puppet 6.25.0-x64-mingw32 → 7.0.0-x64-mingw32

data/lib/puppet/defaults.rb

@@ -3,7 +3,7 @@ require 'puppet/util/platform'
 module Puppet
 
   def self.default_diffargs
-    if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
+    if (Facter.value(:kernel) == "AIX" && Facter.value(:kernelmajversion) == "5300")
       ""
     else
       "-u"
@@ -11,25 +11,60 @@ module Puppet
   end
 
   def self.default_digest_algorithm
-    Puppet::Util::Platform.fips_enabled? ? 'sha256' : 'md5'
+    'sha256'
   end
 
   def self.valid_digest_algorithms
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.default_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha384 sha512 sha224] :
-      %w[md5 sha256 sha384 sha512 sha224]
+      %w[sha256 sha384 sha512 sha224 md5]
   end
 
   def self.valid_file_checksum_types
     Puppet::Util::Platform.fips_enabled? ?
       %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime] :
-      %w[md5 md5lite sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite mtime ctime]
+      %w[sha256 sha256lite sha384 sha512 sha224 sha1 sha1lite md5 md5lite mtime ctime]
+  end
+
+  def self.log_ca_migration_warning
+    urge_to_migrate = <<-UTM
+The cadir is currently configured to be inside the #{Puppet[:ssldir]} directory. This config
+setting and the directory location will not be used in a future version of puppet. Please run the
+puppetserver ca tool to migrate out from the puppet confdir to the /etc/puppetlabs/puppetserver/ca
+directory. Use `puppetserver ca migrate --help` for more info.
+UTM
+    Puppet.warn_once('deprecations',
+                     'CA migration message',
+                     urge_to_migrate,
+                     :default,
+                     :default)
+  end
+
+  def self.default_cadir
+    return "" if Puppet::Util::Platform.windows?
+    old_ca_dir = "#{Puppet[:ssldir]}/ca"
+    new_ca_dir = "/etc/puppetlabs/puppetserver/ca"
+
+    if File.exist?(old_ca_dir)
+      if File.symlink?(old_ca_dir)
+        target = File.readlink(old_ca_dir)
+        if target.start_with?(Puppet[:ssldir])
+          Puppet.log_ca_migration_warning
+        end
+        target
+      else
+        Puppet.log_ca_migration_warning
+        old_ca_dir
+      end
+    else
+      new_ca_dir
+    end
   end
 
   def self.default_basemodulepath
@@ -58,18 +93,6 @@ module Puppet
     end
   end
 
-  def self.default_cadir
-    return "" if Puppet::Util::Platform.windows?
-    old_ca_dir = "#{Puppet[:ssldir]}/ca"
-    new_ca_dir = '/etc/puppetlabs/puppetserver/ca'
-
-    if File.exist?("#{new_ca_dir}/ca_crt.pem")
-      new_ca_dir
-    else
-      old_ca_dir
-    end
-  end
-
   ############################################################################################
   # NOTE: For information about the available values for the ":type" property of settings,
   #   see the docs for Settings.define_settings
@@ -82,29 +105,6 @@ module Puppet
   # @return void
   def self.initialize_default_settings!(settings)
     settings.define_settings(:main,
-      :facterng => {
-        :default => false,
-        :type    => :boolean,
-        :desc    => 'Whether to enable a pre-Facter 4.0 release of Facter (distributed as
-          the "facter-ng" gem). This is not necessary if Facter 3.x or later is installed.
-          This setting is still experimental.',
-        :hook    => proc do |value|
-          value = munge(value)
-          if value && Puppet::Util::Package.versioncmp(Puppet.runtime[:facter].value('facterversion'), '4.0.0') < 0
-            begin
-              original_facter = Object.const_get(:Facter)
-              Object.send(:remove_const, :Facter)
-
-              require 'facter-ng'
-              # It is required to re-setup logger for facter-ng
-              Puppet::Util::Logging.setup_facter_logging!
-            rescue LoadError
-              Object.const_set(:Facter, original_facter)
-              raise ArgumentError, 'facter-ng could not be loaded'
-            end
-          end
-        end
-    },
     :confdir  => {
         :default  => nil,
         :type     => :directory,
@@ -218,7 +218,7 @@ module Puppet
 
         The strictness level is for both language semantics and runtime
         evaluation validation. In addition to controlling the behavior with
-        this primary server switch some individual warnings may also be controlled
+        this master switch some individual warnings may also be controlled
         by the disable_warnings setting.
 
