puppet 6.19.1-universal-darwin → 7.0.0-universal-darwin

data/lib/puppet/application/filebucket.rb

@@ -16,6 +16,10 @@ class Puppet::Application::Filebucket < Puppet::Application
     _("Store and retrieve files in a filebucket")
   end
 
+  def digest_algorithm
+    Puppet.default_digest_algorithm
+  end
+
   def help
     <<-HELP
 
@@ -38,14 +42,14 @@ Puppet filebucket can operate in three modes, with only one mode per call:
 
 backup:
   Send one or more files to the specified file bucket. Each sent file is
-  printed with its resulting md5 sum.
+  printed with its resulting #{digest_algorithm} sum.
 
 get:
-  Return the text associated with an md5 sum. The text is printed to
+  Return the text associated with an #{digest_algorithm} sum. The text is printed to
   stdout, and only one file can be retrieved at a time.
 
 restore:
-  Given a file path and an md5 sum, store the content associated with
+  Given a file path and an #{digest_algorithm} sum, store the content associated with
   the sum into the specified file path. You can specify an entirely new
   path to this argument; you are not restricted to restoring the content
   to its original location.
@@ -186,8 +190,8 @@ EXAMPLES
     $ puppet filebucket -b /tmp/TestBucket list
     d41d8cd98f00b204e9800998ecf8427e 2015-05-11 09:33:22 /tmp/TestFile2
 
-    ## From a Puppet master, list files in the master bucketdir
-    $ puppet filebucket -b $(puppet config print bucketdir --section master) list
+    ## From a Puppet Server, list files in the server bucketdir
+    $ puppet filebucket -b $(puppet config print bucketdir --section server) list
     d43a6ecaa892a1962398ac9170ea9bf2 2015-05-11 09:27:56 /tmp/TestFile
     7ae322f5791217e031dc60188f4521ef 2015-05-11 09:52:15 /tmp/TestFile
 
@@ -212,8 +216,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def get
-    md5 = args.shift
-    out = @client.getfile(md5)
+    digest = args.shift
+    out = @client.getfile(digest)
     print out
   end
 
@@ -229,8 +233,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         $stderr.puts _("%{file}: cannot read file") % { file: file }
         next
       end
-      md5 = @client.backup(file)
-      puts "#{file}: #{md5}"
+      digest = @client.backup(file)
+      puts "#{file}: #{digest}"
     end
   end
 
@@ -243,8 +247,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
   def restore
     file = args.shift
-    md5 = args.shift
-    @client.restore(file, md5)
+    digest = args.shift
+    @client.restore(file, digest)
   end
 
   def diff

data/lib/puppet/application/ssl.rb

@@ -248,7 +248,7 @@ END
     paths = {
       'private key' => Puppet[:hostprivkey],
       'public key'  => Puppet[:hostpubkey],
-      'certificate request' => File.join(Puppet[:requestdir], "#{Puppet[:certname]}.pem"),
+      'certificate request' => Puppet[:hostcsr],
       'certificate' => Puppet[:hostcert],
       'private key password file' => Puppet[:passfile]
     }

data/lib/puppet/configurer.rb

@@ -202,7 +202,6 @@ class Puppet::Configurer
   # This just passes any options on to the catalog,
   # which accepts :tags and :ignoreschedules.
   def run(options = {})
-    pool = Puppet.runtime[:http].pool
     # We create the report pre-populated with default settings for
     # environment and transaction_uuid very early, this is to ensure
     # they are sent regardless of any catalog compilation failures or
@@ -215,44 +214,40 @@ class Puppet::Configurer
 
