Puppet 4.3 Release Notes

Included in Puppet Enterprise 2015.3. A newer version is available; see the version menu above for details.

This page lists the changes in Puppet 4.3 and its patch releases.

Puppet’s version numbers use the format X.Y.Z, where:

  • X must increase for major backwards-incompatible changes
  • Y can increase for backwards-compatible new functionality
  • Z can increase for bug fixes

If You’re Upgrading from Puppet 3.x

Read the Puppet 4.0 release notes, since they cover breaking changes since Puppet 3.8.

Also of interest: the Puppet 4.2 release notes and Puppet 4.1 release notes.

Puppet 4.3.2

Released January 25, 2016.

Puppet 4.3.2 is a bug fix release.

New Platform: Ubuntu Wily 15.10

As of Puppet 4.3.2, packages are available for Ubuntu Wily 15.10. Puppet 4.3.2 also modifies systemd to be the default service provider on Wily.

Improvements: Speed!

Faster Puppet lexer and parser

The lexer and parser in this version of Puppet complete tasks in less time when compared to Puppet 4.3.1. In limited testing, we’ve seen CPU time reduced by up to 55% in JRuby and by up to 13% in Ruby MRI.

Faster service queries on OS X

Puppet 4.3.2 queries service enablement status on OS X several times faster than previous versions of Puppet.

Faster compilation when environment_timeout = 0

In previous versions of Puppet, an environment with an environment_timeout set to 0 that used many automatically bound default values would perform poorly, as each lookup caused the environment cache to be evicted and recreated. Puppet 4.3.2 greatly reduces the number of times it evicts the environment and significantly improves compilation performance.

New Feature: Use fact files with puppet lookup

Puppet 4.3.2 adds the ability to declare a JSON or YAML file containing key-value pairs (a fact file) when running the puppet lookup command. This populates a scope with facts from the fact file that Puppet can use when looking up data. For more information, see the [Puppet lookup quick reference][puppet lookup].

New Feature: Set HTTP proxy host and port for the pip provider

In previous versions of Puppet, the pip package provider could fail if used behind an HTTP proxy. This version adds the http_proxy_host and http_proxy_port settings to the provider.

New Feature: No catalog compilation on puppet lookup without the --compile flag

In previous versions of Puppet 4.3, the puppet lookup command always compiles the entire catalog before performing looking up a key. While correct, it can potentially be very time-consuming and produce unwanted logging. In Puppet 4.3.2, running puppet lookup instead uses an empty catalog (as --noop), and Puppet only compiles the entire catalog when run with the new --compile flag.

Regression Fix: Allow resource collectors to use resource references

Puppet 4.0 introduced a regression where resource collectors using resource references would produce an error. Puppet 4.3.2 fixes that regression.

Regression Fix: Retrieve resource state at evaluation time

In previous versions of Puppet 4.3, Puppet prematurely retrieves generated resources when they are generated, rather than during evaluation. This could cause certain types or providers to behave inconsistently. For instance, changing only the mode on an existing remote_file resource might lead to Puppet unnecessarily recreate the file on each Puppet run. This is a regression from Puppet 4.2, and Puppet 4.3.2 correctly retrieves generated resources when it evaluates the resource.

Regression Fix: Perform Hiera lookup on undef class parameters

In previous versions of Puppet 4.3, a Hiera lookup for a class parameter wouldn’t occur if the parameter value was set to undef in the resource declaration. This is a regression from Puppet 4.2, and Puppet 4.3.2 correctly performs the lookup.

Regression Fix: Correctly interoplate default values

Puppet should interpolate default values from keys where the value is intentionally missing. However, this functionality stopped working in Puppet 4 due to the new distinction it makes between empty strings and undefined values, affecting lookups of missing variables. Puppet 4.3.2 fixes this by recognizing when a key has an undefined value and correctly interpolating its default value.

Regression Fix: Fix yum provider’s handling of epoch-versioned RPM packages

Puppet 4.3.0 attempted to resolve an issue in handling epoch tags in DNF package names (PUP-5025). However, the fix broke the yum provider’s handling of epoch-versioned packages. This regression is fixed in Puppet 4.3.2.

Regression Fix: Make --profile flag compatible with Puppet 3

In Puppet 4, functions converted to the Puppet 4 function API were not included in the profiling information produced by the --profile flag. This caused the profiling output to produce less information than in Puppet 3. Puppet 4.3.2 restores this missing information.

Bug Fix: Unterminated C-style comments cause Puppet to hang

In previous versions of Puppet, an unterminated C-style comment in a Puppet manifest could lead to the puppet master process hanging indefinitely. Puppet 4.3.2 resolves this issue.

Bug Fix: Handle non-ASCII Unicode characters in inlined file content

In previous versions of Puppet, when a catalog contained inlined file content (typically from a template) with non-ASCII unicode characters, those characters could be corrupted when the agent used a cached catalog. Puppet 4.3.2 resolves this issue for the JSON cache.

