Puppet 3.8 Release Notes

This version is out of date. For current versions, see Puppet packages and versions.

This page tells the history of the Puppet 3.8 series.

Elsewhere: release notes for:

Puppet’s version numbers use the format X.Y.Z, where:

  • X must increase for major backwards-incompatible changes
  • Y may increase for backwards-compatible new functionality
  • Z may increase for bug fixes

How to Upgrade

Before upgrading, look at the table of contents above and see if there are any “UPGRADE WARNING” or “Upgrade Note” items for the new version. Although it’s usually safe to upgrade from any 3.x version to any later 3.x version, there are sometimes special conditions that can cause trouble.

We always recommend that you upgrade your Puppet master servers before upgrading the agents they serve.

If you’re upgrading from Puppet 2.x, please learn about major upgrades of Puppet first! We have important advice about upgrade plans and package management practices. The short version is: test first, roll out in stages, give yourself plenty of time to work with. Also, read the release notes for Puppet 3 for a list of all the breaking changes made between the 2.x and 3.x series.

Puppet 3.8.7

Released April 26, 2016.

This is a bug release in the Puppet 3.8 series.

Bug Fixes

  • PUP-4818: One part of the relative namespacing feature was not removed when using the future parser. When a class was declared with a resource like expression the references to classes were still interpreted as being relative. This is now fixed, and should help with migration to 4.x as the 3.x future parser will now also use absolute naming in these cases.

  • PUP-6113: Puppet will no longer attempt to retrieve the nonexistent password_min_age property from LDAP users on Solaris.

  • PUP-6073: launchd plists with line continuations no longer cause the launchd service provider to return Error: Could not prefetch service provider 'launchd': undefined method to_ruby for nil:NilClass.

  • PUP-5898: :undef caused unexpected behaviors with hashes due to the 3.x calling convention also applying to resource expressions.

  • PUP-5637: Puppet systemd packages now include an ExecReload command in the puppet.service files in order to facilitate graceful restart on systemd systems.

  • PUP-5356: Fixed the Puppet Nagios extension with Ruby 1.9.3+.

  • PUP-4545: Removed a script that restarts Puppet in response to network changes on EL based systems. It was causing pain in containers and other systems where network restarts are common and frequent.

If users have frequent system reboots combined with slow DHCP responses, they may want to add the script back to ensure that their agent is able to connect with their Puppet master.

Puppet 3.8.6

Released February 3, 2016.

This is a security only release for Windows, that contains an updated version of OpenSSL that addresses a vulnerability announced by OpenSSL on January 28, 2016.

Puppet 3.8.5

Released January 21, 2016.

Puppet 3.8.5 is a maintenance release in the Puppet 3.8 series that fixes several bugs.

Improvements: Speed!

Faster service queries on OS X

Puppet 3.8.5 queries service enablement status on OS X several times faster than previous versions of Puppet.

Faster compilation when environment_timeout = 0

In previous versions of Puppet, an environment with an environment_timeout set to 0 that used many automatically bound default values would perform poorly, as each lookup caused the environment cache to be evicted and recreated. Puppet 3.8.5 greatly reduces the number of times it evicts the environment and significantly improves compilation performance.

New Feature: Set HTTP proxy host and port for the pip provider

In previous versions of Puppet, the pip package provider could fail if used behind an HTTP proxy. This version adds the http_proxy_host and http_proxy_port settings to the provider.

Security update: Ruby on Windows

Puppet 3.8.5 for Windows includes new versions of Ruby that fix CVE-2015-7551.

Bug fix: Fix group resources on Windows --noop runs when the members parameter is an array

In previous version of Puppet 3 for Windows, no-op Puppet runs (such as running puppet agent or puppet apply with the --noop flag) would fail if the members parameter of a group resource contained an array. Puppet 3.8.5 resolves this issue.

Bug fixes: Puppet language

  • PUP-5590: No error on duplicate parameters in classes and resources: In previous versions of Puppet, you could use the same parameter multiple times in a single class or resource without invoking an error. Instead, Puppet would use the second invocation’s value only. Puppet 3.8.5 produces an error message when parsing a manifest in which a class or resource assigns the same parameter multiple times.
  • PUP-5658: Disallow numeric ranges where from > to: Previous versions of Puppet allowed you to create range sub-type declarations (such as Integer[first,second]) for integer and and float types where the maximum limit was set first and the minimum limit was set second. Now for such declarations, the first value must not be greater than the second.

Bug Fixes: Miscellaneous

Puppet 3.8.4

Released November 3, 2015.

Puppet 3.8.4 is a maintenance release in the Puppet 3.8 series. It includes a security update for Windows OpenSSL, and fixes a few miscellaneous bugs.

Security Fix: CA private key now created privately

Previously, Puppet generated a CA private key (Puppet[:cacert]) that was initially world readable, which would create a security vulnerability. Restarting the Puppet master (via webrick, passenger, puppetserver or executing the puppet cert generate command) would automatically resolve the issue, so the vulnerability was limited to the time between when Puppet was installed/started and when it was restarted.

This change ensures Puppet creates the CA private key with mode 640 initially.

