PE release notes

These are the new features, enhancements, resolved issues, and deprecations in this version of PE.

Security and vulnerability announcements are posted at

PE 2021.7

Released August 2022

Important: PE 2021.7 is our new PE LTS. Expect to see changes to the documentation ahead of our next STS release. We apologize for any inconvenience.

If you're preparing to upgrade or looking for earlier 2021.y release notes, go to What's new since PE 2019.8.

New features

Force stop in-progress Puppet runs
By default, POST /command/stop prevents new runs from starting, but allows in-progress runs to finish. Now you can use the force option to block new runs and stop in-progress runs. This is useful, for example, if you need to stop a task that is hanging.
pe_status_check module bundled with PE
The pe_status_check module helps keep your PE installation in an ideal state. Read About the pe_status_check module to learn how the module works and how to get the module's reports.
Important: If you have previously specified a version of this module, from the Forge or other sources, in your code, we recommend removing this version before upgrading to allow the version bundled with PE to be asserted.
New Orchestrator scheduling API
This release includes a new scheduling API for the orchestrator, which introduces several new scheduled_jobs endpoints and deprecates the previous scheduling API's endpoints (for a list of deprecated endpoints, see Deprecations and removals for this release, below).
Existing scheduled jobs are automatically migrated to the new scheduling system, and the PE console now uses the new API (but there is no change to the UI).
With the new API, you can edit scheduled jobs; however, this functionality is currently only available through the API (not yet available in the PE console). To learn more about the new endpoints, go to Scheduled jobs endpoints.
Tools that rely on the deprecated endpoints must be upgraded to use the new endpoints.
Use the RBAC API to set the disclaimer text on the console login page
You can use the RBAC API v1 Disclaimer endpoints to configure the disclaimer text that appears on the PE console login page.
Automatically sync LDAP user details and group membership
Prior to this release, user details and group membership for LDAP-based users only refreshed when users logged in. Now, LDAP group bindings, user names, and descriptions update automatically every 30 minutes (by default) for every LDAP user in the system. If a user is no longer present in LDAP or has no group bindings, all user-group associations are removed from the user and all of the user's known tokens are revoked.
You can disable automatic refresh or change the refresh time by changing the puppet_enterprise::profile::console::ldap_sync_period parameter. Learn more about this parameter in Configure RBAC and token-based authentication settings.
Stop LDAP users from logging in if they have no group membership
You can use the exclude-groupless-ldap-users setting to prevent LDAP users with no group memberships from logging in. This setting is off by default. To learn how to enable this setting, go toRequire LDAP group membership to log in.
Metrics API v2 documentation
The Metrics API v2 uses the Jolokia library to query Orchestrator service metrics. This version of the API has been available for some time, but it was only described in the open source Puppet documentation.
Disaster recovery support for FIPS platforms
Disaster recovery is now supported for FIPS 140-2 compliant Red Hat Enterprise Linux (RHEL) 7 and 8.


Orchestrator API endpoints return "total": 0 if there are no jobs
Orchestrator API v1 endpoints that return pagination containing the total number of jobs (such as GET /jobs, GET /scheduled_jobs (deprecated), and GET /plan_jobs) now return "total": 0, instead of "total": null, when there are no jobs.
Activity service API /v2/events endpoint returns more information for orchestrator events
Responses from GET /v2/events containing information about orchestrator events (Puppet agent runs and task runs) now report additional information about the job start time, end time, duration, and status.
Upgraded JRuby
We are now shipping JRuby
Addressed CVEs
We updated the PostgreSQL driver in some PE component to address CVE-2022-31197. The application was not vulnerable to exploit prior to this update.
We also made changes to address CVE-2022-1292 and CVE-2022-2068.

Platform support

Ubuntu 16.04 is no longer a supported agent platform.

