Open source Puppet documentation

These are the new features, resolved issues, and deprecations in this version of Puppet.

Puppet 6.4.4

Released 15 October 2019

New features

New no_proxy setting available in puppet.conf

You can now specify no_proxy as a Puppet setting, consistent with other http_proxy_* Puppet settings. The NO_PROXY environment variable takes precedence over the no_proxy Puppet setting. PUP-9316

serverip6 fact added

This release adds the serverip6 fact, which returns the server's IPv6 address. If Puppet cannot find either serverip or serverip6 facts, it returns a warning. PUP-5109

puppet plugin information was not included in help

The puppet help command did not include help information for puppet plugin Now the plugin command is included in puppet help output. PUP-9959

Module installation performance with minitar improved

Installation time on larger modules has been improved. Previously, on platforms that had the minitar gem installed, mintar would fsync every directory and file, causing long extraction times during module installation. Puppet now uses minitar 0.9, with this fsync option turned off by default. PUP-10013

Automatic (delayed start) is now an option for Windows services

Puppet can now set Windows service startup type to Auto-Start (Delayed). To set a service to use this setting, set the enable parameter of the service resource to "delayed". PUP-6382

Agent startup logged at debug level in daemon mode

When running in daemon mode, Puppet logs the configuration used on agent startup at the debug level. The log is sent to the output specified by the --logdest option. Configuration is reloaded and also logged on SIGHUP. PUP-9754

Resolved issues

Agents now connect directly if target host is set to NO_PROXY

If the agent is configured to use an HTTP proxy, and it attempts to connect to a host that matches an entry in the NO_PROXY environment variable, then Puppet connects directly to the host instead of using the proxy. This feature was originally introduced in Puppet 4.2, but it did not work. PUP-9942

HTTP connections did not support authenticating proxies

Agents could not connect through an authenticating HTTP proxy when making REST requests to Puppet infrastructure, such as when requesting a catalog. Now agents will observe the http_proxy_user and http_proxy_password settings or HTTP_PROXY_USER/PASSWORD environment variables when making those requests. PUP-4470

Puppet does not use proxy to connect to localhost

If an HTTP proxy is configured either in Puppet settings or the HTTP_PROXY_* environment variables, then Puppet does not use the proxy when connecting to localhost or This behavior can be modified by changing the no_proxy setting in puppet.conf or the NO_PROXY environment variable. PUP-2172

exec conditionals respect sensitive types

The exec type's onlyif and unless checks now return redacted output if it is marked sensitive. PUP-9956

Plug-in download speed improved

The puppet plugin download command now reuses HTTPS connections. This significantly speeds up the download process. PUP-8662

Puppet no longer ignores truncated file downloads caused by a Ruby issue

Prior to this release, Puppet silently ignored truncated file downloads, such as when using a file resource whose source parameter contained a puppet://, http://, or https:// URL. This issue was caused by a Ruby issue and is fixed in this release. PA-2849

Puppet tried to install packages that were already installed

Previously, Puppet incorrectly parsed the output of pip freeze when it reported package versions using the arbitrary equality operator, ===. As a result, Puppet treated the package as not installed and tried to reinstall it during every Puppet run. PUP-10015

Query parameters for HTTP and HTTPS file resources are preserved

When retrieving metadata and content for HTTP or HTTPS file resources, Puppet now preserves query parameters. Previously, Puppet requested only the path element of the URI and skipped the query parameters. PUP-9109

YAML output with special characters was not valid

Previously, the puppet resource --to_yaml and puppet device --to_yaml commands did not generate valid YAML if the output contained special characters such as a single quote. PUP-7808

Ruby security update

This version upgrades the Ruby version to 2.5.7 to address security issues:

Curl security update

This version includes a security update to curl 7.66.0 to address CVE-2019-5481 and CVE-2019-5482.

OpenSSL security update

This version updates OpenSSL to 1.1.1d to address CVE-2019-1547, CVE-2019-1549 and CVE-2019-1563. For more details, see the OpenSSL Security Advisory.