         No new validations will be added to a micro (x.y.z) release,
@@ -231,7 +231,7 @@ module Puppet
       end
     },
     :disable_i18n => {
-      :default => false,
+      :default => true,
       :type    => :boolean,
       :desc    => "If true, turns off all translations of Puppet and module
         log messages, which affects error, warning, and info log messages,
@@ -262,7 +262,7 @@ module Puppet
           internal Ruby stack trace interleaved with Puppet function frames.",
         :hook     => proc do |value|
           # Enable or disable Facter's trace option too
-          Puppet.runtime[:facter].trace(value)
+          Facter.trace(value) if Facter.respond_to? :trace
         end
     },
     :puppet_trace => {
@@ -276,13 +276,6 @@ module Puppet
         :type     => :boolean,
         :desc     => "Whether to enable experimental performance profiling",
     },
-    :future_features => {
-      :default => false,
-      :type => :boolean,
-      :desc => "Whether or not to enable all features currently being developed for future
-        major releases of Puppet. Should be used with caution, as in development
-        features are experimental and can have unexpected effects."
-    },
     :versioned_environment_dirs => {
       :default => false,
       :type => :boolean,
@@ -294,9 +287,14 @@ module Puppet
       :default    => true,
       :type       => :boolean,
       :desc       => "Whether to compile a [static catalog](https://puppet.com/docs/puppet/latest/static_catalogs.html#enabling-or-disabling-static-catalogs),
-        which occurs only on Puppet Server when the `code-id-command` and
+        which occurs only on a Puppet Server master when the `code-id-command` and
         `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
+    :settings_catalog => {
+      :default    => true,
+      :type       => :boolean,
+      :desc       => "Whether to compile and apply the settings catalog",
+    },
     :strict_environment_mode => {
       :default    => false,
       :type       => :boolean,
@@ -412,13 +410,13 @@ module Puppet
         :default  => "production",
         :desc     => "The environment in which Puppet is running. For clients,
           such as `puppet agent`, this determines the environment itself, which
-          Puppet uses to find modules and much more. For servers, such as `puppet server`,
+          Puppet uses to find modules and much more. For servers, such as `puppet master`,
           this provides the default environment for nodes that Puppet knows nothing about.
 
           When defining an environment in the `[agent]` section, this refers to the
-          environment that the agent requests from the primary server. The environment doesn't
+          environment that the agent requests from the master. The environment doesn't
           have to exist on the local filesystem because the agent fetches it from the
-          primary server. This definition is used when running `puppet agent`.
+          master. This definition is used when running `puppet agent`.
 
           When defined in the `[user]` section, the environment refers to the path that
           Puppet uses to search for code and modules related to its execution. This
@@ -719,9 +717,8 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       A value of `0` will disable caching. This setting can also be set to
       `unlimited`, which will cache environments until the server is restarted
       or told to refresh the cache. All other values will result in Puppet
-      server evicting expired environments. The expiration time is computed
-      based on either when the environment was created or last accessed, see
-      `environment_timeout_mode`.
+      server evicting environments that haven't been used within the last
+      `environment_timeout` seconds.
 
       You should change this setting once your Puppet deployment is doing
       non-trivial work. We chose the default value of `0` because it lets new
@@ -734,32 +731,13 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
       * Setting this to a number that will keep your most actively used
         environments cached, but allow testing environments to fall out of the
         cache and reduce memory usage. A value of 3 minutes (3m) is a reasonable
-        value. This option requires setting `environment_timeout_mode` to
-        `from_last_used`.
+        value.
 
