# puppet-enterprise
  • j

    Jay Iorio

    10/01/2025, 2:33 PM
    Question... Attempting an upgrade from 2025.2 to 2025.6 using PIM. The problem I have is that I do not have direct ssh access as root to the target nodes... Are the run_as and sudo_password variables available via the cli or can I put them in the parameters.json such that when I run the Upgrade it automatically escalates to root? It's kind of what I do with bolt to upgrade cd4pe...
  • c

    Christian Michael Tan

    10/02/2025, 9:17 AM
    Hi - whenever I run `pdk test unit` to perform unit testing on my classes, for some reason nothing gets tested against Ubuntu 24.04. I always receive these logs
    ```
    No facts were found in the FacterDB for: [{"os.name"=>"Ubuntu", "os.release.full"=>"/^24\\.04/", "os.hardware"=>"x86_64"}]
    Run options: exclude {:bolt=>true}

    All examples were filtered out
    .

    Coverage Report:

    Total resources:   0
    Touched resources: 0
    Resource coverage: 100.00%


    Finished in 0.08528 seconds (files took 3.75 seconds to load)
    1 example, 0 failures
    ```
    I've been changing my metadata.json file to check all OS versions I need, and this issue only exists for Ubuntu 24.04. Any thoughts on this?
  • b

    bastelfreak

    10/02/2025, 9:18 AM
    The facterdb version from your pdk is too old
  • b

    bastelfreak

    10/02/2025, 9:20 AM
    I think 3.2.0 introduced Ubuntu 24.04 factsets https://github.com/voxpupuli/facterdb/blob/master/CHANGELOG.md
  • c

    Christian Michael Tan

    10/02/2025, 9:25 AM
    I ok, that makes sense. Turns out I'm using 2.1.0 still
  • c

    Christian Michael Tan

    10/02/2025, 9:26 AM
    Thanks!!
  • b

    bastelfreak

    10/02/2025, 9:26 AM
    latest is greatest 🙂
    💯 1
  • j

    jms1

    10/02/2025, 4:21 PM
    question: `puppet code deploy -h` contains
    ```
    Flags:
          --all       Tells puppet-code deploy to start deployments for all Code Manager environments
    ```
    what does "all Code Manager environments" actually mean? is this "every branch in the control repo"? is it "every directory or symlink that exists under the `/etc/puppetlabs/puppetserver/code/environments/` directory"? something else?
  • b

    bastelfreak

    10/02/2025, 4:26 PM
    All branches
  • b

    bastelfreak

    10/02/2025, 4:26 PM
    And the branches will lead to those symlinks
  • c

    Clément LE ROUX

    10/07/2025, 5:57 PM
    Hey there, are the re-puppetize demands handled by the puppet-enterprise team? I opened one linked to an issue that I fixed upstream https://github.com/puppetlabs/Puppet.Dsc/issues/327 🙏 thanks
  • v

    vchepkov

    10/09/2025, 6:46 PM
    Is there a way to see which agents are disabled in the console? They show regular green check marks in the report, which is misleading, imho
  • v

    vchepkov

    10/09/2025, 6:47 PM
    sorry, no reports for them, my bad
  • w

    Wim Korevaar

    10/13/2025, 11:48 AM
    anyone else getting service failure for the artifacts-puppetcore.puppet.com?
  • j

    jms1

    10/15/2025, 4:11 PM
    so i just found out, our beloved corporate overlords have a requirement in place which says, and i quote ...
    ```
    Interactions which are authenticated via X.509 certificates must adhere to the following:

    * Certificate keys must be randomly generated for each customer or user
    * Certificate keys must use Elliptic Curve Cryptography, curve P-256 or P-384
    * Certificates must use hash algorithm SHA-256 or greater
    * Certificates must be able to be revoked or rotated
    Certificates must contain a Validity Period (Issued On and Expires On)
    ```
    When the puppet agent connects to the PE server, the connection is authenticated using an X.509 certificate, which means they're going to tell me that these rules apply ... the agent keys in PE2023.8 use RSA-4096 rather than EC, so they're going to want me to change it ... so my question is, How do i make the agent-enrollment process use EC rather than RSA?
  • c

    csharpsteen

    10/15/2025, 4:13 PM
    PE ticks all of those boxes except using EC curves. There is no tested configuration for shifting PE over to using EC. At the moment, RSA is the only option.
  • b

    bastelfreak

    10/15/2025, 4:15 PM
    And why do they want EC?
  • j

    jms1

    10/15/2025, 4:16 PM
    okay ... i'll have to ping my account rep and ask him for an email saying that, so that when the corp security types come sniffing around, i've got something to show them ... personally i think RSA-4096 should be good enough, but what do i know.
  • c