     completed = nil
     begin
-      Puppet.override(:http_pool => pool) do
-        # Skip failover logic if the server_list setting is empty
-        do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
-
-        # When we are passed a catalog, that means we're in apply
-        # mode. We shouldn't try to do any failover in that case.
-        if options[:catalog].nil? && do_failover
-          server, port = find_functional_server
-          begin
-            if server.nil?
-              raise Puppet::Error, _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
-            else
-              #TRANSLATORS 'server_list' is the name of a setting and should not be translated
-              Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
-              report.server_used = "#{server}:#{port}"
-            end
-          rescue Puppet::Error => detail
-            if Puppet[:usecacheonfailure]
-              options[:pluginsync] = false
-              @running_failure = true
-              if server.nil?
-                server = Puppet[:server_list].first[0]
-                port = Puppet[:server_list].first[1] || Puppet[:serverport]
-              end
-              Puppet.log_exception(detail)
-            else
-              raise detail
-            end
-          end
-          Puppet.override(server: server, serverport: port) do
-            completed = run_internal(options)
+      # Skip failover logic if the server_list setting is empty
+      do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
+
+      # When we are passed a catalog, that means we're in apply
+      # mode. We shouldn't try to do any failover in that case.
+      if options[:catalog].nil? && do_failover
+        server, port = find_functional_server
+        if server.nil?
+          detail = _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
+          if Puppet[:usecacheonfailure]
+            options[:pluginsync] = false
+            @running_failure = true
+
+            server = Puppet[:server_list].first[0]
+            port = Puppet[:server_list].first[1] || Puppet[:serverport]
+
+            Puppet.err(detail)
+          else
+            raise Puppet::Error, detail
           end
         else
+          #TRANSLATORS 'server_list' is the name of a setting and should not be translated
+          Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
+          report.server_used = "#{server}:#{port}"
+        end
+        Puppet.override(server: server, serverport: port) do
           completed = run_internal(options)
         end
+      else
+        completed = run_internal(options)
       end
     ensure
-      pool.close
+      # we may sleep for awhile, close connections now
+      Puppet.runtime[:http].close
     end
 
     completed ? report.exit_status : nil

data/lib/puppet/configurer/plugin_handler.rb

@@ -29,25 +29,27 @@ class Puppet::Configurer::PluginHandler
     result += plugin_fact_downloader.evaluate
     result += plugin_downloader.evaluate
 
-    # until file metadata/content are using the rest client, we need to check
-    # both :server_agent_version and the session to see if the server supports
-    # the "locales" mount
-    server_agent_version = Puppet.lookup(:server_agent_version) { "0.0" }
-    locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
-    unless locales
-      session = Puppet.lookup(:http_session)
-      locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
-    end
-
-    if locales
-      locales_downloader = Puppet::Configurer::Downloader.new(
-        "locales",
-        Puppet[:localedest],
-        Puppet[:localesource],
-        Puppet[:pluginsignore] + " *.pot config.yaml",
-        environment
-      )
-      result += locales_downloader.evaluate
+    unless Puppet[:disable_i18n]
+      # until file metadata/content are using the rest client, we need to check
+      # both :server_agent_version and the session to see if the server supports
+      # the "locales" mount
+      server_agent_version = Puppet.lookup(:server_agent_version) { "0.0" }
+      locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
+      unless locales
+        session = Puppet.lookup(:http_session)
+        locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
+      end
+
+      if locales
+        locales_downloader = Puppet::Configurer::Downloader.new(
+          "locales",
+          Puppet[:localedest],
+          Puppet[:localesource],
+          Puppet[:pluginsignore] + " *.pot config.yaml",
+          environment
+        )
+        result += locales_downloader.evaluate
+      end
     end
 
