puppet 6.16.0 → 7.0.0

data/lib/puppet/application/ssl.rb

@@ -248,7 +248,7 @@ END
     paths = {
       'private key' => Puppet[:hostprivkey],
       'public key'  => Puppet[:hostpubkey],
-      'certificate request' => File.join(Puppet[:requestdir], "#{Puppet[:certname]}.pem"),
+      'certificate request' => Puppet[:hostcsr],
       'certificate' => Puppet[:hostcert],
       'private key password file' => Puppet[:passfile]
     }

data/lib/puppet/configurer.rb

@@ -53,6 +53,7 @@ class Puppet::Configurer
   def initialize(transaction_uuid = nil, job_id = nil)
     @running = false
     @splayed = false
+    @running_failure = false
     @cached_catalog_status = 'not_used'
     @environment = Puppet[:environment]
     @transaction_uuid = transaction_uuid || SecureRandom.uuid
@@ -65,9 +66,16 @@ class Puppet::Configurer
   # Get the remote catalog, yo.  Returns nil if no catalog can be found.
   def retrieve_catalog(facts, query_options)
     query_options ||= {}
-    result = retrieve_catalog_from_cache(query_options) if Puppet[:use_cached_catalog]
+    if Puppet[:use_cached_catalog] || @running_failure
+      result = retrieve_catalog_from_cache(query_options)
+    end
+
     if result
-      @cached_catalog_status = 'explicitly_requested'
+      if Puppet[:use_cached_catalog]
+        @cached_catalog_status = 'explicitly_requested'
+      elsif @running_failure
+        @cached_catalog_status = 'on_failure'
+      end
 
       Puppet.info _("Using cached catalog from environment '%{environment}'") % { environment: result.environment }
     else
@@ -194,7 +202,6 @@ class Puppet::Configurer
   # This just passes any options on to the catalog,
   # which accepts :tags and :ignoreschedules.
   def run(options = {})
-    pool = Puppet.runtime[:http].pool
     # We create the report pre-populated with default settings for
     # environment and transaction_uuid very early, this is to ensure
     # they are sent regardless of any catalog compilation failures or
@@ -207,28 +214,40 @@ class Puppet::Configurer
 
     completed = nil
     begin
-      Puppet.override(:http_pool => pool) do
-        # Skip failover logic if the server_list setting is empty
-        do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
-
-        # When we are passed a catalog, that means we're in apply
-        # mode. We shouldn't try to do any failover in that case.
-        if options[:catalog].nil? && do_failover
-          server, port = find_functional_server
-          if server.nil?
-            raise Puppet::Error, _("Could not select a functional puppet master from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
+      # Skip failover logic if the server_list setting is empty
+      do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
+
+      # When we are passed a catalog, that means we're in apply
+      # mode. We shouldn't try to do any failover in that case.
+      if options[:catalog].nil? && do_failover
+        server, port = find_functional_server
+        if server.nil?
+          detail = _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
+          if Puppet[:usecacheonfailure]
+            options[:pluginsync] = false
+            @running_failure = true
+
+            server = Puppet[:server_list].first[0]
+            port = Puppet[:server_list].first[1] || Puppet[:serverport]
+
+            Puppet.err(detail)
           else
-            report.master_used = "#{server}:#{port}"
-          end
-          Puppet.override(server: server, serverport: port) do
-            completed = run_internal(options)
+            raise Puppet::Error, detail
           end
         else
+          #TRANSLATORS 'server_list' is the name of a setting and should not be translated
+          Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
+          report.server_used = "#{server}:#{port}"
+        end
+        Puppet.override(server: server, serverport: port) do
           completed = run_internal(options)
         end
+      else
+        completed = run_internal(options)
       end
     ensure
-      pool.close
+      # we may sleep for awhile, close connections now
+      Puppet.runtime[:http].close
     end
 
     completed ? report.exit_status : nil
@@ -303,6 +322,15 @@ class Puppet::Configurer
               report.environment = @environment
               query_options = nil
               facts = nil
+
+              new_env = Puppet::Node::Environment.remote(@environment)
+              Puppet.push_context(
+                {
+                  current_environment: new_env,
+                  loaders: Puppet::Pops::Loaders.new(new_env, true)
+                },
+                "Local node environment #{@environment} for configurer transaction"
+              )
             else
               Puppet.info _("Using configured environment '%{env}'") % { env: @environment }
             end
@@ -313,19 +341,18 @@ class Puppet::Configurer
         end
       end
 
