puppet 7.7.0 → 7.11.0

data/lib/puppet/configurer.rb

@@ -91,7 +91,7 @@ class Puppet::Configurer
 
         if result
           # don't use use cached catalog if it doesn't match server specified environment
-          if @node_environment && result.environment != @environment
+          if result.environment != @environment
             Puppet.err _("Not using cached catalog because its environment '%{catalog_env}' does not match '%{local_env}'") % { catalog_env: result.environment, local_env: @environment }
             return nil
           end
@@ -118,14 +118,105 @@ class Puppet::Configurer
       catalog = result.to_ral
       catalog.finalize
       catalog.retrieval_duration = duration
-      catalog.write_class_file
-      catalog.write_resource_file
+
+      if Puppet[:write_catalog_summary]
+        catalog.write_class_file
+        catalog.write_resource_file
+      end
     end
     options[:report].add_times(:convert_catalog, catalog_conversion_time) if options[:report]
 
     catalog
   end
 
+  def warn_number_of_facts(size, max_number)
+    Puppet.warning _("The current total number of facts: %{size} exceeds the number of facts limit: %{max_size}") % { size: size, max_size: max_number }
+  end
+
+  def warn_fact_name_length(name, max_length)
+    Puppet.warning _("Fact %{name} with length: '%{length}' exceeds the length limit: %{limit}") % { name: name, length: name.to_s.bytesize, limit: max_length }
+  end
+
+  def warn_number_of_top_level_facts(size, max_number)
+    Puppet.warning _("The current number of top level facts: %{size} exceeds the top facts limit: %{max_size}") % { size: size, max_size: max_number }
+  end
+
+  def warn_fact_value_length(value, max_length)
+    Puppet.warning _("Fact value '%{value}' with the value length: '%{length}' exceeds the value length limit: %{max_length}") % { value: value, length:value.to_s.bytesize, max_length: max_length }
+  end
+
+  def warn_fact_payload_size(payload, max_size)
+    Puppet.warning _("Payload with the current size of: '%{payload}' exceeds the payload size limit: %{max_size}") % { payload: payload, max_size: max_size }
+  end
+
+  def check_fact_name_length(name, number_of_dots)
+    max_length = Puppet[:fact_name_length_soft_limit]
+    return if max_length.zero?
+
+    # rough byte size estimations of fact path as a postgresql btree index 
+    size_as_btree_index = 8 + (number_of_dots * 2) + name.to_s.bytesize
+    warn_fact_name_length(name, max_length) if size_as_btree_index > max_length
+  end
+
+  def check_fact_values_length(values)
+    max_length = Puppet[:fact_value_length_soft_limit]
+    return if max_length.zero?
+
+    warn_fact_value_length(values, max_length) if values.to_s.bytesize > max_length
+  end
+
+  def check_top_level_number_limit(size)
+    max_size = Puppet[:top_level_facts_soft_limit]
+    return if max_size.zero?
+
+    warn_number_of_top_level_facts(size, max_size) if size > max_size
+  end
+
+  def check_total_number_limit(size)
+    max_size = Puppet[:number_of_facts_soft_limit]
+    return if max_size.zero?
+
+    warn_number_of_facts(size, max_size) if size > max_size
+  end
+
+  def check_payload_size(payload)
+    max_size = Puppet[:payload_soft_limit]
+    return if max_size.zero?
+
+    warn_fact_payload_size(payload, max_size) if payload > max_size
+    Puppet.debug _("The size of the payload is %{payload}") % {payload: payload}
+  end
+
+  def parse_fact_name_and_value_limits(object, path = [])
+    case object
+    when Hash
+      object.each do |key, value|
+        path.push(key)
+        parse_fact_name_and_value_limits(value, path)
+        path.pop
+        @number_of_facts += 1
+      end
+    when Array
+      object.each_with_index do |e, idx|
+        path.push(idx)
+        parse_fact_name_and_value_limits(e, path)
+        path.pop
+      end
+    else
+      check_fact_name_length(path.join(), path.size)
+      check_fact_values_length(object)
+    end
+  end
+
+  def check_facts_limits(facts)
+    @number_of_facts = 0
+    check_top_level_number_limit(facts.size)
+
+    parse_fact_name_and_value_limits(facts)
+    check_total_number_limit(@number_of_facts)
+    Puppet.debug _("The total number of facts registered is %{number_of_facts}") % {number_of_facts: @number_of_facts}
+  end
+
   def get_facts(options)
     if options[:pluginsync]
       plugin_sync_time = thinmark do
@@ -148,7 +239,9 @@ class Puppet::Configurer
       # facts_for_uploading may set Puppet[:node_name_value] as a side effect
       facter_time = thinmark do
         facts = find_facts
+        check_facts_limits(facts.to_data_hash['values'])
         facts_hash = encode_facts(facts) # encode for uploading # was: facts_for_uploading
+        check_payload_size(facts_hash[:facts].bytesize)
       end
       options[:report].add_times(:fact_generation, facter_time) if options[:report]
     end
@@ -255,6 +348,7 @@ class Puppet::Configurer
 
