PE services and Puppet core known issues
This page lists known issues for Puppet and Puppet services in Puppet Enterprise.
Puppet release notes
This version of PE includes Puppet version 4.10.8. Refer to the Puppet release notes for more information.
Puppet agent release notes
bbe This version of PE includes Puppet agent version 1.10.8. Refer to the Puppet agent release notes for more information.
Restart shell after install for PE client tools subcommands
After installing PE, the commands in the PE client tools will not be available on the PATH until you restart your shell.
New reserved words:
Due to changes in the Puppet DSL for Application Orchestration, the following words have been reserved in the Puppet language:
Like all reserved words, you can’t use these as unquoted strings or as names for classes, defined types, resource types, or custom functions.
If enable Application Orchestration and use these words, you’ll encounter a parser error.
parser=future setting in
environment.conf not valid in PE 2015.2
If you enabled the Puppet 4 language parser in PE 3.8.x by setting
parser=future in any
environment.conf files, you’ll see warning messages during your upgrade, as this setting is no longer valid. After you upgrade, remove this setting from any
enable_future_parser parameter after upgrading
If you enabled the Puppet 4 language parser in PE 3.8 via the console, Hiera, or a third-party classification tool, after upgrading you must use the console to remove the
enable_future_parser paramater from the
puppet_enterprise::profile::master class, as this parameter is deprecated.
/opt/staging/ is no longer used
In PE 2015.2, the
/opt/staging/ directory is no longer used. Because users may have used either the
nanliu-staging modules, we did not delete the directory. If you are not using the directory, it is safe to delete it.
lsbmajdistrelease fact affects some manifests
In Facter 2.2.0, the
lsbmajdistrelease fact changed its value from the first two numbers to the full two-number.two-number version on Ubuntu systems. This might break manifests that were based on the previous behavior. For example, this fact changed from:
This change affects Ubuntu and Amazon Linux.
allow_no_actionpolicy parameter to enforce MCollective action policies
The MCollective ActionPolicy plugin is installed by default in PE. Within the configuration of MCollective, there is a setting that can be used to enforce the use of this ActionPolicy. By default this setting (
plugin.actionpolicy.allow_unconfigured) is hardcoded to
1. Unfortunately this prevents you from enforcing the use of configured Action Policies.
To change this setting, use the PE console to edit the value of the
allow_no_actionpolicy parameter of the
puppet_enterprise::profile::mcollective::agent class located in the PE MCollective node group. To allow ActionPolicy, enter
"0". (Be sure to use quote marks, as Puppet expects a string for this value.)
Enabling NIO and Stomp for ActiveMQ performance improvements will introduce security Issues
Enabling ActiveMQ’s use of the NIO protocol in PE can improve the speed at which messages are sent across your deployment. However, when this is enabled, any parameters that you define for which SSL protocols to use will be ignored, and SSL version 3 will be enabled. Apache has fixed this bug, but they have not yet released a version of ActiveMQ that contains the fix. For more information, refer to their public ticket.
Considering security over performance, PE 2015.2 ships with NIO disabled. You can enable it with the following procedure:
- In the console, click Classification, and in the PE Infrastructure node group, select the PE ActiveMQ Broker node group.
- On the Classes tab, find
puppet_enterprise::profile::amq::brokerin the list of classes.
- From the parameter drop-down menu, choose
openwire_protocol, and in the value field add nio+ssl.
- Click Add parameter.
- From the parameter drop-down menu, choose
stomp_protocol, and in the value field add stomp+nio+ssl.
- Click Add parameter, and commit changes.
site.pp must be duplicated for each environment
You can no longer have a universal or global
site.pp. The default main filebucket is configured as a resource default in
site.pp. This means that
site.pp must be duplicated for each environment. See the Puppet environments documentation for more information.
puppet module list --tree shows incorrect dependencies after uninstalling modules
If you uninstall a module with
puppet module uninstall <module name> and then run
puppet module list --tree, you will get a tree that does not accurately reflect module dependencies.
The Puppet module tool (PMT) does not support Solaris 10
When attempting to use the PMT on Solaris 10, you’ll get an error like the following:
Error: Could not connect via HTTPS to https://forgeapi.puppetlabs.com Unable to verify the SSL certificate The certificate may not be signed by a valid CA The CA bundle included with OpenSSL may not be valid or up to date
This error occurs because there is no CA-cert bundle on Solaris 10 to trust the Puppet Forge certificate. To work around this issue, we recommend that you download directly from the Forge website and then use the Puppet module tool to install from a local tarball.