Just got here to this convo. I’m gov, and we’re RHEL8 using Puppet Open Source, latest. And we’re DoE. Me thinks that requirement is being misread up the food chain from you somewhere.

We have PE v2023.7 installed and PE Agent version 8.6.0. We are getting vulnerabilities with the Ruby associated with that agent...I see that there is Agent version 8.8.0 available in Open Source. Is there any reason why we should not look at upgrading the agent to ver 8.8 while still working within our PE environment?

SInce you’re a PE customer, I would open a ticket with the vulnerability listed therein. It doesn’t answer your question or solve your problem, but it puts it in Perforce’s view

One day I hope to see a vulnerability scanner that is smarter than "is the product newer than version x.y.z? No? It must be vulnerable!"

you could also just update the puppet agent with the open source version

is that "supported"? no. Does it work? yes.

Don't do that.

The next round of PE releases is Really Close Now™ and will include those latest agent versions.

¯\_(ツ)_/¯

So.... "wait". O_o

Thanks...lol.... I did not mean to start a friendly war... but the info helps 😉

PE and Metrics Collection. We had the metrics_collection module installed, the one from the forge. After we updated PE to 2023.7 I uninstalled. My question revolves around the assertion of the bundled pkg. Will the new install for 2023.8 help with this assertion, now that I have removed the forge pkg?

Is code manager okay with ecdsa-sha2-nistp384 SSH public keys (on the Git server side)?

@Gavin Patton can I get any reviews for the open PRs on pe_status_check, peadm, or some feedback on the open issues on https://github.com/puppetlabs/puppet-enterprise_issues/issues ? Or is there anybody else who can help out? And any chance for a new release of https://github.com/puppetlabs/puppet-classify ?

It's a bit hard to understand/explain to PE customers why it takes months to get features merged into modules 😞

Do we have any CaC to implement SAML and RBAC. We have bootstrapped PE using peadm.

there's the rbac and puppet_ds module. that supports AD/LDAP configuration. I don't know if it supports SAML

Puppet Enterprise Metrics... What's the recommended setting for the Replica? On the forge, it is recommended to put the base metrics on the Primary server only, and for each of the compilers to have only System Metrics. Is the same true for the replica? Or should the replica have the base metrics as well since it may one day become the primary in a fail-over scenario.

probably related to

Deprecated Security-Enhanced Linux (SELinux) methods are replaced.
Deprecated SELinux methods of the matchpathcon family such as Selinux.matchpathcon are replaced by supported SELinux methods such as Selinux.selabel_lookup. This update does not require any action by Puppet users. Community member wbclark contributed to this fix.

It seems the apt module is not supported by the latest PE LTS 2023.8.0. 😞 If you try to run the agent using you get a lot of errors that seem connected to ruby syntax or something. Has anybody else run into this problem? Any workarounds?

Sure: Error: Could not autoload puppet/provider/apt_key/apt_key: /opt/puppetlabs/puppet/cache/lib/puppet/provider/apt_key/apt_key.rb💯 syntax error, unexpected ']' ... key_long: fingerprint[-16..],

which version of the apt module are you using?

9.4.0, and I know it does not support 2023.8... But that is kind of a problem. 🙂

It seems like a ruby "endless range" syntax problem. There is a caret pointing to the last last part of "[-16..]" in the row above in the error message.

looks like valid syntax to me

what do you get for

puppet --version

on that node?

Ah, good question.... root@li-test-puppet-ng-deb9:~# puppet agent --version 6.26.0

aha 🙂

that's not PE 2023.8