Puppet 6.4.3

Released 16 July 2019

Resolved issues

Puppet no longer upgrades Debian upgrade packages before setting them on hold

Prior to this release, if you set a Debian package on hold with ensure => held and the package had a pending upgrade, Puppet would install the upgrade before locking the package. PUP-9564

Disabled Ruby 2.5.1 automatic HTTP retry mechanism

This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the puppetserver report processor. PUP-3905

Security update to curl

This release includes an update to curl to address security issues. See for information about the CVEs. PA-2689

Hiera 3 lookups with convert_to keys

If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with convert_to, you'd get an error: "undefined method 'call_function' for Hiera::Scope". PUP-9693

Ruby in the Puppet agent caused issues with other components

This release fixes an issue where the gem update --system command used in the Puppet agent caused conflicts with software that depends on gems in Puppet's vendored Ruby directory, such as r10k. Now gem paths always contain the path for this directory, even after updating. PA-2628

puppet agent --fingerprint returns the CSR hash

When you run the puppet agent --fingerprint command, if the agent doesn't have a client cert yet, thePuppet returns the SHA256 digest of the certificate request (CSR). This functionality was broken as of Puppet 6.4.0, and is now fixed. PUP-9720

Recurring Puppet runs exited on some SSL bootstrap errors

Recurring Puppet runs wait a specified amount of time while bootstrapping the SSL system, and then retry if an error is encountered. This behavior was broken as of Puppet 6.4.0, and this release restores the behavior.

The wait interval is controlled by the waitforce setting. One-time Puppet runs such as puppet agent --test or puppet agent --onetime do not retry, and instead exit when the first error occurs. PUP-9717

Lockfile retained old PID, causing agent failure

This release fixes an issue where if a Puppet run is killed, the lockfile containing the PID that was being used for the process remains. If another process subsequently starts and uses this PID, the agent fails. Puppet now checks that the PID belongs to Puppet so it can lock the PID correctly. This fix works for Puppet even if you run it as a gem.PUP-9691

Puppet now registers OIDs in the SSL application

SSL requests might sometimes return errors because Puppet was not registering OIDs in the SSL application. This is now fixed. PUP-9746

Augeas updated

Update Augeas to 1.12.0, which includes the always_query_group_plugin keyword. PA-2562

puppet resource cron command now returns Solaris crontabs

This release fixes reading of crontabs using Puppet for Solaris 11. Now crontabs for all users are listed when running puppet resource cron. PUP-9697

Agent now requires findutils as a dependency

Prior to this release, Puppet agent required find, but didn't correctly declare it as a dependency. The agent now requires findutils as a dependency. PA-2629

Dependency issues when installing tools that require gems

This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. If you tried to install tools that rely on gems such as Facter, Puppet and Hiera gem dependencies could not be referenced. PA-2670

Agent runs no longer fail if regional language is Arabic (UAE)

The Puppet agent failed to run if the Regional language was changed to Arabic (United Arab Emirates). Now if the code page is not available in Ruby, the handler reverts to UTF-8 and the agent does not fail. PA-2191

Library failure on AIX 7

If LD_LIBRARY_PATH ws set on an AIX 7 node, Puppet might fail with the following error:
libfacter was not found. Please make sure it was installed to the expected location.
This error is now fixed.PA-2668

Custom MSI actions are logged

Custom MSI actions did not correctly log STDERR to the MSI log. PA-2691

Some commands could not be found

Some Puppet commands, such as puppet-infra, might not be found in the system PATH. This fix ensures that the relevant directory, opt/puppetlabs/bin, is available in the PATH. PA-2750

Puppet 6.4.2

Released 30 April 2019

Resolved issues

Critical security patch to libxslt version in Puppet

The libxslt version packaged in puppet-runtime is now updated to version 1.11.33. This update patches a critical security issue in libxslt. See CVE-2019-11068 for details about this vulnerability. PA-2667

--logdest option accepts multiple logging destinations

This release fixes an issue where you could no longer specify multiple logging destinations on the command line with the --logdest option. This feature stopped working after we added the ability to specify a logging destination in puppet.conf. PUP-9565

