet ssl show command prints the full-text version of a host's certificate, including extensions. PUP-10888

The ciphers setting

The ciphers setting configures which TLS ciphersuites the agent supports. The default set of ciphersuites is the same, but you can now make the list of ciphersuites more restricted, for example, to only accept TLS v1.2 or greater ciphersuites. PUP-10889

The GlobalSignRoot CA R3

This release adds the GlobalSignRoot CA R3 certificate for rubygems.org. PA-3525

The splat operator in a virtual query is not supported

This release fixes a regression in Puppet 7.x that prevented the splat operator from being used to override resource attributes in a resource collector. PUP-10951

Windows package provider continues to read DisplayVersion key after it is embedded NULL

Previously, Puppet would not stop reading the registry at the correct WCHAR_NULL because it was encoded to UTF-16LE, causing Puppet to read bad data and fail. This is now fixed. PUP-10943

Listing environments during code deploys prevents environment cache invalidation

Previously, catalog compilations for a newly created environment directory could fail if the environment was listed while the directory was being created. This issue only occurred when using an environment_timeout value greater than 0 and less than unlimited. This is now fixed. PUP-10942

Syntax error in previously valid Puppet code due to removal of keywords

The application, consumes, produces and site application orchestration keywords were previously removed from the reserved keywords list, causing syntax errors in Puppet code. This is now fixed. PUP-10929

Retrieve SID for users under APPLICATION PACKAGE AUTHORITY

A known issue with LookupAccountNameW caused Puppet to fail when managing Windows users under APPLICATION PACKAGE AUTHORITY with fully qualified names. This is now fixed and an account name sanitization step has been added to prevent faulty queries. PUP-10899

Retrieving the current user with the fully-qualified username fails on Windows

Previously, retrieving the current username SID on Windows caused Puppet to fail in certain scenarios, for example, when the user was a secondary domain controller. This release adds a fallback mechanism that uses the fully qualified domain name for lookup. PUP-10898

Puppet users with forcelocal are no longer idempotent

This release fixes a regression where setting the gid parameter on a user resource with forcelocal was not idempotent. PUP-10896

New --timing option in puppet facts show

This release adds a --timing option in the puppet facts show command. This flag shows you how much time it takes to resolve each fact. PUP-10858

User resource with forcelocal uses getent for groups

The useradd provider now checks the forcelocal parameter and gets local information on the groups (from /etc/groups) and gid (from etc/passwd) of the user when requested. PUP-10857

Slow Puppet agent run after upgrade to version 6

This release improves the performance of the apt package provider when removing packages by reducing the calls to apt-mark showmanual. PUP-10856

The apt provider does not work with local packages

The apt package provider now allows you to install packages from a local file using source parameter. PUP-10854

The puppet facts show --value-only command displays a quoted value

Previously, the puppet facts show --value-only <fact> command emitted the value as a JSON string, which included quotes around the value, such as {{"RedHat"}}. It now only emits the value. PUP-10861

The serverport setting

The serverport setting is an alias for masterport. PUP-10725

Multiple logdest locations in puppet.conf accepted

You can set multiple logdest locations using a comma separated list. For example: /path/file1,console,/path/file2. PUP-10795

The puppet module install command lists unsatisfiable dependencies

If the puppet module install command fails, Puppet returns a more detailed error, including the unsatisfiable module(s) and its ranges. PUP-9176

New --no-legacy option to disable legacy facts

By default, puppet facts show displays all facts, including legacy facts. This release adds a --no-legacy option to disable legacy facts when querying all facts. PUP-10850

The puppet apply command creates warnings

This release eliminates Ruby 2.7.x warnings when running puppet apply with node statements. PUP-10845

Remove Pathname#cleanpath workaround

This release removes an unnecessary workaround when cleaning file paths, as Ruby 1.9 is no longer supported. PUP-10840

The allow * error message shown during PE upgrade

Puppet no longer prints an error if fileserver.conf contains allow * rules. It continues to print an error for all other rules, as Puppet's legacy authorization is no longer supported and is superseded by Puppetserver's authorization. PUP-10851

