Open source Puppet documentation

These are the new features, resolved issues, and deprecations in this version of Puppet.

Puppet 6.5.0

Released 19 June 2019

New features

Use the staging_location parameter to customize the temporary location for new files

You can now use the staging_location parameter to render a file in a different location before you validate it with the validate_cms parameter. PUP-9389

Use puppet catalog compile to compile catalogs

The puppet catalog compile action works in the same way puppet master --compile worked before it was removed in Puppet 6.0.0. You must run the command on the puppetserver with access to your environments, modules, manifests, and Hiera data. PUP-9055

Create a Regexp with all special characters escaped

Create a Regexp that escapes all regexp special characters by adding a boolean true as a second argument in a call to new. For example Regexp(".[/", true) or".[/", true). The default value is false. PUP-9554

Package providers now support an alternative gem command

Previously, package providers relied on $PATH for the default gem. This release adds a targetable feature to the package type, allowing package providers to implement a command attribute. The gem and pip providers now implement that attribute. This feature allows Puppet to manage packages in software collections, such as Red Hat Software Collections. PUP-6488

For example:
package { 'colorize':
  name     => 'colorize',
  provider => gem,

package { 'colorize-opt':
  name     => 'colorize',
  provider => gem,
  command  => '/opt/ruby/bin/gem',

Manage multiple Python installations with pip and pip3 package providers

You can now add a custom path to your pip and pip3 providers using a package command. If you have multiple Python installations, this allows you to point to a specific installation. PUP-1082

Specify the maximum amount of time an agent should wait for its certificate

By default, Puppet agents attempt to download their signed certificate indefinitely. This release adds a maxwaitforcert setting, which specifies the maximum amount of time an agent should wait for its certificate. Acceptable values are unlimited (the current behavior), or a duration such as 10m, or 1h. If you specify a duration, the agent waits the full amount of time and, if the certificate is not downloaded, exits with an error. PUP-3237

Elliptic-curve cryptography (ECC) key support

Configure your agent to use elliptic curve private keys using the key_type=ec setting. By default, Puppet uses the prime256v1 elliptic curve, but you can specify an alternate curve using the named_curve setting if the curve is supported by Ruby and OpenSSL. See OpenSSL::PKey::EC.builtin_curves for a list of supported curves. PUP-2606
Note: Puppet ignores the key_type and named_curve settings if the agent already has a private key. These settings only control the type of private key that the agent generates. The settings do not affect which curve is selected in the TLS protocol.

Specify a refresh interval for certificate revocation lists (CRLs)

Use the crl_refresh_interval setting to specify a refresh interval for CRLs. If specified as a duration, such as 8h, or 7d, the agent refreshes its CRL on its first run after the specified duration has elapsed. If the agent downloads a new CRL, it uses the new CRL for all subsequent network requests. If the refresh request fails or if the CRL is unchanged on the certificate authority (CA), the agent run continues using the local CRL. PUP-2310
Note: Always set the duration to be greater than the runinterval. Setting runinterval to an equal or lesser value than the duration causes Puppet to refresh the CRL on every agent run.

Improved server_list output and error messaging

Previously, using config print to view your server_list would output a nested array that was difficult to read. Using config print now outputs the text in the same human-readable format as its entry in puppet.conf. Puppet uses the same human-readable output for errors you receive from being unable to connect to a server in server_list. PUP-9495

Improved JSON output support for validation errors

The puppet parser validate subcommand now supports a --render-as=json option to output validate errors in a machine readable JSON format. Additionally, if you use the command with multiple files, Puppet continues to validate additional files when it finds a parse error, instead of halting immediately on the first error encountered. PUP-8984
Note: puppet parser validate returns a maximum of one parse error per file.