This version adds support for these platforms:
macOS 12 M1
Ubuntu (General Availability kernels) 22.04 x86_64
Microsoft Windows 11 x64
Client tools
Ubuntu (General Availability kernels) 22.04 x86_64
macOS 12 M1, M2
Patch management
Ubuntu (General Availability kernels) 22.04 x86_64
Microsoft Windows 11 x64

Deprecations and removals

Ubuntu 16.04 is no longer a supported agent platform.

The following endpoints are deprecated due to the release of several new Scheduled jobs endpoints for the Orchestrator API. Tools that rely on deprecated endpoints must be upgraded to use the new endpoints. Existing scheduled jobs are automatically migrated to the new scheduling system that uses the new endpoints.
GET /scheduled_jobs (deprecated)
Replaced by GET /scheduled_jobs/environment_jobs and GET /scheduled_jobs/environment_jobs/<job-id>
DELETE /scheduled_jobs/<job-id> (deprecated)
Replaced by PUT /scheduled_jobs/environment_jobs/<job-id>
POST /command/schedule_deploy (deprecated)
Replaced by POST /scheduled_jobs/environment_jobs
POST /command/schedule_plan (deprecated)
Replaced by POST /scheduled_jobs/environment_jobs
POST /command/schedule_task (deprecated)
Replaced by POST /scheduled_jobs/environment_jobs

Resolved issues

full-deploy didn't override --incremental
Code Manager's full-deploy option, used for Configuring module deployment scope, now correctly overrides the default --incremental deploy behavior.
Code Manager couldn't fetch code on FIPS platforms
On FIPS platforms running PE versions 2021.5 or 2021.6, Code Manager and r10k couldn't fetch code from your code repo due to libssh attempting to use algorithms that are not allowed on FIPS. In PE 2021.7, the disallowed algorithms are disabled in libssh, allowing Code Manager and r10k to successfully fetch code.
An unreachable replica consumed all of the primary server's disk space
Previously, if a provisioned replica became unreachable, the associated primary server could quickly run out of disk space, causing a complete interruption to PE services. In larger installations, an outage could occur in under an hour. Excessive disk usage was caused by the PE-PostgreSQL service on the primary server retaining change logs that the replica hadn't acknowledged.
To resolve this, we limited available disk space for the pg_wal directory. To learn more and tune this setting in your installation, refer to PostgreSQL WAL disk space.
Orchestrator ignored _noop when passed to run_task() through a plan
When a plan passed the _noop flag to the run_task() function, the PE Orchestrator now correctly acknowledges the _noop flag.
Some RBAC endpoints returned an incorrect Content-Type
Responses for the following endpoints now return the correct Content-Type: POST /users/<uuid>/password/reset, POST /auth/reset, and PUT /users/current/password.
LDAP with anonymous binding sometimes prevented Console Services from starting or restarting
Previously, if you use anonymous binding, or another configuration with a zero-length password, Console Services sometimes couldn't start or restart. This could cause upgrade failures when upgrading to PE version 2021.4 through 2021.6 from a version earlier than 2021.4. This is resolved.
Orchestrator doesn't restart unexpectedly during the convert_legacy_compiler plan
Previously, when running the enterprise_tasks::convert_legacy_compiler plan, the hosts in the pcp-brokers array could change order. This caused the pe-orchestration-services service to restart (as a result of detecting a presumed configuration change) and, ultimately, caused the plan to fail.
Some SSO configuration fields weren't marked as required
The Organization and Contacts fields on the SSO Configuration page are now correctly marked as required.
Orchestrator couldn't run tasks within modules named tasks or scripts
You can now successfully run tasks that are within modules named tasks or scripts.
Incorrect run-time for splayed agent runs
In previous PE versions, when agent runs were splayed, the run-time reported in the PE console was incorrect.
Sensitive parameters sometimes exposed in cleartext in job results
Sensitive plan parameters from Bolt plans that execute actions over PCP transport are no longer stored in the orchestrator database and, therefore, are properly masked in the job results.