3x functions cannot be called from deferred functions in Puppet agent

This release allows deferred 3.x functions, like sprintf, to be called during a Puppet agent run. PUP-10819

Cached catalog contains the result of deferred evaluation instead of the deferred function

Puppet 6.12.0 introduced a regression that caused the result of a deferred function to be stored in the cached catalog. As a result, an agent running with a cached catalog would not re-evaluate the deferred function. This is now fixed. PUP-10818

puppet facts show fact output differs from facter fact

The output format is different between Facter and Puppet facts when a query for a single fact is provided. This is now fixed. PUP-10847

Issue with Puppet creating production folder when multiple environment paths are set

Previously, the production environment folder was automatically created at every Puppet ran in the first search path, if it did not already exist. This release ensures Puppet searches all the given paths before creating a new production environment folder. PUP-10842

Reduced query time for system user groups

The time it takes to query groups of a system user has been reduced on Linux operating systems with FFI. The getgrouplist method is also available. PUP-10774

Log rotation for Windows based platforms

You can now configure the pxp-agent to use the Windows Event Log service by setting thelogfile value to eventlog. PA-3492

Log rotation for macOS based platforms

This release enables log rotation for the pxp-agent on OSX platforms. PA-3491

Added server alias for routes.yaml

When routes.yaml is parsed, it accepts either server or master applications. PUP-10773

OpenSSL bumped to 1.1.1i

This release bumps OpenSSL to 1.1.1i. PA-3513

Curl bumped to 7.74.0

This release bumps Curl to 7.74.0. PA-3512

The Puppet 7 gem is missing runtime dependency on scanf

This is fixed and you can now run module tests against the Puppet gem on Ruby 2.7. PUP-10797

The puppet node clean action LoggerIO needs to implement warn

In Puppet 7.0.0, the puppet node clean action failed if you had cadir in the legacy location or inside the ssldir. This was a regression and is now fixed. PUP-10786

Calling scope#tags results in undefined method

Previously, calling the tags method within an ERB template resulted in a confusing error message. The error message now makes it clear that this method is not supported. PUP-10779

User resource is not idempotent on AIX

The AIX user resource now allows for password lines with arbitrary whitespace in the passwd file. PUP-10778

Fine grained environment timeout issues

Previously, if the environment.conf for an environment was updated and the environment was cleared, puppetserver used old values for per-environment settings. This happened if the environment timed out or if the environment was explicitly cleared using puppetserver's environment cache REST API. With this fix, if an environment is cleared, Puppet reloads the per-environment settings from the updated environment.conf. PUP-10713

FIPS compliant nodes are returning an error

This release fixes an issue on Windows FIPS where Leatherman libraries loaded at the predefined address of the OpenSSL library. This caused the OpenSSL library to relocate to a different address, failing the FIPS validation. This is fixed and leatherman compiled with dynamicbase is disabled on Windows. PA-3474

User provider with uid/gid as Integer raises warning

This release fixes a warning introduced in Ruby 2.7 that checked invalid objects (such as Integer) against a regular expression. PUP-10790

The puppet facts show command

You can use the puppet facts show command to retrieve a list of facts. By default, it does not return legacy facts, but you can enable it to with the --show legacy option. This command replaces puppet facts find as the default Puppet facts action. PUP-10644 and PUP-10715

JSON terminus for node and report

This release implements JSON termini for node and report indirection. The format of the last_run_report.yaml report can be affected by the cache setting key of the report terminus in the routes.yaml file. To ensure the file extension matches the content, update the lastrunreport configuration to reflect the terminus changes (lastrunreport = $statedir/last_run_report.json). PUP-10712

JSON terminus for facts

This release adds a new JSON terminus for facts, allowing them to be stored and loaded as JSON. Puppet agents continue to default to YAML, but you can use JSON by configuring the agent application in routes.yaml. Puppet Server 7 also caches facts as JSON instead of YAML by default. You can re-enable the old YAML terminus in routes.yaml. PUP-10656

Public folder (default location for last_run_summary.yaml)