Improved error message for certificate that doesn't match hostname

Prior to this release, agents printed a cryptic error message when connecting to an SSL server whose certificate did not match the hostname the agent tried to connect to. This was a regression when running on Ruby 2.4 or later, because of differences in how Ruby reports the mismatched certificate. Puppet now prints the expected error message. PUP-8213

Task parameter values no longer logged

Because parameters for task execution may be sensitive, the pxp-agent no longer logs or writes parameter values to disk. PCP-814

Documentation options changed to provide rubygems compatibility

Puppet now uses the --no-document option to exclude documentation when installing gems, instead of the deprecated --no-rdoc and --no-ri options. This change allows compatibility with rubygems 3.0 and greater. PUP-9395

Puppet 6.4.1

Released 16 April 2019

New features

Certificate download error message improved

The error message returned when the certificate can't be downloaded has been improved, to help make it clear when the agent is waiting for the cert to be signed on the CA. PUP-3122

Documentation improved for allow_duplicate_certs setting

Documentation for the allow_duplicate_certs setting has been updated to indicate that the settingallows new requests to overwrite old requests, but it doesn't overwrite an existing cert. The request still needs to be signed for that to happen. PUP-9574

Performance improvements to puppet device

This release improves performance of puppet device by removing redundant work during initialization. PUP-9584

puppet-agent support removed for Cumulus 2.2, Debian 7

This release removes puppet-agent support for:
  • Cumulus 2.2 (amd64)

  • Debian 7 (x86_64, i386)

Resolved issues

Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrativeAPI to expire the cache as needed. PUP-9497

puppet device failed to manage multiple devices

The puppet device command would not manage multiple network devices in a single run. This was a regression introduced in Puppet 6.0.5. PUP-9587

puppet device could not manage network devices

This release fixes a regression in Puppet 6.4.0 that prevented the device application from being able to manage network devices. PUP-9579

waitforcert option did not work with puppet device

This release fixes a regression in 6.4.0 that prevented Puppet's waitforcert option working with puppet device application. PUP-9589

Debug mode now shows server_list error correctly

Prior to this release, use of the server_list setting could cause misleading agent errors. Now, when running in debug mode, Puppet prints the exception that caused it to skip an entry in the server_list setting. PUP-8036

Debug output shows origin of server setting

This release adds information to debug output that specifies whether the server setting originates from the server or server_list setting in the configuration. PUP-9470

puppet device --apply failed to apply catalog to unregistered targets

With these changes, the puppet device command properly initializes the private directories required for compiling and running catalogs. PUP-9047

ASCII characters in cert names caused issues with string operations

Previously if Puppet agents or servers used a CA-issued certificate containing non-US ASCII characters, then the agent would not correctly render the name of the CA in its output, such as when running puppet ssl verify. PUP-9472



New features

HTTP certification requests

When run with debug, Puppet now prints the HTTP request and the response information. For example:
returned 200 OK

Debug logging for the exec resource

This version introduces the following improvements to debug logging for the exec resource:
  • Running the exec resource with --debug and --noop now prints a debug message with the command if checks prevent it from being executed. If command, onlyif, or unless are marked as sensitive, all commands are redacted from the log output. PUP-9357

  • Puppet now gives a debug message when checking the existence of a file specified by creates. PUP-9511

New method: Puppet::FileSystem.replace_file

Use Puppet::FileSystem.replace_file to atomically replace a file. If a mode is specified, it will always be applied to the file. Otherwise, if the file being replaced exists, its mode will be preserved. If the file doesn't exist, then the mode will default to 0640. This method supersedes Puppet::Util.replace_file, which will be deprecated in a future release. PUP-9499

SSL Improvements

This version introduces several features to improve Puppet agent's SSL subsystem, including the introduction of an SSL state machine. For information on agent-side checks and HTTPS requests, see Agent-master HTTPS communications. PUP-9459
The following SSL improvements have been made:
  • Puppet no longer uses Puppet::SSL::Host. Puppet::SSL::Host will be deprecated in a future release. PUP-9459

