puppet 7.9.0 → 7.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3a94d69b4fdb82daece239f631857956cb724f3f4582f50ecbec6a79dc83082
-  data.tar.gz: 3deb923bf30984f5543826b11c49d03d8b055c2135790447729e914e58840344
+  metadata.gz: bb14045c978960e4e7b09aed6c3520ec4de726569117031ae3ba5bd96c2e077a
+  data.tar.gz: 47e721bc33f5564e98fc4b7bb6a4127e209b64efcb921cd5be3e5becd99ae76b
 SHA512:
-  metadata.gz: 9bcd1f23664896b430462ffc78a1fc63621017f76a96681f89e625685e58a2cc85ab06907b55320298864102c87f3bb621af73a057c63da8204927a6d7cabf84
-  data.tar.gz: a6f338d559652ebe22d656af5c6b4623a22bf69dea46bda83f676580b06595b5ed5fa02addb7b97bd1bafb4b332a53f4295d78ff02c2b08f593677055f9403dc
+  metadata.gz: b655140a24ba14e21ab4ae9b4587d450058e147cad7bf3670fb3a518359b8a5d1457ffe1d5adc1e655ffff3d1a89a0b2687a4713f07844f3110b5114f6969b2a
+  data.tar.gz: '02850db07816869af5f43502f101f6fbcc7d395522721f3181f4a0b75c5729edbe75a880e324de5079e4a5ae38d221439e6557adda107d99b17c5a0870f64ca7'

data/Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: git://github.com/puppetlabs/packaging
-  revision: 4d6d51947f44bfa2fc282658836c15f69672e757
+  revision: 804ad19a32455079917eaabd73fcec65078e8cee
   branch: 1.0.x
   specs:
-    packaging (0.99.78.4.g4d6d519)
+    packaging (0.99.79.2.g804ad19)
       artifactory (~> 2)
       csv (= 3.1.5)
       rake (>= 12.3)
@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    puppet (7.9.0)
+    puppet (7.10.0)
       CFPropertyList (~> 2.2)
       concurrent-ruby (~> 1.0)
       deep_merge (~> 1.0)
@@ -80,7 +80,7 @@ GEM
     public_suffix (4.0.6)
     puppet-resource_api (1.8.14)
       hocon (>= 1.0)
-    puppetserver-ca (2.2.0)
+    puppetserver-ca (2.3.1)
       facter (>= 2.0.1, < 5)
     racc (1.4.9)
     rainbow (2.2.2)
@@ -129,8 +129,8 @@ GEM
     thor (1.1.0)
     unicode-display_width (1.7.0)
     vcr (5.1.0)
-    webmock (3.13.0)
-      addressable (>= 2.3.6)
+    webmock (3.14.0)
+      addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
     yard (0.9.26)

data/{ext → examples}/nagios/check_puppet.rb

@@ -11,8 +11,8 @@ class CheckPuppet
 
   # default options
   OPTIONS = {
-    :statefile => "/var/lib/puppet/state/state.yaml",
-    :process   => "puppetd",
+    :statefile => "/opt/puppetlabs/puppet/cache/state/state.yaml",
+    :process   => "puppet",
     :interval  => 30,
   }
 

data/ext/README.md

@@ -0,0 +1,13 @@
+# `ext/` directory details 
+This directory contains files used internally when packaging [puppet](https://github.com/puppetlabs/puppet) and [puppet-agent](https://github.com/puppetlabs/puppet-agent)
+What follows is a more detailed description of each directory/file:
+* `debian/` - init scripts for puppet (used for Debian-based platforms that do not support systemd)
+* `hiera/hiera.yaml` - installed to `$codedir/environments/production`as a default Hiera configuration file
+* `osx/puppet.plist` - puppet launchd plist for macOS
+* `redhat/` -  init scripts for puppet (used for EL-based platforms that do not support systemd)
+* `solaris/smf/` - service manifests for Solaris 11
+* `suse/client.init` - init script for puppet (used for SUSE-based platforms that do not support systemd) 
+* `systemd/puppet.service` - systemd unit file for puppet
+* `windows/` - the puppet daemon for Windows, and other useful `.bat` helper wrappers
+* `build_defaults.yaml` - information pertaining to the puppetlabs build automation
+* `project_data.yaml` - information used when packaging the puppet gem

data/lib/puppet/configurer.rb

@@ -91,7 +91,7 @@ class Puppet::Configurer
 
         if result
           # don't use use cached catalog if it doesn't match server specified environment
-          if @node_environment && result.environment != @environment
+          if result.environment != @environment
             Puppet.err _("Not using cached catalog because its environment '%{catalog_env}' does not match '%{local_env}'") % { catalog_env: result.environment, local_env: @environment }
             return nil
           end
@@ -126,6 +126,94 @@ class Puppet::Configurer
     catalog
   end
 
