puppet 6.21.1 → 7.4.1

data/lib/puppet/application/device.rb

@@ -260,119 +260,115 @@ Licensed under the Apache 2.0 License
         end
       end
       devices.collect do |devicename,device|
-        pool = Puppet.runtime[:http].pool
-        Puppet.override(:http_pool => pool) do
-          # TODO when we drop support for ruby < 2.5 we can remove the extra block here
-          begin
-            device_url = URI.parse(device.url)
-            # Handle nil scheme & port
-            scheme = "#{device_url.scheme}://" if device_url.scheme
-            port = ":#{device_url.port}" if device_url.port
-
-            # override local $vardir and $certname
-            Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
-            Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
-            Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
-            Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
-            Puppet[:certname] = device.name
-            ssl_context = nil
-
-            # create device directory under $deviceconfdir
-            Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
-
-            # this will reload and recompute default settings and create device-specific sub vardir
-            Puppet.settings.use :main, :agent, :ssl
-
-            # Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
-            optssldir = File.join(Puppet[:confdir], 'ssl')
-            Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
-
-            unless options[:resource] || options[:facts] || options[:apply]
-              # Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
-              # See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
-              # This has to happen after `settings.use` above, so the directory is created and before `setup_host` below, where the SSL
-              # routines would fail with access errors
-              if Puppet.features.root? && !Puppet::Util::Platform.windows?
-                user = Puppet::Type.type(:user).new(name: Puppet[:user]).exists? ? Puppet[:user] : nil
-                group = Puppet::Type.type(:group).new(name: Puppet[:group]).exists? ? Puppet[:group] : nil
-                Puppet.debug("Fixing perms for #{user}:#{group} on #{Puppet[:confdir]}")
-                FileUtils.chown(user, group, Puppet[:confdir]) if user || group
-              end
+        # TODO when we drop support for ruby < 2.5 we can remove the extra block here
+        begin
+          device_url = URI.parse(device.url)
+          # Handle nil scheme & port
+          scheme = "#{device_url.scheme}://" if device_url.scheme
+          port = ":#{device_url.port}" if device_url.port
+
+          # override local $vardir and $certname
+          Puppet[:ssldir] = ::File.join(Puppet[:deviceconfdir], device.name, 'ssl')
+          Puppet[:confdir] = ::File.join(Puppet[:devicedir], device.name)
+          Puppet[:libdir] = options[:libdir] || ::File.join(Puppet[:devicedir], device.name, 'lib')
+          Puppet[:vardir] = ::File.join(Puppet[:devicedir], device.name)
+          Puppet[:certname] = device.name
+          ssl_context = nil
+
+          # create device directory under $deviceconfdir
+          Puppet::FileSystem.dir_mkpath(Puppet[:ssldir]) unless Puppet::FileSystem.dir_exist?(Puppet[:ssldir])
+
+          # this will reload and recompute default settings and create device-specific sub vardir
+          Puppet.settings.use :main, :agent, :ssl
+
+          # Workaround for PUP-8736: store ssl certs outside the cache directory to prevent accidental removal and keep the old path as symlink
+          optssldir = File.join(Puppet[:confdir], 'ssl')
+          Puppet::FileSystem.symlink(Puppet[:ssldir], optssldir) unless Puppet::FileSystem.exist?(optssldir)
+
+          unless options[:resource] || options[:facts] || options[:apply]
+            # Since it's too complicated to fix properly in the default settings, we workaround for PUP-9642 here.
+            # See https://github.com/puppetlabs/puppet/pull/7483#issuecomment-483455997 for details.
+            # This has to happen after `settings.use` above, so the directory is created and before `setup_host` below, where the SSL
+            # routines would fail with access errors
+            if Puppet.features.root? && !Puppet::Util::Platform.windows?
+              user = Puppet::Type.type(:user).new(name: Puppet[:user]).exists? ? Puppet[:user] : nil
+              group = Puppet::Type.type(:group).new(name: Puppet[:group]).exists? ? Puppet[:group] : nil
+              Puppet.debug("Fixing perms for #{user}:#{group} on #{Puppet[:confdir]}")
+              FileUtils.chown(user, group, Puppet[:confdir]) if user || group
+            end
 
-              ssl_context = setup_context
+            ssl_context = setup_context
 