   def run_internal(options)
     report = options[:report]
+    report.initial_environment = Puppet[:environment]
 
     if options[:start_time]
       startup_time = Time.now - options[:start_time]
@@ -294,53 +388,18 @@ class Puppet::Configurer
       configured_environment = Puppet[:environment] if Puppet.settings.set_by_config?(:environment)
 
       # We only need to find out the environment to run in if we don't already have a catalog
-      unless (cached_catalog || options[:catalog] || Puppet[:strict_environment_mode])
-        begin
-          node = nil
-          node_retr_time = thinmark do
-            node = Puppet::Node.indirection.find(Puppet[:node_name_value],
-              :environment => Puppet::Node::Environment.remote(@environment),
-              :configured_environment => configured_environment,
-              :ignore_cache => true,
-              :transaction_uuid => @transaction_uuid,
-              :fail_on_404 => true)
-          end
-          options[:report].add_times(:node_retrieval, node_retr_time)
-
-          if node
-            # If we have deserialized a node from a rest call, we want to set
-            # an environment instance as a simple 'remote' environment reference.
-            if !node.has_environment_instance? && node.environment_name
-              node.environment = Puppet::Node::Environment.remote(node.environment_name)
-            end
-
-            @node_environment = node.environment.to_s
-
-            if node.environment.to_s != @environment
-              Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: node.environment }
-              @environment = node.environment.to_s
-              report.environment = @environment
-              query_options = nil
-              facts = nil
-
-              new_env = Puppet::Node::Environment.remote(@environment)
-              Puppet.push_context(
-                {
-                  current_environment: new_env,
-                  loaders: Puppet::Pops::Loaders.new(new_env, true)
-                },
-                "Local node environment #{@environment} for configurer transaction"
-              )
-            else
-              Puppet.info _("Using configured environment '%{env}'") % { env: @environment }
-            end
-          end
-        rescue StandardError => detail
-          Puppet.warning(_("Unable to fetch my node definition, but the agent run will continue:"))
-          Puppet.warning(detail)
+      unless (cached_catalog || options[:catalog] || Puppet.settings.set_by_cli?(:environment) || Puppet[:strict_environment_mode])
+        Puppet.debug(_("Environment not passed via CLI and no catalog was given, attempting to find out the last server-specified environment"))
+        if last_server_specified_environment
+          @environment = last_server_specified_environment
+          report.environment = last_server_specified_environment
+        else
+          Puppet.debug(_("Could not find a usable environment in the lastrunfile. Either the file does not exist, does not have the required keys, or the values of 'initial_environment' and 'converged_environment' are identical."))
         end
       end
 
+      Puppet.info _("Using environment '%{env}'") % { env: @environment }
+
       # This is to maintain compatibility with anyone using this class
       # aside from agent, apply, device.
       unless Puppet.lookup(:loaders) { nil }
@@ -354,9 +413,15 @@ class Puppet::Configurer
         )
       end
 
+      temp_value = options[:pluginsync]
+
+      # only validate server environment if pluginsync is requested
+      options[:pluginsync] = valid_server_environment? if options[:pluginsync] == true
+
       query_options, facts = get_facts(options) unless query_options
+      options[:pluginsync] = temp_value
+
       query_options[:configured_environment] = configured_environment
-      options[:convert_for_node] = node
 
       catalog = prepare_and_retrieve_catalog(cached_catalog, facts, options, query_options)
       unless catalog
@@ -381,6 +446,15 @@ class Puppet::Configurer
         @environment = catalog.environment
         report.environment = @environment
 