+  def warn_number_of_facts(size, max_number)
+    Puppet.warning _("The current total number of facts: %{size} exceeds the number of facts limit: %{max_size}") % { size: size, max_size: max_number }
+  end
+
+  def warn_fact_name_length(name, max_length)
+    Puppet.warning _("Fact %{name} with length: '%{length}' exceeds the length limit: %{limit}") % { name: name, length: name.to_s.bytesize, limit: max_length }
+  end
+
+  def warn_number_of_top_level_facts(size, max_number)
+    Puppet.warning _("The current number of top level facts: %{size} exceeds the top facts limit: %{max_size}") % { size: size, max_size: max_number }
+  end
+
+  def warn_fact_value_length(value, max_length)
+    Puppet.warning _("Fact value '%{value}' with the value length: '%{length}' exceeds the value length limit: %{max_length}") % { value: value, length:value.to_s.bytesize, max_length: max_length }
+  end
+
+  def warn_fact_payload_size(payload, max_size)
+    Puppet.warning _("Payload with the current size of: '%{payload}' exceeds the payload size limit: %{max_size}") % { payload: payload, max_size: max_size }
+  end
+
+  def check_fact_name_length(name, number_of_dots)
+    max_length = Puppet[:fact_name_length_soft_limit]
+    return if max_length.zero?
+
+    # rough byte size estimations of fact path as a postgresql btree index 
+    size_as_btree_index = 8 + (number_of_dots * 2) + name.to_s.bytesize
+    warn_fact_name_length(name, max_length) if size_as_btree_index > max_length
+  end
+
+  def check_fact_values_length(values)
+    max_length = Puppet[:fact_value_length_soft_limit]
+    return if max_length.zero?
+
+    warn_fact_value_length(values, max_length) if values.to_s.bytesize > max_length
+  end
+
+  def check_top_level_number_limit(size)
+    max_size = Puppet[:top_level_facts_soft_limit]
+    return if max_size.zero?
+
+    warn_number_of_top_level_facts(size, max_size) if size > max_size
+  end
+
+  def check_total_number_limit(size)
+    max_size = Puppet[:number_of_facts_soft_limit]
+    return if max_size.zero?
+
+    warn_number_of_facts(size, max_size) if size > max_size
+  end
+
+  def check_payload_size(payload)
+    max_size = Puppet[:payload_soft_limit]
+    return if max_size.zero?
+
+    warn_fact_payload_size(payload, max_size) if payload > max_size
+    Puppet.debug _("The size of the payload is %{payload}") % {payload: payload}
+  end
+
+  def parse_fact_name_and_value_limits(object, path = [])
+    case object
+    when Hash
+      object.each do |key, value|
+        path.push(key)
+        parse_fact_name_and_value_limits(value, path)
+        path.pop
+        @number_of_facts += 1
+      end
+    when Array
+      object.each_with_index do |e, idx|
+        path.push(idx)
+        parse_fact_name_and_value_limits(e, path)
+        path.pop
+      end
+    else
+      check_fact_name_length(path.join(), path.size)
+      check_fact_values_length(object)
+    end
+  end
+
+  def check_facts_limits(facts)
+    @number_of_facts = 0
+    check_top_level_number_limit(facts.size)
+
+    parse_fact_name_and_value_limits(facts)
+    check_total_number_limit(@number_of_facts)
+    Puppet.debug _("The total number of facts registered is %{number_of_facts}") % {number_of_facts: @number_of_facts}
+  end
+
   def get_facts(options)
     if options[:pluginsync]
       plugin_sync_time = thinmark do
@@ -148,7 +236,9 @@ class Puppet::Configurer
       # facts_for_uploading may set Puppet[:node_name_value] as a side effect
       facter_time = thinmark do
         facts = find_facts
+        check_facts_limits(facts.to_data_hash['values'])
         facts_hash = encode_facts(facts) # encode for uploading # was: facts_for_uploading
+        check_payload_size(facts_hash[:facts].bytesize)
       end
       options[:report].add_times(:fact_generation, facter_time) if options[:report]
     end
@@ -255,6 +345,7 @@ class Puppet::Configurer
 
   def run_internal(options)
     report = options[:report]
+    report.initial_environment = Puppet[:environment]
 
     if options[:start_time]
       startup_time = Time.now - options[:start_time]
@@ -294,53 +385,18 @@ class Puppet::Configurer
       configured_environment = Puppet[:environment] if Puppet.settings.set_by_config?(:environment)
 