Bug Fix: Correctly handle yum warnings

When run without an internet connection, the yum package manager returns a non-zero exit code. The yum package provider failed to handle this properly in previous versions of Puppet 4, resulting in an exception and failed resource. Puppet 4.3.2 updates the yum provider to gracefully warn the user instead of failing.

Bug Fix: Use service command to determine service status on Debian 8 and Ubuntu 15.04

If systemd is purged from a Debian 8 or Ubuntu 15.04 system running Puppet 4.3.1, the service provider failed to determine the state of a service because systemctl didn’t exist. Puppet 4.3.1 instead uses the service command, which is an abstraction around each of the available init systems in the Debian family of platforms, to power the service provider.

Bug Fix: Always restore full trusted information from data stores

When trusted information was stored in PuppetDB, caches, or a file, and later retrieved, the value of the authenticated key was modified depending on whether the process ran as root. In Puppet 4.3.2, there is no difference, and the same information is always retrieved.

Therefore, the authenticated flag should be interpreted as “how the trusted information was authenticated when it entered the system”. Historical data retains how it was authenticated in the past, and Puppet can obtain this information when reading it.

Bug Fixes: Puppet Language

Bug Fixes: Puppet lookup

  • PUP-5502: Lookup adapter lookup_global produces bad error messages for faulty hiera.yaml: In Puppet 4.3.1, errors in hiera.yaml produce vague error messages when handled during lookup actions. Puppet 4.3.2 produces a more concise error message, and includes the name of the key, location of the broken hiera.yaml file, and the location in hiera.yaml where the evaluation failed.
  • PUP-5511: puppet lookup rejects --merge first: In Puppet 4.3.1, the [puppet lookup][] command’s --merge option only accepted unique even though the lookup() function also accepted first. That made it impossible to override the lookup merge options provided in data files when performing a lookup from the command line. Puppet 4.3.2 resolves this by implementing the --merge first option for puppet lookup.
  • PUP-5618: Puppet ignores nested lookup_options in modules: When a module using lookup_options includes another module using lookup_options, Puppet 4.3.1 ignores the nested options. Puppet 4.3.2 correctly respects the nested options.
  • PUP-5644: Puppet lookup creates new SSL hierarchy with self-signed CA: When running puppet lookup under Puppet 4.3.1, Puppet created an unnecessary SSL hierarchy and self-signed certificate authority. Besides not being useful, these unnecessary creations could also cause lookups on masterless Puppet nodes to fail. Puppet 4.3.2 doesn’t do this.

Bug Fixes: Miscellaneous

  • PUP-5520: Exclude unsafe Yocto scripts from service init provider: Gathering the status of service resources on Yocto Linux can cause unintended consequences, such as sending shutdown signals to daemons. Puppet 4.3.2 blacklists a series of unsafe init scripts shipped by Yocto so that Puppet does not try to execute them.

  • PUP-5522: Puppet::Node attributes not kept consistent with its parameters: In some Puppet-related applications, or in certain cases when using Puppet from Ruby, a Node object could use one environment but report that it was in another, resulting in the node having the wrong set of parameters. This doesn’t affect regular catalog compilation, and is resolved in Puppet 4.3.2.

Puppet 4.3.1

Released November 30, 2015.

Puppet 4.3.1 is a bug fix release.

Bug Fixes: Miscellaneous

  • PUP-5525: Hiera special pseudo-variables breaking with Puppet 4.3: Puppet 4.3.0 does not initialize Hiera for use with automatic class parameter lookups in the correct order, and does not correctly set special pseudovariables like calling_module. This led to lookups not finding values when the special variables were interpolated in hierarchy data paths.

Puppet 4.3.0

Released November 17, 2015.

Puppet 4.3.0 is a feature and bug fix release in the Puppet 4 series. It adds OS X 10.11 (El Capitan) and Fedora 22 packages, introduces the experimental lookup system, support for new language features used by Application Orchestration, augeas improvements, and many bug fixes.

New Feature: Puppet Lookup

Puppet lookup is a new and improved Hiera-like data lookup system, with lots of room for interesting future growth. It integrates with the existing Hiera system but fixes a lot of its most frustrating limitations.

Note: Puppet lookup is an experimental feature in this version of Puppet. We might change its interface in subsequent releases before we declare it stable. Please use it and tell us if you see a way to make it better.

Today, the summary of Puppet lookup is:

  • You can keep your hierarchy configuration in your environments, so it can be versioned alongside the data it controls.
  • Modules can use Hiera-like data files to specify default values for their parameters.
  • There’s a new lookup function and puppet lookup command, with more powerful features and a more useful interface.
    • MUCH more powerful. Check out puppet lookup’s --node and --explain options.
  • Automatic class parameter lookup can finally fetch merged data! You can specify merge behavior in your data sources with the new lookup_options metadata key.

Custom Hiera backends don’t work with Puppet lookup.