+        new_env = Puppet::Node::Environment.remote(@environment)
+        Puppet.push_context(
+          {
+            :current_environment => new_env,
+            :loaders => Puppet::Pops::Loaders.new(new_env, true)
+          },
+          "Local node environment #{@environment} for configurer transaction"
+        )
+
         query_options, facts = get_facts(options)
         query_options[:configured_environment] = configured_environment
 
@@ -454,6 +528,25 @@ class Puppet::Configurer
   end
   private :run_internal
 
+  def valid_server_environment?
+    session = Puppet.lookup(:http_session)
+    begin
+      fs = session.route_to(:fileserver)
+      fs.get_file_metadatas(path: URI(Puppet[:pluginsource]).path, recurse: :false, environment: @environment)
+      true
+    rescue Puppet::HTTP::ResponseError => detail
+      if detail.response.code == 404
+        Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+      else
+        Puppet.log_exception(detail, detail.message)
+      end
+      false
+    rescue => detail
+      Puppet.log_exception(detail, detail.message)
+      false
+    end
+  end
+
   def find_functional_server
     begin
       session = Puppet.lookup(:http_session)
@@ -470,10 +563,35 @@ class Puppet::Configurer
   end
   private :find_functional_server
 
+  def last_server_specified_environment
+    return @last_server_specified_environment if @last_server_specified_environment
+    if Puppet::FileSystem.exist?(Puppet[:lastrunfile])
+      summary = Puppet::Util::Yaml.safe_load_file(Puppet[:lastrunfile])
+      return unless summary.dig('application', 'run_mode') == 'agent'
+      initial_environment = summary.dig('application', 'initial_environment')
+      converged_environment = summary.dig('application', 'converged_environment')
+      @last_server_specified_environment = converged_environment if initial_environment != converged_environment
+    end
+
+    Puppet.debug(_("Found last server-specified environment: %{environment}") % { environment: @last_server_specified_environment }) if @last_server_specified_environment
+    @last_server_specified_environment
+  rescue => detail
+    Puppet.debug(_("Could not find last server-specified environment: %{detail}") % { detail: detail })
+    nil
+  end
+  private :last_server_specified_environment
+
   def send_report(report)
     puts report.summary if Puppet[:summarize]
     save_last_run_summary(report)
-    Puppet::Transaction::Report.indirection.save(report, nil, :environment => Puppet::Node::Environment.remote(@environment)) if Puppet[:report]
+    if Puppet[:report]
+      remote = Puppet::Node::Environment.remote(@environment)
+      begin
+        Puppet::Transaction::Report.indirection.save(report, nil, ignore_cache: true, environment: remote)
+      ensure
+        Puppet::Transaction::Report.indirection.save(report, nil, ignore_terminus: true, environment: remote)
+      end
+    end
   rescue => detail
     Puppet.log_exception(detail, _("Could not send report: %{detail}") % { detail: detail })
   end
@@ -496,7 +614,7 @@ class Puppet::Configurer
   # @return [false] If an exception is raised during fact generation or
   #   submission.
   def resubmit_facts
-    ::Facter.clear
+    Puppet.runtime[:facter].clear
     facts = find_facts
 
     client = Puppet.runtime[:http]
@@ -558,6 +676,7 @@ class Puppet::Configurer
           # don't update cache until after environment converges
           :ignore_cache_save => true,
           :environment       => Puppet::Node::Environment.remote(@environment),
+          :check_environment => true,
           :fail_on_404       => true,
           :facts_for_catalog => facts
         )

data/lib/puppet/confine/variable.rb

@@ -18,7 +18,7 @@ class Puppet::Confine::Variable < Puppet::Confine
 
   # Retrieve the value from facter
   def facter_value
-    @facter_value ||= ::Facter.value(name).to_s.downcase
+    @facter_value ||= Puppet.runtime[:facter].value(name).to_s.downcase
   end
 
   def initialize(values)

data/lib/puppet/defaults.rb

@@ -3,7 +3,7 @@ require_relative '../puppet/util/platform'
 module Puppet
 
   def self.default_diffargs
-    if (Facter.value(:kernel) == "AIX" && Facter.value(:kernelmajversion) == "5300")
+    if (Puppet.runtime[:facter].value(:kernel) == "AIX" && Puppet.runtime[:facter].value(:kernelmajversion) == "5300")
       ""
     else
       "-u"
@@ -199,7 +199,7 @@ module Puppet
 
         The strictness level is for both language semantics and runtime
         evaluation validation. In addition to controlling the behavior with
-        this master switch some individual warnings may also be controlled
+        this primary server switch some individual warnings may also be controlled
         by the disable_warnings setting.
 