     Puppet::Util::Autoload.reload_changed(Puppet.lookup(:current_environment))

data/lib/puppet/defaults.rb

@@ -11,25 +11,60 @@ module Puppet
   end
 
   def self.default_digest_algorithm
-    Puppet::Util::Platform.fips_enabled? ? 'sha256' : 'md5'
+    'sha256'
   end
 
   def self.valid_digest_algorithms
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.default_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.valid_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime] :
-      %w[md5 md5lite sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime]
+      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite md5 md5lite mtime ctime]
+  end
+
+  def self.log_ca_migration_warning
+    urge_to_migrate = <<-UTM
+The cadir is currently configured to be inside the #{Puppet[:ssldir]} directory. This config
+setting and the directory location will not be used in a future version of puppet. Please run the
+puppetserver ca tool to migrate out from the puppet confdir to the /etc/puppetlabs/puppetserver/ca
+directory. Use `puppetserver ca migrate --help` for more info.
+UTM
+    Puppet.warn_once('deprecations',
+                     'CA migration message',
+                     urge_to_migrate,
+                     :default,
+                     :default)
+  end
+
+  def self.default_cadir
+    return "" if Puppet::Util::Platform.windows?
+    old_ca_dir = "#{Puppet[:ssldir]}/ca"
+    new_ca_dir = "/etc/puppetlabs/puppetserver/ca"
+
+    if File.exist?(old_ca_dir)
+      if File.symlink?(old_ca_dir)
+        target = File.readlink(old_ca_dir)
+        if target.start_with?(Puppet[:ssldir])
+          Puppet.log_ca_migration_warning
+        end
+        target
+      else
+        Puppet.log_ca_migration_warning
+        old_ca_dir
+      end
+    else
+      new_ca_dir
+    end
   end
 
   def self.default_basemodulepath
@@ -70,28 +105,6 @@ module Puppet
   # @return void
   def self.initialize_default_settings!(settings)
     settings.define_settings(:main,
-      :facterng => {
-        :default => false,
-        :type    => :boolean,
-        :desc    => 'Whether to enable a pre-Facter 4.0 release of Facter (distributed as
-          the "facter-ng" gem). This is not necessary if Facter 3.x or later is installed.
-          This setting is still experimental.',
-        :hook    => proc do |value|
-          if value
-            begin
-              original_facter = Object.const_get(:Facter)
-              Object.send(:remove_const, :Facter)
-
-              require 'facter-ng'
-              # It is required to re-setup logger for facter-ng
-              Puppet::Util::Logging.setup_facter_logging!
-            rescue LoadError
-              Object.const_set(:Facter, original_facter)
-              raise ArgumentError, 'facter-ng could not be loaded'
-            end
-          end
-        end
-    },
     :confdir  => {
         :default  => nil,
         :type     => :directory,
@@ -218,7 +231,7 @@ module Puppet
       end
     },
     :disable_i18n => {
-      :default => false,
+      :default => true,
       :type    => :boolean,
       :desc    => "If true, turns off all translations of Puppet and module
         log messages, which affects error, warning, and info log messages,
@@ -263,13 +276,6 @@ module Puppet
         :type     => :boolean,
         :desc     => "Whether to enable experimental performance profiling",
     },
-    :future_features => {
-      :default => false,
-      :type => :boolean,
-      :desc => "Whether or not to enable all features currently being developed for future
-        major releases of Puppet. Should be used with caution, as in development
-        features are experimental and can have unexpected effects."
-    },
     :versioned_environment_dirs => {
       :default => false,
       :type => :boolean,
@@ -284,6 +290,11 @@ module Puppet
         which occurs only on a Puppet Server master when the `code-id-command` and
         `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
+    :settings_catalog => {
+      :default    => true,
+      :type       => :boolean,
+      :desc       => "Whether to compile and apply the settings catalog",
+    },
     :strict_environment_mode => {
       :default    => false,
       :type       => :boolean,
@@ -632,7 +643,7 @@ module Puppet
     :http_proxy_password =>{
       :default    => "none",
       :hook       => proc do |value|
-        if settings[:http_proxy_password] =~ /[@!# \/]/
+        if value =~ /[@!# \/]/
           raise "Passwords set in the http_proxy_password setting must be valid as part of a URL, and any reserved characters must be URL-encoded. We received: #{value}"
         end
       end,
@@ -706,9 +717,8 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       A value of `0` will disable caching. This setting can also be set to
       `unlimited`, which will cache environments until the server is restarted
       or told to refresh the cache. All other values will result in Puppet
-      server evicting expired environments. The expiration time is computed
-      based on either when the environment was created or last accessed, see
-      `environment_timeout_mode`.
+      server evicting environments that haven't been used within the last
+      `environment_timeout` seconds.
 