For more details, see:

Related tickets:

New Feature: Control the Execution of Augeas Resources

  • PUP-4629: Augeas onlyif does not work when using arrays to match against: Makes it possible to control execution of an Augeas resource based on whether a property in the file being managed has a particular value. For example, you can ensure Augeas only applies changes to /etc/nagios/nagios.cfg if the cfg_file property in the nagios.cfg file does not equal a list of values.
augeas { 'configure-nagios-cfg_file':
incl => '/etc/nagios/nagios.cfg',
lens => 'NagiosCfg.lns',
changes => [ "rm cfg_file",
"ins cfg_file",
"set cfg_file[1] /etc/nagios/commands.cfg",
"ins cfg_file after /files/etc/nagios/nagios.cfg/cfg_file[last()]",
"set cfg_file[2] /etc/nagios/anotherconfig.cfg" ],
onlyif => "values cfg_file != ['/etc/nagios/commands.cfg', '/etc/nagios/anotherconfig.cfg']"
}

New Features: Miscellaneous

Bug Fixes: Language

Bug Fixes: Resource Types and Providers

  • PUP-2573: Puppet::Agent::Locker#lock doesn’t return whether it acquired the lock or not: The Puppet agent uses a lock file to ensure that only one instance is running at a time. However, the agent was susceptible to a race condition that could cause two agents to try to acquire the lock at the same time, and have one of them fail with a generic “Could not run” error. Now the agent will atomically try to acquire the lock, and if that fails, log a meaningful error.

  • PUP-2509: puppet resource service on Solaris needs -H flag: This change was necessary on Solaris 11 due to a new format for service listings when calling svcs. Puppet was fooled into thinking that the literal column headers of the command output were services, when they clearly were not.

  • PUP-5016: SysV init script managed by ‘init’ provider instead of ‘debian’ provider on Debian8: In Debian 8 and Ubuntu 15.04, Systemd was introduced as the default service manager. However, many packages and services still utilize older SysVInit scripts to manage services, necessitating the systemd-sysv-init compatibility layer.

    This layer confused Puppet into improperly managing SysVInit services on these platforms. The final outcome of this ticket is that Puppet now falls back to the Debian service provider when managing a service without a Systemd unit file. All services should be enable-able, which they were not before due to Puppet incorrectly falling back to the Init provider.

    In another, closely related scenario (on versions of Ubuntu before 15.04), the init provider was erroneously being favored over the debian provider when managing the ‘enable’ attribute of upstart services. This meant that puppet resource service <name> would not show whether the service was enabled or not.

    This change causes the debian provider to be used instead, which utilizes upstart rather than init to manage these services. Thus, the enable attribute is always displayed when a service is queried.

  • PUP-5271: Windows user resource should not manage password unless specified: When you are attempting to create users without specifying the password and you have the Windows Password Policy for Password must meet complexity requirements set to Enabled, it caused Puppet to fail to create the user. Now it works appropriately.

    Note: When the Windows Password Policy Minimum password length is greater than 0, the password must always be specified. This is due to Windows validation for new user creation requiring a password for all new accounts, so it is not possible to leave password unspecified once that password policy is set.

    It is also important to note that when a user is specified with managehome => true, the password must always be specified if it is not an already existing user on the system.

  • PUP-4633: User resource fails with UTF-8 comment on 2nd run: Failure to parse existing non-ASCII characters in user comment field - performed when comment is set by the user type - has been fixed.

  • PUP-4738: launchd enable/disable on OS X 10.11: On OS X 10.10+, the launchd provider would fail to update the correct plist. On OS X 10.11 this would result in an error when trying to update a service registered in /System because permission is restricted on /System. Fixed so that the launchd provider now updates the correct override plist rather than falling back to attempting to modify the service plist.

  • PUP-5058: The sshkey Type’s Default Target for Mac OS X 10.11 (El Capitan) is Incorrect: In OSX 10.11, the ssh_known_hosts file is in /etc/ssh, whereas it’s in /etc in older OSX versions. This fix allows Puppet to manage the file on 10.11, while continuing to manage the file at the previous location on 10.9 and 10.10.

  • PUP-4917: puppet resource package does not display installs that use QuietDisplayName: Previously, puppet resource package didn’t display all installed programs as there was a new field added to the registry keys named QuietDisplayName. We’ve now fixed that so those items can now be managed with the Puppet built-in Windows package resource.

Bug Fixes: Miscellaneous

Regression: Puppet retrieves resource state prematurely

In Puppet 4.3.0, Puppet prematurely retrieves generated resources when they are generated, rather than during evaluation. This could cause certain types or providers to behave inconsistently. For instance, changing only the mode on an existing remote_file resource might lead to Puppet unnecessarily recreate the file on each Puppet run. This is a regression from Puppet 4.2 and is fixed in Puppet 4.3.2.

Regression: Puppet doesn’t perform Hiera lookups on undef class parameters

In Puppet 4.3.0, a Hiera lookup for a class parameter wouldn’t occur if the parameter value was set to undef in the resource declaration. This is a regression from Puppet 4.2 and is fixed in Puppet 4.3.2.

Regression: Package version behavior is broken for epoch-versioned RPM packages

Puppet 4.3.0 attempted to resolve an issue in handling epoch tags in DNF package names (PUP-5025). However, the fix broke the yum provider’s handling of epoch-versioned packages. This regression is fixed in Puppet 4.3.2.

↑ Back to top