       # We only need to find out the environment to run in if we don't already have a catalog
-      unless (cached_catalog || options[:catalog] || Puppet[:strict_environment_mode])
-        begin
-          node = nil
-          node_retr_time = thinmark do
-            node = Puppet::Node.indirection.find(Puppet[:node_name_value],
-              :environment => Puppet::Node::Environment.remote(@environment),
-              :configured_environment => configured_environment,
-              :ignore_cache => true,
-              :transaction_uuid => @transaction_uuid,
-              :fail_on_404 => true)
-          end
-          options[:report].add_times(:node_retrieval, node_retr_time)
-
-          if node
-            # If we have deserialized a node from a rest call, we want to set
-            # an environment instance as a simple 'remote' environment reference.
-            if !node.has_environment_instance? && node.environment_name
-              node.environment = Puppet::Node::Environment.remote(node.environment_name)
-            end
-
-            @node_environment = node.environment.to_s
-
-            if node.environment.to_s != @environment
-              Puppet.notice _("Local environment: '%{local_env}' doesn't match server specified node environment '%{node_env}', switching agent to '%{node_env}'.") % { local_env: @environment, node_env: node.environment }
-              @environment = node.environment.to_s
-              report.environment = @environment
-              query_options = nil
-              facts = nil
-
-              new_env = Puppet::Node::Environment.remote(@environment)
-              Puppet.push_context(
-                {
-                  current_environment: new_env,
-                  loaders: Puppet::Pops::Loaders.new(new_env, true)
-                },
-                "Local node environment #{@environment} for configurer transaction"
-              )
-            else
-              Puppet.info _("Using configured environment '%{env}'") % { env: @environment }
-            end
-          end
-        rescue StandardError => detail
-          Puppet.warning(_("Unable to fetch my node definition, but the agent run will continue:"))
-          Puppet.warning(detail)
+      unless (cached_catalog || options[:catalog] || Puppet.settings.set_by_cli?(:environment) || Puppet[:strict_environment_mode])
+        Puppet.debug(_("Environment not passed via CLI and no catalog was given, attempting to find out the last server-specified environment"))
+        if last_server_specified_environment
+          @environment = last_server_specified_environment
+          report.environment = last_server_specified_environment
+        else
+          Puppet.debug(_("Could not find a usable environment in the lastrunfile. Either the file does not exist, does not have the required keys, or the values of 'initial_environment' and 'converged_environment' are identical."))
         end
       end
 
+      Puppet.info _("Using environment '%{env}'") % { env: @environment }
+
       # This is to maintain compatibility with anyone using this class
       # aside from agent, apply, device.
       unless Puppet.lookup(:loaders) { nil }
@@ -354,9 +410,15 @@ class Puppet::Configurer
         )
       end
 
+      temp_value = options[:pluginsync]
+
+      # only validate server environment if pluginsync is requested
+      options[:pluginsync] = valid_server_environment? if options[:pluginsync] == true
+
       query_options, facts = get_facts(options) unless query_options
+      options[:pluginsync] = temp_value
+
       query_options[:configured_environment] = configured_environment
-      options[:convert_for_node] = node
 
       catalog = prepare_and_retrieve_catalog(cached_catalog, facts, options, query_options)
       unless catalog
@@ -381,6 +443,15 @@ class Puppet::Configurer
         @environment = catalog.environment
         report.environment = @environment
 
+        new_env = Puppet::Node::Environment.remote(@environment)
+        Puppet.push_context(
+          {
+            :current_environment => new_env,
+            :loaders => Puppet::Pops::Loaders.new(new_env, true)
+          },
+          "Local node environment #{@environment} for configurer transaction"
+        )
+
         query_options, facts = get_facts(options)
         query_options[:configured_environment] = configured_environment
 