       You should change this setting once your Puppet deployment is doing
       non-trivial work. We chose the default value of `0` because it lets new
@@ -721,32 +731,13 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       * Setting this to a number that will keep your most actively used
         environments cached, but allow testing environments to fall out of the
         cache and reduce memory usage. A value of 3 minutes (3m) is a reasonable
-        value. This option requires setting `environment_timeout_mode` to
-        `from_last_used`.
+        value.
 
       Once you set `environment_timeout` to a non-zero value, you need to tell
       Puppet server to read new code from disk using the `environment-cache` API
       endpoint after you deploy new code. See the docs for the Puppet Server
       [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
-      ",
-      :hook => proc do |val|
-        if Puppet[:environment_timeout_mode] == :from_created
-          unless [0, 'unlimited', Float::INFINITY].include?(val)
-            Puppet.deprecation_warning("Evicting environments based on their creation time is deprecated, please set `environment_timeout_mode` to `from_last_used` instead.")
-          end
-        end
-      end
-    },
-    :environment_timeout_mode => {
-      :default => :from_created,
-      :type    => :symbolic_enum,
-      :values  => [:from_created, :from_last_used],
-      :desc => "How Puppet interprets the `environment_timeout` setting when
-      `environment_timeout` is neither `0` nor `unlimited`. If set to
-      `from_created`, then the environment will be evicted `environment_timeout`
-      seconds from when it was created. If set to `from_last_used` then the
-      environment will be evicted `environment_timeout` seconds from when it
-      was last used."
+      "
     },
     :environment_data_provider => {
       :desc       => "The name of a registered environment data provider used when obtaining environment
@@ -821,7 +812,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
-        [auth.conf](https://puppet.com/docs/puppet/latest/config_file_auth.html).
+        Puppet Server's [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).
         In most cases, it is also used as the node's name when matching
         [node definitions](https://puppet.com/docs/puppet/latest/lang_node_definitions.html)
         and requesting data from an ENC. (This can be changed with the `node_name_value`
@@ -836,12 +827,15 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
           only use lowercase letters, numbers, periods, underscores, and dashes. (That is,
           it should match `/\A[a-z0-9._-]+\Z/`.)
         * The special value `ca` is reserved, and can't be used as the certname
-          for a normal node.         
+          for a normal node.
 
-          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
+          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
 