-      current_environment = Puppet.lookup(:current_environment)
-      if current_environment.name == @environment.intern
-        local_node_environment = current_environment
-      else
-        local_node_environment = Puppet::Node::Environment.create(@environment,
-                                         current_environment.modulepath,
-                                         current_environment.manifest,
-                                         current_environment.config_version)
+      # This is to maintain compatibility with anyone using this class
+      # aside from agent, apply, device.
+      unless Puppet.lookup(:loaders) { nil }
+        new_env = Puppet::Node::Environment.remote(@environment)
+        Puppet.push_context(
+          {
+            current_environment: new_env,
+            loaders: Puppet::Pops::Loaders.new(new_env, true)
+          },
+          "Local node environment #{@environment} for configurer transaction"
+        )
       end
-      Puppet.push_context({
-        :current_environment => local_node_environment, 
-        :loaders => Puppet::Pops::Loaders.new(local_node_environment, true)
-      }, "Local node environment for configurer transaction")
 
       query_options, facts = get_facts(options) unless query_options
       query_options[:configured_environment] = configured_environment
@@ -530,6 +557,14 @@ class Puppet::Configurer
   end
 
   def download_plugins(remote_environment_for_plugins)
-    @handler.download_plugins(remote_environment_for_plugins)
+    begin
+      @handler.download_plugins(remote_environment_for_plugins)
+    rescue Puppet::Error => detail
+      if !Puppet[:ignore_plugin_errors] && Puppet[:usecacheonfailure]
+        @running_failure = true
+      else
+        raise detail
+      end
+    end
   end
 end

data/lib/puppet/configurer/downloader.rb

@@ -11,32 +11,53 @@ class Puppet::Configurer::Downloader
     files = []
     begin
       catalog.apply do |trans|
+        unless Puppet[:ignore_plugin_errors]
+          # Propagate the first failure associated with the transaction. The any_failed?
+          # method returns the first resource status that failed or nil, not a boolean.
+          first_failure = trans.any_failed?
+          if first_failure
+            event = (first_failure.events || []).first
+            detail = event ? event.message : 'unknown'
+            raise Puppet::Error.new(_("Failed to retrieve %{name}: %{detail}") % { name: name, detail: detail })
+          end
+        end
+
         trans.changed?.each do |resource|
           yield resource if block_given?
           files << resource[:path]
         end
       end
     rescue Puppet::Error => detail
-      Puppet.log_exception(detail, _("Could not retrieve %{name}: %{detail}") % { name: name, detail: detail })
+      if Puppet[:ignore_plugin_errors]
+        Puppet.log_exception(detail, _("Could not retrieve %{name}: %{detail}") % { name: name, detail: detail })
+      else
+        raise detail
+      end
     end
     files
   end
 
   def initialize(name, path, source, ignore = nil, environment = nil, source_permissions = :ignore)
     @name, @path, @source, @ignore, @environment, @source_permissions = name, path, source, ignore, environment, source_permissions
-  end
 
-  def catalog
-    catalog = Puppet::Resource::Catalog.new("PluginSync", @environment)
-    catalog.host_config = false
-    catalog.add_resource(file)
-    catalog
   end
 
   def file
-    args = default_arguments.merge(:path => path, :source => source)
-    args[:ignore] = ignore.split if ignore
-    Puppet::Type.type(:file).new(args)
+    unless @file
+      args = default_arguments.merge(:path => path, :source => source)
+      args[:ignore] = ignore.split if ignore
+      @file = Puppet::Type.type(:file).new(args)
+    end
+    @file
+  end
+
+  def catalog
+    unless @catalog
+      @catalog = Puppet::Resource::Catalog.new("PluginSync", @environment)
+      @catalog.host_config = false
+      @catalog.add_resource(file)
+    end
+    @catalog
   end
 
   private

data/lib/puppet/configurer/plugin_handler.rb

@@ -29,25 +29,27 @@ class Puppet::Configurer::PluginHandler
     result += plugin_fact_downloader.evaluate
     result += plugin_downloader.evaluate
 
