Puppet Server: Release Notes
Included in Puppet Enterprise 3.7. A newer version is available; see the version menu above for details.
Puppet Server 1.0.8
In addition to several bug fixes, this release adds new HTTP client timeout settings, a special logfile to capture only HTTP traffic, and a JRuby tuning guide to help you get the best performance from Puppet Server.
#### Added new http-client timeout settings
We’ve exposed two new HTTP client timeout settings, including `connect-timeout-milliseconds`. These new settings can be configured in the http-client section of the puppetserver.conf file.
- SERVER-449 - Expose http-client timeouts from Puppet Server http_connect_timeout and http_read_timeout.
#### Enabled HTTP traffic logs
This version of Puppet Server has a special-purpose logfile to capture only the HTTP traffic. This should work out of the box, but you can configure the location and the format of the logfile.
#### Added new JRuby default borrow timeout setting
Previously, the JRuby pool borrow timeout was indefinite and wasn’t configurable. As of SERVER 1.0.8, there is a new `borrow-timeout` setting in the http-client section of the puppetserver.conf file. If you don’t specify a value for that setting, Puppet Server will use 20 minutes as a default. This allows enough time for realistic expensive catalog compilations while avoiding indefinite hanging.
- SERVER-408 - Expose configurable `borrow-timeout` to allow JRuby pool borrows to timeout
#### Added Puppet Server JRuby tuning guide
We’ve added a new Tuning Guide to help you improve your Puppet Server performance by tuning your number of JRubies and your JVM heap size.
- SERVER-379 - Tuning guide for JRubies, Heap size, etc.
#### Fixed an issue where Puppet Server couldn’t start after reboot
Previously, Puppet Server failed to start after a reboot on some systems (notably RHEL 7 and Ubuntu 14.4). This was because the `/var/run/` directory, needed by Puppet Server, was being destroyed on reboot. This issue has been fixed.
- SERVER-404 - Properly create /var/run/puppetserver dir in FOSS packaging
#### Startup scripts now use ‘runuser’
We’ve added ‘runuser’ to the startup scripts to allow Puppet Server command line utilities to run on systems with restricted login capability. The scripts will first try to use ‘runuser’, then ‘sudo’, then ‘su’.
- SERVER-344 - Startup scripts should use ‘runuser’ not ‘su’.
#### puppetserver foreground now produces output
Previously, the `puppetserver foreground` subcommand produced no output. It should now provide its usual output again.
- SERVER-356 - puppetserver foreground produces no output
#### CA handling fixed
Previously, Puppet Server was mishandling some CAs. Specifically, if you brought up a Puppet CA on a master where you wanted to use an external Puppet CA, but you hadn’t already configured the disabled CA service in the `bootstrap.cfg` file, the local CA superseded the certificate from the external CA. This issue has now been fixed.
- SERVER-345 - Fixup usages of cacert / localcacert in master
#### Default maximum JRuby instances capped at 4
The default maximum number of JRuby instances has been capped at 4. This is a safer maximum for use with the default 2GB JVM memory.
- SERVER-448 - Change default max-active-instances to not exceed 4 JRubies
Puppet Server 1.0.3 – 1.0.7
Puppet Server versions 1.0.3 – 1.0.7 were never released.
However, Puppet Enterprise 3.7.2 included a version of Puppet Server that was labeled as version 1.0.6. The only change from Puppet Server 1.0.2 was that the fix for SERVER-262 was reverted in SERVER-522. This change is also included in the release of Puppet Server 1.0.8.
Puppet Server 1.0.2
The 1.0.2 release of Puppet Server includes several bug fixes. It also improves logging functionality by allowing Logback changes to take effect without a restart.
Filebucket files treated as binary data
Puppet Server now treats filebucket files as binary data. This prevents possible data alteration resulting from Puppet Server inappropriately treating all filebucket files as text data.
- SERVER-269: Puppet Server aggressively coerces request data to UTF-8
puppetserver gem env command now works
This release fixes functionality of the `puppetserver gem env` command. Previously, this command was throwing an error because the entire system environment was being cleared.
- `puppetserver gem env` does not work, useful for troubleshooting
Startup time extended for systemd
In 1.0.0, we extended the allowed startup time from 60 to 120 seconds, but we missed the systemd configuration. Now both the init script and systemd configs have the same timeout.
- SERVER-166: Set START_TIMEOUT to 120 seconds for sysv init scripts and systemd.
Puppet Server now picks up changes to logging levels at runtime, rather than requiring a system restart to detect Logback changes.
- SERVER-275: Fixed an issue where logback levels weren’t changed unless you restarted Puppet Server.
Puppet Server 1.0.1 (Skipped)
This version number was not released.
Puppet Server 1.0.0
This release is the official “one point oh” version of Puppet Server. In accordance with the Semantic Versioning specification, we’re declaring the existing public API of this version to be the baseline for backwards-incompatible changes, which will trigger another major version number. (No backwards-incompatible changes were introduced between 0.4.0 and this version.)
In addition, this release adds HTTP endpoints to refresh data and CLI tools for working with the JRuby runtime.
Puppet Server 1.x works with Puppet 3.7.3 and all subsequent Puppet 3.x versions. (When Puppet 4 is released, we’ll release a new Puppet Server version to support it.)
New Feature: Admin API for Refreshing Environments
This release adds two new HTTP endpoints to speed up deployment of Puppet code changes. Previously, such changes might require a restart of the entire Puppet Server instance, which can be rather slow. These new endpoints allow you to refresh the environment without restarting it.
If you need this feature, you should probably use the `environment-cache` endpoint, since it’s faster than the `jruby-pool` endpoint. To use it, you’ll need to get a valid certificate from Puppet’s CA, add that certificate’s name to the `puppet-admin -> client-whitelist` setting in `puppetserver.conf`, and use that certificate to do an HTTP DELETE request at the `environment-cache` endpoint. For more details, see the API docs for
- SERVER-150: Add functionality to JRuby service to trash instance.
- SERVER-151: Add an HTTP endpoint to call flush jruby pool function.
- SERVER-112: Create environment cache entry factory implementation that allows flushing all environments.
- SERVER-114: Add
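The refresh procedure described above, as an added shell example that is not part of the original release notes or the Puppet Server project. The port (8140), the `/puppet-admin-api/v1/environment-cache` path, the `DRY_RUN` switch, and all host names and file paths are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example: flush the environment cache through the admin API.
# puppetserver.conf must already list the client certificate's name, e.g.:
#   puppet-admin: {
#       client-whitelist: ["deploy.example.com"]   # constructed name
#   }

# Print the URL of the environment-cache endpoint (assumed path and port).
env_cache_url() {
    printf 'https://%s:%s/puppet-admin-api/v1/environment-cache\n' "$1" "${2:-8140}"
}

# Send the DELETE using the whitelisted client certificate.
# Returns 0 on success, 2 on a usage or file error, 1 if the request failed.
# Set DRY_RUN=1 to print the curl command instead of running it.
flush_environment_cache() {
    if [ $# -ne 4 ]; then
        echo "usage: flush_environment_cache SERVER CERT KEY CACERT" >&2
        return 2
    fi
    server=$1 cert=$2 key=$3 cacert=$4
    for f in "$cert" "$key" "$cacert"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    # --cacert makes curl verify the master against the Puppet CA;
    # do not replace it with -k, which would skip server verification.
    set -- curl --silent --show-error --fail --request DELETE \
        --cert "$cert" --key "$key" --cacert "$cacert" \
        "$(env_cache_url "$server")"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
        return 0
    fi
    "$@" || {
        echo "flush failed; check that the cert name is in client-whitelist" >&2
        return 1
    }
}
```

Keep the `client-whitelist` entry limited to the certificate names that actually deploy code, since every listed name can call the admin endpoints.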
puppetserver ruby and puppetserver irb Commands
This release adds two new CLI commands: `puppetserver ruby` and `puppetserver irb`. These work like the normal `irb` commands, except they use Puppet Server’s JRuby environment instead of your operating system’s version of Ruby. This makes it easier to develop and test Ruby code for use with Puppet Server.
puppetserver foreground Command
The `puppetserver foreground` command will start an instance of Puppet Server in the foreground, which will log directly to the console with higher-than-normal detail.
This behavior is similar to the traditional `puppet master --verbose --no-daemonize` command, and it’s useful for developing extensions, tracking down problems, and other tasks that are a little outside the day-to-day work of running Puppet.
- SERVER-141: Add
General Bug Fixes
The `service puppetserver start` and `restart` commands will now block until Puppet Server is actually started and ready to work. (Previously, the init script would return with success before Puppet Server was actually online.) This release also fixes bugs that could cause startup to hang or to time out prematurely, and a subtle settings bug.
- `wait_for_app` functions occasionally fails to read pidfile on debian and hangs indefinitely.
- SERVER-166: Set `START_TIMEOUT` to 120 seconds for sysv init scripts and systemd.
- SERVER-221: Run mode not initialized properly
This release improves performance of the certificate status check. Previously, the CRL file was converted to an object once per CSR and signed certificate; as of this release, the object will be reused across checks instead of created for every check.
- SERVER-137: Compose X509CRL once and reuse for get-certificate-statuses.
For a list of all changes in this release, see the following Jira pages:
Puppet Server 0.4.0
This release contains improvements based on feedback from the community and Puppet Labs QA testing. It has usability and correctness improvements, mainly around SSL and our interaction with systemd. Notable changes:
- (SERVER-89) The Puppet Server CA now creates a ‘puppet’ Subject Alternate Name for master certificates for closer compatibility with the Ruby CA.
- (SERVER-86) The CA no longer uses the ‘ca_pub.pem’ (which isn’t guaranteed to exist) when signing or revoking; instead it extracts the key from the certificate directly (which IS guaranteed to be there).
- (SERVER-70, SERVER-8, SERVER-84) Improvements around packaging will make the Puppet Server behave better under OSes which use systemd and will now preserve local changes to the /etc/sysconfig/puppetserver config on upgrade.
For a full list of bugs fixed in this release, check out the JIRA release page: https://tickets.puppetlabs.com/browse/SERVER/fixforversion/12014
Puppet Server 0.3.0
This is the first feature update since the initial Puppet Server release. Notable user-facing improvements are:
- (SERVER-18, SERVER-39) Puppet Server now supports externally-terminated SSL in the same way as external termination on Apache+Passenger does.
- (SERVER-4) Improve error messages and user feedback when starting on systems with low memory. (We recommend at least 2GB RAM)
- (SERVER-43) Add support for HTTP “basic” authentication; this was preventing the ‘http’ report processor used by Dashboard from working.
For a full list of bugs fixed in the release, check out this JIRA page: https://tickets.puppetlabs.com/browse/SERVER/fixforversion/11955
Puppet Server 0.2.2
- (SERVER-13) Fix for file descriptor leak during report processing
- (SERVER-7) Add licensing and copyright info
- HTTP client connections from the master use the `localcacert` puppet.conf setting to find the CA certs to use for validating a server. Previously, the `cacert` puppet.conf setting was used to find the CA certs used to validate the server.
Puppet Server 0.2.1
- (SERVER-9) Privileged data is accessible to non-privileged local users [CVE-2014-7170]
Puppet Server 0.2.0
Initial Open Source Release