       Once you set `environment_timeout` to a non-zero value, you need to tell
       Puppet server to read new code from disk using the `environment-cache` API
       endpoint after you deploy new code. See the docs for the Puppet Server
       [administrative API](https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html).
-      ",
-      :hook => proc do |val|
-        if Puppet[:environment_timeout_mode] == :from_created
-          unless [0, 'unlimited', Float::INFINITY].include?(val)
-            Puppet.deprecation_warning("Evicting environments based on their creation time is deprecated, please set `environment_timeout_mode` to `from_last_used` instead.")
-          end
-        end
-      end
-    },
-    :environment_timeout_mode => {
-      :default => :from_created,
-      :type    => :symbolic_enum,
-      :values  => [:from_created, :from_last_used],
-      :desc => "How Puppet interprets the `environment_timeout` setting when
-      `environment_timeout` is neither `0` nor `unlimited`. If set to
-      `from_created`, then the environment will be evicted `environment_timeout`
-      seconds from when it was created. If set to `from_last_used` then the
-      environment will be evicted `environment_timeout` seconds from when it
-      was last used."
+      "
     },
     :environment_data_provider => {
       :desc       => "The name of a registered environment data provider used when obtaining environment
@@ -830,11 +808,11 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
     :certname => {
       :default => lambda { Puppet::Settings.default_certname.downcase },
       :desc => "The name to use when handling certificates. When a node
-        requests a certificate from the CA Puppet Server, it uses the value of the
+        requests a certificate from the CA puppet master, it uses the value of the
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
-        [auth.conf](https://puppet.com/docs/puppet/latest/config_file_auth.html).
+        Puppet Server's [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).
         In most cases, it is also used as the node's name when matching
         [node definitions](https://puppet.com/docs/puppet/latest/lang_node_definitions.html)
         and requesting data from an ENC. (This can be changed with the `node_name_value`
@@ -849,9 +827,9 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
           only use lowercase letters, numbers, periods, underscores, and dashes. (That is,
           it should match `/\A[a-z0-9._-]+\Z/`.)
         * The special value `ca` is reserved, and can't be used as the certname
-          for a normal node.         
+          for a normal node.
 
-          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
+          **Note:** You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes errors.
 
         Defaults to the node's fully qualified domain name.",
       :call_hook => :on_initialize_and_write,
@@ -878,8 +856,8 @@ names.
 **Note:** The list of alternate names is locked in when the server's
 certificate is signed. If you need to change the list later, you can't just
 change this setting; you also need to regenerate the certificate. For more
-information on that process, see the 
-[cert regen docs](https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html).
+information on that process, see the [cert regen docs]
+(https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html).
 
 To see all the alternate names your servers are using, log into your CA server
 and run `puppetserver ca list --all`, then check the output for `(alt names: ...)`.
@@ -893,7 +871,7 @@ EOT
       :desc => <<EOT
 An optional file containing custom attributes to add to certificate signing
 requests (CSRs). You should ensure that this file does not exist on your CA
-Puppet Server; if it does, unwanted certificate extensions may leak into
+puppet master; if it does, unwanted certificate extensions may leak into
 certificates created with the `puppetserver ca generate` command.
 