         No new validations will be added to a micro (x.y.z) release,
@@ -243,7 +243,7 @@ module Puppet
           internal Ruby stack trace interleaved with Puppet function frames.",
         :hook     => proc do |value|
           # Enable or disable Facter's trace option too
-          Facter.trace(value) if Facter.respond_to? :trace
+          Puppet.runtime[:facter].trace(value)
         end
     },
     :puppet_trace => {
@@ -268,7 +268,7 @@ module Puppet
       :default    => true,
       :type       => :boolean,
       :desc       => "Whether to compile a [static catalog](https://puppet.com/docs/puppet/latest/static_catalogs.html#enabling-or-disabling-static-catalogs),
-        which occurs only on a Puppet Server master when the `code-id-command` and
+        which occurs only on Puppet Server when the `code-id-command` and
         `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
     :settings_catalog => {
@@ -391,13 +391,13 @@ module Puppet
         :default  => "production",
         :desc     => "The environment in which Puppet is running. For clients,
           such as `puppet agent`, this determines the environment itself, which
-          Puppet uses to find modules and much more. For servers, such as `puppet master`,
+          Puppet uses to find modules and much more. For servers, such as `puppet server`,
           this provides the default environment for nodes that Puppet knows nothing about.
 
           When defining an environment in the `[agent]` section, this refers to the
-          environment that the agent requests from the master. The environment doesn't
+          environment that the agent requests from the primary server. The environment doesn't
           have to exist on the local filesystem because the agent fetches it from the
-          master. This definition is used when running `puppet agent`.
+          primary server. This definition is used when running `puppet agent`.
 
           When defined in the `[user]` section, the environment refers to the path that
           Puppet uses to search for code and modules related to its execution. This
@@ -478,6 +478,7 @@ module Puppet
     },
     :maximum_uid => {
         :default  => 4294967290,
+        :type     => :integer,
         :desc     => "The maximum allowed UID.  Some platforms use negative UIDs
           but then ship with tools that do not know how to handle signed ints,
           so the UIDs show up as huge numbers that can then not be fed back into
@@ -615,6 +616,7 @@ module Puppet
     },
     :http_proxy_port => {
       :default    => 3128,
+      :type       => :port,
       :desc       => "The HTTP proxy port to use for outgoing connections",
     },
     :http_proxy_user => {
@@ -789,7 +791,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
     :certname => {
       :default => lambda { Puppet::Settings.default_certname.downcase },
       :desc => "The name to use when handling certificates. When a node
-        requests a certificate from the CA puppet master, it uses the value of the
+        requests a certificate from the CA Puppet Server, it uses the value of the
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
@@ -852,7 +854,7 @@ EOT
       :desc => <<EOT
 An optional file containing custom attributes to add to certificate signing
 requests (CSRs). You should ensure that this file does not exist on your CA
-puppet master; if it does, unwanted certificate extensions may leak into
+Puppet Server; if it does, unwanted certificate extensions may leak into
 certificates created with the `puppetserver ca generate` command.
 
 If present, this file must be a YAML hash containing a `custom_attributes` key
@@ -1141,7 +1143,7 @@ EOT
       :default => "$confdir/autosign.conf",
       :type => :autosign,
       :desc => "Whether (and how) to autosign certificate requests. This setting
-        is only relevant on a puppet master acting as a certificate authority (CA).
+        is only relevant on a Puppet Server acting as a certificate authority (CA).
 
         Valid values are true (autosigns all certificate requests; not recommended),
         false (disables autosigning certificates), or the absolute path to a file.
@@ -1152,7 +1154,7 @@ EOT
         file, it will be treated as a policy executable; otherwise, it will be
         treated as a config file.
 
-        If a custom policy executable is configured, the CA puppet master will run it
+        If a custom policy executable is configured, the CA Puppet Server will run it
         every time it receives a CSR. The executable will be passed the subject CN of the
         request _as a command line argument,_ and the contents of the CSR in PEM format
         _on stdin._ It should exit with a status of 0 if the cert should be autosigned
@@ -1197,6 +1199,7 @@ EOT
     },
     :keylength => {
       :default    => 4096,
+      :type       => :integer,
       :desc       => "The bit length of keys.",
     },
     :cert_inventory => {
@@ -1238,7 +1241,7 @@ EOT
     :manifest => {
       :default    => nil,
       :type       => :file_or_directory,
-      :desc       => "The entry-point manifest for puppet master. This can be one file
+      :desc       => "The entry-point manifest for the primary server. This can be one file
         or a directory of manifests to be evaluated in alphabetical order. Puppet manages
         this path as a directory if one exists or if the path ends with a / or \\.
 