-              unless options[:libdir]
-                Puppet.override(ssl_context: ssl_context) do
-                  Puppet::Configurer::PluginHandler.new.download_plugins(env) if Puppet::Configurer.should_pluginsync?
-                end
+            unless options[:libdir]
+              Puppet.override(ssl_context: ssl_context) do
+                Puppet::Configurer::PluginHandler.new.download_plugins(env) if Puppet::Configurer.should_pluginsync?
               end
             end
+          end
 
-            # this inits the device singleton, so that the facts terminus
-            # and the various network_device provider can use it
-            Puppet::Util::NetworkDevice.init(device)
-
-            if options[:resource]
-              type, name = parse_args(command_line.args)
-              Puppet.info _("retrieving resource: %{resource} from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
-              resources = find_resources(type, name)
-              if options[:to_yaml]
-                data = resources.map do |resource|
-                  resource.prune_parameters(:parameters_to_include => @extra_params).to_hiera_hash
-                end.inject(:merge!)
-                text = YAML.dump(type.downcase => data)
-              else
-                text = resources.map do |resource|
-                  resource.prune_parameters(:parameters_to_include => @extra_params).to_manifest.force_encoding(Encoding.default_external)
-                end.join("\n")
-              end
-              (puts text)
-              0
-            elsif options[:facts]
-              Puppet.info _("retrieving facts from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
-              remote_facts = Puppet::Node::Facts.indirection.find(name, :environment => env)
-              # Give a proper name to the facts
-              remote_facts.name = remote_facts.values['clientcert']
-              renderer = Puppet::Network::FormatHandler.format(:console)
-              puts renderer.render(remote_facts)
-              0
-            elsif options[:apply]
-              # avoid reporting to server
-              Puppet::Transaction::Report.indirection.terminus_class = :yaml
-              Puppet::Resource::Catalog.indirection.cache_class = nil
-
-              require 'puppet/application/apply'
-              begin
-                Puppet[:node_terminus] = :plain
-                Puppet[:catalog_terminus] = :compiler
-                Puppet[:catalog_cache_terminus] = nil
-                Puppet[:facts_terminus] = :network_device
-                Puppet.override(:network_device => true) do
-                  Puppet::Application::Apply.new(Puppet::Util::CommandLine.new('puppet', ["apply", options[:apply]])).run_command
-                end
-              end
+          # this inits the device singleton, so that the facts terminus
+          # and the various network_device provider can use it
+          Puppet::Util::NetworkDevice.init(device)
+
+          if options[:resource]
+            type, name = parse_args(command_line.args)
+            Puppet.info _("retrieving resource: %{resource} from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
+            resources = find_resources(type, name)
+            if options[:to_yaml]
+              data = resources.map do |resource|
+                resource.prune_parameters(:parameters_to_include => @extra_params).to_hiera_hash
+              end.inject(:merge!)
+              text = YAML.dump(type.downcase => data)
             else
-              Puppet.info _("starting applying configuration to %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
-
-              overrides = {}
-              overrides[:ssl_context] = ssl_context if ssl_context
-              Puppet.override(overrides) do
-                configurer = Puppet::Configurer.new
-                configurer.run(:network_device => true, :pluginsync => false)
+              text = resources.map do |resource|
+                resource.prune_parameters(:parameters_to_include => @extra_params).to_manifest.force_encoding(Encoding.default_external)
+              end.join("\n")
+            end
+            (puts text)
+            0
+          elsif options[:facts]
+            Puppet.info _("retrieving facts from %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { resource: type, target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
+            remote_facts = Puppet::Node::Facts.indirection.find(name, :environment => env)
+            # Give a proper name to the facts
+            remote_facts.name = remote_facts.values['clientcert']
+            renderer = Puppet::Network::FormatHandler.format(:console)
+            puts renderer.render(remote_facts)
+            0
+          elsif options[:apply]
+            # avoid reporting to server
+            Puppet::Transaction::Report.indirection.terminus_class = :yaml
+            Puppet::Resource::Catalog.indirection.cache_class = nil
+
+            require 'puppet/application/apply'
+            begin
+              Puppet[:node_terminus] = :plain
+              Puppet[:catalog_terminus] = :compiler
+              Puppet[:catalog_cache_terminus] = nil
+              Puppet[:facts_terminus] = :network_device
+              Puppet.override(:network_device => true) do
+                Puppet::Application::Apply.new(Puppet::Util::CommandLine.new('puppet', ["apply", options[:apply]])).run_command
               end
             end
-          rescue => detail
-            Puppet.log_exception(detail)
-            # If we rescued an error, then we return 1 as the exit code
-            1
-          ensure
-            pool.close
-            Puppet[:libdir] = libdir
-            Puppet[:vardir] = vardir
-            Puppet[:confdir] = confdir
-            Puppet[:ssldir] = ssldir
-            Puppet[:certname] = certname
+          else
+            Puppet.info _("starting applying configuration to %{target} at %{scheme}%{url_host}%{port}%{url_path}") % { target: device.name, scheme: scheme, url_host: device_url.host, port: port, url_path: device_url.path }
+
+            overrides = {}
+            overrides[:ssl_context] = ssl_context if ssl_context
+            Puppet.override(overrides) do
+              configurer = Puppet::Configurer.new
+              configurer.run(:network_device => true, :pluginsync => false)
+            end
           end
+        rescue => detail
+          Puppet.log_exception(detail)
+          # If we rescued an error, then we return 1 as the exit code
+          1
+        ensure
+          Puppet[:libdir] = libdir
+          Puppet[:vardir] = vardir
+          Puppet[:confdir] = confdir
+          Puppet[:ssldir] = ssldir
+          Puppet[:certname] = certname
         end
       end
     end