         Defaults to the node's fully qualified domain name.",
-      :hook => proc { |value| raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase }},
+      :call_hook => :on_initialize_and_write,
+      :hook => proc { |value|
+        raise(ArgumentError, _("Certificate names must be lower case")) unless value == value.downcase
+      }},
     :dns_alt_names => {
       :default => '',
       :desc    => <<EOT,
@@ -968,13 +962,13 @@ EOT
         Generally unused."
     },
     :hostcsr => {
-      :default => "$ssldir/csr_$certname.pem",
+      :default => "$requestdir/$certname.pem",
       :type   => :file,
       :mode => "0644",
       :owner => "service",
       :group => "service",
-      :deprecated  => :completely,
-      :desc => "This setting is deprecated."
+      :desc => "Where individual hosts store their certificate request (CSR)
+         while waiting for the CA to issue their certificate."
     },
     :hostcert => {
       :default => "$certdir/$certname.pem",
@@ -1025,29 +1019,6 @@ EOT
         puppet module tool and the 'http' report processor. This setting is ignored when
         making requests to puppet:// URLs such as catalog and report requests.",
     },
-    :ssl_client_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be
-        considered authentic unless they possess a certificate issued by an authority
-        listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used.",
-      :hook => proc do |val|
-        Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
-      end
-    },
-    :ssl_server_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :deprecated  => :completely,
-      :desc => "The setting is deprecated and has no effect. Ensure all root and
-        intermediate certificate authorities used to issue client certificates are
-        contained in the server's `cacert` file on the server."
-    },
     :hostcrl => {
       :default => "$ssldir/crl.pem",
       :type   => :file,
@@ -1138,9 +1109,16 @@ EOT
       :desc    => "The name to use the Certificate Authority certificate.",
     },
     :cadir => {
-      :default => "$ssldir/ca",
+      :default => lambda { default_cadir },
       :type => :directory,
       :desc => "The root directory for the certificate authority.",
+      :call_hook => :on_initialize_and_write,
+      :hook => proc do |value|
+        if value.start_with?(Puppet[:ssldir])
+          Puppet.log_ca_migration_warning
+        end
+        value
+      end
     },
     :cacert => {
       :default => "$cadir/ca_crt.pem",
@@ -1369,6 +1347,7 @@ EOT
     },
     :serverport => {
       :default    => 8140,
+      :type       => :port,
       :desc       => "The default port puppet subcommands use to communicate
       with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
       overridden by more specific settings (see `ca_port`, `report_port`).",
@@ -1377,7 +1356,8 @@ EOT
       end
     },
     :masterport => {
-      :default    => 8140,
+      :default    => "$serverport",
+      :type       => :port,
       :desc       => "The default port puppet subcommands use to communicate
       with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
       overridden by more specific settings (see `ca_port`, `report_port`).",
@@ -1385,25 +1365,6 @@ EOT
         Puppet[:serverport] = value unless Puppet.settings.set_by_config?(:serverport)
       end
     },
-    :node_name => {
-      :default    => 'cert',
-      :type       => :enum,
-      :values     => ['cert', 'facter'],
-      :deprecated => :completely,
-      :hook       => proc { |val|
-        if val != 'cert'
-          Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
-        end
-      },
-      :desc       => "How the puppet master determines the client's identity
-      and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
-      in particular for determining which 'node' statement applies to the client.
-      Possible values are 'cert' (use the subject's CN in the client's
-      certificate) and 'facter' (use the hostname that the client
-      reported in its facts).
-
-      This setting is deprecated, please use explicit fact matching for classification.",
-    },
     :bucketdir => {
       :default => "$vardir/bucket",
       :type => :directory,
@@ -1412,15 +1373,6 @@ EOT
       :group => "service",
       :desc => "Where FileBucket files are stored."
     },
-    :rest_authconfig => {
-      :default    => "$confdir/auth.conf",
-      :type       => :file,
-      :deprecated  => :completely,
-      :desc       => "The configuration file that defines the rights to the different
-      rest indirections.  This can be used as a fine-grained authorization system for
-      `puppet master`.  The `puppet master` command is deprecated and Puppet Server
-      uses its own auth.conf that must be placed within its configuration directory.",
-    },
     :trusted_oid_mapping_file => {
       :default    => "$confdir/custom_trusted_oid_mapping.yaml",
       :type       => :file,
@@ -1523,23 +1475,7 @@ EOT
       :default    => "$confdir/fileserver.conf",
       :type       => :file,
       :desc       => "Where the fileserver configuration is stored.",
-    },
-    :strict_hostname_checking => {
-      :default    => true,
-      :type       => :boolean,
-      :desc       => "Whether to only search for the complete
-        hostname as it is in the certificate when searching for node information
-        in the catalogs or to match dot delimited segments of the cert's certname
-        and the hostname, fqdn, and/or domain facts.
-
-        This setting is deprecated and will be removed in a future release.",
-      :hook => proc { |val|
-        if val != true
-          Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
-        end
-      }
-    }
-  )
+    })
 