There is a new folder with 0755 access rights named public, which is now the default location for the last_run_summary.yaml report. It has 640 file permissions. This makes it possible for a non-privileged process to read the file. To relax permissions on the last run summary, set the group permission on the file in puppet.conf to the following: lastrunsummary = $publicdir/last_run_summary.yaml { owner = root, group = monitoring, mode = 0640 }. Note that if you use tools that expect to find last_run_summary.yaml in vardir instead of publicdir, you might experience breaking changes.PUP-10627

The settings_catalog setting

To load Puppet more quickly, you can set the settings_catalog setting to false to skip applying the settings catalog. The setting defaults to true. PUP-8682

New numeric and port setting types

This release adds a new port setting type, which turns the given value to an integer, and validates it if the value is in the range of 0-65535. Puppet port can use this setting type. PUP-10711

MSI PUPPET_SERVER and alias

This release adds a new Windows Installer property called PUPPET_SERVER. You can use this as an alias to the existing PUPPET_MASTER_SERVER property. PA-3440

New GPG signing key

Puppet has a new GPG signing key. See verify packages for the new key.

Ruby version bumped to 2.7

The default version of Ruby is now 2.7. The minimum Ruby version required to run Puppet 7 is now 2.5. After upgrading to Puppet 7, you may need to use the puppet_gem provider to ensure all your gems are installed. PUP-10625

Default digest algorithm changed to sha256

Puppet 7 now uses sha256 as the default digest algorithm. PUP-10583

Gem provider installs gems in Ruby

The gem provider now installs gems in Ruby by default. Use the puppet_gem provider to reinstall gems in the Ruby distribution vendored in Puppet. For example, if custom providers or deferred functions require gems during catalog application. PUP-10677

FFI functions, structs and constants moved to a separate Windows module

To increase speed, we have moved FFI functions, constants and structures out of Puppet::Util::Windows. PUP-10606

Default value of ignore_plugin_errors changed from true to false

The default value for ignore_plugin_errors is now false. This stops Puppet agents failing to pluginsync. PUP-10598

Interpolation of sensitive values in EPP templates

Previously, if you interpolated a sensitive value in a template, you were required to unwrap the sensitive value and rewrap the result. Now the epp and inline_epp functions automatically return a Sensitive value if any interpolated variables are sensitive. For example: inline_epp("Password is <%= Sensitive('opensesame') %>" ). Note that these changes just apply to EPP templates, not ERB templates. PUP-8969

shkeys_core module bumped to 2.2.0

Puppet 7 bumps the sshkeys_core modules to 2.2.0 in the Puppet agent. The default namevar for keys now includes the encryption type in addition to the hostname. PA-3473

Call simple server status endpoint

Puppet updates the endpoint for checking the server status to /status/v1/simple/server. If the call returns a 404, it makes a new call to /status/v1/simple/master, and ensures backwards compatibility. PUP-10673

Default value of disable_i18n changed from false to true

Pathspec no longer vendored

The pathspec Ruby library is no longer vendored in Puppet. If you require this functionality, you need to install the pathspec Ruby gem. PUP-10107

func3x_check setting removed

The func3x_check setting has been removed. PUP-10724

master_used report parameter removed

The deprecated master_used parameter has been removed. Instead use server_used. PUP-10714

facterng feature flag removed

The facterng feature flag has been removed. It is not needed anymore as Puppet 7 uses Facter 4 by default. PUP-10605

held removed from apt provider

The apt provider no longer accepts deprecated ensure=held. Use the mark attribute instead. PUP-10597

Method from DirectoryService removed

The deprecated DirectoryService#write_to_file method has been removed. PUP-10489

Method from Puppet::Provider::NameService removed

The deprecated Puppet::Provider::NameService#listbyname method has been removed. PUP-10488

Methods from TypeCalculator removed

The deprecated TypeCalculator.enumerable has been removed, and the functionality has been moved to Iterable. PUP-10487

Enumeration type removed

The deprecated Enumeration class has been removed, and its functionality has been moved to Iterable. PUP-10486