 If present, this file must be a YAML hash containing a `custom_attributes` key
@@ -984,13 +962,13 @@ EOT
         Generally unused."
     },
     :hostcsr => {
-      :default => "$ssldir/csr_$certname.pem",
+      :default => "$requestdir/$certname.pem",
       :type   => :file,
       :mode => "0644",
       :owner => "service",
       :group => "service",
-      :deprecated  => :completely,
-      :desc => "This setting is deprecated."
+      :desc => "Where individual hosts store their certificate request (CSR)
+         while waiting for the CA to issue their certificate."
     },
     :hostcert => {
       :default => "$certdir/$certname.pem",
@@ -1041,29 +1019,6 @@ EOT
         puppet module tool and the 'http' report processor. This setting is ignored when
         making requests to puppet:// URLs such as catalog and report requests.",
     },
-    :ssl_client_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :desc  => "Certificate authorities who issue server certificates.  SSL servers will not be
-        considered authentic unless they possess a certificate issued by an authority
-        listed in this file.  If this setting has no value then the Puppet master's CA
-        certificate (localcacert) will be used.",
-      :hook => proc do |val|
-        Puppet.deprecation_warning(_("Setting 'ssl_client_ca_auth' is deprecated."))
-      end
-    },
-    :ssl_server_ca_auth => {
-      :type  => :file,
-      :mode  => "0644",
-      :owner => "service",
-      :group => "service",
-      :deprecated  => :completely,
-      :desc => "The setting is deprecated and has no effect. Ensure all root and
-        intermediate certificate authorities used to issue client certificates are
-        contained in the server's `cacert` file on the server."
-    },
     :hostcrl => {
       :default => "$ssldir/crl.pem",
       :type   => :file,
@@ -1097,14 +1052,6 @@ EOT
           certificate revocation checking and does not attempt to download the CRL.
         EOT
     },
-    :ciphers => {
-      :default => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256',
-      :type => :string,
-      :desc => "The list of ciphersuites for TLS connections initiated by puppet. The
-                default value is chosen to support TLS 1.0 and up, but can be made
-                more restrictive if needed. The ciphersuites must be specified in OpenSSL
-                format, not IANA."
-    },
     :key_type => {
       :default => 'rsa',
       :type    => :enum,
@@ -1148,7 +1095,7 @@ EOT
       :type      => :string,
       :desc      => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
       service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
-      file. Multiple destinations can be set using a comma separated list (eg: `/path/file1,console,/path/file2`)"
+      file."
       # Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
       # unfortunately we have a large number of tests that rely on the logging not resetting itself when the
       # settings are initialized as they test what gets logged during settings initialization.
@@ -1165,6 +1112,13 @@ EOT
       :default => lambda { default_cadir },
       :type => :directory,
       :desc => "The root directory for the certificate authority.",
+      :call_hook => :on_initialize_and_write,
+      :hook => proc do |value|
+        if value.start_with?(Puppet[:ssldir])
+          Puppet.log_ca_migration_warning
+        end
+        value
+      end
     },
     :cacert => {
       :default => "$cadir/ca_crt.pem",
@@ -1205,7 +1159,7 @@ EOT
       :default => "$confdir/autosign.conf",
       :type => :autosign,
       :desc => "Whether (and how) to autosign certificate requests. This setting
-        is only relevant on a Puppet Server acting as a certificate authority (CA).
+        is only relevant on a puppet master acting as a certificate authority (CA).
 
         Valid values are true (autosigns all certificate requests; not recommended),
         false (disables autosigning certificates), or the absolute path to a file.
@@ -1216,7 +1170,7 @@ EOT
         file, it will be treated as a policy executable; otherwise, it will be
         treated as a config file.
 
-        If a custom policy executable is configured, the CA Puppet Server will run it
+        If a custom policy executable is configured, the CA puppet master will run it
         every time it receives a CSR. The executable will be passed the subject CN of the
         request _as a command line argument,_ and the contents of the CSR in PEM format
         _on stdin._ It should exit with a status of 0 if the cert should be autosigned
@@ -1302,7 +1256,7 @@ EOT
     :manifest => {
       :default    => nil,
       :type       => :file_or_directory,
-      :desc       => "The entry-point manifest for the primary server. This can be one file
+      :desc       => "The entry-point manifest for puppet master. This can be one file
         or a directory of manifests to be evaluated in alphabetical order. Puppet manages
         this path as a directory if one exists or if the path ends with a / or \\.
 