@@ -454,6 +525,25 @@ class Puppet::Configurer
   end
   private :run_internal
 
+  def valid_server_environment?
+    session = Puppet.lookup(:http_session)
+    begin
+      fs = session.route_to(:fileserver)
+      fs.get_file_metadatas(path: URI(Puppet[:pluginsource]).path, recurse: :false, environment: @environment)
+      true
+    rescue Puppet::HTTP::ResponseError => detail
+      if detail.response.code == 404
+        Puppet.notice(_("Environment '%{environment}' not found on server, skipping initial pluginsync.") % { environment: @environment })
+      else
+        Puppet.log_exception(detail, detail.message)
+      end
+      false
+    rescue => detail
+      Puppet.log_exception(detail, detail.message)
+      false
+    end
+  end
+
   def find_functional_server
     begin
       session = Puppet.lookup(:http_session)
@@ -470,6 +560,24 @@ class Puppet::Configurer
   end
   private :find_functional_server
 
+  def last_server_specified_environment
+    return @last_server_specified_environment if @last_server_specified_environment
+    if Puppet::FileSystem.exist?(Puppet[:lastrunfile])
+      summary = Puppet::Util::Yaml.safe_load_file(Puppet[:lastrunfile])
+      return unless summary.dig('application', 'run_mode') == 'agent'
+      initial_environment = summary.dig('application', 'initial_environment')
+      converged_environment = summary.dig('application', 'converged_environment')
+      @last_server_specified_environment = converged_environment if initial_environment != converged_environment
+    end
+
+    Puppet.debug(_("Found last server-specified environment: %{environment}") % { environment: @last_server_specified_environment }) if @last_server_specified_environment
+    @last_server_specified_environment
+  rescue => detail
+    Puppet.debug(_("Could not find last server-specified environment: %{detail}") % { detail: detail })
+    nil
+  end
+  private :last_server_specified_environment
+
   def send_report(report)
     puts report.summary if Puppet[:summarize]
     save_last_run_summary(report)
@@ -558,6 +666,7 @@ class Puppet::Configurer
           # don't update cache until after environment converges
           :ignore_cache_save => true,
           :environment       => Puppet::Node::Environment.remote(@environment),
+          :check_environment => true,
           :fail_on_404       => true,
           :facts_for_catalog => facts
         )

data/lib/puppet/defaults.rb

@@ -199,7 +199,7 @@ module Puppet
 
         The strictness level is for both language semantics and runtime
         evaluation validation. In addition to controlling the behavior with
-        this master switch some individual warnings may also be controlled
+        this primary server switch some individual warnings may also be controlled
         by the disable_warnings setting.
 
         No new validations will be added to a micro (x.y.z) release,
@@ -268,7 +268,7 @@ module Puppet
       :default    => true,
       :type       => :boolean,
       :desc       => "Whether to compile a [static catalog](https://puppet.com/docs/puppet/latest/static_catalogs.html#enabling-or-disabling-static-catalogs),
-        which occurs only on a Puppet Server master when the `code-id-command` and
+        which occurs only on Puppet Server when the `code-id-command` and
         `code-content-command` settings are configured in its `puppetserver.conf` file.",
     },
     :settings_catalog => {
@@ -391,13 +391,13 @@ module Puppet
         :default  => "production",
         :desc     => "The environment in which Puppet is running. For clients,
           such as `puppet agent`, this determines the environment itself, which
-          Puppet uses to find modules and much more. For servers, such as `puppet master`,
+          Puppet uses to find modules and much more. For servers, such as `puppet server`,
           this provides the default environment for nodes that Puppet knows nothing about.
 
           When defining an environment in the `[agent]` section, this refers to the
-          environment that the agent requests from the master. The environment doesn't
+          environment that the agent requests from the primary server. The environment doesn't
           have to exist on the local filesystem because the agent fetches it from the
-          master. This definition is used when running `puppet agent`.
+          primary server. This definition is used when running `puppet agent`.
 
           When defined in the `[user]` section, the environment refers to the path that
           Puppet uses to search for code and modules related to its execution. This
@@ -791,7 +791,7 @@ Valid values are 0 (never cache) and 15 (15 second minimum wait time).
     :certname => {
       :default => lambda { Puppet::Settings.default_certname.downcase },
       :desc => "The name to use when handling certificates. When a node
-        requests a certificate from the CA puppet master, it uses the value of the
+        requests a certificate from the CA Puppet Server, it uses the value of the
         `certname` setting as its requested Subject CN.
 