    csharpsteen

    10/15/2025, 4:18 PM
    There is support for using EC curves deep in the animal brain of Puppet, but there is Product development that needs to be done to get that to a deployable PE configuration.
  • j

    jms1

    10/15/2025, 4:18 PM
    they didn't (and won't) explain why they want EC, i just found this in a "requirement" document that i didn't know existed. the company i work for has been acquired twice, my guess is that one of the two "acquiring" companies already had this in place and nobody has ever questioned it. if EC isn't possible right now, i just need some kind of documentation from puppet/perforce/whoever-it-is-next-week that says so.
  • b

    bastelfreak

    10/15/2025, 4:18 PM
    just pretend you didn't see it
  • y

    Yorokobi

    10/15/2025, 4:19 PM
    Head in the sand isn't defensible.
  • j

    jms1

    10/15/2025, 4:19 PM
    that won't change anything ... i'm not going to try and contact them to push an explanation, but when/if they come around and ask for an explanation, i want to be able to say "here, now go away you bother me kid" 😁
  • y

    Yorokobi

    10/15/2025, 4:20 PM
    "Vendor dependency"
  • j

    jms1

    10/15/2025, 4:22 PM
    documented vendor dependency
  • t

    tuxmea

    10/15/2025, 5:28 PM
    in this case you should have a link or a local copy
  • r

    RyChannel

    10/15/2025, 8:51 PM
    Question about the Puppet AI agent... if I have 2 separate primaries, do they each need their own Azure OpenAI service or can they both connect to the same one?
  • j

    jms1

    10/15/2025, 9:01 PM
    ugh... on my workstation (macOS 26.0.1) i removed the older homebrew `pdk` and `puppet-agent` packages, downloaded PDK from the secret perforce server, and used `gem install eyaml` to install eyaml and its dependencies ... now whenever i try to use it, i get this:
    ```
    $ echo testing | eyaml encrypt --stdin -o block -l xyz
    /Users/jms1/.gems/gems/psych-5.2.6/lib/psych.rb:716:in 'File#initialize': Is a directory @ io_fillbuf - fd:7 xyz (Errno::EISDIR)
    	from /Users/jms1/.gems/gems/psych-5.2.6/lib/psych.rb:716:in 'IO.open'
    	from /Users/jms1/.gems/gems/psych-5.2.6/lib/psych.rb:716:in 'Psych.load_file'
    	from /Users/jms1/.gems/gems/eyaml-0.4.4/lib/eyaml.rb:37:in 'EYAML.encrypt_file_in_place'
    	from /Users/jms1/.gems/gems/eyaml-0.4.4/lib/eyaml/cli.rb:11:in 'block in EYAML::CLI#encrypt'
    	from /Users/jms1/.gems/gems/eyaml-0.4.4/lib/eyaml/cli.rb:7:in 'Array#each'
    	from /Users/jms1/.gems/gems/eyaml-0.4.4/lib/eyaml/cli.rb:7:in 'EYAML::CLI#encrypt'
    	from /Users/jms1/.gems/gems/thor-1.4.0/lib/thor/command.rb:28:in 'Thor::Command#run'
    	from /Users/jms1/.gems/gems/thor-1.4.0/lib/thor/invocation.rb:127:in 'Thor::Invocation#invoke_command'
    	from /Users/jms1/.gems/gems/thor-1.4.0/lib/thor.rb:538:in 'Thor.dispatch'
    	from /Users/jms1/.gems/gems/thor-1.4.0/lib/thor/base.rb:584:in 'Thor::Base::ClassMethods#start'
    	from /Users/jms1/.gems/gems/eyaml-0.4.4/bin/eyaml:7:in '<top (required)>'
    	from /usr/local/Cellar/ruby/3.4.7/lib/ruby/3.4.0/rubygems.rb:319:in 'Kernel#load'
    	from /usr/local/Cellar/ruby/3.4.7/lib/ruby/3.4.0/rubygems.rb:319:in 'Gem.activate_and_load_bin_path'
    	from /Users/jms1/.gems/bin/eyaml:25:in '<main>'
    ```
  • b

    bastelfreak

    10/21/2025, 11:28 AM
    @csharpsteen do you know why postgresql on a primary is listening on *, when I've no replica, no standalone puppetdb, no compilers? That seems unnecessary / like a security issue to me. Tested on 2025.6.0 EL9
  • j

    jms1

    10/21/2025, 5:13 PM
    question: is there any way to "inspect" the contents of a `suite-license.lic` file, without installing it on a PE server and checking the web interface? (specifically, to see the start/end dates) ... it looks like an SSL certificate, i'm hoping there's a command like `openssl x509` that can read it (asking here first before i start poking at the file with a sharp stick)