data/lib/puppet/application/filebucket.rb

@@ -16,6 +16,10 @@ class Puppet::Application::Filebucket < Puppet::Application
     _("Store and retrieve files in a filebucket")
   end
 
+  def digest_algorithm
+    Puppet.default_digest_algorithm
+  end
+
   def help
     <<-HELP
 
@@ -38,14 +42,14 @@ Puppet filebucket can operate in three modes, with only one mode per call:
 
 backup:
   Send one or more files to the specified file bucket. Each sent file is
-  printed with its resulting md5 sum.
+  printed with its resulting #{digest_algorithm} sum.
 
 get:
-  Return the text associated with an md5 sum. The text is printed to
+  Return the text associated with an #{digest_algorithm} sum. The text is printed to
   stdout, and only one file can be retrieved at a time.
 
 restore:
-  Given a file path and an md5 sum, store the content associated with
+  Given a file path and an #{digest_algorithm} sum, store the content associated with
   the sum into the specified file path. You can specify an entirely new
   path to this argument; you are not restricted to restoring the content
   to its original location.
@@ -212,8 +216,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
   end
 
   def get
-    md5 = args.shift
-    out = @client.getfile(md5)
+    digest = args.shift
+    out = @client.getfile(digest)
     print out
   end
 
@@ -229,8 +233,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
         $stderr.puts _("%{file}: cannot read file") % { file: file }
         next
       end
-      md5 = @client.backup(file)
-      puts "#{file}: #{md5}"
+      digest = @client.backup(file)
+      puts "#{file}: #{digest}"
     end
   end
 
@@ -243,8 +247,8 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
 
   def restore
     file = args.shift
-    md5 = args.shift
-    @client.restore(file, md5)
+    digest = args.shift
+    @client.restore(file, digest)
   end
 
   def diff

data/lib/puppet/application/ssl.rb

@@ -248,7 +248,7 @@ END
     paths = {
       'private key' => Puppet[:hostprivkey],
       'public key'  => Puppet[:hostpubkey],
-      'certificate request' => File.join(Puppet[:requestdir], "#{Puppet[:certname]}.pem"),
+      'certificate request' => Puppet[:hostcsr],
       'certificate' => Puppet[:hostcert],
       'private key password file' => Puppet[:passfile]
     }

data/lib/puppet/configurer.rb

@@ -202,7 +202,6 @@ class Puppet::Configurer
   # This just passes any options on to the catalog,
   # which accepts :tags and :ignoreschedules.
   def run(options = {})
-    pool = Puppet.runtime[:http].pool
     # We create the report pre-populated with default settings for
     # environment and transaction_uuid very early, this is to ensure
     # they are sent regardless of any catalog compilation failures or
@@ -215,41 +214,40 @@ class Puppet::Configurer
 