@@ -1391,34 +1345,25 @@ EOT
       by `puppet`, and should only be set if you're writing your own Puppet
       executable.",
     },
-    :masterport => {
+    :serverport => {
       :default    => 8140,
+      :type       => :port,
       :desc       => "The default port puppet subcommands use to communicate
       with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
       overridden by more specific settings (see `ca_port`, `report_port`).",
+      :hook       => proc do |value|
+        Puppet[:masterport] = value unless Puppet.settings.set_by_config?(:masterport)
+      end
     },
-    :serverport => {
-      :type => :alias,
-      :alias_for => :masterport
-    },
-    :node_name => {
-      :default    => 'cert',
-      :type       => :enum,
-      :values     => ['cert', 'facter'],
-      :deprecated => :completely,
-      :hook       => proc { |val|
-        if val != 'cert'
-          Puppet.deprecation_warning("The node_name setting is deprecated and will be removed in a future release.")
-        end
-      },
-      :desc       => "How the puppet master determines the client's identity
-      and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
-      in particular for determining which 'node' statement applies to the client.
-      Possible values are 'cert' (use the subject's CN in the client's
-      certificate) and 'facter' (use the hostname that the client
-      reported in its facts).
-
-      This setting is deprecated, please use explicit fact matching for classification.",
+    :masterport => {
+      :default    => "$serverport",
+      :type       => :port,
+      :desc       => "The default port puppet subcommands use to communicate
+      with Puppet Server. (eg `puppet facts upload`, `puppet agent`). May be
+      overridden by more specific settings (see `ca_port`, `report_port`).",
+      :hook => proc do |value|
+        Puppet[:serverport] = value unless Puppet.settings.set_by_config?(:serverport)
+      end
     },
     :bucketdir => {
       :default => "$vardir/bucket",
@@ -1428,15 +1373,6 @@ EOT
       :group => "service",
       :desc => "Where FileBucket files are stored."
     },
-    :rest_authconfig => {
-      :default    => "$confdir/auth.conf",
-      :type       => :file,
-      :deprecated  => :completely,
-      :desc       => "The configuration file that defines the rights to the different
-      rest indirections.  This can be used as a fine-grained authorization system for
-      `puppet master`.  The `puppet master` command is deprecated and Puppet Server
-      uses its own auth.conf that must be placed within its configuration directory.",
-    },
     :trusted_oid_mapping_file => {
       :default    => "$confdir/custom_trusted_oid_mapping.yaml",
       :type       => :file,
@@ -1509,17 +1445,15 @@ EOT
         their names should be comma-separated, with whitespace allowed. (For example,
         `reports = http, store`.)
 
-        This setting is relevant to puppet server and puppet apply. The primary Puppet
-        server will call these report handlers with the reports it receives from
+        This setting is relevant to puppet master and puppet apply. The puppet
+        master will call these report handlers with the reports it receives from
         agent nodes, and puppet apply will call them with its own report. (In
         all cases, the node applying the catalog must have `report = true`.)
 
         See the report reference for information on the built-in report
         handlers; custom report handlers can also be loaded from modules.
         (Report handlers are loaded from the lib directory, at
-        `puppet/reports/NAME.rb`.)
-
-        To turn off reports entirely, set this to `none`",
+        `puppet/reports/NAME.rb`.)",
     },
     :reportdir => {
       :default => "$vardir/reports",
@@ -1541,23 +1475,7 @@ EOT
       :default    => "$confdir/fileserver.conf",
       :type       => :file,
       :desc       => "Where the fileserver configuration is stored.",
-    },
-    :strict_hostname_checking => {
-      :default    => true,
-      :type       => :boolean,
-      :desc       => "Whether to only search for the complete
-        hostname as it is in the certificate when searching for node information
-        in the catalogs or to match dot delimited segments of the cert's certname
-        and the hostname, fqdn, and/or domain facts.
-
-        This setting is deprecated and will be removed in a future release.",
-      :hook => proc { |val|
-        if val != true
-          Puppet.deprecation_warning("Setting strict_hostname_checking to false is deprecated and will be removed in a future release. Please use regular expressions in your node declarations or explicit fact matching for classification (though be warned that fact based classification may be considered insecure).")
-        end
-      }
-    }
-  )
+    })
 