-    # until file metadata/content are using the rest client, we need to check
-    # both :server_agent_version and the session to see if the server supports
-    # the "locales" mount
-    server_agent_version = Puppet.lookup(:server_agent_version) { "0.0" }
-    locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
-    unless locales
-      session = Puppet.lookup(:http_session)
-      locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
-    end
-
-    if locales
-      locales_downloader = Puppet::Configurer::Downloader.new(
-        "locales",
-        Puppet[:localedest],
-        Puppet[:localesource],
-        Puppet[:pluginsignore] + " *.pot config.yaml",
-        environment
-      )
-      result += locales_downloader.evaluate
+    unless Puppet[:disable_i18n]
+      # until file metadata/content are using the rest client, we need to check
+      # both :server_agent_version and the session to see if the server supports
+      # the "locales" mount
+      server_agent_version = Puppet.lookup(:server_agent_version) { "0.0" }
+      locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
+      unless locales
+        session = Puppet.lookup(:http_session)
+        locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
+      end
+
+      if locales
+        locales_downloader = Puppet::Configurer::Downloader.new(
+          "locales",
+          Puppet[:localedest],
+          Puppet[:localesource],
+          Puppet[:pluginsignore] + " *.pot config.yaml",
+          environment
+        )
+        result += locales_downloader.evaluate
+      end
     end
 
     Puppet::Util::Autoload.reload_changed(Puppet.lookup(:current_environment))

data/lib/puppet/confine.rb

@@ -26,7 +26,7 @@ class Puppet::Confine
         require "puppet/confine/#{name}"
       rescue LoadError => detail
         unless detail.to_s =~ /No such file|cannot load such file/i
-          warn "Could not load confine test '#{name}': #{detail}"
+          Puppet.warning("Could not load confine test '#{name}': #{detail}")
         end
         # Could not find file
         if !Puppet[:always_retry_plugins]
@@ -67,7 +67,7 @@ class Puppet::Confine
   def valid?
     values.each do |value|
       unless pass?(value)
-        Puppet.debug(label + ": " + message(value))
+        Puppet.debug { label + ": " + message(value) }
         return false
       end
     end

data/lib/puppet/confine/any.rb

@@ -19,7 +19,7 @@ class Puppet::Confine::Any < Puppet::Confine
     if @values.any? { |value| pass?(value) }
       true
     else
-      Puppet.debug("#{label}: #{message(@values)}")
+      Puppet.debug { "#{label}: #{message(@values)}" }
       false
     end
   end

data/lib/puppet/defaults.rb

@@ -11,25 +11,60 @@ module Puppet
   end
 
   def self.default_digest_algorithm
-    Puppet::Util::Platform.fips_enabled? ? 'sha256' : 'md5'
+    'sha256'
   end
 
   def self.valid_digest_algorithms
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.default_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.valid_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime] :
-      %w[md5 md5lite sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime]
+      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite md5 md5lite mtime ctime]
+  end
+
+  def self.log_ca_migration_warning
+    urge_to_migrate = <<-UTM
+The cadir is currently configured to be inside the #{Puppet[:ssldir]} directory. This config
+setting and the directory location will not be used in a future version of puppet. Please run the
+puppetserver ca tool to migrate out from the puppet confdir to the /etc/puppetlabs/puppetserver/ca
+directory. Use `puppetserver ca migrate --help` for more info.
+UTM
+    Puppet.warn_once('deprecations',
+                     'CA migration message',
+                     urge_to_migrate,
+                     :default,
+                     :default)
+  end
+
+  def self.default_cadir
+    return "" if Puppet::Util::Platform.windows?
+    old_ca_dir = "#{Puppet[:ssldir]}/ca"
+    new_ca_dir = "/etc/puppetlabs/puppetserver/ca"
+
+    if File.exist?(old_ca_dir)
+      if File.symlink?(old_ca_dir)
+        target = File.readlink(old_ca_dir)
+        if target.start_with?(Puppet[:ssldir])
+          Puppet.log_ca_migration_warning
+        end
+        target
+      else
+        Puppet.log_ca_migration_warning
+        old_ca_dir
+      end
+    else
+      new_ca_dir
+    end
   end
 