  • Puppet no longer saves its public key to disk, because the public key is derivable from its private key and is contained in its certificate. If you need to, you can extract the public key using $ openssl rsa -in $(puppet config print hostprivkey) -pubout. PUP-9459

  • The puppet ssl, puppet device, and puppet agent applications are now the only applications that can initialize SSL. Puppet applications other than puppet agent, puppet device, and puppet ssl now raise an error if they attempt to make an SSL connection while the SSL bootstrap process is incomplete. PUP-9461 PUP-9459

  • Added an API for loading certificates, keys, and certificate revocation lists (CRLs). PUP-9455

  • Added an API for creating an SSLContext containing certificates and keys needed to make an SSL connection. PUP-9456

  • Added a method to Puppet::Network::HttpPool to create an HTTPS connection using a specified SSLContext. PUP-9457

  • Instead of using Puppet::SSL::HOST, puppet ssl now uses an SSL state machine to download certificate authority (CA) and certificate revocation list (CRL) bundles. PUP-9458

  • Puppet preserves existing user and group behavior when saving SSL-related files. PUP-9463

  • The new puppet ssl bootstrap action submits a CSR and downloads the client certificate without running puppet agent -t. PUP-9556

SUSE Linux Enterprise Server support removed

This release of the puppet-agent package removes support for SUSE Linux Enterprise Server 11/12 s390x. PA-2489

Resolved issues

Ruby security patch in puppet-agent package

This puppet-agent package release includes a security patch for Ruby 2.5.3. To learn more about the CVEs that this patch address, see the Ruby security advisories. PA-2512

Resolved SSL issues

Improvements in the SSL subsystem ( PUP-9459) have resolved the following issues:
  • Puppet no longer conditionally sends its certificate signing request (CSRs) based on the presence or absence of the file on disk. Instead it generates and sends the CSR whenever it needs to check for a certificate. Puppet still saves the CSR to disk, but it never reads it back in. PUP-4568

  • Puppet no longer downloads the CSR from the server, so it can never get into a state where it saves the wrong CSR to disk, causing it to be stuck. As a result, it's now possible to enable allow_duplicate_certs=true and have the agent submit a CSR with the same name as a previous instance of the node. The admin still needs to revoke the old cert and sign the new CSR in order for the agent to get its certificate. PUP-2354

  • Puppet no longer uses the indirector to handle certificates or keys. PUP-6207

  • Puppet was too permissive about skipping SSL verification if no client certificate was found. Puppet now never downgrades verification based on the absence of a client certificate. PUP-7295

  • Mismatched certificates were cached on the host, causing Puppet to print an error on each run until an admin removed the files. If a client certificate, Certificate Authority (CA) bundle, or certificate revocation list (CRL) bundle are invalid, Puppet now discards them. PUP-7903

  • The error message for a mismatched certificates name was not helpful. When a Puppet agent tries to connect to an SSL server where the certificate does not match the hostname it is trying to connect to, it will now return the expected error message. PUP-8213

  • The Puppet agent was not verifying its peer in an SSL connection when downloading a CRL. Puppet now verifies the server's SSL certificate when retrieving a CRL. PUP-9142

filebucket type server and port settings no longer have explicit defaults

For the filebucket type, server and port no longer have explicit default values in the type definition. If server is not set, it defaults to the first entry in server_list if set; otherwise, it defaults to server. If port is not set, it defaults to the port in the first entry of server_list if set; otherwise, it defaults to masterport. PUP-9025

Custom functions can now be correctly called

This release fixes an issue where the call() function could call only functions that existed in Puppet core; custom functions could not be called. Now any function in the environment is visible and can be called. PUP-9477

Puppet agent now produces an error when a functional server is not found

If server_list is set and a functional server is not found, Puppet returns an error rather than falling back to the server setting. PUP-9076

Optional type without arguments no longer returns an error

Previously, if you used the type Optional without any arguments, it could result in an internal error. This is now fixed. On its own, Optional means the same as Any. You should always supply a type argument with the desired type if the value is not undef. PUP-9467