   settings.define_settings(:device,
     :devicedir =>  {
@@ -1561,17 +1497,15 @@ EOT
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
         makes to the master. WARNING: This setting is mutually exclusive with
-        node_name_fact.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_value for more information."
+        node_name_fact.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html)."
     },
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
         makes to the master. WARNING: This setting is mutually exclusive with
-        node_name_value.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_fact for more information.",
+        node_name_value.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).",
       :hook => proc do |value|
         if !value.empty? and Puppet[:node_name_value] != Puppet[:certname]
           raise "Cannot specify both the node_name_value and node_name_fact settings"
@@ -1669,8 +1603,8 @@ EOT
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of puppet master servers to which the puppet agent should connect,
-        in the order that they will be tried.",
+      :desc => "The list of Puppet master servers to which the Puppet agent should connect,
+        in the order that they will be tried. Each value should be a fully qualified domain name, followed by an optional ':' and port number. If a port is omitted, Puppet uses masterport for that host.",
     },
     :use_srv_records => {
       :default    => false,
@@ -1746,6 +1680,7 @@ EOT
     },
     :ca_port => {
       :default    => "$serverport",
+      :type       => :port,
       :desc       => "The port to use for the certificate authority.",
     },
     :preferred_serialization_format => {
@@ -1835,6 +1770,7 @@ EOT
     },
     :report_port => {
       :default  => "$serverport",
+      :type     => :port,
       :desc     => "The port to communicate with the report_server.",
     },
     :report => {
@@ -1864,17 +1800,27 @@ EOT
         for the node stored in puppetdb are current. However, this will double the fact
         submission load on puppetdb, so it is disabled by default.",
     },
+    :publicdir => {
+      :default  => nil,
+      :type     => :directory,
+      :mode     => "0755",
+      :desc     => "Where Puppet stores public files."
+    },
     :lastrunfile =>  {
-      :default  => "$statedir/last_run_summary.yaml",
+      :default  => "$publicdir/last_run_summary.yaml",
       :type     => :file,
-      :mode     => "0644",
+      :mode     => "0640",
       :desc     => "Where puppet agent stores the last run report summary in yaml format."
     },
     :lastrunreport =>  {
       :default  => "$statedir/last_run_report.yaml",
       :type     => :file,
       :mode     => "0640",
-      :desc     => "Where puppet agent stores the last run report in yaml format."
+      :desc     => "Where Puppet Agent stores the last run report, by default, in yaml format.
+        The format of the report can be changed by setting the `cache` key of the `report` terminus
+        in the [routes.yaml](https://puppet.com/docs/puppet/latest/config_file_routes.html) file.
+        To avoid mismatches between content and file extension, this setting needs to be
+        manually updated to reflect the terminus changes."
     },
     :graph => {
       :default  => false,
@@ -1943,7 +1889,7 @@ EOT
       :type     => :ttl,
       :desc     => "The maximum amount of time the puppet agent should wait for an
       already running puppet agent to finish before starting a new one. This is set by default to 1 minute.
-      A value of `unlimited` will cause puppet agent to wait indefinitely. 
+      A value of `unlimited` will cause puppet agent to wait indefinitely.
       #{AS_DURATION}",
     }
   )
@@ -2000,7 +1946,7 @@ EOT
         :desc     => "What files to ignore when pulling down plugins.",
     },
     :ignore_plugin_errors => {
-      :default    => true,
+      :default    => false,
       :type       => :boolean,
       :desc       => "Whether the puppet run should ignore errors during pluginsync. If the setting
         is false and there are errors during pluginsync, then the agent will abort the run and
@@ -2215,16 +2161,6 @@ EOT
       referencing variables that are explicitly set to undef).
     EOT
     },
-   :func3x_check => {
-     :default => true,
-     :type => :boolean,
-     :desc => <<-'EOT'
-       Causes validation of loaded legacy Ruby functions (3x API) to raise errors about illegal constructs that
-       could cause harm or that simply does not work. This flag is on by default. This flag is made available
-       so that the validation can be turned off in case the method of validation is faulty - if encountered, please
-       file a bug report.
-     EOT
-     },
   :tasks => {
     :default => false,
     :type => :boolean,