@@ -1418,15 +1421,17 @@ EOT
         their names should be comma-separated, with whitespace allowed. (For example,
         `reports = http, store`.)
 
-        This setting is relevant to puppet master and puppet apply. The puppet
-        master will call these report handlers with the reports it receives from
+        This setting is relevant to puppet server and puppet apply. The primary Puppet
+        server will call these report handlers with the reports it receives from
         agent nodes, and puppet apply will call them with its own report. (In
         all cases, the node applying the catalog must have `report = true`.)
 
         See the report reference for information on the built-in report
         handlers; custom report handlers can also be loaded from modules.
         (Report handlers are loaded from the lib directory, at
-        `puppet/reports/NAME.rb`.)",
+        `puppet/reports/NAME.rb`.)
+
+        To turn off reports entirely, set this to `none`",
     },
     :reportdir => {
       :default => "$vardir/reports",
@@ -1469,14 +1474,14 @@ EOT
     :node_name_value => {
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_fact.  Changing this setting also requires changes to
         Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html)."
     },
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_value.  Changing this setting also requires changes to
         Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).",
       :hook => proc do |value|
@@ -1489,8 +1494,8 @@ EOT
       :default => "$statedir/state.yaml",
       :type => :file,
       :mode => "0640",
-      :desc => "Where puppet agent and puppet master store state associated
-        with the running configuration.  In the case of puppet master,
+      :desc => "Where Puppet agent and Puppet Server store state associated
+        with the running configuration.  In the case of Puppet Server,
         this file reflects the state discovered through interacting
         with clients."
     },
@@ -1527,6 +1532,12 @@ EOT
       :mode => "0750",
       :desc => "The directory in which serialized data is stored on the client."
     },
+    :write_catalog_summary => {
+      :default => true,
+      :type => :boolean,
+      :desc => "Whether to write the `classfile` and `resourcefile` after applying
+        the catalog. It is enabled by default, except when running `puppet apply`.",
+    },
     :classfile => {
       :default => "$statedir/classes.txt",
       :type => :file,
@@ -1553,11 +1564,11 @@ EOT
         the POSIX syslog service and the Windows Event Log are unavailable. (Currently,
         no supported operating systems match that description.)
 
-        Despite the name, both puppet agent and puppet master will use this file
+        Despite the name, both puppet agent and puppet server will use this file
         as the fallback logging destination.
 
