Puppet Server: Release Notes
Included in Puppet Enterprise 2016.2.
Puppet Server 2.4
Released May 19, 2016.
This is a feature and bug-fix release of Puppet Server that also upgrades its included Trapperkeeper framework from version 1.3.1 to 1.4.0.
This release also adds packages for Ubuntu 15.10 (Wily Werewolf) and 16.04 LTS (Xenial Xerus), and no longer includes packages for Fedora 21, which reached its end of life in December.
New platforms: Ubuntu 15.10 (Wily Werewolf) and 16.04 LTS (Xenial Xerus)
Puppet Server 2.4.0 introduces Puppet-built packages for Ubuntu 15.10 (Wily Werewolf) and 16.04 LTS (Xenial Xerus). For details about Puppet’s package repositories, see the Puppet Collections documentation.
New feature: X.509-compliant certificate extensions can match authorization rules
When using the new authorization methods introduced in version 2.2.0, Puppet Server relied on matching a requester’s certificate name (certname) when authorizing HTTPS requests via SSL. Starting with version 2.4.0, Server can also match authorization rules to the content of X.509 certificate extensions.
Server 2.4.0 expands the syntax for deny parameters in Server’s auth.conf rules to allow for a map of extensions to match.
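As an added illustration (not part of the original release notes or Puppet's own configuration), the following auth.conf fragment places a certname-matched rule beside a rule that uses an extensions map. The rule names, sort-order values, host name, request paths and the pp_role value are constructed assumptions.

```hocon
# Constructed auth.conf fragment. The rule names, sort-order values, host name
# and the pp_role value "ca_admin" are illustrative assumptions.
authorization: {
    version: 1
    rules: [
        {
            # Certname matching, the form available since 2.2.0:
            # the rule names the requester's certname directly.
            match-request: {
                path: "^/puppet-ca/v1/certificate_statuses/"
                type: regex
                method: get
            }
            allow: "ca-admin.example.com"
            sort-order: 500
            name: "example: list certificates by certname"
        },
        {
            # Extension matching, new in 2.4.0: the requester's certificate
            # must carry the pp_role extension with this value.
            match-request: {
                path: "^/puppet-ca/v1/certificate_status/"
                type: regex
                method: [get, put, delete]
            }
            allow: {
                extensions: {
                    pp_role: "ca_admin"
                }
            }
            sort-order: 500
            name: "example: manage certificates by pp_role"
        }
    ]
}
```

An extension-based rule is only as strong as the CA's signing policy, so check the extensions a certificate request asks for before signing it.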
Server 2.4.0 also reads custom OID shortname maps defined in Puppet’s
New feature: Integrate with systemd services on Debian and Ubuntu
Puppet Server 2.4.0 adds integration with systemd on Debian 8 and newer, and Ubuntu 16.04 LTS.
Improvement: Responses to unauthenticated HTTPS requests include less information
When responding to unauthorized HTTPS requests, previous versions of Puppet Server 2.x returned the requester’s IP address and authorization rule in addition to logging the failed request. Puppet Server 2.4.0 removes this information from the response and directs the responder to consult the server logs for details.
always_retry_plugins setting to configure Puppet feature caching
Puppet Server 2.4.0 respects the new always_retry_plugins setting introduced in Puppet 4.5, which determines how Puppet caches attempts to load Puppet resource types and features. However, Server changes this setting’s value from its default (true) to false, in order to take advantage of additional caching for failures when loading types.
The always_retry_plugins setting also replaces the always_cache_features setting, which is now deprecated. If you set always_cache_features to true in previous versions of Puppet Server, set always_retry_plugins to false.
New feature: Expanded logging for certificate autosigning attempts
Starting with version 2.4.0, Puppet Server logs messages and warnings when an autosign command generates STDERR output or returns a non-zero exit code. Server 2.4.0 also logs autosigning attempts at the INFO level, rather than DEBUG, to help make autosigning issues easier to diagnose without changing Server’s logging level.
Bug fix: Closed memory leak when restarting Server via SIGHUP
The Trapperkeeper components included with Puppet Server 2.3.x leaked a small amount of memory when restarting Server with a HUP signal. Puppet Server 2.4.0 includes updated components that resolve this issue.
Bug fix: Implement DELETE request handling on the certificate_request endpoint
Unlike the Ruby Puppet master, previous versions of Puppet Server couldn’t handle DELETE requests to the certificate_request endpoint, even if authorization rules allowed for them. Server 2.4.0 resolves this by handling authorized DELETE requests in the same way that the Ruby master does.
Bug fixes: Certificate status endpoint behaviors
Puppet Server 2.4.0 resolves these issues with the
- Handle nil values in desired_state more gracefully (SERVER-542): If the desired_state of a PUT request to the certificate_status endpoint was nil, previous versions of Server threw a NullPointerException. Server 2.4.0 resolves this issue.
- Respect asterisks in certificate_statuses requests (SERVER-864): Previous versions of Server wouldn’t return a list of certificates to authenticated certificate_statuses requests if the request included an asterisk (*). Server 2.4.0 resolves this issue.
- Remove hyphens in puppet-server: We’ve changed the name of our GitHub repository from puppet-server to puppetserver and removed the hyphen from many other references.
- Log Ruby backtraces (SERVER-1273): Previous versions of Server didn’t log Ruby backtraces. Server 2.4.0 does, just like a Ruby Puppet master.
- Don’t override the service startup timeout (SERVER-557): Previous versions of Server 2.x overrode the default 5-minute service startup timeout with a value of 120 seconds. Server 2.4.0 removes this override.
- Extend the default ca_ttl (SERVER-615): Server 2.4.0 enforces a maximum time-to-live of 50 years (1,576,800,000 seconds) on