Puppet 4.6 Release Notes
This version of Puppet is not included in Puppet Enterprise. The latest version of PE includes Puppet 4.10. A newer version is available; see the version menu above for details.
This page lists the changes in Puppet 4.6 and its patch releases.
Puppet’s version numbers use the format X.Y.Z, where:
- X must increase for major backwards-incompatible changes
- Y can increase for backwards-compatible new functionality
- Z can increase for bug fixes
If you’re upgrading from Puppet 3.x
Read the Puppet 4.0 release notes, since they cover breaking changes since Puppet 3.8.
Released September 1, 2016.
This release fixes a few more regressions relative to Puppet 4.5, as well as bugs in features introduced in 4.6.
PUP-6629: Puppet 4.6 was causing hard failures in Puppet runs that worked fine in 4.5. These failures happened whenever certain resource types were used, most notably the acl type from the
This was a side effect of corrective change reporting: if a resource type didn’t handle deserialization well, Puppet couldn’t cope with the error and the run would fail. With this fix, Puppet will still finish the run gracefully if it can’t identify corrective changes for one resource type.
We plan to fix the ACL module’s serialization handling in MODULES-3766.
Fixes for older bugs
- PUP-6647: Functions that use the modern Ruby function API (Puppet::Functions or “4x functions”) can do different things depending on how many arguments they’re called with. Unfortunately, functions that can be called with zero arguments would always use their zero-argument behavior, regardless of how they were actually called. This is now fixed, and zero-argument dispatches are only used when no arguments are provided.
Bugs with new features
PUP-6662: Classes and defined types can specify a Sensitive data type for any of their parameters. But prior to this change, it was impossible to pass Sensitive values when declaring them: they would get erroneously transformed to plain strings.
PUP-6653: Environment isolation for resource types wasn’t working properly — even if PCore resource type data was found, Puppet would load the Ruby implementation anyway. This is now fixed, and the presence of a PCore resource type will prevent the Ruby version from loading.
Released August 23, 2016.
A critical bug was reported affecting a significant number of users in the Puppet 4.6.0 release.
A regression in evaluation of resource-like class inclusion caused evaluation of the class to be lazy as opposed to the correct immediate evaluation. This led to problems with missing variables, which could lead to further problems. The order of evaluation is now restored. (PUP-6608)
Other bug fixes and a new function are also included in this release in the Puppet 4.6 series.
unwrap was added that allows Sensitive data to be obtained in clear text in a controlled way. Learn more about the Sensitive type in the 4.6.0 release notes.
PUP-6627: Prior to this change, puppet apply could problematically show redacted data when a resource contained a Sensitive data type.
PUP-6597: When the ‘generate type’ command reported that it generated output to a path, the path was always wrong. This had no other consequences than misinforming the user watching the generate command’s output.
PUP-6621: Corrective change would incorrectly fail a catalog application when a type or property was incompatible with it. It now logs this information at info level.
PUP-6613: A regression made it impossible to give an attribute as undef when there is no default value expression for a resource parameter and create_resources is used to create the resource. There was no regression when doing the same from a manifest directly.
PUP-6622: Function loading and calling was hit by a performance regression that caused a 300% degradation in performance as observed by benchmarks. This is now fixed.
PUP-6628: Corrective change calculation is now more robust when properties have complex munge and validate methods.
PUP-6574: Camel-cased class names such as myType were allowed but could not be included in the catalog. Now they can.
PUP-6397: Overly aggressive auto relationships between mount and file types have been scaled back.
PUP-6582: Under certain circumstances, when environment_timeout was set to a value greater than 0, the top scope of the first used compilation request would become sticky, and lookups of variables made by functions would get values from the first compilation in that environment. This also caused memory to leak and could in some situations lead to an Out of Memory error.
PUP-2018: This fixes a bug in the puppet certificate generate command where it attempted to generate a CSR for the FQDN for the host when the same FQDN was provided as the remote.
Released August 10, 2016.
A feature and bug fix release for Puppet.
Identify manual change corrected by Puppet
This release adds a new report event field called corrective_change that is designed to detect manual change that has been corrected by a Puppet run.
This feature should help users to detect when an unexpected change occurred outside of Puppet, allowing better auditing and understanding around changes.
This feature achieves this by storing the last best known value for each property that is applied by Puppet, and comparing that against the values in the next Puppet run.
As part of the requirement to store values, this feature also introduces a new local storage mechanism and a new configuration option, transactionstorefile, which points at the YAML file used. This storage is queried on each run for old values during comparison, and persists the new values for the next transaction to do its calculation.
While we’ve done our best to ensure this feature works well, this entire process is still in development and is quite new, and has some known points of interest:
- Noop events are treated specially. Puppet continues to return a positive corrective_change flag if there would be a corrective change were Puppet run in enforcement mode.
- Today, idempotency issues are raised as a corrective_change because Puppet can’t tell the difference. An idempotency issue is when either a provider has a bug applying a change twice consistently, or when Puppet DSL code (or external dependencies) is used that has idempotency issues (common in service and exec resources, for example). For properties that have known idempotency issues, we have introduced an idempotent flag for declaring that corrective_change calculation can be skipped. An example can be found in the notify type, as the message property on notify has been a long-standing and well known non-idempotent property: notify type source code.
- The API for comparison in Puppet for older arbitrary values is brittle, and some custom Puppet types may show the incorrect value for corrective_change as a consequence. We ask users to raise bugs when these cases are discovered.
- For now, if there is any exception during value comparison, Puppet still runs, but returns an error to the user so it can be debugged. Also, Puppet returns corrective_change as nil instead, indicating an unknown state. Any cases where this occurs should be raised as bugs to the appropriate project.
- Comparison of secret values is currently out of scope. To compare these values we would have to store them, and in doing so leak secret information. We’ve decided to step back from this problem, and for now secret properties are not supported for being flagged as corrective.
Along with flagging each event with the corrective_change field, we also flag a resource that has such events, and the entire report. Metrics have been included to allow report consumers to see a count of events that are marked as
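A report consumer can use the event flag to separate drift that Puppet reverted from drift that a noop run only detected and from events whose state is unknown (nil). The script below is an added example, not Puppet's own code; the sample report is constructed, and the resource_statuses, events, property and status keys are assumptions based on the usual report layout.

```ruby
require 'yaml'

# Constructed sample: a report reduced to the keys this example reads.
# Only corrective_change comes from the release notes; other keys are assumed.
SAMPLE_REPORT = <<~YAML
  resource_statuses:
    "File[/etc/ssh/sshd_config]":
      events:
        - {property: mode, status: success, corrective_change: true}
    "Service[ntpd]":
      events:
        - {property: ensure, status: noop, corrective_change: true}
    "Acl[c:/data]":
      events:
        - {property: permissions, status: success, corrective_change: null}
    "Package[curl]":
      events:
        - {property: ensure, status: success, corrective_change: false}
YAML

# Sort every event into one of four buckets:
#   :corrected   - out-of-band change that this run reverted
#   :pending     - noop run; the out-of-band change is still in place
#   :unknown     - nil flag, value comparison failed; needs manual review
#   :intentional - ordinary change driven by the catalog
def triage(report)
  buckets = Hash.new { |hash, key| hash[key] = [] }
  report.fetch('resource_statuses', {}).each do |resource, status|
    (status['events'] || []).each do |event|
      bucket = case event['corrective_change']
               when nil  then :unknown
               when true then event['status'] == 'noop' ? :pending : :corrected
               else :intentional
               end
      buckets[bucket] << "#{resource}/#{event['property']}"
    end
  end
  buckets
end

p triage(YAML.safe_load(SAMPLE_REPORT))
```

Treating nil as its own bucket matters for auditing: an unknown result is neither evidence of drift nor evidence of its absence.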
Sensitive type added
A new type Sensitive[T] has been added to the Puppet type system. New sensitive instances can be created with Sensitive.new(value). Such an instance signals to the running system that the information contained in the Sensitive object should not be leaked in clear text.
Specify multiple masters with
This change adds master failover functionality to the puppet agent. Using the new server_list option to specify multiple masters, an agent will now attempt to fall back to a functional master should a failure to download a catalog occur. The server_list setting can be either provided on the command line or configured in puppet.conf, and has the format server_list = master1_hostname:port,master2_hostname:port,master3_hostname:port.
The server option can still be used to specify a single master, in which case failover will not be attempted and Puppet will behave as it always has. Specifying a single server with the server_list option has the same effect.
PUP-6391: The default service provider for Ubuntu 16.10 is now systemd.
PUP-5604: The systemd service provider now asks journalctl why something failed and reports it back to the user for aid in debugging.
PUP-6042: Using the --test option with puppet agent now overrides the --use_cached_catalog setting. Declaring these options in combination does not result in the use of a cached catalog.
PUP-6378: This adds a field to the report indicating which master was contacted during the run.
PUP-2802: Gentoo supports ‘slotting’ packages which allows multiple different versions of the same package to live alongside one another. The portage package provider now understands and supports these slots.
puppet cert print now displays long names for extensions.
- PUP-6083: The notation Class[Foo] where the name of the class is given with an upper case letter has been deprecated and will result in an error in the next major release of puppet. The deprecation warning (or optionally an error) is controlled by the
PUP-6530: When creating resources using the create_resources function, no file and line information was included in the resulting catalog for the resources created by the function. This is now fixed, which will improve downstream tooling that requires such information.
PUP-5849: When starting a new line with a (, this would be interpreted as an attempt to continue the last expression on the preceding line as if it was the name of a function to call. This is now changed so that for a ( to be recognized as a parenthesis opening an argument list, it must be placed on the same line as the name of the function. Otherwise it will be taken as the end of the previous expression and the start of a new parenthesized/grouping expression.
PUP-6361: Naming a class or a define with a leading :: (making the name absolute) led to not being able to use that class/define. Now, such names are treated as illegal.
Types and Providers
PUP-5926: Previously, the launchd service provider did not support overriding hasstatus => false. This change adds that capability.
PUP-1134: This fixes the init service provider to use the correct path for init scripts on AIX.
PUP-2316: This fix allows the attributes parameter for the user resource to accept an array with a single value in AIX. Prior to this fix, an error would be thrown if the array only contained one value.
PUP-6159: The directoryservice user provider was failing to set a password and salt under certain circumstances on OSX. This has been fixed.
PUP-6323: Photon OS uses TDNF (a DNF variant) for its package manager. This bug fix adds Puppet package provider support for Photon OS.
PUP-6415: This change fixes an issue in the (now deprecated) static compiler where symlinks in recursed directories did not end up with target attributes, causing Puppet to fail to manage them. Note that this only affects the static compiler, and not the newer static catalog functionality which was added as part of the direct puppet workflow.
PUP-6461: This removes false package version update notices when using the pip provider and no actual change occurred.
PUP-6370: Previously, when checking whether a service was enabled, the systemd provider used hardcoded strings to compare to the output of systemctl. Now, Puppet uses the exit code from systemctl, which ensures that the provider’s view of a service is in line with that of the system.
PUP-6437: This change fixes an issue with the directoryservice user provider in OSX, where Puppet would crash in certain circumstances while fetching bad ShadowHashData from the system. Puppet now handles this gracefully.
PUP-6115: Fixed an erroneous command in instructions generated by Puppet to clean certs on Windows.
puppet resource service could fail on Windows when there were certain types of delayed auto start services. In particular, it would always fail on Windows 10 due to the
puppet resource group or puppet resource user could previously fail on non-English editions of Windows when there were users or groups present containing Unicode characters. This commonly occurred on the French localized edition of Windows where the “Guest” account is localized as “Invité”.
PUP-5938: Fixed a minor performance issue when querying for Windows groups present on the host system.
- PUP-3827: In Puppet 4.0 many errors returned by our API were moved to follow best practices with regards to HTTP error codes and a JSON format that follows our documented JSON schema. However one major subsystem of Puppet (the indirector) was not converted to follow this pattern. As of this release, API endpoints that hit this subsystem will return proper HTTP error codes and message bodies that conform to our documented JSON standard. The previous behavior was to return a 400 Server Error for all issues with this subsystem.
Misc bug fixes
PUP-6413: Puppet now correctly connects to Pypi when managing packages with pip.
puppet describe -s ssh_authorized_key produced garbage output because of long lines of text.
puppet agent --verbose used to generate log output to both console and syslog (or eventlog on Windows). When adding the --logdest syslog option, log output was still sent to both the console and syslog (eventlog). Now adding --logdest syslog causes logging to be delivered only to syslog (eventlog) and not to the console.
PUP-5887: This fixes a lexer error that prevented nested string interpolation from being properly interpolated.
PUP-6094: Fixed slight differences between the output of
PUP-6341: Semantic Puppet (support for semver) gem was updated with fixes for problems on Ruby >= 2.3.0.
PUP-1796: Puppet can now manage the root directory on unix-like systems.
PUP-1512: Fixed a problem where the puppet help face-based application could silently fail when trying to display help for each installed application.
undef in a collector previously led to an error. Literal undef can now be used in collector queries.
PUP-6233: Solaris 11.2+ SMF service restarts were returning prior to the service restarting. They will now be synchronous.
PUP-6425: Fixed a regression which modified Puppet to not swallow errors silently, but it caused another regression when a puppet sub-application raises an error.
PUP-5948: The feature in this ticket is part of a larger feature (environment isolation). However, the work on this changes create_resources slightly, in that the created resources are not immediately evaluated. Instead they follow the same rules as if the same resource had been created in the manifest at the point where the call to create_resources is made. This changes the order of evaluation between the created resources and what follows after the call to create_resources, as the created resources are now lazily evaluated just like all other resources. Logic that depends on the order of evaluation between resources created in one call to create_resources and a manifest-created resource created directly thereafter may need to be changed.