Puppet::Util::Yaml.load_file removed

The deprecated Puppet::Util::Yaml.load_file method has been removed. PUP-10475

Puppet::Resource methods removed

The following deprecated Puppet::Resource methods have been removed:

legacy auth.conf support removed

The legacy auth.conf has been deprecated for several major releases. Puppet 7 removes all support for legacy auth.conf. Instead, authorization to Puppet REST APIs is controlled by puppetserver auth.conf. In addition, the allow and deny rules in fileserver.conf are now ignored and Puppet logs an error for each entry. The rest_authconfig setting has also been removed. PUP-10473

Puppet.define_settings removed

The deprecated Puppet.define_settings method has been removed. PUP-10472

Application orchestration language features removed

The deprecated application orchestration language features have been removed. The keywords application, site, consumes and produces, and the export and consume metaparameters, now raise errors. The keywords are still reserved, but can’t be used as a custom resource type or attribute name. The environment catalog REST API has also been removed, along with supporting classes, such as the environment compiler and validators. PUP-10446

Puppet::Network::HTTP::ConnectionAdapter removed

The Puppet::Network::HTTP::ConnectionAdapter has been removed, and contains the following breaking changes:

environment_timeout_mode setting removed

The environment_timeout_mode setting has been removed. Puppet no longer supports environment timeouts based on when the environment was created. In Puppet 7, the environment_timeout setting is always interpreted as 0 (never cache), unlimited (always cache), or from when the environment was last used. PUP-10619

Networking code from the parent REST terminus removed

The Networking code from the parent REST terminus has been removed, and is a breaking change for any REST terminus that relies on the parent REST terminus to perform the network request and process the response. The REST termini must implement the find, search, save and destroy methods for their indirected model. PUP-10440

Dependency on http-client gem removed

The dependency on the http-client gem has been removed. If you have a Puppet provider that relies on this gem, you must install it. PUP-10490

HTTP file content terminus removed

The HTTP file content terminus has been removed. It is no longer possible to retrieve HTTP file content using the indirector. Instead, use Puppet's builtin HTTP client instead: response = Puppet.runtime[:http].get(URI("http://example.com/path")). PUP-10442

Puppet::Util::HttpProxy.request_with_redirects removed

The Puppet::Util::HttpProxy.request_with_redirects method has been removed, and moves the Puppet::Util::HttpProxy class to Puppet::HTTP::Proxy. The old constant is backwards compatible. PUP-10441

Puppet::Rest removed

Puppet::Rest removed and Puppet::Network::HTTP::Compression have been removed. This change moves Puppet::Network::Resolver to Puppet::HTTP::DNS and deprecates Puppet::Network::HttpPool methods. PUP-10438

Remove strict_hostname_checking removed

The deprecated strict_hostname_checking and node_name settings have been removed. The functionality of these settings is possible using explicit constructs within a site.pp or fully featured enc. PUP-10436

puppet module build, generate and search actions removed

The puppet module build, generate and search actions have been removed. Use Puppet Development Kit (PDK) instead.PUP-10387

puppet status application has been removed

The deprecated puppet status application has been removed. PUP-10386

The puppet cert and key commands removed

The non-functioning puppet cert and puppet key commands have been removed. Instead use puppet ssl on the agent node and puppetserver ca on the CA server. PUP-10369

SSL code, termini and settings removed

The following SSL code, termini and settings have been removed:

• Puppet::SSL::Host

• Puppet::SSL::Key

• Puppet::SSL::{Certificate,CertificateRequest}.indirection

• Puppet::SSL::Validator*

• ssl_client_ca_auth

• ssl_server_ca_auth PUP-10252

The func3x_check setting has been removed

The setting to turn off func 3x API validation has been removed. Now all 3x functions are validated. PUP-9469

The future_features logic has been removed

The unused future_features setting has been removed. PUP-9426

The puppet man application has been removed

The puppet man application is no longer needed and has been removed. The agent package now installs man pages so that man puppet produces useful results. Puppet's help system (puppet help) is also available. PUP-8446

The execfail method from util/execution has been removed

The following deprecated methods have been removed:

The win32-process has been removed

The Puppet dependency on the win32-process gem has been removed. You can implement the functionality using FFI. PUP-7445

The win32-service gem has been removed

The dependency on the win32-service gem has been removed and uses the Daemon class in Puppet instead. PUP-5758

