homeblogwhats new in puppet 7 platform

What’s new in Puppet 7 Platform

Hello, Puppet friends! It’s been a few months since we rolled out the latest major version of the Puppet platform, bumping PuppetDB, Puppet Server and Puppet Agent to “7.0.0.”

First, we’d like to extend our gratitude to our vibrant Puppet community, who helped us immensely in locating and fixing some annoying bugs that managed to sneak through the release. We promptly provided follow-up releases, so be sure to check out the latest available versions for your operating system. Even though we strived to make most of the changes backwards-compatible, there are some breaking changes you should be aware of before making the jump to Platform 7.

Here is a breakdown of the most notable features, enhancements, removals and deprecations that went into this platform release:

Puppet Agent

Facter 4

Puppet Agent 7 ships with Facter 4 by default. Facter 4 was rewritten from the ground-up in Ruby, and aims to be 100% API-compatible with Facter 3. It includes many new features — granular fact blocking, user-defined cache groups, fact profiling, and an all-around friendlier and welcoming experience for both its users and contributors. Facter 4 is also provided as an opt-in fact provider for Platform 6 AIO installations, and can be activated by setting facterng to true in the Puppet configuration.

To find out more about Facter 4, check out the following blog post.

Bump to Ruby 2.7 and removal of end-of-life versions

  • Puppet Agent 7 comes with the latest available version of Ruby 2.7 — released in October 2020 — which brings new features and performance improvements.
  • Puppet 7 dropped support for end of life Ruby versions — 2.3.x and 2.4.x. This only affects Puppet as a gem, as Puppet Agent bundles its own Ruby interpreter.

Better separation between public and sensitive data

Puppet 7 defines clear locations for storing sensitive data (with user restricted access) and public directories for non-sensitive data. This facilitates the reorganization of files and additions to these directories without breaking users’ workflows and automation.

The default location of the newly added publicdir is /opt/puppetlabs/puppet/public on Linux and C:\ProgramData\PuppetLabs\puppet\public on Microsoft Windows. The directory is world-readable and has become the default location for the last_run_summary.yaml file.

Removal of harmful terminology

For both Platform 6 and 7, we decided to take action and remove the usage of harmful terms in favor of more inclusive terminology. Here are the changes you need to be aware of:

  • The masterport setting was deprecated in favor of serverport, which Puppet now uses internally. The masterport setting is still honored and can be set; however we encourage all users to migrate to the new setting.
  • The master setting section is deprecated in favor of the server section. Puppet now issues warnings if it encounters the master section in its configuration file.
  • The master run mode is deprecated in favor of the newly added server run mode. External applications that set the master run mode are now silently routed to the server run mode.
  • The master_used report entry was removed in favor of server_used.
  • The simple server status endpoint is now called when processing the server list. If the endpoint is not available in * Puppet Server, Puppet falls back to the previous master endpoint.
  • The PUPPET_SERVER and SERVERPORT MSI properties were added to configure the server and serverport settings.
  • When parsing the routes.yaml file, Puppet now accepts both server and master applications.
  • The default branches for Puppet and all its components were renamed to main.

Removal of gems

Puppet 7 removes the following gems:

  • win32-process
  • win32-service
  • win32-dir
  • win32-security
  • http-client
  • pathspec

By removing our dependency on the Win32 gems and moving the functionality to core Puppet (using the FFI gem), we consolidate Windows functionalities and enable smooth updates to newer versions of FFI. This also enables you to add dependencies to those gems without creating conflicts with Puppet.

Types and providers

  • On Linux, Puppet's gem provider installs gems using the system Ruby, if available. On Windows, the gem provider installs gems using the system Ruby instead of Puppet's vendored Ruby. Windows users should use the puppet_gem provider to install gems with Puppet's vendored Ruby. An example can be seen in the following video.
  • Solaris SMF service provider: the enable and ensure are now independent operations where enable handles whether the service starts or stops at boot time, while ensure handles whether the service starts or stops in the current running instance. An example can be seen here.
  • The apt provider removes ensure => held in favor of mark => hold, to allow holding specific versions of packages. Check out this video to see the feature in action!