The private host key (Puppet[:hostprivkey]) had the same issue, but the parent directory was not world executable/traversable, so it wasn’t a security issue. This change also fixes the host private key in the same manner as the CA private key.

Security Fix: Windows OpenSSL

Update Windows OpenSSL version to 1.0.2d from 1.0.0s

Bug Fix: Windows Password Management

Previously, if you were attempting to create users without specifying the password and you had the Windows Password Policy for Password must meet complexity requirements set to Enabled, it Puppet would fail to create the user. Now it works appropriately.

NOTE: When the Windows Password Policy Minimum password length is greater than 0, the password must always be specified. This is due to Windows validation for new user creation requiring a password for all new accounts, so it is not possible to leave password unspecified once the policy is set.

It is also important to note that when a user is specified with managehome => true, the password must always be specified if it is not an already existing user on the system.

Bug Fixes: Misc

Puppet 3.8.3

Released September 21, 2015.

Puppet 3.8.3 is a bug fix release in the Puppet 3.8 series. It fixes one significant regression and several miscellaneous bugs.

Regression Fix: Warnings (Not Errors) for New Reserved Words

In Puppet 3.8.2, we reserved the new keywords application, consumes, and produces (PUP-4941). For this version of Puppet, using these words as class names or unquoted strings was supposed to log a warning, but due to a bug, Puppet would raise an error and fail compilation instead.

This is now fixed, and the new keywords log warnings as intended.

Bug Fixes: Misc

Puppet 3.8.2

Released August 6, 2015.

Puppet 3.8.2 is a maintenance (bug fix) release to improve forward compatibility for users upgrading to the Puppet 4.x series.

Deprecation: New Reserved Words

To prepare for new features in the 4.x series, the bare words ‘application’, ‘consumes’, and ‘produces’ have been made into reserved words when using the future parser. A warning is issued when they are used. These words should now be quoted if a string is wanted.

Security Update: Windows

We updated the version of OpenSSL in Windows packages to 1.0.0s to address recent CVEs.

Performance Improvements

Optimized the future_parser checks by reducing the number of calls from once per copied resource attribute, to once per resource. This improvement affects all users irrespective of if running with parser = future or not.

When puppet forks (e.g. for a daemonized agent) it could leak file descriptors (with an fd > 255). It could also be slow. Both of those are addressed by this change.

Bug Fixes: Future Parser

Along with performance improvements, this release addresses several bug fixes in the future parser.

Bug Fixes: Resource Types and Providers

Since the password provider is only intended for use on BSD operating systems, it should use confine to prevent accidental activation on non-BSD systems. Linux was particularly susceptible to this, as there are no default providers declared for that platform.

Bug Fixes: Misc

Having {} around variables in a systemd service file makes systemd treat it as a single argument, which breaks when used for something like PUPPET_EXTRA_OPS in the puppet agent and server systemd files. When passing more than one argument in using that variable, systemd would treat it as a single variable, which Puppet would ignore as invalid. Removing the {} from the variable addresses this issue. This was fixed in Puppet 4, and this ticket backported the fix to 3.x.

PMT fails on long Windows paths - For modules that install on Windows and use a long hierarchical directory structure, the default TEMP path where PMT extracts the modules tarball can be problematic. Windows has a default maximum path length of 260 characters (MAX_PATH).

By default, the extracted temp location looks like:


The default install location of a puppet 4.0+ module is:


In using the Temp directory instead we allow for longer path names in the modules. Instead of using over 90 characters before the module path, we only use around 60, allowing for longer module paths during unpacking.

Bug Fixes: HTTP API

Puppet 3.8.1

Released May 26, 2015.

Puppet 3.8.1 is a bug fix release (with future parser changes) in the Puppet 3.8 series. It’s the first official open source release in the 3.8 series.

The main focus of this release is to make sure the 3.8 future parser is forward-compatible with the Puppet language as of Puppet 4.1. It also fixes several bugs.

Bug Fixes: Major

The initial 3.8.0 release partially broke the per-environment parser setting added in 3.7.5, requiring some contortions to make per-environment parser changes work. This is now fixed.

Improvements: Future Parser

This release improves the Puppet language with a new \u{xxxxxx} escape sequence for Unicode characters and a new NotUndef data type. It also adds a feature to the 4.x function API.

Bug Fixes: Future Parser

This release fixes several bugs with the Puppet language that were also fixed in Puppet 4.1.0.

Bug Fixes: Resource Types and Providers

Bug Fixes: Misc

Puppet 3.8.0

Released April 28, 2015, as part of Puppet Enterprise 3.8.0. The first official open source release in the 3.8 series will be 3.8.1.

Puppet 3.8.0 is a backward-compatible features and fixes release in the Puppet 3 series.

New Feature: Back-end Support for Upgrade Previews

This version includes several backend changes to support the PE-only compilation preview module.

New Feature: Logging as JSON

In any of the Puppet subcommands that take the --logdest command line option, you can now specify a path to a JSON file and Puppet will log a (partial) JSON array of message objects to that file.

Improvements: Resource Types and Providers

Bug Fixes: Resource Types and Providers


Other Operating Systems

Improvements: Future Language

Bug Fixes: Future Language

Bug Fixes: General

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.