Fixed remote MSI package installation on Windows

This release fixes a regression that prevented installing MSI packages from an HTTP URL on Windows. PUP-9496


Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrativeAPI to expire the cache as needed. PUP-9497

SublocatedExpression class

The AST SublocatedExpression class is no longer generated by the parser. The SublocatedExpressionclass itself will be removed from Puppet in a future release. PUP-9303

Certificate authority subcommands and v1 CA HTTP API

Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998

As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650

For details on changes and the new commands, see our documentation about certificates and SSL.

Ruby certificate authority 

Puppet no longer has a Ruby CA. All CA actions now rely entirely on the Clojure implementation in Puppet Server. It can be interacted with by means of the CA API and the puppetserver ca command, which leverages the API using subcommands like those provided by puppet certPUP-8912

Trusted server facts

Trusted server facts are always enabled and have been deprecated since 5.0. This removes the setting and conditional logic. PUP-8530

write_only_yaml node terminus

The write_only_yaml node terminus was used to “determine the list of nodes that the master knows about” and predated widespread PuppetDB adoption. The write_only_yaml has been deprecated since 4.10.5, and this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a compile. PUP-8528

LDAP node terminus

The LDAP node terminus has been removed. PUP-7601

computermacauthorization, and mcx types and providers

The computermacauthorization, and mcx types and providers have been moved to the macdslocal_core module. It is not repackaged into puppet-agent in the 6.0 series.

Nagios types

The Nagios types no longer ship with Puppet, and are now available as the puppetlabs/nagios_core module from the Forge.

Cisco network devices

The Cisco network device types no longer ship with Puppet. These types and providers have been deprecated in favor of the puppetlabs/cisco_ios module, which is available on the Forge. PUP-8575

:undef in types and providers

In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a master, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112

puppet module build command

To reduce the amount of developer tooling installed on all agents, this version of puppet removes the puppet module build command. To continue building module packages for the Forge and other repositories, install  Puppet Development Kit (PDK). PUP-8763

pcore_type and pcore_value

The earlier experimental -rich_data format used the tags pcore_type and pcore_value, these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations you need to change them or write them again with the updated version. PUP-8597


Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591)

puppet master command

The puppet master command and its subcommands have been removed. Instead, use a  puppet-config command.  PE-24280

–strict flag in puppet module 

The –strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558

Select settings

The following settings have been removed:
  • The previously deprecated configtimeout setting has been removed in favor of the http_connect_timeout and http_read_timeout setting. PUP-8534

  • The unused ignorecache setting has been removed. PUP-8533

  • The previously deprecated pluginsync setting has now been removed. The agent’s pluginsync behavior is controlled based on whether it is using a cached catalog or not. PUP-8532

  • The deprecated app_management setting has now been removed. Previously, this setting was ignored, and always treated as though it was set to be on. PUP-8531

  • The deprecated ordering setting has been removed, and catalogs now always have the ordering previously provided by the manifest value of this setting. PUP-6165

  • Settings related to the rack webserver from Puppet, including binaddress and masterhttplog. PUP-3658

String duplication in 3x runtime converter

Types and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values and any type or provider that directly mutates a resource parameter may fail. Previously, every resource attribute was copied to not make application break even if they did mutate. Look for use of gsub! in your modules and replace logic with non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141

Puppet.newtype method

The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. ( PUP-7078)

Certificate handling commands deprecated but not removed

The following subcommands were deprecated in a previous version and slated for removal in this version. While these subcommands are still deprecated, they have not yet been removed.
  • ca_name
  • cadir
  • cacert
  • cakey
  • capub
  • cacrl
  • caprivatedir
  • csrdir
  • signeddir
  • capass
  • serial
  • autosign
  • allow_duplicate_certs
  • ca_ttl
  • cert_inventory
Back to top
The page rank or the 1 our of 5 rating a user has given the page.
The email address of the user submitting feedback.
The URL of the page being ranked/rated.