   settings.define_settings(:device,
     :devicedir =>  {
@@ -1578,18 +1496,16 @@ EOT
     :node_name_value => {
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
-        makes to the primary server. WARNING: This setting is mutually exclusive with
-        node_name_fact.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_value for more information."
+        makes to the master. WARNING: This setting is mutually exclusive with
+        node_name_fact.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html)."
     },
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
-        makes to the primary server. WARNING: This setting is mutually exclusive with
-        node_name_value.  Changing this setting also requires changes to the default
-        auth.conf configuration on the Puppet Master.  Please see
-        http://links.puppet.com/node_name_fact for more information.",
+        makes to the master. WARNING: This setting is mutually exclusive with
+        node_name_value.  Changing this setting also requires changes to
+        Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).",
       :hook => proc do |value|
         if !value.empty? and Puppet[:node_name_value] != Puppet[:certname]
           raise "Cannot specify both the node_name_value and node_name_fact settings"
@@ -1600,8 +1516,8 @@ EOT
       :default => "$statedir/state.yaml",
       :type => :file,
       :mode => "0640",
-      :desc => "Where Puppet agent and Puppet Server store state associated
-        with the running configuration.  In the case of Puppet Server,
+      :desc => "Where puppet agent and puppet master store state associated
+        with the running configuration.  In the case of puppet master,
         this file reflects the state discovered through interacting
         with clients."
     },
@@ -1638,12 +1554,6 @@ EOT
       :mode => "0750",
       :desc => "The directory in which serialized data is stored on the client."
     },
-    :write_catalog_summary => {
-      :default => true,
-      :type => :boolean,
-      :desc => "Whether to write the `classfile` and `resourcefile` after applying
-        the catalog. It is enabled by default, except when running `puppet apply`.",
-    },
     :classfile => {
       :default => "$statedir/classes.txt",
       :type => :file,
@@ -1670,11 +1580,11 @@ EOT
         the POSIX syslog service and the Windows Event Log are unavailable. (Currently,
         no supported operating systems match that description.)
 
-        Despite the name, both puppet agent and puppet server will use this file
+        Despite the name, both puppet agent and puppet master will use this file
         as the fallback logging destination.
 
         For control over logging destinations, see the `--logdest` command line
-        option in the manual pages for puppet server, puppet agent, and puppet
+        option in the manual pages for puppet master, puppet agent, and puppet
         apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
         or read them online at https://puppet.com/docs/puppet/latest/man/."
     },
@@ -1688,13 +1598,13 @@ EOT
     },
     :server => {
       :default => "puppet",
-      :desc => "The primary Puppet server to which the Puppet agent should connect.",
+      :desc => "The puppet master server to which the puppet agent should connect.",
     },
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of primary Puppet servers to which the Puppet agent should connect,
-        in the order that they will be tried.",
+      :desc => "The list of Puppet master servers to which the Puppet agent should connect,
+        in the order that they will be tried. Each value should be a fully qualified domain name, followed by an optional ':' and port number. If a port is omitted, Puppet uses masterport for that host.",
     },
     :use_srv_records => {
       :default    => false,
@@ -1708,7 +1618,7 @@ EOT
     :http_extra_headers => {
       :default => [],
       :type => :http_extra_headers,
-      :desc => "The list of extra headers that will be sent with http requests to the primary server.
+      :desc => "The list of extra headers that will be sent with http requests to the master.
       The header definition consists of a name and a value separated by a colon."
     },
     :ignoreschedules => {
@@ -1734,7 +1644,7 @@ EOT
         like it does when running normally. However, if a resource attribute is not in
         the desired state (as declared in the catalog), Puppet will take no
         action, and will instead report the changes it _would_ have made. These
-        simulated changes will appear in the report sent to the primary Puppet server, or
+        simulated changes will appear in the report sent to the puppet master, or
         be shown on the console if running puppet agent or puppet apply in the
         foreground. The simulated changes will not send refresh events to any
         subscribing or notified resources, although Puppet will log that a refresh
@@ -1770,6 +1680,7 @@ EOT
     },
     :ca_port => {
       :default    => "$serverport",
+      :type       => :port,
       :desc       => "The port to use for the certificate authority.",
     },
     :preferred_serialization_format => {
@@ -1788,7 +1699,7 @@ EOT
     },
     :agent_disabled_lockfile => {
         :default    => "$statedir/agent_disabled.lock",
-        :type       => :string,
+        :type       => :file,
         :desc       => "A lock file to indicate that puppet agent runs have been administratively
           disabled.  File contains a JSON object with state information.",
     },
@@ -1806,7 +1717,7 @@ EOT
       :desc       => "Whether to only use the cached catalog rather than compiling a new catalog
         on every run.  Puppet can be run with this enabled by default and then selectively
         disabled when a recompile is desired. Because a Puppet agent using cached catalogs
-        does not contact the primary server for a new catalog, it also does not upload facts at
+        does not contact the master for a new catalog, it also does not upload facts at
         the beginning of the Puppet run.",
     },
     :ignoremissingtypes => {
@@ -1814,7 +1725,7 @@ EOT
       :type       => :boolean,
       :desc       => "Skip searching for classes and definitions that were missing during a
         prior compilation. The list of missing objects is maintained per-environment and
-        persists until the environment is cleared or the primary server is restarted.",
+        persists until the environment is cleared or the master is restarted.",
     },
     :splaylimit => {
       :default    => "$runinterval",
@@ -1844,7 +1755,7 @@ EOT
         If you restart an agent's puppet service with `splay` enabled, it
         recalculates its splay period and delays its first agent run after
         restarting for this new period. If you simultaneously restart a group of
-        puppet agents with `splay` enabled, their checkins to your primary servers
+        puppet agents with `splay` enabled, their checkins to your puppet masters
         can be distributed more evenly.",
     },
     :clientbucketdir => {
@@ -1859,6 +1770,7 @@ EOT
     },
     :report_port => {
       :default  => "$serverport",
+      :type     => :port,
       :desc     => "The port to communicate with the report_server.",
     },
     :report => {
@@ -1888,10 +1800,16 @@ EOT
         for the node stored in puppetdb are current. However, this will double the fact
         submission load on puppetdb, so it is disabled by default.",
     },
+    :publicdir => {
+      :default  => nil,
+      :type     => :directory,
+      :mode     => "0755",
+      :desc     => "Where Puppet stores public files."
+    },
     :lastrunfile =>  {
-      :default  => "$statedir/last_run_summary.yaml",
+      :default  => "$publicdir/last_run_summary.yaml",
       :type     => :file,
-      :mode     => "0644",
+      :mode     => "0640",
       :desc     => "Where puppet agent stores the last run report summary in yaml format."
     },
     :lastrunreport =>  {
@@ -1936,7 +1854,7 @@ EOT
 