     completed = nil
     begin
-      Puppet.override(:http_pool => pool) do
-        # Skip failover logic if the server_list setting is empty
-        do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
-
-        # When we are passed a catalog, that means we're in apply
-        # mode. We shouldn't try to do any failover in that case.
-        if options[:catalog].nil? && do_failover
-          server, port = find_functional_server
-          if server.nil?
-            detail = _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
-            if Puppet[:usecacheonfailure]
-              options[:pluginsync] = false
-              @running_failure = true
-
-              server = Puppet[:server_list].first[0]
-              port = Puppet[:server_list].first[1] || Puppet[:serverport]
-
-              Puppet.err(detail)
-            else
-              raise Puppet::Error, detail
-            end
+      # Skip failover logic if the server_list setting is empty
+      do_failover = Puppet.settings[:server_list] && !Puppet.settings[:server_list].empty?
+
+      # When we are passed a catalog, that means we're in apply
+      # mode. We shouldn't try to do any failover in that case.
+      if options[:catalog].nil? && do_failover
+        server, port = find_functional_server
+        if server.nil?
+          detail = _("Could not select a functional puppet server from server_list: '%{server_list}'") % { server_list: Puppet.settings.value(:server_list, Puppet[:environment].to_sym, true) }
+          if Puppet[:usecacheonfailure]
+            options[:pluginsync] = false
+            @running_failure = true
+
+            server = Puppet[:server_list].first[0]
+            port = Puppet[:server_list].first[1] || Puppet[:serverport]
+
+            Puppet.err(detail)
           else
-            #TRANSLATORS 'server_list' is the name of a setting and should not be translated
-            Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
-            report.server_used = "#{server}:#{port}"
-          end
-          Puppet.override(server: server, serverport: port) do
-            completed = run_internal(options)
+            raise Puppet::Error, detail
           end
         else
+          #TRANSLATORS 'server_list' is the name of a setting and should not be translated
+          Puppet.debug _("Selected puppet server from the `server_list` setting: %{server}:%{port}") % { server: server, port: port }
+          report.server_used = "#{server}:#{port}"
+        end
+        Puppet.override(server: server, serverport: port) do
           completed = run_internal(options)
         end
+      else
+        completed = run_internal(options)
       end
     ensure
-      pool.close
+      # we may sleep for awhile, close connections now
+      Puppet.runtime[:http].close
     end
 
     completed ? report.exit_status : nil

data/lib/puppet/configurer/plugin_handler.rb

@@ -29,25 +29,27 @@ class Puppet::Configurer::PluginHandler
     result += plugin_fact_downloader.evaluate
     result += plugin_downloader.evaluate
 
-    # until file metadata/content are using the rest client, we need to check
-    # both :server_agent_version and the session to see if the server supports
-    # the "locales" mount
-    server_agent_version = Puppet.lookup(:server_agent_version) { "0.0" }
-    locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
-    unless locales
-      session = Puppet.lookup(:http_session)
-      locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
-    end
-
-    if locales
-      locales_downloader = Puppet::Configurer::Downloader.new(
-        "locales",
-        Puppet[:localedest],
-        Puppet[:localesource],
-        Puppet[:pluginsignore] + " *.pot config.yaml",
-        environment
-      )
-      result += locales_downloader.evaluate
+    unless Puppet[:disable_i18n]
+      # until file metadata/content are using the rest client, we need to check
+      # both :server_agent_version and the session to see if the server supports
+      # the "locales" mount
+      server_agent_version = Puppet.lookup(:server_agent_version) { "0.0" }
+      locales = Gem::Version.new(server_agent_version) >= SUPPORTED_LOCALES_MOUNT_AGENT_VERSION
+      unless locales
+        session = Puppet.lookup(:http_session)
+        locales = session.supports?(:fileserver, 'locales') || session.supports?(:puppet, 'locales')
+      end
+
+      if locales
+        locales_downloader = Puppet::Configurer::Downloader.new(
+          "locales",
+          Puppet[:localedest],
+          Puppet[:localesource],
+          Puppet[:pluginsignore] + " *.pot config.yaml",
+          environment
+        )
+        result += locales_downloader.evaluate
+      end
     end
 
     Puppet::Util::Autoload.reload_changed(Puppet.lookup(:current_environment))

data/lib/puppet/defaults.rb

@@ -11,25 +11,41 @@ module Puppet
   end
 
   def self.default_digest_algorithm
-    Puppet::Util::Platform.fips_enabled? ? 'sha256' : 'md5'
+    'sha256'
   end
 
   def self.valid_digest_algorithms
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.default_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.valid_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime] :
-      %w[md5 md5lite sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime]
+      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite md5 md5lite mtime ctime]
+  end
+
+  def self.default_cadir
+    return "" if Puppet::Util::Platform.windows?
+    old_ca_dir = "#{Puppet[:ssldir]}/ca"
+    new_ca_dir = "/etc/puppetlabs/puppetserver/ca"
+
+    if File.exist?(old_ca_dir)
+      if File.symlink?(old_ca_dir)
+        File.readlink(old_ca_dir)
+      else
+        old_ca_dir
+      end
+    else
+      new_ca_dir
+    end
   end
 