  • The puppet key and puppet cert commands are replaced by the puppet ssl and puppetserver ca commands.
  • The puppet status application — replaced by the Puppet Server status REST API.
  • The puppet module build and generate applications — replaced by PDK.
  • The output of the puppet facts application has changed. It defaults to the show action which pretty prints the facts for the node. It is also possible to only show specific facts or fact groups (e.g. puppet facts show os). To revert to the old output format, call puppet facts find explicitly.


  • The default digest algorithm has been changed from MD5 to SHA256. You may need to take action if remote filebuckets are enabled in your environment, see the following video for details.
  • The local filebucket is disabled by default as the local cache grows unbounded. It can be enabled by setting the File { backup => 'puppet' } resource default.
  • The strict_hostname_checking setting is removed as it can result in hosts getting a catalog they are not authorized to receive. Node definitions that previously used this feature can use regular expression matching instead.
  • Puppet Agent no longer ignores plugin errors. The old behavior can be re-enabled using the ignore_plugin_errors setting.

Puppet language

Removing application orchestration

The compiler will raise a syntax error if it encounters the previously deprecated application orchestration language keywords (site, application, consumes, produces) or resource metaparameters (export, consume).

Exporting and virtualizing classes

Puppet 2.6 allowed classes to be exported and virtualized, but stopped working in 2.7. This functionality has been deprecated since 4.10.2 and errors when strict mode is enabled, otherwise it shows a warning. In Platform 7, it will always error, regardless of strict mode.

Removing the Enumerable data type

The Enumerable data type has been superseded by the Iterable data type.

Puppet Server

Changing the default location of the CA

It is too easy to delete the CA certs and private key because the CA directory is contained within the /etc/puppetlabs/puppet/ssl directory. In Puppet 7 the default location has changed so that you can’t accidentally delete it. This change was made in a backwards-compatible way so that the old path is still usable.

Environment Caching

Puppet Server now caches environments based on when they were most recently used. This allows you to cache frequently-used production environments, while environments for test/feature branches will automatically expire, reducing puppetserver memory utilization.

Fact Caching

Puppet Server now caches facts as JSON instead of YAML for improved performance and to eliminate issues with YAML serialization. The puppetlabs-puppetdb module has also been updated (in version 7.7.0) to use JSON as well. To revert to YAML, modify the facts cache key in /etc/puppetlabs/puppet/routes.yaml manually or using the puppetdb module so it contains:

Legacy Code

Puppet 7 removes the following legacy code: Old networking code, though the legacy API Puppet::Network::HttpPool.http_instance is to be supported. Legacy Ruby authentication layer — replaced by trapperkeeper authentication since Platform 5. Legacy routes handler, dropping support for Puppet 3.x agents.


Require Postgres 11+

PuppetDB 7.0.0 requires Postgres 11+, which allows us to write faster migrations that add columns by ensuring we can take advantage of its new features. It also allows us access to other new features like logical partitioning, and ensures that a user running the supported LTS branch of PuppetDB won’t end up running with an unsupported Postgres 9.6 (after November 2021).

Terminus HTTP Client

PuppetDB has been migrated to use the new HTTP client. This means that users upgrading to Platform 7 either need to upgrade — on the node running Puppet Server — their Puppet Agent and PuppetDB terminus packages at the same time or ensure that they upgrade to puppet-agent 6.16.0+ before upgrading puppetdb-terminus.

Learn more

For the complete list of changes, be sure to check the release notes for Puppet, Puppet Server and PuppetDB before upgrading. More information about the scope of Puppet Platform 7 can be found in this document. For a detailed view of all tickets scheduled for Platform 7, refer to the following JIRA query.

Puppet 7 releases can be found in our repositories:

  • Debian/Ubuntu: apt.puppet.com
  • EL/Fedora: yum.puppet.com
  • Windows/macOS: downloads.puppet.com

Nightly builds for all supported platforms are available under nightlies.puppet.com.

Finally, we'd love to hear your feedback on the #puppet channel in our Community Slack!

Gabriel Nagy is a software engineer at Puppet.