         This is the name used when managing a node's permissions in
@@ -854,7 +854,7 @@ EOT
       :desc => <<EOT
 An optional file containing custom attributes to add to certificate signing
 requests (CSRs). You should ensure that this file does not exist on your CA
-puppet master; if it does, unwanted certificate extensions may leak into
+Puppet Server; if it does, unwanted certificate extensions may leak into
 certificates created with the `puppetserver ca generate` command.
 
 If present, this file must be a YAML hash containing a `custom_attributes` key
@@ -1143,7 +1143,7 @@ EOT
       :default => "$confdir/autosign.conf",
       :type => :autosign,
       :desc => "Whether (and how) to autosign certificate requests. This setting
-        is only relevant on a puppet master acting as a certificate authority (CA).
+        is only relevant on a Puppet Server acting as a certificate authority (CA).
 
         Valid values are true (autosigns all certificate requests; not recommended),
         false (disables autosigning certificates), or the absolute path to a file.
@@ -1154,7 +1154,7 @@ EOT
         file, it will be treated as a policy executable; otherwise, it will be
         treated as a config file.
 
-        If a custom policy executable is configured, the CA puppet master will run it
+        If a custom policy executable is configured, the CA Puppet Server will run it
         every time it receives a CSR. The executable will be passed the subject CN of the
         request _as a command line argument,_ and the contents of the CSR in PEM format
         _on stdin._ It should exit with a status of 0 if the cert should be autosigned
@@ -1241,7 +1241,7 @@ EOT
     :manifest => {
       :default    => nil,
       :type       => :file_or_directory,
-      :desc       => "The entry-point manifest for puppet master. This can be one file
+      :desc       => "The entry-point manifest for the primary server. This can be one file
         or a directory of manifests to be evaluated in alphabetical order. Puppet manages
         this path as a directory if one exists or if the path ends with a / or \\.
 
@@ -1421,8 +1421,8 @@ EOT
         their names should be comma-separated, with whitespace allowed. (For example,
         `reports = http, store`.)
 
-        This setting is relevant to puppet master and puppet apply. The puppet
-        master will call these report handlers with the reports it receives from
+        This setting is relevant to puppet server and puppet apply. The primary Puppet
+        server will call these report handlers with the reports it receives from
         agent nodes, and puppet apply will call them with its own report. (In
         all cases, the node applying the catalog must have `report = true`.)
 
@@ -1474,14 +1474,14 @@ EOT
     :node_name_value => {
       :default => "$certname",
       :desc => "The explicit value used for the node name for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_fact.  Changing this setting also requires changes to
         Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html)."
     },
     :node_name_fact => {
       :default => "",
       :desc => "The fact name used to determine the node name used for all requests the agent
-        makes to the master. WARNING: This setting is mutually exclusive with
+        makes to the primary server. WARNING: This setting is mutually exclusive with
         node_name_value.  Changing this setting also requires changes to
         Puppet Server's default [auth.conf](https://puppet.com/docs/puppetserver/latest/config_file_auth.html).",
       :hook => proc do |value|
@@ -1494,8 +1494,8 @@ EOT
       :default => "$statedir/state.yaml",
       :type => :file,
       :mode => "0640",
-      :desc => "Where puppet agent and puppet master store state associated
-        with the running configuration.  In the case of puppet master,
+      :desc => "Where Puppet agent and Puppet Server store state associated
+        with the running configuration.  In the case of Puppet Server,
         this file reflects the state discovered through interacting
         with clients."
     },
@@ -1558,11 +1558,11 @@ EOT
         the POSIX syslog service and the Windows Event Log are unavailable. (Currently,
         no supported operating systems match that description.)
 
-        Despite the name, both puppet agent and puppet master will use this file
+        Despite the name, both puppet agent and puppet server will use this file
         as the fallback logging destination.
 