   def self.default_basemodulepath
@@ -70,29 +86,6 @@ module Puppet
   # @return void
   def self.initialize_default_settings!(settings)
     settings.define_settings(:main,
-      :facterng => {
-        :default => false,
-        :type    => :boolean,
-        :desc    => 'Whether to enable a pre-Facter 4.0 release of Facter (distributed as
-          the "facter-ng" gem). This is not necessary if Facter 3.x or later is installed.
-          This setting is still experimental.',
-        :hook    => proc do |value|
-          value = munge(value)
-          if value && Puppet::Util::Package.versioncmp(Facter.value('facterversion'), '4.0.0') < 0
-            begin
-              original_facter = Object.const_get(:Facter)
-              Object.send(:remove_const, :Facter)
-
-              require 'facter-ng'
-              # It is required to re-setup logger for facter-ng
-              Puppet::Util::Logging.setup_facter_logging!
-            rescue LoadError
-              Object.const_set(:Facter, original_facter)
-              raise ArgumentError, 'facter-ng could not be loaded'
-            end
-          end
-        end
-    },
     :confdir  => {
         :default  => nil,
         :type     => :directory,
@@ -219,7 +212,7 @@ module Puppet
       end
     },
     :disable_i18n => {
-      :default => false,
+      :default => true,
       :type    => :boolean,
       :desc    => "If true, turns off all translations of Puppet and module
         log messages, which affects error, warning, and info log messages,
@@ -264,13 +257,6 @@ module Puppet
         :type     => :boolean,
         :desc     => "Whether to enable experimental performance profiling",
     },
-    :future_features => {
-      :default => false,
-      :type => :boolean,
-      :desc => "Whether or not to enable all features currently being developed for future
-        major releases of Puppet. Should be used with caution, as in development
-        features are experimental and can have unexpected effects."
-    },
     :versioned_environment_dirs => {
       :default => false,
       :type => :boolean,
@@ -285,6 +271,11 @@ module Puppet
         which occurs only on a Puppet Server master when the `code-id-command` and
         `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
+    :settings_catalog => {
+      :default    => true,
+      :type       => :boolean,
+      :desc       => "Whether to compile and apply the settings catalog",
+    },
     :strict_environment_mode => {
       :default    => false,
       :type       => :boolean,
@@ -707,9 +698,8 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       A value of `0` will disable caching. This setting can also be set to
       `unlimited`, which will cache environments until the server is restarted
       or told to refresh the cache. All other values will result in Puppet
-      server evicting expired environments. The expiration time is computed
-      based on either when the environment was created or last accessed, see
-      `environment_timeout_mode`.
+      server evicting environments that haven't been used within the last
+      `environment_timeout` seconds.
 
       You should change this setting once your Puppet deployment is doing
       non-trivial work. We chose the default value of `0` because it lets new
@@ -722,32 +712,13 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       * Setting this to a number that will keep your most actively used
         environments cached, but allow testing environments to fall out of the
         cache and reduce memory usage. A value of 3 minutes (3m) is a reasonable
-        value. This option requires setting `environment_timeout_mode` to
-        `from_last_used`.
+        value.
 
       Once you set `environment_timeout` to a non-zero value, you need to tell
       Puppet server to read new code from disk using the `environment-cache` API
       endpoint after you deploy new code. See the docs for the Puppet Server
       [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
-      ",
-      :hook => proc do |val|
-        if Puppet[:environment_timeout_mode] == :from_created
-          unless [0, 'unlimited', Float::INFINITY].include?(val)
-            Puppet.deprecation_warning("Evicting environments based on their creation time is deprecated, please set `environment_timeout_mode` to `from_last_used` instead.")
-          end
-        end
-      end
-    },
-    :environment_timeout_mode => {
-      :default => :from_created,
-      :type    => :symbolic_enum,
-      :values  => [:from_created, :from_last_used],
-      :desc => "How Puppet interprets the `environment_timeout` setting when
-      `environment_timeout` is neither `0` nor `unlimited`. If set to
-      `from_created`, then the environment will be evicted `environment_timeout`
-      seconds from when it was created. If set to `from_last_used` then the
-      environment will be evicted `environment_timeout` seconds from when it
-      was last used."
+      "
     },
     :environment_data_provider => {
       :desc       => "The name of a registered environment data provider used when obtaining environment
@@ -822,7 +793,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
-        [auth.conf](https://puppet.com/docs/puppet/latest/config_file_auth.html).
+        Puppet Server's [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).
         In most cases, it is also used as the node's name when matching
         [node definitions](https://puppet.com/docs/puppet/latest/lang_node_definitions.html)
         and requesting data from an ENC. (This can be changed with the `node_name_value`
@@ -837,9 +808,9 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
           only use lowercase letters, numbers, periods, underscores, and dashes. (That is,
           it should match `/\A[a-z0-9._-]+\Z/`.)
         * The special value `ca` is reserved, and can't be used as the certname
-          for a normal node.         
+          for a normal node.
 
