These are the new features, enhancements, resolved issues, and deprecations in this version of PE.
Puppet ensures platform repositories aren't installed in order to prevent accidental agent upgrade
Previously, Bolt users who installed the Puppet 5 or 6 platform repositories could experience unsupported agent upgrades on managed nodes. With this release, Puppet ensures that the release packages for those platforms are not installed on managed nodes by enforcing ensure => 'absent' for the packages.
Windows install script optionally downloads a tarball of plug-ins
For Windows agents, the agent install script optionally downloads a tarball of plug-ins from the master before the agent runs for the first time. Depending on how many modules you have installed, bulk plug-in sync can speed agent installation significantly.
This feature is controlled by the setting pe_repo::enable_windows_bulk_pluginsync, which you can configure in Hiera or in the console. The default setting for bulk plug-in sync is set to
puppet infrastructure run commands no longer require an authentication token
puppet infrastructure run commands that affect PuppetDB, including enable_ha_failover, no longer require setting up token-based authentication as a prerequisite for running the command. By default, these commands use the master's PuppetDB certificate for
puppet infrastructure run commands provide more
puppet infrastructure run commands, such as those for regenerating certificates or enabling high availability failover, now provide more readable output, making them easier to troubleshoot.
Calculations for PostgreSQL settings are fine-tuned
The shared_buffers setting uses less RAM by default due to improvements in calculating PostgreSQL settings. Previously, PostgreSQL settings were based on the total RAM allocated to the node on which it was installed. Settings are now calculated based on total RAM less the default RAM used by PE services. As a result, on an 8GB installation, for example, the default shared_buffers setting is reduced from ~2GB to ~1GB.
*nix command for regenerating agent certificates includes a parameter for CRL cleanup
The puppet infra run regenerate_agent_certificate command includes a clean_crl parameter. Setting it to true cleans up the local CRL bundle. When you regenerate certificates for *nix agents after recreating your certificate authority, you must include this parameter with the value set to true. If you're regenerating agent certificates without recreating the CA, you don't need to clean up the
This version adds support for these platforms.
- Fedora 31
Console was inaccessible on macOS Catalina using default certificates
Enhanced security requirements in macOS Catalina prevented accessing the console using the default certificate generated during installation.
puppet infrastructure run commands could fail if the agent was run
puppet infrastructure run commands, such as those used for certain installation, upgrade, and certificate management tasks, could fail if the Puppet agent was run with cron. The failure occurred if the command conflicted with a Puppet
Mismatch between classifier classification and matching nodes for regexp rules
PuppetDB’s regular expression matching had surprising behaviors for structured fact value comparisons. For example, the os is a rule that matches ":"]. PuppetDB would unintentionally match every node that has the os structured fact because the regular expression was applied to the JSON-encoded version of the fact value.
The classifier does not use PuppetDB for determining classification and regular expressions in the classifier rules syntax only support direct value comparisons for string types.
This caused issues in the console where the node list and counts for the "matching nodes" display sometimes indicated that nodes were matching even though the classifier would not consider them matching.
Now, the same criteria that the classifier uses are applied to the displays and counts. The output of the classifier’s rule translation endpoints now produces queries that match the classifier's behavior.
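The mismatch described above, as an added illustration that is not code from PE or PuppetDB: both matchers below are simplified stand-ins for the two behaviors, and the rule form ["~", fact, pattern], the node facts and the sample rules are constructed assumptions.

```python
import json
import re

# Constructed sample inventory (not from the page): one node with a
# structured "os" fact, one with a plain string "os" fact, one without "os".
NODES = {
    "node1": {"os": {"name": "CentOS", "family": "RedHat", "release": {"major": "7"}}},
    "node2": {"os": "CentOS"},
    "node3": {"kernel": "Linux"},
}


def _unpack(rule):
    """Rule shape assumed here: ["~", fact_name, regex_pattern]."""
    op, fact, pattern = rule
    if op != "~":
        raise ValueError("only regex ('~') rules are modelled")
    return fact, pattern


def puppetdb_regex_match(rule, facts):
    """Old PuppetDB behavior from the release note: the regex is applied to
    the JSON-encoded fact value, so a structured fact matches any pattern
    that happens to occur in its serialisation (for example ':')."""
    fact, pattern = _unpack(rule)
    if fact not in facts:
        return False
    value = facts[fact]
    encoded = value if isinstance(value, str) else json.dumps(value)
    return re.search(pattern, encoded) is not None


def classifier_regex_match(rule, facts):
    """Classifier behavior: regex rules only compare directly against
    string values, so a structured (non-string) fact never matches."""
    fact, pattern = _unpack(rule)
    value = facts.get(fact)
    if not isinstance(value, str):
        return False
    return re.search(pattern, value) is not None


def matching_nodes(rule, nodes, matcher):
    """Return the sorted node names a given matcher considers matching."""
    return sorted(name for name, facts in nodes.items() if matcher(rule, facts))


if __name__ == "__main__":
    for rule in (["~", "os", ":"], ["~", "os", "Cent"]):
        print(rule, "PuppetDB:", matching_nodes(rule, NODES, puppetdb_regex_match),
              "classifier:", matching_nodes(rule, NODES, classifier_regex_match))
```

The first rule shows the console-side overcount: the ":" regex matches the structured fact only because of the JSON encoding, while the classifier matches nothing.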
infrastructure run command no longer requires the
The caserver parameter is no longer required for puppet infrastructure run commands that are run from your master.
Replicas tried to query PuppetDB on the primary master
In high availability installations, the replica was incorrectly configured to first send queries to the PuppetDB service on the primary master. The failover list has been corrected so that the replica now queries its own PuppetDB service first.
Rerunning the installer created the All Environments node group
If the installer was run for a second time due to an issue such as a failed upgrade or a faulty agent lock, the All Environments node group was mistakenly created for the installation. This issue has been resolved, and the All Environments node group is only created for new installations.
Puppet run failures after a split installation with multiple PuppetDB instances was migrated to a monolithic installation
If your split PE installation architecture included multiple standalone PuppetDB instances, the puppet infrastructure run migrate_split_to_mono command could not create a PuppetDB instance in the new monolithic installation, and subsequent Puppet runs failed. The puppet infrastructure run migrate_split_to_mono command now exits with an error message if multiple PuppetDB instances are present in your split
Console output was shown when installing in quiet mode
When running the installer in text mode, adding the -q option did not successfully activate quiet mode, and the installation process was logged to the console.
Package versions were not reset correctly after failed upgrade
If an agent run was in progress as an upgrade began, and consequently the installer failed because it could not acquire an agent lock, the installer did not roll back the relevant packages to the pre-upgrade PE version.
run plans caused Puppet agent service settings to be ignored
In some cases, plans used in puppet infrastructure run commands forced the Puppet agent service to run after the plan was complete, even if you had previously disabled the service. The impacted plans now reset the Puppet agent service to the state it was in before the plan was
Certificate backup directories could be overwritten
When a certificate regeneration command was run multiple times, certificate backup directories could be unintentionally overwritten. To solve this issue, certificate backup directories are now uniquely named using a time stamp.
Upgrade attempts failed when a Puppet run was in progress
If a Puppet run began while the installer was attempting to upgrade PE, conflicts and failures occurred. The installer now checks for Puppet runs before beginning an upgrade, and stops the upgrade if one is in progress.
Infrastructure-only CRL disable option
You can now disable auto-creation of the infrastructure-only CRL, which was enabled by default in a previous release. To disable the option, set it to false in Hiera or pe.conf; or, in the console, in the PE Certificate Authority node group, in the puppet_enterprise::profile::certificate_authority class, set the enable_infra_crl parameter to false.
Specify alternate DNS names when regenerating certificates
When regenerating agent or master certificates, you can now pass to the Bolt task.
Report details sorted by event
Events in report details are now sorted by event type rather than resource name, so you can locate interesting events more reliably.
Puppet Server fails when it finds a lockfile
Prior to this release, Puppet Server failed if it found a lockfile in the file sync directories. Such lockfiles could be left in file sync directories if Puppet Server was terminated while file sync was syncing code. Now, Puppet Server instead cleans up this lockfile as part of startup.
If you run multiple file sync processes that must respect each other's lockfiles, disable this behavior by setting the hiera key to
ssh-keygen produces unusable key on RHEL8
To enable newer SSH key formats with Code Manager on Red Hat Enterprise Linux 8 (RHEL8), client-side C library libssh2 has been updated to a version that supports them.
Unable to view link to Unsigned certs
In PE 2019.1.0, the Unsigned certs navigation link was only intermittently visible for users who had permission to accept and reject certificate requests. This has been fixed.
Issues discarding changes to RBAC member groups
In previous versions of PE, if you made changes to member groups for a selected user role and later clicked Discard changes instead of Commit changes, the changes were not cleared properly. This has been fixed.
When removing replicas, empty parameters were added to the PE Agent group
When you run puppet infrastructure forget on a high availability deployment that uses load-balanced compile masters, pcp_broker_list parameters are no longer added to the puppet_enterprise::profile::agent class with their values set to empty
Replicas did not receive new or updated packages
When new packages were introduced on the master, whether as the result of a PE upgrade or the introduction of new agents, existing replicas did not receive the new packages.
Upgrade failures caused the pe-installer package to uninstall
If any failure occurred during your upgrade of PE, the pe-installer package was automatically
Reference to plaintext password in unused orchestrator configuration file
An unused default orchestrator.conf file contained a reference to a plaintext password entry and value. This entry has been removed.
Transport preference incorrectly reported in task target table
On the Task page in the console, under certain conditions, the Connection column incorrectly displayed the inventory transport instead of the Puppet agent transport.
Web-based installation support for Red Hat Enterprise Linux (RHEL) 8
Red Hat Enterprise Linux (RHEL) 8 is now included in the web-based installation method's list of supported operating systems.
Reinitializing a replica after upgrade failed
When upgrading a replica, the reinitialize command hung and failed after five minutes depending on the order of services in your
Enabling a new replica using a previous master failed with autosign enabled
The puppet infrastructure run enable_ha_failover command, which lets you enable a failed master as a new replica, includes a step for signing the node's certificate. With autosign enabled, an unsigned certificate couldn't be found, and the command errored out.
PE-PostgreSQL couldn't be enabled or disabled on Ubuntu 18.04
On Ubuntu 18.04 masters, a bug in systemd 237 prevented enabling or disabling the PE-PostgreSQL
Regenerating master certificates failed if the command conflicted with automatic backups
The puppet infrastructure run regenerate_master_certificate command failed if it ran at the same time as automatic configuration backups, triggering an error about pre-existing key
Regenerating agent certificates failed with autosign enabled
The puppet infrastructure run regenerate_agent_certificate command includes a step for signing the node's certificate. With autosign enabled, an unsigned certificate couldn't be found, and the command errored out.
Backup failed with File changed as we read it error
If file sync tried to change files while the backup command was archiving files, the backup command errored and failed.
Restore failed if /tmp folder was too small
When restoring a master using puppet backup restore, the /tmp folder was always used as the temporary location for unpacking PostgreSQL dumps. If /tmp didn't have enough space to hold these dumps, the restore failed. Additionally, attempting to use a different temp directory by setting the TMPDIR environment variable did not work correctly.
Restore reset master DNS altnames
When restoring a master using puppet backup restore, pe_install::puppet_master_dnsaltnames was reset as an array with only the certname of the restore host.
Usernames appear as Base64 strings
Under some circumstances when using an LDAP server, usernames that contained extended characters would incorrectly appear as a Base64 encoded string. For example, a username spelled with a German umlaut, Schröder, would appear in the string format U2NocsO2ZGVyDQo=. After upgrading to PE 2019.1.1, users impacted by this issue must log out and log back in to see their usernames correctly spelled.
Schedule recurring tasks
Continuous Delivery for PE console installation
You can now install Continuous Delivery for PE directly from the console using a new Integrations page. Installation leverages a Bolt task requiring a limited set of parameters, so you no longer have to install a separate module or dependencies. For details about installing Continuous Delivery for PE, see Install Continuous Delivery for PE from the PE console in the Continuous Delivery for PE documentation.
infrastructure run command
The puppet infrastructure run command leverages built-in Bolt plans to perform certain PE management tasks, such as regenerating certificates and migrating from a split to a monolithic installation. To use the command, you must be able to connect using SSH from your master to any nodes that the command modifies. You can establish an SSH connection using key forwarding, a local key file, or by specifying keys in .ssh/config on your master. For information about available plans, run puppet infrastructure run
Enable a new HA replica using a failed master
After promoting a replica, you can use your old master as a new replica, effectively swapping the roles of your failed master and promoted replica.
Add nodes without agents to Puppet Enterprise
Using the new Inventory option on the console, you can add nodes to your Puppet Enterprise deployment without installing the Puppet agent. When you add nodes and their credentials to the inventory, the information is securely stored and made available in the console through remote connections (SSH or WinRM). Authorized users can then run tasks on these nodes without re-entering credentials. For more information, see Adding and removing agentless nodes.
You can now run tasks on a proxy target that remotely interacts with the real target, as defined by the run-on option. Remote tasks are useful for targets like network devices that have limited shell environments, or cloud services driven only by HTTP APIs. Connection information for non-server targets, like HTTP endpoints, can be stored in
Simplified Code Manager control repo configuration
Setting up control repositories for Code Manager no longer requires manually creating an SSH directory and configuring permissions on the key pair and directory. These steps have been automated with the
Improved handling of server settings
puppet.conf are now used in this order:
server_list setting; this order prevents unexpected behavior if you promote a replica.
Improved RBAC API log messages
The RBAC service log entries for revoked users attempting to log in now includes the username and UUID.
Infrastructure terminology changes
With this version, we've unified infrastructure terminology across all installation types. We now call compile masters compilers to reflect their role: compiling catalogs. Similarly, we call the master a master, whether or not your installation includes compilers. In high availability installations, the node that replicates data from the master is simply a replica or master replica.
R.I.P. MoM, master of masters, and primary master replica.
This version adds support for these platforms.
Enterprise Linux 8. Note: Enterprise Linux 8 support for agents was added in previous Z releases.
Deprecations and removals
Split and large environment installations
The split and large environment installations, where the master, console, and PuppetDB were installed on separate nodes, are no longer recommended. Because compilers do most of the intensive computing, installing the console and PuppetDB on separate nodes doesn't substantially improve load capability, and adds unnecessary complexity.
For new installations, we now recommend only monolithic configurations, where the infrastructure components are installed on the master. You can add one or more compilers and a load balancer to this configuration to expand capacity up to 20,000 nodes, and for even larger installations, you can install standalone PE-PostgreSQL on a separate node. For details about current installation configurations, see Choosing an architecture. For instructions on migrating from a split installation to a monolithic installation, see Migrate from a split to a monolithic installation.
module has been removed. The module was used internally to manage PE users but was superseded several versions ago by the puppetlabs/accounts module. If you're using the pe_accounts module for account management, migrate to the module as soon as possible. As a short-term workaround, you can copy the pe_accounts module from an existing PE installation or from the pe-modules package in the PE installer tarball and place the module in your own modulepath.
TLSv1 and v1.1
Windows Server 2008r2
Puppet file permissions on Windows were modified with every run
Changes to how Puppet handled system permissions caused permissions for Windows file resources to be rewritten with each run.
owner and group are not set in the resource
owner and/or group are set to the system user on the running node and the system user is set to full control
SYSTEM in the file resource. In this case, Puppet emits a warning, because setting SYSTEM to less than full control might have unintended consequences, but it does not modify the permissions.
Setting node group environment required Edit configuration data permission
To allow a user role to set a node group environment, users previously had to add the permission Edit configuration data in addition to Set environment. The permission Set environment alone is now enough to allow a user to change the environment.