This page tells the history of the Puppet 3.8 series.
Puppet’s version numbers use the format X.Y.Z, where:
Before upgrading, look at the table of contents above and see if there are any “UPGRADE WARNING” or “Upgrade Note” items for the new version. Although it’s usually safe to upgrade from any 3.x version to any later 3.x version, there are sometimes special conditions that can cause trouble.
We always recommend that you upgrade your Puppet master servers before upgrading the agents they serve.
If you’re upgrading from Puppet 2.x, please learn about major upgrades of Puppet first! We have important advice about upgrade plans and package management practices. The short version is: test first, roll out in stages, give yourself plenty of time to work with. Also, read the release notes for Puppet 3 for a list of all the breaking changes made between the 2.x and 3.x series.
Released April 26, 2016.
This is a bug release in the Puppet 3.8 series.
PUP-4818: One part of the relative namespacing feature was not removed when using the future parser. When a class was declared with a resource-like expression, the references to classes were still interpreted as being relative. This is now fixed, and should help with migration to 4.x as the 3.x future parser will now also use absolute naming in these cases.
PUP-6113: Puppet will no longer attempt to retrieve the nonexistent password_min_age property from LDAP users on Solaris.
PUP-6073: launchd plists with line continuations no longer cause the launchd service provider to return Error: Could not prefetch service provider 'launchd': undefined method to_ruby for nil:NilClass.
PUP-5898: :undef caused unexpected behaviors with hashes due to the 3.x calling convention also applying to resource expressions.
PUP-5637: Puppet systemd packages now include an ExecReload command in the puppet.service files in order to facilitate graceful restart on systemd systems.
PUP-5356: Fixed the Puppet Nagios extension with Ruby 1.9.3+.
PUP-4545: Removed a script that restarts Puppet in response to network changes on EL based systems. It was causing pain in containers and other systems where network restarts are common and frequent.
If users have frequent system reboots combined with slow DHCP responses, they may want to add the script back to ensure that their agent is able to connect with their Puppet master.
Released February 3, 2016.
This is a security-only release for Windows that contains an updated version of OpenSSL, addressing a vulnerability announced by OpenSSL on January 28, 2016.
Released January 21, 2016.
Puppet 3.8.5 is a maintenance release in the Puppet 3.8 series that fixes several bugs.
Puppet 3.8.5 queries service enablement status on OS X several times faster than previous versions of Puppet.
environment_timeout = 0
In previous versions of Puppet, an environment with an environment_timeout set to 0 that used many automatically bound default values would perform poorly, as each lookup caused the environment cache to be evicted and recreated. Puppet 3.8.5 greatly reduces the number of times it evicts the environment and significantly improves compilation performance.
pip provider
In previous versions of Puppet, the pip package provider could fail if used behind an HTTP proxy. This version adds the http_proxy_host and http_proxy_port settings to the provider.
Puppet 3.8.5 for Windows includes new versions of Ruby that fix CVE-2015-7551.
--noop runs when the members parameter is an array
In previous versions of Puppet 3 for Windows, no-op Puppet runs (such as running puppet agent or puppet apply with the --noop flag) would fail if the members parameter of a group resource contained an array. Puppet 3.8.5 resolves this issue.
Integer[first,second]) for integer and float types where the maximum limit was set first and the minimum limit was set second. Now for such declarations, the first value must not be greater than the second.
Released November 3, 2015.
Puppet 3.8.4 is a maintenance release in the Puppet 3.8 series. It includes a security update for Windows OpenSSL, and fixes a few miscellaneous bugs.
Previously, Puppet generated a CA private key (Puppet[:cacert]) that was initially world readable, which would create a security vulnerability. Restarting the Puppet master (via webrick, passenger, puppetserver or executing the puppet cert generate command) would automatically resolve the issue, so the vulnerability was limited to the time between when Puppet was installed/started and when it was restarted.
This change ensures Puppet creates the CA private key with mode 640 initially.
The private host key (Puppet[:hostprivkey]) had the same issue, but the parent directory was not world executable/traversable, so it wasn’t a security issue. This change also fixes the host private key in the same manner as the CA private key.
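The difference between tightening a key file after it is written and creating it with a restrictive mode, as an added Ruby illustration (not Puppet's own code). The function names, the 022 umask and the placeholder file contents are assumptions made for the example; `key_mode_too_open?` is a check an operator could run against existing key files.

```ruby
require 'tmpdir'

# Weak pattern: the file is created with the default mode (0666 & ~umask)
# and only tightened afterwards. Returns the mode the file had in between.
def write_key_then_chmod(path, pem)
  File.write(path, pem)
  initial = File.stat(path).mode & 0o777
  File.chmod(0o640, path)
  initial
end

# Hardened pattern: the mode is passed at creation time, so the file never
# exists with broader permissions. EXCL refuses a pre-existing file.
def write_key_restricted(path, pem)
  flags = File::WRONLY | File::CREAT | File::EXCL
  File.open(path, flags, 0o640) { |f| f.write(pem) }
  File.stat(path).mode & 0o777
end

# Audit check: true when any permission bit beyond 0640 is set.
def key_mode_too_open?(path)
  (File.stat(path).mode & 0o777 & ~0o640) != 0
end

# Runs both patterns in a scratch directory under an assumed umask of 022.
def demo
  old_umask = File.umask(0o022)
  Dir.mktmpdir do |dir|
    pem = "constructed placeholder, not a real key\n"
    weak = write_key_then_chmod(File.join(dir, 'weak_key.pem'), pem)
    hardened = write_key_restricted(File.join(dir, 'hardened_key.pem'), pem)
    { weak_initial: weak, hardened_initial: hardened }
  end
ensure
  File.umask(old_umask)
end
```

Under a 022 umask the first pattern leaves the file at mode 644 until the chmod runs, while the second creates it at 640 from the start.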
Update Windows OpenSSL version to 1.0.2d from 1.0.0s
Previously, if you were attempting to create users without specifying the password and you had the Windows Password Policy for Password must meet complexity requirements set to Enabled, Puppet would fail to create the user. Now it works appropriately.
NOTE: When the Windows Password Policy Minimum password length is greater than 0, the password must always be specified. This is due to Windows validation for new user creation requiring a password for all new accounts, so it is not possible to leave password unspecified once the policy is set.
It is also important to note that when a user is specified with managehome => true, the password must always be specified if it is not an already existing user on the system.
filetimeout setting had a shorter time than the environment cache. The regression could also cause performance degradation in general due to many calls to get status of files.
filter() function did not behave according to specification when filtering a hash, as it did not enforce that only boolean true as a return from the lambda would include the element in the result. Instead, any “truthy” value was accepted. Now, only boolean true will include an element in the result.
Released September 21, 2015.
Puppet 3.8.3 is a bug fix release in the Puppet 3.8 series. It fixes one significant regression and several miscellaneous bugs.
In Puppet 3.8.2, we reserved the new keywords application, consumes, and produces (PUP-4941). For this version of Puppet, using these words as class names or unquoted strings was supposed to log a warning, but due to a bug, Puppet would raise an error and fail compilation instead.
This is now fixed, and the new keywords log warnings as intended.
exec resources with a timeout value will now send a TERM signal if their command runs too long.
notify, subscribe, or ~>), Puppet would stop the service and fail to start it.
Released August 6, 2015.
Puppet 3.8.2 is a maintenance (bug fix) release to improve forward compatibility for users upgrading to the Puppet 4.x series.
To prepare for new features in the 4.x series, the bare words ‘application’, ‘consumes’, and ‘produces’ have been made into reserved words when using the future parser. A warning is issued when they are used. These words should now be quoted if a string is wanted.
We updated the version of OpenSSL in Windows packages to 1.0.0s to address recent CVEs.
Optimized the future_parser checks by reducing the number of calls from once per copied resource attribute to once per resource. This improvement affects all users, regardless of whether they run with parser = future.
When Puppet forks (e.g. for a daemonized agent) it could leak file descriptors (with an fd > 255). It could also be slow. Both of those are addressed by this change.
Along with performance improvements, this release addresses several bug fixes in the future parser.
call_function, a user can agnostically call a 3.x or 4.x function. Arguments are given in an Array, and it accepts a Ruby block (to enable calling 4.x iterative functions).
Since the password provider is only intended for use on BSD operating systems, it should use confine to prevent accidental activation on non-BSD systems. Linux was particularly susceptible to this, as there are no default providers declared for that platform.
Having {} around variables in a systemd service file makes systemd treat it as a single argument, which breaks when used for something like PUPPET_EXTRA_OPS in the puppet agent and server systemd files. When passing more than one argument in using that variable, systemd would treat it as a single variable, which Puppet would ignore as invalid. Removing the {} from the variable addresses this issue. This was fixed in Puppet 4, and this ticket backported the fix to 3.x.
PMT fails on long Windows paths - For modules that install on Windows and use a long hierarchical directory structure, the default TEMP path where PMT extracts the modules tarball can be problematic. Windows has a default maximum path length of 260 characters (MAX_PATH).
By default, the extracted temp location looks like:
C:\ProgramData\PuppetLabs\puppet\cache\puppet-module\cache\tmp-unpackerYYYYMMDD-XXXX-xxxxxxx
The default install location of a puppet 4.0+ module is:
C:\ProgramData\PuppetLabs\code\environments\production\modules
By using the Temp directory instead, we allow for longer path names in the modules. Instead of using over 90 characters before the module path, we only use around 60, allowing for longer module paths during unpacking.
Released May 26, 2015.
Puppet 3.8.1 is a bug fix release (with future parser changes) in the Puppet 3.8 series. It’s the first official open source release in the 3.8 series.
The main focus of this release is to make sure the 3.8 future parser is forward-compatible with the Puppet language as of Puppet 4.1. It also fixes several bugs.
The initial 3.8.0 release partially broke the per-environment parser setting added in 3.7.5, requiring some contortions to make per-environment parser changes work. This is now fixed.
This release improves the Puppet language with a new \u{xxxxxx} escape sequence for Unicode characters and a new NotUndef data type. It also adds a feature to the 4.x function API.
This release fixes several bugs with the Puppet language that were also fixed in Puppet 4.1.0.
Released April 28, 2015, as part of Puppet Enterprise 3.8.0. The first official open source release in the 3.8 series will be 3.8.1.
Puppet 3.8.0 is a backward-compatible features and fixes release in the Puppet 3 series.
This version includes several backend changes to support the PE-only compilation preview module.
In any of the Puppet subcommands that take the --logdest command line option, you can now specify a path to a JSON file and Puppet will log a (partial) JSON array of message objects to that file.
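Because the file holds a partial array, a strict JSON parser can reject it while it is still being written. The following added Ruby example (not Puppet's own code) reads such a file tolerantly and picks out the severe entries; the file layout (an opening "[" followed by comma-separated objects, with no closing "]" yet), the "level" and "message" keys, and the sample contents are assumptions constructed for the illustration.

```ruby
require 'json'

# Constructed sample: an array that was never closed and whose last
# object was cut off mid-write.
SAMPLE_OPEN_LOG = <<~LOG
  [
  {"level":"notice","source":"Puppet","message":"Applied catalog in 1.20 seconds"},
  {"level":"err","source":"Puppet","message":"Could not retrieve catalog"},
  {"level":"warning","source":"Puppet","message":"trunca
LOG

# Returns every complete message object found in the text.
def read_partial_json_log(text)
  body = text.strip
  return [] if body.empty?
  raise ArgumentError, 'log does not start with "["' unless body.start_with?('[')

  begin
    return JSON.parse(body) # the array was closed cleanly
  rescue JSON::ParserError
    # still open or truncated: fall through to the recovery loop
  end

  # Walk back over each "}" and try to close the array there.
  cut = body.length
  while (cut = body.rindex('}', cut - 1))
    begin
      return JSON.parse(body[0..cut] + ']')
    rescue JSON::ParserError
      # this "}" sat inside a string or a truncated object; keep going
    end
  end
  []
end

SEVERE_LEVELS = %w[err crit alert emerg].freeze

# Selects the entries whose assumed "level" field is err or worse.
def severe_entries(entries)
  entries.select { |e| SEVERE_LEVELS.include?(e['level']) }
end
```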
group resource type would ignore the auth_membership attribute and always treat the list of members as a complete list, removing any users not listed in that group resource. This was also fixed in Puppet 4.0.0.
PUP-4185: Backport ability to add a member to group to Puppet 3.8
scheduled_task resources were logging incorrect change notifications. This was also fixed in Puppet 4.0.0.
PUP-4186: Backport Weekly tasks always notify ‘trigger changed’ to Puppet 3.8