-          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
+          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
 
         Defaults to the node's fully qualified domain name.",
       :call_hook => :on_initialize_and_write,
@@ -972,13 +943,13 @@ EOT
         Generally unused."
     },
     :hostcsr => {
-      :default => "$ssldir/csr_$certname.pem",
+      :default => "$requestdir/$certname.pem",
       :type   => :file,
       :mode => "0644",
       :owner => "service",
       :group => "service",
-      :deprecated  => :completely,
-      :desc => "This setting is deprecated."
+      :desc => "Where individual hosts store their certificate request (CSR)
+         while waiting for the CA to issue their certificate."
     },
     :hostcert => {
       :default => "$certdir/$certname.pem",
@@ -1029,29 +1000,6 @@ EOT
         puppet module tool and the 'http' report processor. This setting is ignored when
         making requests to puppet:// URLs such as catalog and report requests.",
     },
-    :ssl_client_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be
-        considered authentic unless they possess a certificate issued by an authority
-        listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used.",
-      :hook => proc do |val|
-        Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
-      end
-    },
-    :ssl_server_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :deprecated  => :completely,
-      :desc => "The setting is deprecated and has no effect. Ensure all root and
-        intermediate certificate authorities used to issue client certificates are
-        contained in the server's `cacert` file on the server."
-    },
     :hostcrl => {
       :default => "$ssldir/crl.pem",
       :type   => :file,
@@ -1142,7 +1090,7 @@ EOT
       :desc    => "The name to use the Certificate Authority certificate.",
     },
     :cadir => {
-      :default => "$ssldir/ca",
+      :default => lambda { default_cadir },
       :type => :directory,
       :desc => "The root directory for the certificate authority.",
     },
@@ -1373,6 +1321,7 @@ EOT
     },
     :masterport => {
       :default    => 8140,
+      :type       => :port,
       :desc       => "The default port puppet subcommands use to communicate
       with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
       overridden by more specific settings (see `ca_port`, `report_port`).",
@@ -1381,25 +1330,6 @@ EOT
       :type => :alias,
       :alias_for => :masterport
     },
-    :node_name => {
-      :default    => 'cert',
-      :type       => :enum,
-      :values     => ['cert', 'facter'],
-      :deprecated => :completely,
-      :hook       => proc { |val|
-        if val != 'cert'
-          Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
-        end
-      },
-      :desc       => "How the puppet master determines the client's identity
-      and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
-      in particular for determining which 'node' statement applies to the client.
-      Possible values are 'cert' (use the subject's CN in the client's
-      certificate) and 'facter' (use the hostname that the client
-      reported in its facts).
-
-      This setting is deprecated, please use explicit fact matching for classification.",
-    },
     :bucketdir => {
       :default => "$vardir/bucket",
       :type => :directory,
@@ -1408,15 +1338,6 @@ EOT
       :group => "service",
       :desc => "Where FileBucket files are stored."
     },
-    :rest_authconfig => {
-      :default    => "$confdir/auth.conf",
-      :type       => :file,
-      :deprecated  => :completely,
-      :desc       => "The configuration file that defines the rights to the different
-      rest indirections.  This can be used as a fine-grained authorization system for
-      `puppet master`.  The `puppet master` command is deprecated and Puppet Server
-      uses its own auth.conf that must be placed within its configuration directory.",
-    },
     :trusted_oid_mapping_file => {
       :default    => "$confdir/custom_trusted_oid_mapping.yaml",
       :type       => :file,
@@ -1519,23 +1440,7 @@ EOT
       :default    => "$confdir/fileserver.conf",
       :type       => :file,
       :desc       => "Where the fileserver configuration is stored.",
-    },
-    :strict_hostname_checking => {
-      :default    => true,
-      :type       => :boolean,
-      :desc       => "Whether to only search for the complete
-        hostname as it is in the certificate when searching for node information
-        in the catalogs or to match dot delimited segments of the cert's certname
-        and the hostname, fqdn, and/or domain facts.
-
-        This setting is deprecated and will be removed in a future release.",
-      :hook => proc { |val|
-        if val != true
-          Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
-        end
-      }
-    }
-  )
+    })
 