   def self.default_basemodulepath
@@ -70,28 +105,6 @@ module Puppet
   # @return void
   def self.initialize_default_settings!(settings)
     settings.define_settings(:main,
-      :facterng => {
-        :default => false,
-        :type    => :boolean,
-        :desc    => 'Whether to enable a pre-Facter 4.0 release of Facter (distributed as
-          the "facter-ng" gem). This is not necessary if Facter 3.x or later is installed.
-          This setting is still experimental.',
-        :hook    => proc do |value|
-          if value
-            begin
-              original_facter = Object.const_get(:Facter)
-              Object.send(:remove_const, :Facter)
-
-              require 'facter-ng'
-              # It is required to re-setup logger for facter-ng
-              Puppet::Util::Logging.setup_facter_logging!
-            rescue LoadError
-              Object.const_set(:Facter, original_facter)
-              raise ArgumentError, 'facter-ng could not be loaded'
-            end
-          end
-        end
-    },
     :confdir  => {
         :default  => nil,
         :type     => :directory,
@@ -218,7 +231,7 @@ module Puppet
       end
     },
     :disable_i18n => {
-      :default => false,
+      :default => true,
       :type    => :boolean,
       :desc    => "If true, turns off all translations of Puppet and module
         log messages, which affects error, warning, and info log messages,
@@ -263,13 +276,6 @@ module Puppet
         :type     => :boolean,
         :desc     => "Whether to enable experimental performance profiling",
     },
-    :future_features => {
-      :default => false,
-      :type => :boolean,
-      :desc => "Whether or not to enable all features currently being developed for future
-        major releases of Puppet. Should be used with caution, as in development
-        features are experimental and can have unexpected effects."
-    },
     :versioned_environment_dirs => {
       :default => false,
       :type => :boolean,
@@ -284,6 +290,11 @@ module Puppet
         which occurs only on a Puppet Server master when the `code-id-command` and
         `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
+    :settings_catalog => {
+      :default    => true,
+      :type       => :boolean,
+      :desc       => "Whether to compile and apply the settings catalog",
+    },
     :strict_environment_mode => {
       :default    => false,
       :type       => :boolean,
@@ -347,8 +358,7 @@ module Puppet
       :default => "ansi",
       :type    => :string,
       :desc    => "Whether to use colors when logging to the console.  Valid values are
-        `ansi` (equivalent to `true`), `html`, and `false`, which produces no color.
-        Defaults to false on Windows, as its console does not support ansi colors.",
+        `ansi` (equivalent to `true`), `html`, and `false`, which produces no color."
     },
     :mkusers => {
         :default  => false,
@@ -375,7 +385,7 @@ module Puppet
           from the parent process.
 
           This setting can only be set in the `[main]` section of puppet.conf; it cannot
-          be set in `[master]`, `[agent]`, or an environment config section.",
+          be set in `[server]`, `[agent]`, or an environment config section.",
         :call_hook => :on_define_and_write,
         :hook             => proc do |value|
           Puppet::Util.set_env('PATH', '') if Puppet::Util.get_env('PATH').nil?
@@ -563,7 +573,7 @@ module Puppet
         config = File.expand_path(File.join(settings[:confdir], 'hiera.yaml')) if config.nil?
         config
       end,
-      :desc    => "The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet master every time you edit it.",
+      :desc    => "The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet server every time you edit it.",
       :type    => :file,
     },
     :binder_config => {
@@ -590,13 +600,22 @@ module Puppet
     },
     :trusted_external_command => {
       :default  => nil,
-      :desc     => "The external trusted facts script to use.
+      :type     => :file_or_directory,
+      :desc     => "The external trusted facts script or directory to use.
         This setting's value can be set to the path to an executable command that
-        can produce external trusted facts. The command must:
+        can produce external trusted facts or to a directory containing those
+        executable commands. The command(s) must:
 
