Puppet 8: The Biggest Changes & How to Get It Now [with Video]

Puppet 8 is here, and it’s included in the latest release of Puppet Enterprise. It’s the biggest update to Puppet since Puppet 7’s first release in November 2020, and it carries a host of enhancements and improvements to make managing and scaling your infrastructure easier than ever. 

Read on for a list of the major changes included in Puppet 8, how they benefit you, and how to get going with Puppet 8 fast.

What is Puppet 8?

Puppet 8 is the eighth full release of Puppet’s open source code. Puppet 8 was released in April 2023 and became part of Puppet Enterprise releases in October 2023. Puppet 8 includes updates to configuration reporting, protections for user inputs, and more.

How to Get Puppet 8

Upgrade to the latest version of Puppet Enterprise or Open Source Puppet to start using Puppet 8. PE 2023.4, released in October 2023, was the first version of Puppet Enterprise to include Puppet 8.

Upgrade to Puppet 8

Try Puppet Enterprise Free

Your Puppet modules may require upgrades to make them compatible with Puppet 8. Head here for instructions on upgrading Puppet modules.

Why Upgrade to Puppet 8? The Biggest Features & Updates

Puppet 8 features behind-the-scenes and functional changes focused on user experience and giving you even more control over your automation and configuration management.

Updates to Certificate Management in Puppet 8 & Puppet Enterprise 

Nobody likes dealing with certificates. You might not even know a certificate is expired if servers were set up at different times, or you inherited the infrastructure from another team, or your documentation isn’t up to snuff. And trying to keep up with certificates in a big enough environment can kick off a never-ending change management process, which isn’t good for releasing on time.

Watch the Video Below to See Puppet 8 Certificate Management in Action

Wistia URL

In previous releases of Puppet Enterprise, once a Certificate of Authority expired, the server lost communication with the primary server and wouldn’t update. That meant no new code, no security fixes, and no continuous compliance. 

In the latest versions of Puppet Enterprise, built on Puppet 8, we’ve all but eliminated this huge pain point for practitioners. As soon as you upgrade, auto-renewal for certificates is on by default. Instead of managing changes to certificates across all their servers, you can instead just have shorter-lived certifications that renew just as they expire. That means your team doesn’t have to go through the toil of monitoring and managing certificate expiration, and it makes it much easier to recover from expired certification.

Whether it’s keeping track of different expiration dates, manual errors mucking things up, or just the sheer volume of certificates to manage, you can say goodbye to the hangups that have been haunting your certificate management.

Updating to Ruby 3.2 and OpenSSL 3

With Puppet 8, Puppet is now on the latest branch of Ruby 3.2 and OpenSSL 3. The replacement ensures everything is up-to-date with the latest version while reducing vulnerability scanning concerns.

Note: Ruby 3 only has the exist? function and not exists? All code using the exists? function will need to be updated for compatibility. (You can actually do this before you upgrade to Puppet 8, since Ruby 2 features both exist? and exists? functions.)

Strict Mode

Platform engineering is prompting a shift toward self-service in DevOps. Self-service brings freedom, but also liabilities: With the potential for so many more user inputs, we need to make sure they can’t make unsafe variable assignments. 

Strict Mode in Puppet 8 ensures that if something hasn’t been passed correctly, like if it contains a typo that has caused something to become “undefined”, Puppet will throw an error rather than allowing a change that might have unexpected consequences. It also prevents mixed data transformations that lead to messy data assignments, like attempting to add a string to an integer. 

Together with freezing string literals, Strict Mode helps avoid mistakes or malicious attempts to reassign variables. 

Excluding Unchanged Resources from Reporting by Default

During a Puppet run in an IT estate with hundreds of thousands of servers, the Puppet agent runs every 30 minutes by default, reports on resources, and stores the data for 7 days by default. The problem is that these run reports also included data on the resources that hadn’t changed since the last run. 

All that unchanged data about hundreds of resources per run — sometimes thousands — was effectively burying the data some users needed to see. To get around that problem, users were cutting down the data storage period or scheduling less frequent runs, which decreased the effectiveness and usability of the tool. 

In Puppet 8, unchanged resources are excluded from reporting by default. (Users have had the ability to set this in Puppet 7, but it wasn’t on by default.) That means every Puppet run will show you the information that matters so you don’t have to dig through mountains of data to get to actionable insights.

Default Lazy Evaluation of Deferred Functions

Deferred functions let you run commands on the client side instead of all in a Puppet compile server. That’s helpful when accessing something you don’t want to be passed through the Puppet infrastructure nodes, like vault secrets. Deferred functions let you access them using only your client and vault server. 

Before Puppet 8, all deferred functions were evaluated prior to enforcement of the catalog. This means that if your function depended on configuration like installing a library or writing a config file, then it would fail the first time through. In Puppet 8, it’s possible to install a dependency for a deferred function and call the deferred function in a single agent run.

Dropping Hiera 3

Hiera 3 has been out of use for a while, and dropping it from this version trims down the Puppet 8 install. The lookup function and Hiera 5 continue to work as expected.

Excluding Legacy Facts by Default

Legacy facts have also been deprecated for some time. Puppet 8 drops them altogether, reducing network load, freeing PuppetDB storage, and improving general performance.

