Puppet release notes

These are the new features, resolved issues, and deprecations in this version of Puppet.

Puppet 7.6.1

Released April 2021.

We would like to thank the following Puppet community members for their contributions to this release: gcampbell12 and ananace.


Puppet module type scripts directory

This release adds a new subdirectory to the scripts/ module class. It automatically generates the functions in the class and retrieves the available scripts. This helps to standardize specific file loading from either the files directory or scripts directory. PUP-10996

Backport logic to detect migrated CA directory location

After migrating the CA directory, Puppet now reports the correct cadir setting value. PUP-11004

Curl bumped to 7.76.0

This release bumps Curl to 7.76.0, fixing the following CVEs:


Ruby bumped to 2.7.3

This release bumps Ruby to 2.7.3, fixing the following CVEs:


Resolved issues

Race condition with agent_disabled_lockfile

This release fixes a race condition that caused the agent to become disabled and no longer enforce desired state. Contributed by Puppet community member gcampbell12. PUP-11000

User resource with forcelocal and groups attributes set fails if /etc/group contains empty lines

This release fixes an issue where Puppet failed when applying user resources with forcelocal if there were empty lines in /etc/group. PUP-10997

Unable to install gems with the puppet_gem provider on Windows

Previously, if you used Puppet as a library, environment.bat was not sourced and led to an unset PUPPET_DIR. As puppet_gem relied on this to build the gem.bat path, it used a non-existing path, making this provider unsuitable. This release updates the puppet_gem provider to use Gem.default_bindir, which determines the location of the executables. To avoid accidental usage of the puppet_gem provider with system Ruby, we have also added a confine to the aio_agent_version fact. PUP-10964

Changing a Puppet setting in a catalog invalidates the environment cache in multithreaded mode

You can now change the value of Puppet's rich_data setting at runtime, without it invalidating the environment cache. PUP-10952

Puppet cannot parse systemd instances when list-unit-files output has an additional column

This release fixes an issue affecting the parsing of systemd service instances caused by a change in the systemctl list-unit-files command output. PUP-10949

Cannot ensure dnfmodule with no default profile

Previously, using the dnfmodule provider to install a module with no default profile — without passing the enable_only parameter — failed with newer versions of DNF. PUP-11024

Puppet 7.5.0

Released March 2021.

We would like to thank the following Puppet community members for their contributions to this release: smokris and priv-kweihmann.

New features

The puppet ssl show command

The puppet ssl show command prints the full-text version of a host's certificate, including extensions. PUP-10888

The ciphers setting

The ciphers setting configures which TLS ciphersuites the agent supports. The default set of ciphersuites is the same, but you can now make the list of ciphersuites more restricted, for example, to only accept TLS v1.2 or greater ciphersuites. PUP-10889

The GlobalSignRoot CA R3

This release adds the GlobalSignRoot CA R3 certificate for rubygems.org. PA-3525

Resolved issues

The splat operator in a virtual query is not supported

This release fixes a regression in Puppet 7.x that prevented the splat operator from being used to override resource attributes in a resource collector. PUP-10951

Windows package provider continues to read DisplayVersion key after it is embedded NULL

Previously, Puppet would not stop reading the registry at the correct WCHAR_NULL because it was encoded to UTF-16LE, causing Puppet to read bad data and fail. This is now fixed. PUP-10943

Listing environments during code deploys prevents environment cache invalidation

Previously, catalog compilations for a newly created environment directory could fail if the environment was listed while the directory was being created. This issue only occurred when using an environment_timeout value greater than 0 and less than unlimited. This is now fixed. PUP-10942

Syntax error in previously valid Puppet code due to removal of keywords

The application, consumes, produces and site application orchestration keywords were previously removed from the reserved keywords list, causing syntax errors in Puppet code. This is now fixed. PUP-10929


A known issue with LookupAccountNameW caused Puppet to fail when managing Windows users under APPLICATION PACKAGE AUTHORITY with fully qualified names. This is now fixed and an account name sanitization step has been added to prevent faulty queries. PUP-10899

Retrieving the current user with the fully-qualified username fails on Windows

Previously, retrieving the current username SID on Windows caused Puppet to fail in certain scenarios, for example, when the user was a secondary domain controller. This release adds a fallback mechanism that uses the fully qualified domain name for lookup. PUP-10898

Puppet 7.4.1

Released February 2021.

Resolved issues

Puppet users with forcelocal are no longer idempotent

This release fixes a regression where setting the gid parameter on a user resource with forcelocal was not idempotent. PUP-10896

Puppet 7.4.0

Released February 2021.

New features

New --timing option in puppet facts show

This release adds a --timing option in the puppet facts show command. This flag shows you how much time it takes to resolve each fact. PUP-10858

Resolved issues

User resource with forcelocal uses getent for groups

The useradd provider now checks the forcelocal parameter and gets local information on the groups (from /etc/group) and gid (from /etc/passwd) of the user when requested. PUP-10857

Slow Puppet agent run after upgrade to version 6

This release improves the performance of the apt package provider when removing packages by reducing the calls to apt-mark showmanual. PUP-10856

The apt provider does not work with local packages

The apt package provider now allows you to install packages from a local file using source parameter. PUP-10854

The puppet facts show --value-only command displays a quoted value

Previously, the puppet facts show --value-only <fact> command emitted the value as a JSON string, which included quotes around the value, such as "RedHat". It now only emits the value. PUP-10861

Puppet 7.3.0

Released January 2021.

New features

The serverport setting

The serverport setting is an alias for masterport. PUP-10725


Multiple logdest locations in puppet.conf accepted

You can set multiple logdest locations using a comma separated list. For example: /path/file1,console,/path/file2. PUP-10795

The puppet module install command lists unsatisfiable dependencies

If the puppet module install command fails, Puppet returns a more detailed error, including the unsatisfiable module(s) and its ranges. PUP-9176

New --no-legacy option to disable legacy facts

By default, puppet facts show displays all facts, including legacy facts. This release adds a --no-legacy option to disable legacy facts when querying all facts. PUP-10850

Resolved issues

The puppet apply command creates warnings

This release eliminates Ruby 2.7.x warnings when running puppet apply with node statements. PUP-10845

Remove Pathname#cleanpath workaround

This release removes an unnecessary workaround when cleaning file paths, as Ruby 1.9 is no longer supported. PUP-10840

The allow * error message shown during PE upgrade

Puppet no longer prints an error if fileserver.conf contains allow * rules. It continues to print an error for all other rules, as Puppet's legacy authorization is no longer supported and is superseded by Puppetserver's authorization. PUP-10851

3x functions cannot be called from deferred functions in Puppet agent

This release allows deferred 3.x functions, like sprintf, to be called during a Puppet agent run. PUP-10819

Cached catalog contains the result of deferred evaluation instead of the deferred function

Puppet 6.12.0 introduced a regression that caused the result of a deferred function to be stored in the cached catalog. As a result, an agent running with a cached catalog would not re-evaluate the deferred function. This is now fixed. PUP-10818

puppet facts show fact output differs from facter fact

The output format is different between Facter and Puppet facts when a query for a single fact is provided. This is now fixed. PUP-10847

Issue with Puppet creating production folder when multiple environment paths are set

Previously, the production environment folder was automatically created in the first search path at every Puppet run, if it did not already exist. This release ensures Puppet searches all the given paths before creating a new production environment folder. PUP-10842

Puppet 7.2.0

This version of Puppet was never released.

Puppet 7.1.0

Released December 2020.


Reduced query time for system user groups

The time it takes to query groups of a system user has been reduced on Linux operating systems with FFI. The getgrouplist method is also available. PUP-10774

Log rotation for Windows based platforms

You can now configure the pxp-agent to use the Windows Event Log service by setting the logfile value to eventlog. PA-3492

Log rotation for macOS based platforms

This release enables log rotation for the pxp-agent on OSX platforms. PA-3491

Added server alias for routes.yaml

When routes.yaml is parsed, it accepts either server or master applications. PUP-10773

OpenSSL bumped to 1.1.1i

This release bumps OpenSSL to 1.1.1i. PA-3513

Curl bumped to 7.74.0

This release bumps Curl to 7.74.0. PA-3512

Resolved issues

The Puppet 7 gem is missing runtime dependency on scanf

This is fixed and you can now run module tests against the Puppet gem on Ruby 2.7. PUP-10797

The puppet node clean action LoggerIO needs to implement warn

In Puppet 7.0.0, the puppet node clean action failed if you had cadir in the legacy location or inside the ssldir. This was a regression and is now fixed. PUP-10786

Calling scope#tags results in undefined method

Previously, calling the tags method within an ERB template resulted in a confusing error message. The error message now makes it clear that this method is not supported. PUP-10779

User resource is not idempotent on AIX

The AIX user resource now allows for password lines with arbitrary whitespace in the passwd file. PUP-10778

Fine grained environment timeout issues

Previously, if the environment.conf for an environment was updated and the environment was cleared, puppetserver used old values for per-environment settings. This happened if the environment timed out or if the environment was explicitly cleared using puppetserver's environment cache REST API. With this fix, if an environment is cleared, Puppet reloads the per-environment settings from the updated environment.conf. PUP-10713

FIPS compliant nodes are returning an error

This release fixes an issue on Windows FIPS where Leatherman libraries loaded at the predefined address of the OpenSSL library. This caused the OpenSSL library to relocate to a different address, failing the FIPS validation. This is fixed and leatherman compiled with dynamicbase is disabled on Windows. PA-3474

User provider with uid/gid as Integer raises warning

This release fixes a warning introduced in Ruby 2.7 that checked invalid objects (such as Integer) against a regular expression. PUP-10790

Puppet 7.0.0

Released November 2020.

New features

The puppet facts show command

You can use the puppet facts show command to retrieve a list of facts. By default, it does not return legacy facts, but you can enable them with the --show legacy option. This command replaces puppet facts find as the default Puppet facts action. PUP-10644 and PUP-10715

JSON terminus for node and report

This release implements JSON termini for node and report indirection. The format of the last_run_report.yaml report can be affected by the cache setting key of the report terminus in the routes.yaml file. To ensure the file extension matches the content, update the lastrunreport configuration to reflect the terminus changes (lastrunreport = $statedir/last_run_report.json). PUP-10712

JSON terminus for facts

This release adds a new JSON terminus for facts, allowing them to be stored and loaded as JSON. Puppet agents continue to default to YAML, but you can use JSON by configuring the agent application in routes.yaml. Puppet Server 7 also caches facts as JSON instead of YAML by default. You can re-enable the old YAML terminus in routes.yaml. PUP-10656

Public folder (default location for last_run_summary.yaml)

There is a new folder with 0755 access rights named public, which is now the default location for the last_run_summary.yaml report. It has 640 file permissions. This makes it possible for a non-privileged process to read the file. To relax permissions on the last run summary, set the group permission on the file in puppet.conf to the following: lastrunsummary = $publicdir/last_run_summary.yaml { owner = root, group = monitoring, mode = 0640 }. Note that if you use tools that expect to find last_run_summary.yaml in vardir instead of publicdir, you might experience breaking changes. PUP-10627

The settings_catalog setting

To load Puppet more quickly, you can set the settings_catalog setting to false to skip applying the settings catalog. The setting defaults to true. PUP-8682

New numeric and port setting types

This release adds a new port setting type, which converts the given value to an integer and validates that it is in the range 0-65535. Puppet port can use this setting type. PUP-10711


This release adds a new Windows Installer property called PUPPET_SERVER. You can use this as an alias to the existing PUPPET_MASTER_SERVER property. PA-3440

New GPG signing key

Puppet has a new GPG signing key. See verify packages for the new key.


Ruby version bumped to 2.7

The default version of Ruby is now 2.7. The minimum Ruby version required to run Puppet 7 is now 2.5. After upgrading to Puppet 7, you may need to use the puppet_gem provider to ensure all your gems are installed. PUP-10625

Default digest algorithm changed to sha256

Puppet 7 now uses sha256 as the default digest algorithm. PUP-10583

Gem provider installs gems in Ruby

The gem provider now installs gems in Ruby by default. Use the puppet_gem provider to reinstall gems in the Ruby distribution vendored in Puppet, for example, if custom providers or deferred functions require gems during catalog application. PUP-10677

FFI functions, structs and constants moved to a separate Windows module

To increase speed, we have moved FFI functions, constants and structures out of Puppet::Util::Windows. PUP-10606

Default value of ignore_plugin_errors changed from true to false

The default value for ignore_plugin_errors is now false. This stops Puppet agents failing to pluginsync. PUP-10598

Interpolation of sensitive values in EPP templates

Previously, if you interpolated a sensitive value in a template, you were required to unwrap the sensitive value and rewrap the result. Now the epp and inline_epp functions automatically return a Sensitive value if any interpolated variables are sensitive. For example: inline_epp("Password is <%= Sensitive('opensesame') %>" ). Note that these changes just apply to EPP templates, not ERB templates. PUP-8969

sshkeys_core module bumped to 2.2.0

Puppet 7 bumps the sshkeys_core module to 2.2.0 in the Puppet agent. PA-3473

Call simple server status endpoint

Puppet updates the endpoint for checking the server status to /status/v1/simple/server. If the call returns a 404, it makes a new call to /status/v1/simple/master, and ensures backwards compatibility. PUP-10673

Default value of disable_i18n changed from false to true

The default value for the disable_i18n setting has changed from false to true and locales are not pluginsynced when i18n is disabled. PUP-10610

Pathspec no longer vendored

The pathspec Ruby library is no longer vendored in Puppet. If you require this functionality, you need to install the pathspec Ruby gem. PUP-10107

Deprecations and removals

func3x_check setting removed

The func3x_check setting has been removed. PUP-10724

master_used report parameter removed

The deprecated master_used parameter has been removed. Instead use server_used. PUP-10714

facterng feature flag removed

The facterng feature flag has been removed. It is not needed anymore as Puppet 7 uses Facter 4 by default. PUP-10605

held removed from apt provider

The apt provider no longer accepts deprecated ensure=held. Use the mark attribute instead. PUP-10597

Method from DirectoryService removed

The deprecated DirectoryService#write_to_file method has been removed. PUP-10489

Method from Puppet::Provider::NameService removed

The deprecated Puppet::Provider::NameService#listbyname method has been removed. PUP-10488

Methods from TypeCalculator removed

The deprecated TypeCalculator.enumerable has been removed, and the functionality has been moved to Iterable. PUP-10487

Enumeration type removed

The deprecated Enumeration class has been removed, and its functionality has been moved to Iterable. PUP-10486

Puppet::Util::Yaml.load_file removed

The deprecated Puppet::Util::Yaml.load_file method has been removed. PUP-10475

Puppet::Resource methods removed

The following deprecated Puppet::Resource methods have been removed:

  • Puppet::Resource.set_default_parameters
  • Puppet::Resource.validate_complete
  • Puppet::Resource::Type.assign_parameter_values. PUP-10474

legacy auth.conf support removed

The legacy auth.conf has been deprecated for several major releases. Puppet 7 removes all support for legacy auth.conf. Instead, authorization to Puppet REST APIs is controlled by puppetserver auth.conf. In addition, the allow and deny rules in fileserver.conf are now ignored and Puppet logs an error for each entry. The rest_authconfig setting has also been removed. PUP-10473
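The following Ruby sketch is an added example, not Puppet's own code: it lists the allow and deny entries in a fileserver.conf that Puppet 7 ignores, so that mounts which depended on them can be given equivalent rules in puppetserver's auth.conf. The function names, the assumed file layout and the sample file are illustrative; the split between a silent "allow *" and logged entries follows the 7.3.0 note above.

```ruby
# Added example: list fileserver.conf rules that Puppet 7 no longer enforces.
# The sample file is constructed; mount names and paths are placeholders.

Rule = Struct.new(:line, :mount, :kind, :pattern, :logged_as_error)

# Layout assumed here: "[mount]" headers followed by "path ...",
# "allow ..." and "deny ..." lines. Only allow and deny are examined.
def ignored_fileserver_rules(text)
  mount = nil
  rules = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = line.match(/\A\[([^\]]+)\]\z/))
      mount = m[1]
    elsif (m = line.match(/\A(allow|deny)\s+(.+)\z/))
      kind = m[1]
      pattern = m[2].strip
      # "allow *" is accepted silently; every other allow/deny entry is
      # ignored and logged as an error.
      silent = (kind == 'allow' && pattern == '*')
      rules << Rule.new(lineno, mount, kind, pattern, !silent)
    end
  end
  rules
end

# Mounts whose old rules were narrower than "allow *". These relied on
# fileserver.conf for access control, which is no longer applied.
def mounts_needing_review(text)
  ignored_fileserver_rules(text).select(&:logged_as_error).map(&:mount).uniq
end

SAMPLE_FILESERVER_CONF = <<~CONF
  # constructed sample
  [installers]
    path /opt/installers
    allow *

  [secrets]
    path /srv/puppet/secrets
    allow *.ops.example.com
    deny  *.guest.example.com
CONF

if __FILE__ == $PROGRAM_NAME
  ignored_fileserver_rules(SAMPLE_FILESERVER_CONF).each do |r|
    note = r.logged_as_error ? 'ignored, logged as error' : 'ignored silently'
    puts "line #{r.line} [#{r.mount}] #{r.kind} #{r.pattern}: #{note}"
  end
  puts "review: #{mounts_needing_review(SAMPLE_FILESERVER_CONF).join(', ')}"
end
```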

Puppet.define_settings removed

The deprecated Puppet.define_settings method has been removed. PUP-10472

Application orchestration language features removed

The deprecated application orchestration language features have been removed. The keywords application, site, consumes and produces, and the export and consume metaparameters, now raise errors. The keywords are still reserved, but can’t be used as a custom resource type or attribute name. The environment catalog REST API has also been removed, along with supporting classes, such as the environment compiler and validators. PUP-10446

Puppet::Network::HTTP::ConnectionAdapter removed

The Puppet::Network::HTTP::ConnectionAdapter has been removed, with the following breaking changes:

  • The Client networking code has been moved to Puppet::HTTP.
  • The Puppet::Network::HttpPool.http_instance method has been removed.
  • The Puppet.lookup(:http_pool) has been removed.
  • The deprecated Puppet::Network::HttpPool.http_instance and connection methods have been preserved. PUP-10439

environment_timeout_mode setting removed

The environment_timeout_mode setting has been removed. Puppet no longer supports environment timeouts based on when the environment was created. In Puppet 7, the environment_timeout setting is always interpreted as 0 (never cache), unlimited (always cache), or from when the environment was last used. PUP-10619

Networking code from the parent REST terminus removed

The Networking code from the parent REST terminus has been removed, and is a breaking change for any REST terminus that relies on the parent REST terminus to perform the network request and process the response. The REST termini must implement the find, search, save and destroy methods for their indirected model. PUP-10440

Dependency on http-client gem removed

The dependency on the http-client gem has been removed. If you have a Puppet provider that relies on this gem, you must install it. PUP-10490

HTTP file content terminus removed

The HTTP file content terminus has been removed. It is no longer possible to retrieve HTTP file content using the indirector. Instead, use Puppet's builtin HTTP client: response = Puppet.runtime[:http].get(URI("http://example.com/path")). PUP-10442

Puppet::Util::HttpProxy.request_with_redirects removed

The Puppet::Util::HttpProxy.request_with_redirects method has been removed, and the Puppet::Util::HttpProxy class has been moved to Puppet::HTTP::Proxy. The old constant is backwards compatible. PUP-10441

Puppet::Rest removed

Puppet::Rest and Puppet::Network::HTTP::Compression have been removed. This change moves Puppet::Network::Resolver to Puppet::HTTP::DNS and deprecates Puppet::Network::HttpPool methods. PUP-10438

strict_hostname_checking removed

The deprecated strict_hostname_checking and node_name settings have been removed. The functionality of these settings is possible using explicit constructs within a site.pp or fully featured enc. PUP-10436

puppet module build, generate and search actions removed

The puppet module build, generate and search actions have been removed. Use Puppet Development Kit (PDK) instead. PUP-10387

puppet status application has been removed

The deprecated puppet status application has been removed. PUP-10386

The puppet cert and key commands removed

The non-functioning puppet cert and puppet key commands have been removed. Instead use puppet ssl on the agent node and puppetserver ca on the CA server. PUP-10369

SSL code, termini and settings removed

The following SSL code, termini and settings have been removed:

  • Puppet::SSL::Host

  • Puppet::SSL::Key

  • Puppet::SSL::{Certificate,CertificateRequest}.indirection

  • Puppet::SSL::Validator*

  • ssl_client_ca_auth

  • ssl_server_ca_auth PUP-10252

The func3x_check setting has been removed

The setting to turn off func 3x API validation has been removed. Now all 3x functions are validated. PUP-9469

The future_features logic has been removed

The unused future_features setting has been removed. PUP-9426

The puppet man application has been removed

The puppet man application is no longer needed and has been removed. The agent package now installs man pages so that man puppet produces useful results. Puppet's help system (puppet help) is also available. PUP-8446

The execfail method from util/execution has been removed

The following deprecated methods have been removed:

  • Puppet::Provider#execfail
  • Puppet::Util::Execution.execfail. PUP-7584

The win32-process has been removed

The Puppet dependency on the win32-process gem has been removed. You can implement the functionality using FFI. PUP-7445

The win32-service gem has been removed

The dependency on the win32-service gem has been removed; Puppet uses its own Daemon class instead. PUP-5758

The win32-security gem has been removed from Puppet

To improve Puppet's handling of Unicode user and group names on Windows, some of the code interacting with the Windows API has been rewritten to ensure wide character (UTF-16LE) API variants are called. As a result, Puppet no longer needs the win32-security gem. Any code based references to the gem have been removed. The gem currently remains for backward compatibility, but is to be removed in a future release. PUP-5735

The capability to install an agent on Windows 2008 and 2008 R2 has been removed

You can no longer install Puppet 7 agents on Windows versions lower than 2012. PA-3364

Support for Ruby versions older than 2.5 removed

Support for Ruby versions older than 2.5 has been removed, and Fixnum and Bignum have been replaced with Integer. PUP-10509

dir monkey-patch removed

The external dependency on the win32/dir gem has been removed, and CSIDL constants have been replaced with environment variables. PUP-10653

Master removed from docs

Documentation for this release replaces the term master with primary server. This change is part of a company-wide effort to remove harmful terminology from our products. For the immediate future, you’ll continue to encounter master within the product, for example in parameters, commands, and preconfigured node groups. Where documentation references these codified product elements, we’ve left the term as-is. As a result of this update, if you’ve bookmarked or linked to specific sections of a docs page that include master in the URL, you’ll need to update your link.

Resolved issues

Puppet agent installation fails when msgpack is enabled on puppetserver

Previously, the agent failed to deserialize the catalog and failed the run if the msgpack gem was enabled but not installed. Now the agent only supports that format when the msgpack gem is installed in the agent's vendored Ruby. PUP-10772

Puppet feature detection leaves Ruby gems in a bad state

This release fixes a Ruby gem caching issue that prevented the agent from applying a catalog if a gem was managed using the native package manager, such as yum or apt. PUP-10719

Puppet 6 agents do not honor the usecacheonfailure setting when using server_list

Previously, when server_list was used when there was no server accessible, the Puppet run failed even if usecacheonfailure was set to true. Now Puppet only fails if usecacheonfailure is set to false. PUP-10648

Setting certname in multiple sections bypasses validation

Previously, Puppet only validated the certname setting when specified in the main setting, but not if the value was in a non-global setting like agent. As a result, it was possible to set the certname setting to a value containing uppercase letters and prevent the agent from obtaining a certificate the next time it ran. Puppet now validates the certname setting regardless of which setting the value is specified in. PUP-9481
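As an added example (not Puppet's own validation code), the Ruby script below checks a puppet.conf before an upgrade for the two problems these notes describe: a certname with uppercase letters in any section, and settings listed as removed under "Deprecations and removals". The helper names and the sample file are constructed, and the parser assumes plain "[section]" and "key = value" lines.

```ruby
# Added example: audit a puppet.conf before upgrading to Puppet 7.
# Setting names are taken from the release notes; the sample file is constructed.

# Settings the Puppet 7.0.0 notes list as removed.
REMOVED_SETTINGS = %w[
  func3x_check rest_authconfig environment_timeout_mode
  strict_hostname_checking node_name
  ssl_client_ca_auth ssl_server_ca_auth future_features
].freeze

Finding = Struct.new(:line, :section, :setting, :problem)

# Minimal reader for "[section]" headers and "key = value" lines.
# Assumption: settings that appear before any header are treated as main.
# Returns [[line_number, section, key, value], ...].
def parse_puppet_conf(text)
  section = 'main'
  entries = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif (m = line.match(/\A([\w.]+)\s*=\s*(.*)\z/))
      entries << [lineno, section, m[1], m[2].strip]
    end
  end
  entries
end

# Checks every section, not only main, which is the gap PUP-9481 closed.
def audit_puppet_conf(text)
  parse_puppet_conf(text).flat_map do |lineno, section, key, value|
    findings = []
    if REMOVED_SETTINGS.include?(key)
      findings << Finding.new(lineno, section, key, 'removed in Puppet 7')
    end
    if key == 'certname' && value.match?(/[A-Z]/)
      findings << Finding.new(lineno, section, key,
                              "contains uppercase letters: #{value}")
    end
    findings
  end
end

SAMPLE_PUPPET_CONF = <<~CONF
  # constructed sample, not from a real host
  [main]
  certname = web01.example.com
  strict_hostname_checking = true

  [agent]
  certname = Web01.Example.com
  environment_timeout_mode = from_created

  [master]
  rest_authconfig = /etc/puppetlabs/puppet/auth.conf
CONF

if __FILE__ == $PROGRAM_NAME
  audit_puppet_conf(SAMPLE_PUPPET_CONF).each do |f|
    puts "line #{f.line} [#{f.section}] #{f.setting}: #{f.problem}"
  end
end
```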

Issues caused by backup to the local filebucket

By default, Puppet won’t backup files it overwrites or deletes to the local filebucket, due to issues where it became unbounded. You can re-enable the local filebucket by setting File { backup => 'puppet' } as a resource default. PUP-9407

Remove future feature flag for prefetch_failed_providers in transaction.rb

If a provider prefetch method raises a LoadError or StandardError, the resources associated with the provider are marked as failed, but unrelated resources are applied. Previously this behavior was controlled by the future_features flag, and disabled by default. PUP-9405

Change default value of hostcsr setting

The default value of the hostcsr setting has been updated to match where Puppet stores the certificate request (CSR) when waiting for the CA to issue a certificate. PUP-9346

Refactor the SMF provider to implement enableable semantics

Previously, the SMF provider did not properly implement enableable semantics. Now enable and ensure are independent operations where enable handles whether a service starts or stops at boot time, and ensure handles whether a service starts or stops in the current running instance. PUP-9051

The list of reserved type names known to the parser validator is incomplete

A class or defined type in top scope can no longer be named init, object, sensitive, semver, semverrange, string, timestamp, timespan or typeset. You can continue to use these names in other scopes such as mymodule::object. PUP-7843

Export or virtualize class error

Previously, Puppet returned a warning or error if it encountered a virtual class or an exported class, but it still included resources from the virtual class in the catalog. Now Puppet always errors on virtual and exported classes. PUP-7582

Puppet::Util::Windows::String.wide_string embeds a NULL char

This release removes a Ruby workaround for wide character strings on Windows. PUP-3970

puppet config set certname accepts upper-case names

Previously, the puppet config set command could set a value that was invalid, causing Puppet to fail the next time it ran or the service was restarted. Now the command validates the value before committing the change to puppet.conf. PUP-2173

Unable to read last_run_summary.yaml from user

Puppet agent code now aligns with the new last_run_summary.yaml location. PA-3253