         For control over logging destinations, see the `--logdest` command line
-        option in the manual pages for puppet master, puppet agent, and puppet
+        option in the manual pages for puppet server, puppet agent, and puppet
         apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
         or read them online at https://puppet.com/docs/puppet/latest/man/."
     },
@@ -1576,12 +1576,12 @@ EOT
     },
     :server => {
       :default => "puppet",
-      :desc => "The puppet master server to which the puppet agent should connect.",
+      :desc => "The primary Puppet server to which the Puppet agent should connect.",
     },
     :server_list => {
       :default => [],
       :type => :server_list,
-      :desc => "The list of Puppet master servers to which the Puppet agent should connect,
+      :desc => "The list of primary Puppet servers to which the Puppet agent should connect,
         in the order that they will be tried. Each value should be a fully qualified domain name, followed by an optional ':' and port number. If a port is omitted, Puppet uses masterport for that host.",
     },
     :use_srv_records => {
@@ -1596,7 +1596,7 @@ EOT
     :http_extra_headers => {
       :default => [],
       :type => :http_extra_headers,
-      :desc => "The list of extra headers that will be sent with http requests to the master.
+      :desc => "The list of extra headers that will be sent with http requests to the primary server.
       The header definition consists of a name and a value separated by a colon."
     },
     :ignoreschedules => {
@@ -1622,7 +1622,7 @@ EOT
         like it does when running normally. However, if a resource attribute is not in
         the desired state (as declared in the catalog), Puppet will take no
         action, and will instead report the changes it _would_ have made. These
-        simulated changes will appear in the report sent to the puppet master, or
+        simulated changes will appear in the report sent to the primary Puppet server, or
         be shown on the console if running puppet agent or puppet apply in the
         foreground. The simulated changes will not send refresh events to any
         subscribing or notified resources, although Puppet will log that a refresh
@@ -1689,13 +1689,38 @@ EOT
         new configurations, where you want to fix the broken configuration
         rather than reverting to a known-good one.",
     },
+    :fact_name_length_soft_limit => {
+      :default    => 2560,
+      :type       => :integer,
+      :desc       => "The soft limit for the length of a fact name.",
+    },
+    :fact_value_length_soft_limit => {
+      :default    => 4096,
+      :type       => :integer,
+      :desc       => "The soft limit for the length of a fact value.",
+    },
+    :top_level_facts_soft_limit => {
+      :default    => 512,
+      :type       => :integer,
+      :desc       => "The soft limit for the number of top level facts.",
+    },
+    :number_of_facts_soft_limit => {
+      :default    => 2048,
+      :type       => :integer,
+      :desc       => "The soft limit for the total number of facts.",
+    },
+    :payload_soft_limit => {
+      :default    => 16 * 1024 * 1024,
+      :type       => :integer,
+      :desc       => "The soft limit for the size of the payload.",
+    },
     :use_cached_catalog => {
       :default    => false,
       :type       => :boolean,
       :desc       => "Whether to only use the cached catalog rather than compiling a new catalog
         on every run.  Puppet can be run with this enabled by default and then selectively
         disabled when a recompile is desired. Because a Puppet agent using cached catalogs
-        does not contact the master for a new catalog, it also does not upload facts at
+        does not contact the primary server for a new catalog, it also does not upload facts at
         the beginning of the Puppet run.",
     },
     :ignoremissingtypes => {
@@ -1703,7 +1728,7 @@ EOT
       :type       => :boolean,
       :desc       => "Skip searching for classes and definitions that were missing during a
         prior compilation. The list of missing objects is maintained per-environment and
-        persists until the environment is cleared or the master is restarted.",
+        persists until the environment is cleared or the primary server is restarted.",
     },
     :splaylimit => {
       :default    => "$runinterval",
@@ -1733,7 +1758,7 @@ EOT
         If you restart an agent's puppet service with `splay` enabled, it
         recalculates its splay period and delays its first agent run after
         restarting for this new period. If you simultaneously restart a group of
-        puppet agents with `splay` enabled, their checkins to your puppet masters
+        puppet agents with `splay` enabled, their checkins to your primary servers
         can be distributed more evenly.",
     },
     :clientbucketdir => {
@@ -1832,7 +1857,7 @@ EOT
 
       When starting for the first time, puppet agent will submit a certificate
       signing request (CSR) to the server named in the `ca_server` setting
-      (usually the puppet master); this may be autosigned, or may need to be
+      (usually the primary Puppet server); this may be autosigned, or may need to be
       approved by a human, depending on the CA server's configuration.
 
       Puppet agent cannot apply configurations until its approved certificate is