Puppet 3.6 Release Notes
Included in Puppet Enterprise 3.3.
This page tells the history of the Puppet 3.6 series. (Elsewhere: release notes for Puppet 3.0 – 3.4 and Puppet 3.5.)
Puppet’s version numbers use the format X.Y.Z, where:
- X must increase for major backwards-incompatible changes
- Y may increase for backwards-compatible new functionality
- Z may increase for bug fixes
How to Upgrade
If you’re upgrading from a 3.x version of Puppet, you can usually just go for it. Upgrade your puppet master servers before upgrading the agents they serve. (But do look at the table of contents above and see if there are any “Upgrade Warning” notes for the new version.)
If you’re upgrading from Puppet 2.x, please learn about major upgrades of Puppet first! We have important advice about upgrade plans and package management practices. The short version is: test first, roll out in stages, give yourself plenty of time to work with. Also, read the release notes for Puppet 3 for a list of all the breaking changes made between the 2.x and 3.x series.
Puppet 3.6.2
Released June 10, 2014.
Puppet 3.6.2 is a security and bug fix release in the Puppet 3.6 series. It addresses two security vulnerabilities and includes fixes for a number of fairly recent bugs. It also introduces a new disable_warnings setting to squelch deprecation messages.
Security Fixes
CVE-2014-3248 (An attacker could convince an administrator to unknowingly execute malicious code on platforms with Ruby 1.9.1 and earlier)
On platforms running Ruby 1.9.1 and earlier, previous code would load Ruby source files from the current working directory. This could lead to the execution of arbitrary code during puppet runs.
CVE-2014-3250 (Information Leakage Vulnerability)
Apache 2.4+ uses the SSLCARevocationCheck setting to determine how to check the certificate revocation list (CRL) when establishing a connection. Unfortunately, the default setting is none, so a puppet master running Apache 2.4+ and Passenger will ignore the CRL by default. This release updates the Apache vhost settings to enable CRL checking.
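A defender-side check for the gap described above, as an added example that is not part of the original release notes or Puppet's own code: it flags TLS vhosts where a CRL file is configured but SSLCARevocationCheck is left at its default. The hostnames, paths and the chain value in the sample are assumptions for illustration.

```ruby
# Added example, not Puppet project code. Hostnames and paths are constructed.
SAMPLE_VHOSTS = <<~CONF
  <VirtualHost *:8140>
      ServerName legacy-master.example.test
      SSLEngine on
      SSLCARevocationFile  /path/to/ca_crl.pem
  </VirtualHost>

  <VirtualHost *:8141>
      ServerName fixed-master.example.test
      SSLEngine on
      SSLCARevocationFile  /path/to/ca_crl.pem
      SSLCARevocationCheck chain
  </VirtualHost>
CONF

# Classify one parsed vhost by whether Apache will actually consult a CRL.
def classify(vhost)
  status =
    if vhost[:check] != 'none' then :crl_checked
    elsif vhost[:crl_source] then :crl_configured_but_ignored
    else :no_revocation_checking
    end
  vhost.merge(status: status)
end

# One result per TLS-enabled <VirtualHost>; server-level inheritance is not modelled.
def audit_crl_checking(conf_text)
  results = []
  vhost = nil
  conf_text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A<VirtualHost\s+([^>]+)>/i
      # 'none' is the Apache 2.4 default when SSLCARevocationCheck is unset
      vhost = { addr: $1.strip, line: lineno, ssl: false, crl_source: nil, check: 'none' }
    elsif line =~ %r{\A</VirtualHost>}i
      results << classify(vhost) if vhost && vhost[:ssl]
      vhost = nil
    elsif vhost
      name, value = line.split(/\s+/, 2)
      case name.downcase
      when 'sslengine' then vhost[:ssl] = value.to_s.downcase == 'on'
      when 'sslcarevocationfile', 'sslcarevocationpath' then vhost[:crl_source] = value
      when 'sslcarevocationcheck' then vhost[:check] = value.to_s.split.first.to_s.downcase
      end
    end
  end
  results
end

audit_crl_checking(SAMPLE_VHOSTS).each do |v|
  puts "#{v[:addr]} line #{v[:line]}: check=#{v[:check]} -> #{v[:status]}"
end
```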
Feature: Disabling Deprecation Warnings
Puppet 3.6.0 deprecated config-file environments, leading to warnings during every puppet run for people who haven’t yet switched to the new and improved directory environments. The high volume of duplicate deprecation warnings was deemed annoying enough that we’ve added a new feature to allow people to disable them.
You can now use the new (optional) disable_warnings setting in puppet.conf or on the command line to suppress certain types of warnings. For now, disable_warnings can only be set to deprecations, but other warning types may be added in future versions. All warnings are still enabled by default.
Fix for Directory Environments Under Webrick
Puppet 3.6.1 introduced a bug that prevented directory environments from functioning correctly under Webrick, causing this error: “Attempted to pop, but already at root of the context stack.” This release fixes the bug.
Fixes to purge_ssh_keys
Two bugs were discovered with the new (as of 3.6.0) purge_ssh_keys attribute for the user type. These bugs could prevent SSH keys from being purged under certain circumstances, and have been fixed.
Related issues:
- PUP-2635: user purge_ssh_keys not purged
- PUP-2660: purging ssh_authorized_key fails because of missing user value
Default environment_timeout increased
The previous default value for environment_timeout was 5s, which turns out to be way too short for a typical production environment. This release changes the default environment_timeout to 3m.
General Bug Fixes
- PUP-2689: A node can’t always collect its own exported resources
- PUP-2692: Puppet master passenger processes keep growing
- PUP-2705: Regression with external facts pluginsync not preserving executable bit
Puppet 3.6.1
Released May 22, 2014.
Puppet 3.6.1 is a bug fix release in the Puppet 3.6 series. It also makes the transaction_uuid more reliably available to extensions.
Changes to RPM Behavior With Virtual Packages
In Puppet 3.5, the RPM package provider gained support for virtual packages. (That is, Puppet would handle package names the same way Yum does.) In this release, we added a new allow_virtual attribute for package, which defaults to false. You’ll have to set it to true to manage virtual packages.
We did this because there are a few cases where a virtual package name can conflict with a non-virtual package name, and Puppet will manage the wrong thing. (Again, just like Yum would.) For example, if you set ensure => absent on the inetd package, Puppet might uninstall the xinetd package, since it provides the inetd virtual package.
We had to treat that change as a regression, so we’re currently defaulting allow_virtual => false to preserve compatibility in the Puppet 3 series. The default will change to true for Puppet 4. If you manage any packages with virtual/non-virtual name conflicts, you should set allow_virtual => false on a per-resource basis.
If you don’t have any resources with ambiguous virtual/non-virtual package names, you can enable the Puppet 4 behavior today by setting a resource default in the main manifest:
Package {
  allow_virtual => true,
}
Improvements to transaction_uuid in Reports and Node Termini
Each catalog request from an agent node has a unique identifier, which persists through the entire run and ends up in the report. However, it was being omitted from reports when the catalog run failed, and node termini had no access to it. This release adds it to failed reports and node object requests.
(Note that transaction_uuid isn’t available in the standard ENC interface, but it is available to custom node termini.)
- PUP-2522: The transaction_uuid should be available to a node terminus
- PUP-2508: Failed compilation does not populate environment, transaction_uuid in report
Windows Start Menu Fixes
If your Windows machine only had .NET 4.0 or higher, the “Run Facter” and “Run Puppet Agent” start menu items wouldn’t work, stating that they needed an older version of .NET installed. This is now fixed.
Improved Passenger Packages on Debian/Ubuntu
The Apache vhost config we ship in the Debian/Ubuntu puppetmaster-passenger package had some non-optimal TLS settings. This has been improved.
HTTP API Fixes
A regression in Puppet 3.5 broke DELETE requests to Puppet’s HTTP API. Also, a change in 3.6.0 made puppet agent log spurious warnings when using multiple values for the source attribute. These bugs are both fixed.
- PUP-2505: REST API regression in DELETE request handling
- PUP-2584: Spurious warnings when using multiple file sources (regression in 3.6.0)
Directory Environment Fixes
If puppet master was running under Rack (e.g. with Passenger) and the environmentpath was configured in the [master] section of puppet.conf (instead of in [main]), Puppet would use the wrong set of environments. This has been fixed.
- PUP-2607: environmentpath does not work in master section of config
- PUP-2610: Rack masters lose track of environment loaders
Future Parser Improvements
This release fixes two compatibility bugs where the future parser conflicted with the 3.x parser. It also fixes a bug with the new EPP templating language.
- PUP-1894: Cannot render EPP templates from a module
- PUP-2568: Cannot use class references with upper cased strings
- PUP-2581: Interpolated variables with leading underscore regression (regression in 3.5.1)
Puppet 3.6.0
Released May 15, 2014. (RC1: May 6.)
Puppet 3.6.0 is a backward-compatible features and fixes release in the Puppet 3 series. The biggest things in this release are:
- Improvements to directory environments, and the deprecation of config file environments
- Support for purging unmanaged ssh_authorized_key resources
- Support for installing gems for a custom provider as part of a Puppet run
- A configurable global logging level
- A configurable hashing algorithm (for FIPS compliance and other purposes)
- Improvements to the experimental future parser
Improvements for Directory Environments
Directory environments were introduced in Puppet 3.5 as a partially finished (but good enough for most people) feature. With Puppet 3.6, we consider them completed. We’re pretty sure they can now handle every use case for environments we’ve ever heard of.
The final piece is the environment.conf file. This optional file allows any environment to override the manifest, modulepath, and config_version settings, which is necessary for some people and wasn’t possible in Puppet 3.5. You can now exclude global module directories for some environments, or point all environments at a global main manifest file. For details, see the page on directory environments and the page on environment.conf.
It’s also now possible to tune the cache timeout for environments, to improve performance on your puppet master. See the note on timeout tuning in the directory environments page.
- PUP-1114: Deprecate environment configuration in puppet.conf
- PUP-2213: The environmentpath setting is ignored by puppet faces unless set in [main]
- PUP-2215: An existing directory environment will use config_version from an underlying legacy environment of the same name.
- PUP-2290: ca_server and directory based environments don’t play nice together
- PUP-1596: Make modulepath, manifest, and config_version configurable per-environment
- PUP-1699: Cache environments
- PUP-1433: Deprecate ‘implicit’ environment settings and update packaging
Deprecation: Config-File Environments and the Global manifest/modulepath/config_version Settings
Now that directory environments are completed, config-file environments are deprecated. Defining environment blocks in puppet.conf will cause a deprecation warning, as will any use of the modulepath, manifest, and config_version settings in puppet.conf.
This also means that using no environments is deprecated. In a future version of Puppet (probably Puppet 4), directory environments will always be enabled, and the default production environment will take the place of the global manifest/modulepath/config_version settings.
Related issues:
- PUP-1114: Deprecate environment configuration in puppet.conf
- PUP-1433: Deprecate ‘implicit’ environment settings and update packaging
Feature: Purging Unmanaged SSH Authorized Keys
Purging unmanaged ssh_authorized_key resources has been on the most-wanted features list for a very long time, and we haven’t been able to make the resources meta-type accommodate it.
Fortunately, the user type accommodates it very nicely. You can now purge unmanaged SSH keys for a user by setting the purge_ssh_keys attribute:
user { 'nick':
  ensure         => present,
  purge_ssh_keys => true,
}
This will purge any keys in ~nick/.ssh/authorized_keys that aren’t being managed as Puppet resources.
Related issues:
- PUP-1174: PR (2247) Ability to purge .ssh/authorized_keys
- PUP-1955: purge_ssh_keys causes stack trace when creating new users on redhat
Feature: Installing Gems for a Custom Provider During Puppet Runs
Previously, custom providers that required one or more gems would fail if at least one gem was missing before the current puppet run, even if they had been installed by the time the provider was actually called. This release fixes the behavior so that custom providers can rely on gems installed during the same puppet run.
Feature: Global log_level Setting
You can now set the global log level using the log_level setting in puppet.conf. It defaults to notice, and can be set to debug, info, notice, warning, err, alert, emerg, or crit.
Feature: digest_algorithm Setting
You can now change the hashing algorithm that puppet uses for file digests to sha256 using the new digest_algorithm setting in puppet.conf. This is especially important for FIPS-compliant hosts, which would previously crash when puppet tried to use MD5 for hashing. Changing this setting won’t affect the md5 or fqdn_rand functions.
This setting must be set to the same value on all agents and all masters simultaneously; if they mismatch, you’ll run into two problems:
- PUP-2427: Pluginsync will download every file every time if digest_algorithms do not agree — All files with a source attribute will download on every run, which wastes a lot of time and can swamp your puppet master.
- PUP-2423: Filebucket server should warn, not fail, if checksum type is not supported — If you’re using a remote filebucket to back up file content, agent runs will fail.
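One way to catch such a mismatch before a rollout, as an added example that is not Puppet's own code: compare the effective digest_algorithm taken from each node's puppet.conf. The node names and file contents are constructed, and the md5 fallback and the rule that a run-mode section overrides [main] are stated here as assumptions about Puppet 3.6 behaviour.

```ruby
# Added example, not Puppet project code. Node names and configs are constructed.
PUPPET_DEFAULT_DIGEST = 'md5' # assumed fallback when the setting is absent

# Parse puppet.conf text into { "section" => { "key" => "value" } }.
def parse_puppet_conf(text)
  section = 'main'
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |raw, conf|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A\[(\w+)\]\z/
      section = $1
    elsif line =~ /\A(\w+)\s*=\s*(.*)\z/
      conf[section][$1] = $2.strip
    end
  end
end

# The run-mode section ([agent] or [master]) takes precedence over [main].
def effective_digest(conf_text, run_mode)
  conf = parse_puppet_conf(conf_text)
  conf[run_mode].fetch('digest_algorithm') do
    conf['main'].fetch('digest_algorithm', PUPPET_DEFAULT_DIGEST)
  end
end

# Group node names by effective algorithm; more than one group is a mismatch.
def digest_groups(nodes)
  nodes.group_by { |n| effective_digest(n[:conf], n[:mode]) }
       .transform_values { |ns| ns.map { |n| n[:name] } }
end

NODES = [
  { name: 'master01.example.test', mode: 'master',
    conf: "[main]\ndigest_algorithm = sha256\n" },
  { name: 'agent01.example.test', mode: 'agent',
    conf: "[main]\nserver = master01.example.test\n[agent]\ndigest_algorithm = sha256\n" },
  { name: 'agent02.example.test', mode: 'agent',
    conf: "[main]\nserver = master01.example.test\n" }, # setting absent
]

groups = digest_groups(NODES)
puts groups.size > 1 ? "MISMATCH: #{groups}" : "consistent: #{groups.keys.first}"
```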
Improvements to the Future Parser
It’s still experimental, but the future parser has gotten a lot of attention in this release. For example, functions can now accept lambdas as arguments using the new Callable type. There are also a few changes laying the groundwork for the upcoming catalog builder.
- PUP-1960: realizing an empty array of resources fails in future evaluator
- PUP-1964: Using undefined variable as class parameter default fails in future evaluator
- PUP-2190: Accessing resource metaparameters fails in future evaluator
- PUP-2317: Future parser does not error on import statements
- PUP-2302: New evaluator does not properly handle resource defaults
- PUP-2026: Add a LambdaType to the type system
- PUP-2027: Add support for Lambda in Function Call API
- PUP-1956: Add function loader for new function API
- PUP-2344: Functions unable to call functions in different modules
- PUP-485: Add assert_type functions for type checks
- PUP-1799: New Function API
- PUP-2035: Implement Loader infrastructure API
- PUP-2241: Add logging functions to static loader
OS Support Changes
This release improves compatibility with Solaris 10 and adds support for Ubuntu 14.04 (Trusty Tahr).
Support for Ubuntu 13.04 (Raring Ringtail) has been discontinued; it was EOL’d in January 2014.
Related issues:
- PUP-1749: Puppet module tool does not work on Solaris
- PUP-2100: Allow Inheritance when setting Deny ACEs
- PUP-1711: Add Ubuntu 14.04 packages
- PUP-1712: Add Ubuntu 14.04 to acceptance
- PUP-2347: Remove raring from build_defaults, it is EOL
- PUP-2418: Remove Tar::Solaris from module_tool
Module Tool Changes
The puppet module tool has been updated to deprecate the Modulefile in favor of metadata.json. To help ease the transition, the module tool will automatically generate metadata.json based on a Modulefile if it finds one. If neither Modulefile nor metadata.json is available, it will kick off an interview and generate metadata.json based on your responses.
The new module template has also been updated to include a basic README and spec tests. For more information, see Publishing Modules on the Puppet Forge.
Related issues:
- PUP-1976: puppet module build should use metadata.json as input format
- PUP-1977: puppet module build should create metadata.json instead of Modulefile
- PUP-2045: puppet module generate should produce a skeleton Rakefile
- PUP-2093: PMT should use the Forge’s /v3 API
- PUP-2284: Add a user interview for creating a metadata.json file
- PUP-2285: Update PMT generate’s README template
Issues fixed during RC:
- PUP-2484: puppet module build should provide deprecated functionality with warning until Puppet v4 — this would cause the Modulefile to be ignored if a metadata.json file also existed.
- PUP-2561: PMT may deadlock when packing or unpacking large tarballs
- PUP-2562: PMT will not install puppetlabs/openstack 4.0.0
Type and Provider Fixes
Package:
Several providers were updated to support the install_options attribute, and the yum provider now has special behavior to make --enablerepo and --disablerepo work well when you set them as install_options.
- PUP-748: PR (2067): Zypper provider install options - darix
- PUP-620: (PR 2429) Add install_options to gem provider
- PUP-1769: PR (2414) yum provider to support install_options
- PUP-772: PR (2082): Add install options to apt
- PUP-1060: enablerepo and disablerepo for yum type
Nagios:
Cron:
- PUP-1585: PR (2342) cron resources with target specified generate duplicate entries
- PUP-1586: PR (2331) Cron Type sanity check for the command parameter is broken
- PUP-1624: PR (2342) Cron handles crontab’s equality of target and user strangely
Service:
OpenBSD services can now be enabled and disabled, and we fixed some bugs on other platforms.
- PUP-1751: PR (2383): Suse chkconfig --check boot.<service> always returns 1 whether the service is enabled/disabled. - m4ce
- PUP-1932: systemd reports transient (in-memory) services
- PUP-1938: Remove Ubuntu default from Debian service provider
- PUP-1332: “puppet resource service” fails on Ubuntu 13.04 and higher
- PUP-2143: Allow OpenBSD service provider to implement :enableable
File:
We fixed a regression from Puppet 3.0 that broke file resources whose source URL specified a server other than the default. (That is, puppet://myserver/modules/... instead of puppet:///modules/....)
Yumrepo:
We fixed a few lingering regressions from the big yumrepo cleanup of Puppet 3.5, and added support for the skip_if_unavailable parameter.
- PUP-2218: yumrepo can no longer manage repositories in yum.conf
- PUP-2291: yumrepo priority can not be sent to absent
- PUP-2292: Insufficient tests on yumrepo’s => absent
- PUP-2279: Add support for ‘skip_if_unavailable’ parameter to yumrepo
Augeas:
We added better control over the way Augeas resources display diffs, for better security and less noise.
General Bug Fixes
- PUP-530: Installer for Puppet 3 does not check for hiera
- PUP-1547: PR (2311) Undefined method `groups’ for nil:NilClass
- PUP-1552: V2.0 API reports Not Authorized as a “RUNTIME_ERROR”
- PUP-1924: source function library before client sysconfig overrides
- PUP-1954: use of ‘attr’ causes deprecation warning
- PUP-1986: Permissions for libdir are set arbitrarily
- PUP-2073: PR (2477) Multiple values for diff_args causes diff execution failure
- PUP-2278: puppet module install fails when given path containing spaces
- PUP-2101: resource parser: add the resource name on the validation error message when using create_resources
- PUP-2282: Deprecation warnings issued with different messages from the same line are suppressed.
- PUP-2306: Puppet::Util::Execution.execute no longer returns a String
- PUP-2415: Puppet Agent Service - Rename /etc/sysconfig/puppetagent to /etc/sysconfig/puppet
- PUP-2416: Puppet Service - Use no-daemonize and no forking (Master and Agent)
- PUP-2417: Puppet Agent Should wait for Puppet Master to finish starting, if puppet master is installed
- PUP-2395: Installation problem for puppetmaster-puppet 3.5.1 on Ubuntu 13.10
All Resolved Issues for 3.6.0
Our ticket tracker has the list of all issues resolved in Puppet 3.6.0.