How to Upgrade to Puppet 8

Ready to upgrade from Puppet 7 to Puppet 8? Like any big upgrade, it’s a significant process — but totally manageable if you follow the right steps. Here’s a quick guide to upgrading Puppet to ensure a smooth transition so you can start taking advantage of all the great new features and improvements of Puppet 8.

For more detailed information, refer to the official Puppet documentation on upgrading to Puppet 8.

Before You Upgrade: Back Up Your Current Puppet Installation

Before upgrading, it’s crucial to back up your installation to prevent data loss. Here’s a general overview of what you should back up before upgrading to the new version of Puppet:

• Manifests and modules
• Hiera data
• SSL certificates directory
• PuppetDB (if you’re using it)
• Store all those backups somewhere secure (like external storage or a secure cloud)

The default puppet-backup command helps create a complete backup of your Puppet install, including configurations, certificates, code, and PuppetDB data. For more specific instructions, check out the Puppet docs for backing up and restoring Puppet Enterprise.

Key Changes That May Affect Your Upgrade

MRI Ruby 3.2: Puppet 8 vendors Ruby 3.2, which requires a code refactor to update deprecated references, such as functions, custom facts, types & providers, and report processors. It’s essential to review these changes and update your code accordingly.

• Learn more about refactoring code for Puppet 8 compatibility here.

OpenSSL 3.0: Puppet agent now vendors OpenSSL 3.0. If any application compiles against Puppet’s OpenSSL, it must be recompiled when upgrading. This ensures compatibility and security.

• For more information, see the OpenSSL Migration Guide.

Hiera 3 Component Dropped: If you rely on a Hiera 3 backend, you must convert your backend to Hiera 5 or manually install the Hiera 3 gem on all Puppet Server hosts.

• This change does not affect Hiera 5, puppet lookup, or the hiera_include, hiera_hash, etc., set of functions.

Legacy Facts: Legacy facts are no longer collected on the agent or sent to Puppet server. Since they are not available during compilation, they cannot be referenced in Puppet code, ERB/EPP templates, or Hiera configuration.

• You can handle this by using the legacy_facts puppet-lint plugin to identify and correct legacy fact usage or by re-enabling them in puppet.conf.

Testing Puppet Code for Upgrading

Testing your existing Puppet code before upgrading is a crucial step to ensure a smooth transition. Here are some steps you can follow:

1. Use the Puppet Development Kit (PDK)

   You can use the PDK to run unit tests, validate your code against Puppet’s style guide, and ensure compatibility with Puppet 8.

2. Perform Syntax and Style Checks

   Use the puppet-lint tool to check your code for syntax and style issues, helping you identify and fix any code that doesn’t comply with Puppet 8’s style guide.

3. Run Unit Tests

   Unit tests help you verify that individual components of your Puppet code work as expected. You can use the puppetlabs_spec_helper gem to write and run unit tests for your Puppet modules.

4. Use the puppet parser validate Command

   The puppet parser validate command checks your Puppet manifests for syntax errors. Run this command on your existing code to ensure there are no syntax issues before upgrading.

5. Run Acceptance Tests

   Acceptance tests help you verify that your Puppet code works correctly in a real-world environment. You can use tools like Serverspec or other tools to run integration tests on your Puppet modules.

6. Check for Deprecated Features

   Update your code to remove deprecated constructs and ensure compatibility with Puppet 8. Review the Puppet 8 documentation to identify any deprecated features or changes that might affect your code.

7. Use a Test Environment

   Set up a test environment that mirrors your production environment. Apply your Puppet code in this test environment to identify any issues before upgrading your production environment.

8. Review and Update Dependencies

   Ensure that all dependencies, such as Puppet modules and Ruby gems, are compatible with Puppet 8. Update your metadata.json and Gemfile files to reflect the correct dependencies.

Upgrading Modules for Puppet 8

When upgrading officially supported Puppet modules, follow these stages:

1. Preliminary Work:
   1. Remove deprecated code constructs.
   2. Update code to comply with the new Ruby layer changes.
   3. Assign datatypes to class parameters.
   4. Replace legacy facts with structured facts.
   5. Clean up code to work with strict mode.
2. Updating Dependencies:
   1. Update metadata.json and Gemfile files to ensure correct dependencies.
   2. Use the pdk update command to assist with this process.

By following these steps, you can thoroughly test your existing Puppet code and ensure a smooth upgrade to Puppet 8. For any specific questions or next steps, get in touch with your Puppet support team or contact Puppet Professional Services for a helping hand in upgrading Puppet!

Download Puppet 8 & Get Started Now

If you’re a current Puppet user, you can upgrade to Puppet 8 by following the instructions above and a more detailed guide over on Docs. For a more in-depth look at Puppet 8, check out Puppet 8 for DevOps Engineers from Packt Publishing. If you’re new to Puppet, try the latest version for free on 10 nodes with no time restriction or user limit.

Upgrade Instructions  Try Puppet

Tom Chisholm, Principal Training Solutions Engineer at Puppet by Perforce, contributed to this article.

This blog was originally published in October 2023 and has since been updated for accuracy and relevance.