         * Take the name of a node as a command-line argument.
         * Return a JSON hash with the external trusted facts for this node.
-        * For unknown or invalid nodes, exit with a non-zero exit code.",
+        * For unknown or invalid nodes, exit with a non-zero exit code.
+
+        If the setting points to an executable command, then the external trusted
+        facts will be stored in the 'external' key of the trusted facts hash. Otherwise
+        for each executable file in the directory, the external trusted facts will be
+        stored in the `<basename>` key of the `trusted['external']` hash. For example,
+        if the files foo.rb and bar.sh are in the directory, then `trusted['external']`
+        will be the hash `{ 'foo' => <foo.rb output>, 'bar' => <bar.sh output> }`.",
     },
     :default_file_terminus => {
       :type       => :terminus,
@@ -624,7 +643,7 @@ module Puppet
     :http_proxy_password =>{
       :default    => "none",
       :hook       => proc do |value|
-        if settings[:http_proxy_password] =~ /[@!# \/]/
+        if value =~ /[@!# \/]/
           raise "Passwords set in the http_proxy_password setting must be valid as part of a URL, and any reserved characters must be URL-encoded. We received: #{value}"
         end
       end,
@@ -692,39 +711,33 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
     :environment_timeout => {
       :default    => "0",
       :type       => :ttl,
-      :desc       => "How long the Puppet master should cache data it loads from an
+      :desc       => "How long the Puppet server should cache data it loads from an
       environment.
 
       A value of `0` will disable caching. This setting can also be set to
-      `unlimited`, which will cache environments until the master is restarted
-      or told to refresh the cache.
+      `unlimited`, which will cache environments until the server is restarted
+      or told to refresh the cache. All other values will result in Puppet
+      server evicting environments that haven't been used within the last
+      `environment_timeout` seconds.
 
       You should change this setting once your Puppet deployment is doing
       non-trivial work. We chose the default value of `0` because it lets new
       users update their code without any extra steps, but it lowers the
-      performance of your Puppet master.
+      performance of your Puppet server. We recommend either:
 
-      We recommend setting this to `unlimited` and explicitly refreshing your
-      Puppet master as part of your code deployment process.
+      * Setting this to `unlimited` and explicitly refreshing your Puppet server
+        as part of your code deployment process.
 
-      * With Puppet Server, you should refresh environments by calling the
-        `environment-cache` API endpoint. See the docs for the Puppet Server
-        [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
+      * Setting this to a number that will keep your most actively used
+        environments cached, but allow testing environments to fall out of the
+        cache and reduce memory usage. A value of 3 minutes (3m) is a reasonable
+        value.
 
-      Any value other than `0` or `unlimited` is deprecated, since most Puppet
-      servers use a pool of Ruby interpreters which all have their own cache
-      timers. When these timers drift out of sync, agents can be served
-      inconsistent catalogs.",
-      :hook => proc do |val|
-        unless [0, 'unlimited', Float::INFINITY].include?(val)
-          Puppet.deprecation_warning(<<-WARNING)
-Fine grained control of environment timeouts is deprecated,
-please use `0` or `unlimited` to control default caching behavior
-and the environment-cache endpoint in Puppet Server's administrative
-API to expire the cache as needed
-          WARNING
-        end
-      end
+      Once you set `environment_timeout` to a non-zero value, you need to tell
+      Puppet server to read new code from disk using the `environment-cache` API
+      endpoint after you deploy new code. See the docs for the Puppet Server
+      [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
+      "
     },
     :environment_data_provider => {
       :desc       => "The name of a registered environment data provider used when obtaining environment
@@ -799,7 +812,7 @@ API to expire the cache as needed
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
-        [auth.conf](https://puppet.com/docs/puppet/latest/config_file_auth.html).
+        Puppet Server's [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).
         In most cases, it is also used as the node's name when matching
         [node definitions](https://puppet.com/docs/puppet/latest/lang_node_definitions.html)
         and requesting data from an ENC. (This can be changed with the `node_name_value`
@@ -816,8 +829,13 @@ API to expire the cache as needed
         * The special value `ca` is reserved, and can't be used as the certname
           for a normal node.
 