         For control over logging destinations, see the `--logdest` command line
-        option in the manual pages for puppet master, puppet agent, and puppet
+        option in the manual pages for puppet server, puppet agent, and puppet
         apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
         or read them online at https://puppet.com/docs/puppet/latest/man/."
     },
@@ -1571,12 +1582,12 @@ EOT
     },
     :server => {
       :default => "puppet",
-      :desc => "The puppet master server to which the puppet agent should connect.",
+      :desc => "The primary Puppet server to which the Puppet agent should connect.",
     },
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of Puppet master servers to which the Puppet agent should connect,
+      :desc => "The list of primary Puppet servers to which the Puppet agent should connect,
         in the order that they will be tried. Each value should be a fully qualified domain name, followed by an optional ':' and port number. If a port is omitted, Puppet uses masterport for that host.",
     },
     :use_srv_records => {
@@ -1591,7 +1602,7 @@ EOT
     :http_extra_headers => {
       :default => [],
       :type => :http_extra_headers,
-      :desc => "The list of extra headers that will be sent with http requests to the master.
+      :desc => "The list of extra headers that will be sent with http requests to the primary server.
       The header definition consists of a name and a value separated by a colon."
     },
     :ignoreschedules => {
@@ -1617,7 +1628,7 @@ EOT
         like it does when running normally. However, if a resource attribute is not in
         the desired state (as declared in the catalog), Puppet will take no
         action, and will instead report the changes it _would_ have made. These
-        simulated changes will appear in the report sent to the puppet master, or
+        simulated changes will appear in the report sent to the primary Puppet server, or
         be shown on the console if running puppet agent or puppet apply in the
         foreground. The simulated changes will not send refresh events to any
         subscribing or notified resources, although Puppet will log that a refresh
@@ -1684,13 +1695,38 @@ EOT
         new configurations, where you want to fix the broken configuration
         rather than reverting to a known-good one.",
     },
+    :fact_name_length_soft_limit => {
+      :default    => 2560,
+      :type       => :integer,
+      :desc       => "The soft limit for the length of a fact name.",
+    },
+    :fact_value_length_soft_limit => {
+      :default    => 4096,
+      :type       => :integer,
+      :desc       => "The soft limit for the length of a fact value.",
+    },
+    :top_level_facts_soft_limit => {
+      :default    => 512,
+      :type       => :integer,
+      :desc       => "The soft limit for the number of top level facts.",
+    },
+    :number_of_facts_soft_limit => {
+      :default    => 2048,
+      :type       => :integer,
+      :desc       => "The soft limit for the total number of facts.",
+    },
+    :payload_soft_limit => {
+      :default    => 16 * 1024 * 1024,
+      :type       => :integer,
+      :desc       => "The soft limit for the size of the payload.",
+    },
     :use_cached_catalog => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Whether to only use the cached catalog rather than compiling a new catalog
         on every run.  Puppet can be run with this enabled by default and then selectively
         disabled when a recompile is desired. Because a Puppet agent using cached catalogs
-        does not contact the master for a new catalog, it also does not upload facts at
+        does not contact the primary server for a new catalog, it also does not upload facts at
         the beginning of the Puppet run.",
     },
     :ignoremissingtypes => {
@@ -1698,7 +1734,7 @@ EOT
       :type       => :boolean,
       :desc       => "Skip searching for classes and definitions that were missing during a
         prior compilation. The list of missing objects is maintained per-environment and
-        persists until the environment is cleared or the master is restarted.",
+        persists until the environment is cleared or the primary server is restarted.",
     },
     :splaylimit => {
       :default    => "$runinterval",
@@ -1728,7 +1764,7 @@ EOT
         If you restart an agent's puppet service with `splay` enabled, it
         recalculates its splay period and delays its first agent run after
         restarting for this new period. If you simultaneously restart a group of
-        puppet agents with `splay` enabled, their checkins to your puppet masters
+        puppet agents with `splay` enabled, their checkins to your primary servers
         can be distributed more evenly.",
     },
     :clientbucketdir => {
@@ -1827,7 +1863,7 @@ EOT
 
       When starting for the first time, puppet agent will submit a certificate
       signing request (CSR) to the server named in the `ca_server` setting
-      (usually the puppet master); this may be autosigned, or may need to be
+      (usually the primary Puppet server); this may be autosigned, or may need to be
       approved by a human, depending on the CA server's configuration.
 
       Puppet agent cannot apply configurations until its approved certificate is
@@ -1941,7 +1977,7 @@ EOT
       :call_hook => :on_initialize_and_write, # Call our hook with the default value, so we always get the value added to facter.
       :hook => proc do |value|
         paths = value.split(File::PATH_SEPARATOR)
-        Facter.search(*paths)
+        Puppet.runtime[:facter].search(*paths)
       end
     }
   )
@@ -2021,6 +2057,7 @@ EOT
     },
     :ldapport => {
       :default  => 389,
+      :type     => :port,
       :desc     => "The LDAP port.",
     },
 
@@ -2104,6 +2141,7 @@ EOT
   settings.define_settings(:parser,
    :max_errors => {
      :default => 10,
+     :type => :integer,
      :desc => <<-'EOT'
        Sets the max number of logged/displayed parser validation errors in case
        multiple errors have been detected. A value of 0 is the same as a value of 1; a
@@ -2112,6 +2150,7 @@ EOT
    },
    :max_warnings => {
      :default => 10,
+     :type => :integer,
      :desc => <<-'EOT'
        Sets the max number of logged/displayed parser validation warnings in
        case multiple warnings have been detected. A value of 0 blocks logging of
@@ -2120,6 +2159,7 @@ EOT
      },
   :max_deprecations => {
     :default => 10,
+    :type => :integer,
     :desc => <<-'EOT'
       Sets the max number of logged/displayed parser validation deprecation
       warnings in case multiple deprecation warnings have been detected. A value of 0