This page describes new features, enhancements, and deprecations in this Puppet Enterprise (PE) release.
For more information about this release, see:
Tip: This PE release contains several components that have additional release notes. Refer to Related release notes for more information.
PE 2017.2.5 provides bug fixes, security improvements, and enhancements.
You can now control the state of the Puppet service when you install *nix or Windows agents with an install script. This capability enables manually kicking off the initial Puppet run or doing so with a provisioning system.
Use these flags to control the Puppet service:
Option | *nix | Windows | Values |
---|---|---|---|
ensure | `--puppet-service-ensure <VALUE>` | `-PuppetServiceEnsure <VALUE>` | running, stopped |
enable | `--puppet-service-enable <VALUE>` | `-PuppetServiceEnable <VALUE>` | true, false, manual, mask |
The simplified agent install script for Windows now supports setting certain MSI properties as flags in the PowerShell script. You can combine agent configurations with MSI properties.
MSI property | PowerShell flag |
---|---|
`INSTALLDIR` | `-InstallDir` |
`PUPPET_AGENT_ACCOUNT_USER` | `-PuppetAgentAccountUser` |
`PUPPET_AGENT_ACCOUNT_PASSWORD` | `-PuppetAgentAccountPassword` |
`PUPPET_AGENT_ACCOUNT_DOMAIN` | `-PuppetAgentAccountDomain` |
For example:
```powershell
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://<MASTER HOSTNAME>:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1 -PuppetAgentAccountUser "svcPuppet" -PuppetAgentAccountPassword "s3kr3t_P@ssword"

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://<MASTER HOSTNAME>:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1 -PuppetAgentAccountUser "svcPuppet" -PuppetAgentAccountPassword "s3kr3t_P@ssword" agent:splay=true agent:environment=development
```
This release adds support for the Puppet agent on:
PE 2017.2.4 provides bug fixes, security improvements, and enhancements.
You can now purge nodes without running Puppet on your master and reloading it. However, if you use compile masters, you must still run Puppet on all compile masters in order to revoke a node’s certificate and have the change take effect.
You can now securely install Windows agents by installing using a certificate.
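One way to download `install.ps1` with the server certificate checked against the master's CA, rather than with a validation callback that accepts every certificate. This is an added example, not Puppet's documented procedure or code from the original page. It assumes Windows PowerShell on .NET Framework and a CA certificate copied to the agent beforehand; the `C:\ProgramData\puppet-ca.pem` path and the variable names are hypothetical.

```powershell
# Added example, not Puppet's own script. Same WebClient download as the
# install command, but the callback pins the master's CA certificate.
$master = '<MASTER HOSTNAME>'
$caPath = 'C:\ProgramData\puppet-ca.pem'   # hypothetical path; CA cert copied out of band
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caPath

$validate = {
    param($req, $cert, $chain, $sslErrors)
    $bad = [Net.Security.SslPolicyErrors]'RemoteCertificateNameMismatch, RemoteCertificateNotAvailable'
    if ($sslErrors -band $bad) { return $false }  # wrong host name or no certificate
    # Rebuild the chain, tolerating only "root is not in the Windows trust store".
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$c.ChainPolicy.ExtraStore.Add($ca)
    $c.ChainPolicy.RevocationMode = 'NoCheck'     # assumption: no CRL reachable at install time
    $c.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
    if (-not $c.Build($leaf)) { return $false }   # expired, bad signature, and so on
    # The chain must end at exactly the CA we were given, not merely at some root.
    $root = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    return ($root.Thumbprint -eq $ca.Thumbprint)
}

[Net.ServicePointManager]::ServerCertificateValidationCallback = $validate
try {
    $webClient = New-Object System.Net.WebClient
    $webClient.DownloadFile("https://${master}:8140/packages/current/install.ps1", "$PWD\install.ps1")
}
finally {
    # Restore default validation for the rest of the session.
    [Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

# Install with the service left stopped so the first run is started deliberately.
.\install.ps1 -PuppetServiceEnsure stopped -PuppetServiceEnable false
```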
This release adds support for the Puppet agent on Debian 9 (Stretch).
PE 2017.2.3 provides bug fixes, security improvements, and enhancements.
Connections to PE databases can now be made only with certificates. Usernames and passwords are no longer allowed by default.
PuppetDB now uses 14 days for a default “time-to-live” value (`node-purge-ttl`) before it deletes nodes that have been deactivated or expired. This default can be changed as needed.
PE now supports Puppet agents on the following new platforms:
PE 2017.2.2 provides bug fixes, security improvements, and enhancements.
On Red Hat, Ubuntu, SLES, Solaris, and AIX platforms, if you manually transfer CA certificates to agents and install using the `--cacert` flag to point to the master CA, subsequent downloads invoked by the installation script are now secured.
The PE classifier node-check-in purge has been optimized for speed and performance.
We’ve added a new Code Manager parameter, `deploy-ttl`. This parameter specifies the length of time completed deployments are retained before garbage collection, which is important to ensuring consistent Code Manager performance over time.
You can now set up orchestrator jobs in the console. You can create node lists, either static or using Puppet Query Language, on which to run Puppet.
With orchestrator integrated into the console, you can set up jobs with ease, and use the console’s reporting and infrastructure monitoring tools to review jobs and dig deeper into node run results.
See Running jobs in the console for details.
View an inventory of all packages installed on your nodes, and learn which nodes are using each package version. Use this data when determining which nodes are impacted by packages eligible for maintenance updates, security patches, and license renewals. Package inventory reporting is available for all nodes with a Puppet agent installed, including systems that are not actively managed by Puppet.
Package data collection is turned off by default. To turn on package data collection and use this feature, see Viewing all packages in use.
As part of our ongoing commitment to PE users in Japan, PE 2017.2 features Version 1 of Puppet Enterprise (Japanese).
Version 1 of Puppet Enterprise (Japanese) includes a Japanese GUI, and localization of the following services and resources into Japanese.
Puppet Enterprise (Japanese) is included in the same tarball as the English version of PE. To view the PE installer, console, and the Puppet Forge in Japanese, set your web browser language preference to Japanese. To view API messages and command line tool messages in Japanese, set your system locale preference to Japanese. If you already have your browser and system preferences set to Japanese, the Japanese strings are displayed automatically.
We have also improved UTF-8 character encoding support in PE and in the Puppet components and services that are used with PE.
The console now redirects to HTTPS when you attempt to connect over HTTP. The pe-nginx webserver now listens on port 80 by default.
You can disable the HTTPS redirect in Hiera.
Previously, the node classifier service stored a check-in for each node when its classification was requested. The check-in included an explanation of how the node matched the rule of every group it was classified into. This functionality created performance issues when managing a large deployment of nodes. The check-in storage is still available, but it’s now disabled (`false`) by default.
You can enable this by setting `puppet_enterprise::profile::console::classifier_node_check_in_storage` to `true` in the console.
In this release, you can determine the amount of time that should pass after a node sends its last report before it is considered unresponsive. Set an integer to specify the value in seconds. The default is 3600 seconds (one hour).
Adjust `puppet_enterprise::console_services::no_longer_reporting_cutoff` in the console.
The `ping_interval` setting controls how long PXP agents will ping PCP brokers. If the agents don’t receive responses, they will attempt to reconnect. The default is 120 seconds (two minutes).
Adjust `puppet_enterprise::pxp_agent::ping_interval` in the console.
We’ve redesigned the console’s navigation pane, and reduced its width by half.
Quickly access the run report associated with a particular event by using the View run report link that now appears on the Events detail page.
The fact value filters on the Overview and Reports pages now display warning messages if you attempt to use an invalid regular expression, invalid string operator, or empty fact name.
The Puppet orchestrator communicates with PCP brokers on compile masters on port 8143 and sends job-related messages to the brokers, which are then relayed by the brokers to PXP agents. As you add compile masters, you’re able to scale the number of PCP brokers that can send orchestration messages to agents. See Configure compile masters for orchestration scale for instructions.
In High Availability installations, you can now configure PXP agents to communicate with compile masters, instead of just the master or replica, using the new `pcp_broker_list` parameter.
Use the PXP agent log file to debug issues with the Puppet orchestrator. You can change its location from the default as needed.
The `pe-puppetserver` service now defaults to an open file limit of `12000` to support orchestrator scale with PCP brokers.
We’ve added a new flag, `--dry-run`, to the `puppet-code` command. When you run `puppet-code` with this flag, it tests connections to your control repos and returns a consolidated list of all environments in the control repos.
The behavior of the `--wait` flag used with the `puppet-code` command has been updated to improve accuracy and completeness of reporting. Previously, `--wait` returned results after deploying code to the code-staging directory. The flag now waits for file sync to also deploy code to the live code directory on all compile masters before returning results.
Due to this updated behavior, running `puppet-code deploy` with `--wait` takes a minimum of 10 seconds longer than in previous PE versions. In deployments that are geographically dispersed or have a large quantity of environments, completing code deployment can take up to several minutes.
Puppet Enterprise collects data about your PE installation and sends it to Puppet so we can improve our product. In addition to previously collected analytics, we now also collect basic information about:
`puppet-agent` package version
For details about what data we collect and how to opt out, see Puppet Enterprise analytics data collection.
For those with security compliance needs, PE now supports disabling TLSv1. Services in PE support TLS versions 1, 1.1, and 1.2.
The MCollective package agent plug-in helps you install packages from any source (including a URL) and does not require that the packages are signed. This provides a `peadmin` user the ability to execute arbitrary code on any MCollective server.
A default action policy has been put into place in PE that disallows using the package `install`, `uninstall`, and `purge` actions. The policy can be modified and additional action policies can be added using the `puppet_enterprise::profile::mcollective::agent::allowed_actions` parameter to specify agent plug-ins you want to apply an action policy to, and a list of the actions you want to explicitly allow.
MCollective client keys are now labeled sensitive and will not be stored in PuppetDB.
Previously, compile masters downloaded agent packages from puppet.com to make them available for agent installs, meaning they had to reach the internet to retrieve those packages. Compile masters now retrieve agent packages directly from the master of masters.
Java garbage collection logs can help you diagnose performance issues with JVM-based PE services. Garbage collection logs are now enabled by default in PE, and the results are captured in the support script, but you can disable them if you need to.
To help with troubleshooting, you can customize the MCollective client logging level either in the console or in `pe.conf` by setting `puppet_enterprise::profile::mcollective::peadmin::mco_loglevel` to `debug`, `warning`, or `error` instead of the default `info`.
We’ve removed the previously unsupported option to disable file sync while Code Manager remains enabled.
This release deprecates the `file_sync_repo_id` and `file_sync_auto_commit` Code Manager parameters. PE ignores these parameters and raises a warning if you have set them.
RHEL 4, Fedora 23, and Ubuntu 12.04 have reached end-of-life (EOL).
Refer to the system requirements for a list of platforms that will soon be EOL.
Refer to the Puppet Enterprise support life cycle for a list of support dates for our latest versions.
This version of PE includes Puppet version 4.10.8. Refer to the Puppet release notes for more information.
This version of PE includes Puppet agent version 1.10.8. Refer to the Puppet agent release notes for more information.
This version of PE includes PuppetDB version 4.4.2. Refer to the PuppetDB release notes for more information.
This version of PE includes Puppet Server version 2.7.3. Refer to the Puppet Server release notes for more information.