       When starting for the first time, puppet agent will submit a certificate
       signing request (CSR) to the server named in the `ca_server` setting
-      (usually the primary Puppet server); this may be autosigned, or may need to be
+      (usually the puppet master); this may be autosigned, or may need to be
       approved by a human, depending on the CA server's configuration.
 
       Puppet agent cannot apply configurations until its approved certificate is
@@ -1971,7 +1889,7 @@ EOT
       :type     => :ttl,
       :desc     => "The maximum amount of time the puppet agent should wait for an
       already running puppet agent to finish before starting a new one. This is set by default to 1 minute.
-      A value of `unlimited` will cause puppet agent to wait indefinitely. 
+      A value of `unlimited` will cause puppet agent to wait indefinitely.
       #{AS_DURATION}",
     }
   )
@@ -2028,7 +1946,7 @@ EOT
         :desc     => "What files to ignore when pulling down plugins.",
     },
     :ignore_plugin_errors => {
-      :default    => true,
+      :default    => false,
       :type       => :boolean,
       :desc       => "Whether the puppet run should ignore errors during pluginsync. If the setting
         is false and there are errors during pluginsync, then the agent will abort the run and
@@ -2050,7 +1968,7 @@ EOT
       :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter.
       :hook => proc do |value|
         paths = value.split(File::PATH_SEPARATOR)
-        Puppet.runtime[:facter].search(*paths)
+        Facter.search(*paths)
       end
     }
   )
@@ -2243,22 +2161,6 @@ EOT
       referencing variables that are explicitly set to undef).
     EOT
     },
-   :func3x_check => {
-     :default => true,
-     :type => :boolean,
-     :desc => <<-'EOT',
-       Causes validation of loaded legacy Ruby functions (3x API) to raise errors about illegal constructs that
-       could cause harm or that simply does not work. This flag is on by default. This flag is made available
-       so that the validation can be turned off in case the method of validation is faulty - if encountered, please
-       file a bug report.
-     EOT
-     :call_hook => :on_initialize_and_write,
-     :hook => proc do |value|
-       unless value
-         Puppet.deprecation_warning(_("The 'func3x_check' setting is deprecated and will be removed in a future release."))
-       end
-     end
-     },
   :tasks => {
     :default => false,
     :type => :boolean,