+          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
+
         Defaults to the node's fully qualified domain name.",
-      :hook => proc { |value| raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase }},
+      :call_hook => :on_initialize_and_write,
+      :hook => proc { |value|
+        raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase
+      }},
     :dns_alt_names => {
       :default => '',
       :desc    => <<EOT,
@@ -944,13 +962,13 @@ EOT
         Generally unused."
     },
     :hostcsr => {
-      :default => "$ssldir/csr_$certname.pem",
+      :default => "$requestdir/$certname.pem",
       :type   => :file,
       :mode => "0644",
       :owner => "service",
       :group => "service",
-      :deprecated  => :completely,
-      :desc => "This setting is deprecated."
+      :desc => "Where individual hosts store their certificate request (CSR)
+         while waiting for the CA to issue their certificate."
     },
     :hostcert => {
       :default => "$certdir/$certname.pem",
@@ -992,28 +1010,14 @@ EOT
         and reject the CA certificate if the values do not match. This only applies
         during the first download of the CA certificate."
     },
-    :ssl_client_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be
-        considered authentic unless they possess a certificate issued by an authority
-        listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used.",
-      :hook => proc do |val|
-        Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
-      end
-    },
-    :ssl_server_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :deprecated  => :completely,
-      :desc => "The setting is deprecated and has no effect. Ensure all root and
-        intermediate certificate authorities used to issue client certificates are
-        contained in the server's `cacert` file on the server."
+    :ssl_trust_store => {
+      :default => nil,
+      :type => :file,
+      :desc => "A file containing CA certificates in PEM format that puppet should trust
+        when making HTTPS requests. This **only** applies to https requests to non-puppet
+        infrastructure, such as retrieving file metadata and content from https file sources,
+        puppet module tool and the 'http' report processor. This setting is ignored when
+        making requests to puppet:// URLs such as catalog and report requests.",
     },
     :hostcrl => {
       :default => "$ssldir/crl.pem",
@@ -1105,9 +1109,16 @@ EOT
       :desc    => "The name to use the Certificate Authority certificate.",
     },
     :cadir => {
-      :default => "$ssldir/ca",
+      :default => lambda { default_cadir },
       :type => :directory,
       :desc => "The root directory for the certificate authority.",
+      :call_hook => :on_initialize_and_write,
+      :hook => proc do |value|
+        if value.start_with?(Puppet[:ssldir])
+          Puppet.log_ca_migration_warning
+        end
+        value
+      end
     },
     :cacert => {
       :default => "$cadir/ca_crt.pem",
@@ -1284,7 +1295,7 @@ EOT
     }
   )
 
