October 17, 2023

Puppet 8: The Biggest Changes + How to Get It Now

Products & Services
Ecosystems & Integrations

Puppet 8 is here, and it’s included in the latest release of Puppet Enterprise. It’s the biggest update to Puppet since Puppet 7’s first release in November 2020, and it carries a host of enhancements and improvements to make managing and scaling your infrastructure easier than ever. 

Read on for a list of the major changes included in Puppet 8, how they benefit you, and how to get going with Puppet 8 fast.

Back to top

What is Puppet 8?

Puppet 8 is the eighth full release of Puppet’s open source code. Puppet 8 was released in April 2023 and became part of Puppet Enterprise releases in September 2023. Puppet 8 includes updates to configuration reporting, protections for user inputs, and more.

Back to top

How to Get Puppet 8

Upgrade to the latest version of Puppet Enterprise or Open Source Puppet to start using Puppet 8. PE 2023.3, released in September 2023, was the first version of Puppet Enterprise to include Puppet 8.



Back to top

Why Upgrade to Puppet 8? The Biggest Features + Updates

Puppet 8 features behind-the-scenes and functional changes focused on user experience and giving you even more control over your automation and configuration management.

Updates to Certificate Management in Puppet 8 + Puppet Enterprise 

Nobody likes dealing with certificates. You might not even know a certificate is expired if servers were set up at different times, or you inherited the infrastructure from another team, or your documentation isn’t up to snuff. And trying to keep up with certificates in a big enough environment can kick off a never-ending change management process, which isn’t good for releasing on time.

Watch the Video Below to See Puppet 8 Certificate Management in Action

In previous releases of Puppet Enterprise, once a Certificate of Authority expired, the server lost communication with the primary server and wouldn’t update. That meant no new code, no security fixes, and no continuous compliance. 

In the latest versions of Puppet Enterprise, built on Puppet 8, we’ve all but eliminated this huge pain point for practitioners. As soon as you upgrade, auto-renewal for certificates is on by default. Instead of managing changes to certificates across all their servers, you can instead just have shorter-lived certifications that renew just as they expire. That means your team doesn’t have to go through the toil of monitoring and managing certificate expiration, and it makes it much easier to recover from expired certification.

Whether it’s keeping track of different expiration dates, manual errors mucking things up, or just the sheer volume of certificates to manage, you can say goodbye to the hangups that have been haunting your certificate management.

Updating to Ruby 3.2 and OpenSSL 3

With Puppet 8, Puppet is now on the latest branch of Ruby 3.2 and OpenSSL 3. The replacement ensures everything is up-to-date with the latest version while reducing vulnerability scanning concerns.

Note: Ruby 3 only has the exist? function and not exists? All code using the exists? function will need to be updated for compatibility. (You can actually do this before you upgrade to Puppet 8, since Ruby 2 features both exist? and exists? functions.)

Strict Mode

Platform engineering is prompting a shift toward self-service in DevOps. Self-service brings freedom, but also liabilities: With the potential for so many more user inputs, we need to make sure they can’t make unsafe variable assignments. 

Strict Mode in Puppet 8 ensures that if something hasn’t been passed correctly, like if it contains a typo that has caused something to become “undefined”, Puppet will throw an error rather than allowing a change that might have unexpected consequences. It also prevents mixed data transformations that lead to messy data assignments, like attempting to add a string to an integer. 

Together with freezing string literals, Strict Mode helps avoid mistakes or malicious attempts to reassign variables. 

Excluding Unchanged Resources from Reporting by Default

During a Puppet run in an IT estate with hundreds of thousands of servers, the Puppet agent runs every 30 minutes by default, reports on resources, and stores the data for 7 days by default. The problem is that these run reports also included data on the resources that hadn’t changed since the last run. 

All that unchanged data about hundreds of resources per run – sometimes thousands – was effectively burying the data some users needed to see. To get around that problem, users were cutting down the data storage period or scheduling less frequent runs, which decreased the effectiveness and usability of the tool. 

In Puppet 8, unchanged resources are excluded from reporting by default. (Users have had the ability to set this in Puppet 7, but it wasn’t on by default.) That means every Puppet run will show you the information that matters so you don’t have to dig through mountains of data to get to actionable insights.

Default Lazy Evaluation of Deferred Functions

Deferred functions let you run commands on the client side instead of all in a Puppet compile server. That’s helpful when accessing something you don’t want to be passed through the Puppet infrastructure nodes, like vault secrets. Deferred functions let you access them using only your client and vault server. 

Before Puppet 8, all deferred functions were evaluated prior to enforcement of the catalog. This means that if your function depended on configuration like installing a library or writing a config file, then it would fail the first time through. In Puppet 8, it’s possible to install a dependency for a deferred function and call the deferred function in a single agent run.

Dropping Hiera 3

Hiera 3 has been out of use for a while, and dropping it from this version trims down the Puppet 8 install. The lookup function and Hiera 5 continue to work as expected.

Excluding Legacy Facts by Default

Legacy facts have also been deprecated for some time. Puppet 8 drops them altogether, reducing network load, freeing PuppetDB storage, and improving general performance.

Back to top

Download Puppet 8 + Get Started Now

If you’re a current Puppet user, you can upgrade to Puppet 8 by following the instructions over on Docs. For a more in-depth look at Puppet 8, check out Puppet 8 for DevOps Engineers from Packt Publishing. If you’re new to Puppet, try the latest version for free on 10 nodes with no time restriction or user limit.


Back to top