The win32-security gem has been removed from Puppet

To improve Puppet's handling of Unicode user and group names on Windows, some of the code interacting with the Windows API has been rewritten to ensure wide character (UTF-16LE) API variants are called. As a result, Puppet no longer needs the win32-security gem. Any code based references to the gem have been removed. The gem currently remains for backward compatibility, but is to be removed in a future release. PUP-5735

The capability to install an agent on Windows 2008 and 2008 R2 has been removed

You can no longer install Puppet 7 agents on Windows versions lower than 2012. PA-3364

Support for Ruby versions older than 2.5 removed

Support for Ruby versions older than 2.5 has been removed, and Fixnum and Bignum have been replaced with Integer. PUP-10509

dir monkey-patch removed

This external dependency on the win32/dir gem has been removed and replaces CSIDL constants with environment variables. PUP-10653

Master removed from docs

Documentation for this release replaces the term master with primary server. This change is part of a company-wide effort to remove harmful terminology from our products. For the immediate future, you’ll continue to encounter master within the product, for example in parameters, commands, and preconfigured node groups. Where documentation references these codified product elements, we’ve left the term as-is. As a result of this update, if you’ve bookmarked or linked to specific sections of a docs page that include master in the URL, you’ll need to update your link.

Puppet agent installation fails when msgpack is enabled on puppetserver

Previously, the agent failed to deserialize the catalog and fail the run if the msgpack gem was enabled but not installed. Now the agent only supports that format when the msgpack gem is installed in the agents vendored Ruby. PUP-10772

Puppet feature detection leaves Ruby gems in a bad state

This release fixes a Ruby gem caching issue that prevented the agent from applying a catalog if a gem was managed using the native package manager, such as yum or apt. PUP-10719

Puppet 6 agents do not honor the usecacheonfailure setting when using server_list

Previously, when server_list was used when there was no server accessible, the Puppet run failed even if usecacheonfailure was set to true. Now Puppet only fails if usecacheonfailure is set to false. PUP-10648

Setting certname in multiple sections bypasses validation

Previously, Puppet only validated the certname setting when specified in the main setting, but not if the value was in a non-global setting like agent. As a result, it was possible to set the certname setting to a value containing uppercase letters and prevent the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which setting the value is specified in. PUP-9481

Issues caused by backup to the local filebucket

By default, Puppet won’t backup files it overwrites or deletes to the local filebucket, due to issues where it became unbounded. You can re-enable the local filebucket by setting File { backup => 'puppet' } as a resource default. PUP-9407

Remove future feature flag for prefetch_failed_providers in transaction.rb

If a provider prefetch method raises a LoadError or StandardError, the resources associated with the provider are marked as failed, but unrelated resources are applied. Previously this behavior was controlled by the future_features flag, and disabled by default. PUP-9405

Change default value of hostcsr setting

The default value of the hostcsr setting has been updated to match where Puppet stores the certificate request (CSR) when waiting for the CA to issue a certificate. PUP-9346

Refactor the SMF provider to implement enableable semantics

Previously, the SMF provider did not properly implement enableable semantics. Now enable and ensure are independent operations where enable handles whether a service starts or stops at boot time, and ensure handles whether a service starts or stops in the current running instance. PUP-9051

The list of reserved type names known to the parser validator is incomplete

A class or defined type in top scope can no longer be named init, object, sensitive, semver, semverrange, string, timestamp, timespan or typeset . You can continue to use these names in other scopes such as mymodule::object. PUP-7843

Export or virtualize class error

Previously, Puppet returned a warning or error if it encountered a virtual class or an exported class, but it still included resources from the virtual class in the catalog. Now Puppet always error on virtual and exported classes. PUP-7582

Puppet::Util::Windows::String.wide_string embeds a NULL char

This release removes a Ruby workaround for wide character strings on Windows. PUP-3970

puppet config set certname accepts upper-case names

Previously, the puppet config set command could set a value that was invalid, causing Puppet to fail the next time it ran or the service was restarted. Now the command validates the value before committing the change to puppet.conf. PUP-2173

Unable to read last_run_summary.yaml from user

Puppet agent code now aligns with the new last_run_summary.yaml location. PA-3253