-  settings.define_settings(:master,
+  settings.define_settings(:server,
     :user => {
       :default    => "puppet",
       :desc       => "The user Puppet Server will run as. Used to ensure
@@ -1334,30 +1345,25 @@ EOT
       by `puppet`, and should only be set if you're writing your own Puppet
       executable.",
     },
-    :masterport => {
+    :serverport => {
       :default    => 8140,
+      :type       => :port,
       :desc       => "The default port puppet subcommands use to communicate
       with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
       overridden by more specific settings (see `ca_port`, `report_port`).",
+      :hook       => proc do |value|
+        Puppet[:masterport] = value unless Puppet.settings.set_by_config?(:masterport)
+      end
     },
-    :node_name => {
-      :default    => 'cert',
-      :type       => :enum,
-      :values     => ['cert', 'facter'],
-      :deprecated => :completely,
-      :hook       => proc { |val|
-        if val != 'cert'
-          Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
-        end
-      },
-      :desc       => "How the puppet master determines the client's identity
-      and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
-      in particular for determining which 'node' statement applies to the client.
-      Possible values are 'cert' (use the subject's CN in the client's
-      certificate) and 'facter' (use the hostname that the client
-      reported in its facts).
-
-      This setting is deprecated, please use explicit fact matching for classification.",
+    :masterport => {
+      :default    => "$serverport",
+      :type       => :port,
+      :desc       => "The default port puppet subcommands use to communicate
+      with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
+      overridden by more specific settings (see `ca_port`, `report_port`).",
+      :hook => proc do |value|
+        Puppet[:serverport] = value unless Puppet.settings.set_by_config?(:serverport)
+      end
     },
     :bucketdir => {
       :default => "$vardir/bucket",
@@ -1367,15 +1373,6 @@ EOT
       :group => "service",
       :desc => "Where FileBucket files are stored."
     },
-    :rest_authconfig => {
-      :default    => "$confdir/auth.conf",
-      :type       => :file,
-      :deprecated  => :completely,
-      :desc       => "The configuration file that defines the rights to the different
-      rest indirections.  This can be used as a fine-grained authorization system for
-      `puppet master`.  The `puppet master` command is deprecated and Puppet Server
-      uses its own auth.conf that must be placed within its configuration directory.",
-    },
     :trusted_oid_mapping_file => {
       :default    => "$confdir/custom_trusted_oid_mapping.yaml",
       :type       => :file,
@@ -1478,23 +1475,7 @@ EOT
       :default    => "$confdir/fileserver.conf",
       :type       => :file,
       :desc       => "Where the fileserver configuration is stored.",
-    },
-    :strict_hostname_checking => {
-      :default    => true,
-      :type       => :boolean,
-      :desc       => "Whether to only search for the complete
-        hostname as it is in the certificate when searching for node information
-        in the catalogs or to match dot delimited segments of the cert's certname
-        and the hostname, fqdn, and/or domain facts.
-
-        This setting is deprecated and will be removed in a future release.",
-      :hook => proc { |val|
-        if val != true
-          Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
-        end
-      }
-    }
-  )
+    })
 
   settings.define_settings(:device,
     :devicedir =>  {
@@ -1516,17 +1497,15 @@ EOT
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
         makes to the master. WARNING: This setting is mutually exclusive with
-        node_name_fact.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_value for more information."
+        node_name_fact.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html)."
     },
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
         makes to the master. WARNING: This setting is mutually exclusive with
-        node_name_value.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_fact for more information.",
+        node_name_value.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).",
       :hook => proc do |value|
         if !value.empty? and Puppet[:node_name_value] != Puppet[:certname]
           raise "Cannot specify both the node_name_value and node_name_fact settings"
@@ -1536,7 +1515,7 @@ EOT
     :statefile => {
       :default => "$statedir/state.yaml",
       :type => :file,
-      :mode => "0660",
+      :mode => "0640",
       :desc => "Where puppet agent and puppet master store state associated
         with the running configuration.  In the case of puppet master,
         this file reflects the state discovered through interacting
@@ -1558,7 +1537,7 @@ EOT
     :transactionstorefile => {
       :default => "$statedir/transactionstore.yaml",
       :type => :file,
-      :mode => "0660",
+      :mode => "0640",
       :desc => "Transactional storage file for persisting data between
         transactions for the purposes of infering information (such as
         corrective_change) on new data received."
@@ -1624,8 +1603,8 @@ EOT
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of puppet master servers to which the puppet agent should connect,
-        in the order that they will be tried.",
+      :desc => "The list of Puppet master servers to which the Puppet agent should connect,
+        in the order that they will be tried. Each value should be a fully qualified domain name, followed by an optional ':' and port number. If a port is omitted, Puppet uses masterport for that host.",
     },
     :use_srv_records => {
       :default    => false,
@@ -1684,8 +1663,7 @@ EOT
       :type     => :duration,
       :desc     => "How often puppet agent applies the catalog.
           Note that a runinterval of 0 means \"run continuously\" rather than
-          \"never run.\" If you want puppet agent to never run, you should start
-          it with the `--no-client` option. #{AS_DURATION}",
+          \"never run.\" #{AS_DURATION}",
     },
     :runtimeout => {
       :default  => "1h",
@@ -1701,7 +1679,8 @@ EOT
       and does not need to horizontally scale.",
     },
     :ca_port => {
-      :default    => "$masterport",
+      :default    => "$serverport",
+      :type       => :port,
       :desc       => "The port to use for the certificate authority.",
     },
     :preferred_serialization_format => {
@@ -1790,7 +1769,8 @@ EOT
       :desc     => "The server to send transaction reports to.",
     },
     :report_port => {
-      :default  => "$masterport",
+      :default  => "$serverport",
+      :type     => :port,
       :desc     => "The port to communicate with the report_server.",
     },
     :report => {
@@ -1820,17 +1800,27 @@ EOT
         for the node stored in puppetdb are current. However, this will double the fact
         submission load on puppetdb, so it is disabled by default.",
     },
+    :publicdir => {
+      :default  => nil,
+      :type     => :directory,
+      :mode     => "0755",
+      :desc     => "Where Puppet stores public files."
+    },
     :lastrunfile =>  {
-      :default  => "$statedir/last_run_summary.yaml",
+      :default  => "$publicdir/last_run_summary.yaml",
       :type     => :file,
-      :mode     => "0644",
+      :mode     => "0640",
       :desc     => "Where puppet agent stores the last run report summary in yaml format."
     },
     :lastrunreport =>  {
       :default  => "$statedir/last_run_report.yaml",
       :type     => :file,
       :mode     => "0640",
-      :desc     => "Where puppet agent stores the last run report in yaml format."
+      :desc     => "Where Puppet Agent stores the last run report, by default, in yaml format.
+        The format of the report can be changed by setting the `cache` key of the `report` terminus
+        in the [routes.yaml](https://puppet.com/docs/puppet/latest/config_file_routes.html) file.
+        To avoid mismatches between content and file extension, this setting needs to be
+        manually updated to reflect the terminus changes."
     },
     :graph => {
       :default  => false,
@@ -1890,7 +1880,7 @@ EOT
       already ongoing puppet agent instance.
 