   settings.define_settings(:device,
     :devicedir =>  {
@@ -1557,17 +1462,15 @@ EOT
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
         makes to the master. WARNING: This setting is mutually exclusive with
-        node_name_fact.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_value for more information."
+        node_name_fact.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html)."
     },
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
         makes to the master. WARNING: This setting is mutually exclusive with
-        node_name_value.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_fact for more information.",
+        node_name_value.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).",
       :hook => proc do |value|
         if !value.empty? and Puppet[:node_name_value] != Puppet[:certname]
           raise "Cannot specify both the node_name_value and node_name_fact settings"
@@ -1665,8 +1568,8 @@ EOT
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of puppet master servers to which the puppet agent should connect,
-        in the order that they will be tried.",
+      :desc => "The list of Puppet master servers to which the Puppet agent should connect,
+        in the order that they will be tried. Each value should be a fully qualified domain name, followed by an optional ':' and port number. If a port is omitted, Puppet uses masterport for that host.",
     },
     :use_srv_records => {
       :default    => false,
@@ -1742,6 +1645,7 @@ EOT
     },
     :ca_port => {
       :default    => "$serverport",
+      :type       => :port,
       :desc       => "The port to use for the certificate authority.",
     },
     :preferred_serialization_format => {
@@ -1831,6 +1735,7 @@ EOT
     },
     :report_port => {
       :default  => "$serverport",
+      :type     => :port,
       :desc     => "The port to communicate with the report_server.",
     },
     :report => {
@@ -1860,10 +1765,16 @@ EOT
         for the node stored in puppetdb are current. However, this will double the fact
         submission load on puppetdb, so it is disabled by default.",
     },
+    :publicdir => {
+      :default  => nil,
+      :type     => :directory,
+      :mode     => "0755",
+      :desc     => "Where Puppet stores public files."
+    },
     :lastrunfile =>  {
-      :default  => "$statedir/last_run_summary.yaml",
+      :default  => "$publicdir/last_run_summary.yaml",
       :type     => :file,
-      :mode     => "0644",
+      :mode     => "0640",
       :desc     => "Where puppet agent stores the last run report summary in yaml format."
     },
     :lastrunreport =>  {
@@ -1943,7 +1854,7 @@ EOT
       :type     => :ttl,
       :desc     => "The maximum amount of time the puppet agent should wait for an
       already running puppet agent to finish before starting a new one. This is set by default to 1 minute.
-      A value of `unlimited` will cause puppet agent to wait indefinitely. 
+      A value of `unlimited` will cause puppet agent to wait indefinitely.
       #{AS_DURATION}",
     }
   )
@@ -2000,7 +1911,7 @@ EOT
         :desc     => "What files to ignore when pulling down plugins.",
     },
     :ignore_plugin_errors => {
-      :default    => true,
+      :default    => false,
       :type       => :boolean,
       :desc       => "Whether the puppet run should ignore errors during pluginsync. If the setting
         is false and there are errors during pluginsync, then the agent will abort the run and
@@ -2215,22 +2126,6 @@ EOT
       referencing variables that are explicitly set to undef).
     EOT
     },
-   :func3x_check => {
-     :default => true,
-     :type => :boolean,
-     :desc => <<-'EOT',
-       Causes validation of loaded legacy Ruby functions (3x API) to raise errors about illegal constructs that
-       could cause harm or that simply does not work. This flag is on by default. This flag is made available
-       so that the validation can be turned off in case the method of validation is faulty - if encountered, please
-       file a bug report.
-     EOT
-     :call_hook => :on_initialize_and_write,
-     :hook => proc do |value|
-       unless value
-         Puppet.deprecation_warning(_("The 'func3x_check' setting is deprecated and will be removed in a future release."))
-       end
-     end
-     },
   :tasks => {
     :default => false,
     :type => :boolean,