       This argument is by default disabled (value set to 0). In this case puppet agent will
-      immediatly exit if it cannot run at that moment. When a value other than 0 is set, this
+      immediately exit if it cannot run at that moment. When a value other than 0 is set, this
       can also be used in combination with the `maxwaitforlock` argument.
       #{AS_DURATION}",
     },
@@ -1899,7 +1889,7 @@ EOT
       :type     => :ttl,
       :desc     => "The maximum amount of time the puppet agent should wait for an
       already running puppet agent to finish before starting a new one. This is set by default to 1 minute.
-      A value of `unlimited` will cause puppet agent to wait indefinitely. 
+      A value of `unlimited` will cause puppet agent to wait indefinitely.
       #{AS_DURATION}",
     }
   )
@@ -1941,9 +1931,26 @@ EOT
       is used for retrieval, so anything that is a valid file source can
       be used here.",
     },
+    :pluginsync => {
+      :default    => true,
+      :type       => :boolean,
+      :desc       => "Whether plugins should be synced with the central server. This setting is
+        deprecated.",
+      :hook => proc { |value|
+        #TRANSLATORS 'pluginsync' is a setting and should not be translated
+        Puppet.deprecation_warning(_("Setting 'pluginsync' is deprecated."))
+      }
+    },
     :pluginsignore => {
         :default  => ".svn CVS .git .hg",
         :desc     => "What files to ignore when pulling down plugins.",
+    },
+    :ignore_plugin_errors => {
+      :default    => false,
+      :type       => :boolean,
+      :desc       => "Whether the puppet run should ignore errors during pluginsync. If the setting
+        is false and there are errors during pluginsync, then the agent will abort the run and
+        submit a report containing information about the failed run."
     }
   )
 
@@ -2088,7 +2095,7 @@ EOT
     }
   )
 
-  settings.define_settings(:master,
+  settings.define_settings(:server,
     :storeconfigs => {
       :default  => false,
       :type     => :boolean,
@@ -2154,16 +2161,6 @@ EOT
       referencing variables that are explicitly set to undef).
     EOT
     },
-   :func3x_check => {
-     :default => true,
-     :type => :boolean,
-     :desc => <<-'EOT'
-       Causes validation of loaded legacy Ruby functions (3x API) to raise errors about illegal constructs that
-       could cause harm or that simply does not work. This flag is on by default. This flag is made available
-       so that the validation can be turned off in case the method of validation is faulty - if encountered, please
-       file a bug report.
-     EOT
-     },
   :tasks => {
     :default => false,
     :type => :boolean,