Fedora 30 support

This release adds puppet-agent support for Fedora 30. PA-2675

Resolved issues

puppet device failed to manage multiple devices

The puppet device command would not manage multiple network devices in a single run. This was a regression introduced in Puppet 6.0.5. PUP-9587

Security update to curl

This release includes an update to curl to address security issues. See and for information about the CVEs. PA-2689

Amazon platforms now use yum as the default provider

Prior to this release, Amazon platforms did not have a default provider set. This resulted in Puppet trying to use the gem provider to install Amazon packages. PUP-9724

On Windows, Puppet no longer applies corrective changes to the administrator password on every Puppet run

Puppet now applies corrective changes to the administrator password only on the first run. PUP-9688

Improved syntax error feedback for legacy Ruby functions

If you loaded a legacy Ruby function with syntax errors, you'd get an error saying that your function "does not seem to be a Puppet 3x API function." Puppet now alerts you to syntax errors. PUP-9643

Password protected private key support for agent-only nodes

If a private key password file (Puppet[:passfile]) exists and the agent doesn't yet have a private key, the agent generates a key and uses the contents of the passfile to encrypt the key on disk using AES-128-CBC. If the agent already has an unencrypted private key, no change occurs. PUP-9466

Note: Puppet Server does not support password protected private keys. You can enable password protected private keys on agent-only nodes.

Temporary files created from validate_cmd use the same permissions as the file resource

Prior to this release, the permissions of temporary files created by validate_cmd were different to the permissions defined on the file resource. PUP-8983

Uninstall an rpm package without specifying a version or build number

You can now remove a package with rpm package provider using ensure => absent without specifying a version or build number. PUP-8664

Tags specified via --skip_tags are no longer expanded by splitting on the namespace

Using --skip_tags split tags on the namespace separator (::) and caused Puppet to expand and skip all resources in the specified namespace. For example, using fruit:apples expanded and skipped ['fruit::apples', 'fruit', 'apples'] . PUP-8215

Improved error message when listing provider resources

You now get a helpful error message if you try to list resources for a provider type that does not have the instances class method defined. PUP-4930

Performing two or more rapid-fire Puppet runs no longer results in a race condition

When an additional Puppet run was triggered immediately after Puppet had requested a certificate from the master, the master receive the original Certificate Signing Request (CSR) and continuously return the original certificate, which wouldn't match the new keys generated by the second Puppet run. PUP-2958

Removing a user resource on Solaris 11 installations with home directory configurations

Previously, trying to remove a user resource on a Solaris 11 installation using a home directory configuration resulted in an error. PUP-9706

Hiera 3 lookups with convert_to keys

If you used a Hiera 3 lookup or Hiera handled an alias and the key was configured with convert_to, you'd get an error: "undefined method 'call_function' for Hiera::Scope". PUP-9693

Perform string to integer conversions on decimal strings with leading zeros

Converting a decimal string with leading zeros – for example, Integer("08", 10)– to an integer would result in an error. PUP-9689

puppet device always initializes SSL directories with the correct permissions

When initializing new device certificates, puppet device would sometimes set permissions in a way that prevented the pe-puppet user from reading some directories (PUP-9642).

The Windows package resource removes trailing whitespace

This release updates the Windows registry read method to replace null byte sequences with a space. This issue caused PuppetDB to discard updated facts from affected nodes. PUP-9639

Puppet no longer upgrades Debian upgrade packages before setting them on hold

Prior to this release, if you set a Debian package on hold with ensure => held and the package had a pending upgrade, Puppet installed the upgrade before locking the package. PUP-9564

Disabled Ruby 2.5.1 automatic HTTP retry mechanism

This Ruby mechanism could cause the same report to be submitted multiple times, increasing the load on the Puppet Server report processor. PUP-3905

System updates to Ruby in the Puppet agent conflicted with other software

This release fixes an issue where the gem update --system command used in the Puppet agent caused conflicts with software that depends on gems in Puppet's vendored Ruby directory, such as r10k. Now gem paths always contain the path for this directory, even after updating. PA-2628

Dependency issues when installing tools that require gems

This release fixes an issue where incorrectly named spec files caused gem dependency lookup failures. If you tried to install tools that rely on gems such as Facter, Puppet and Hiera gem dependencies could not be referenced. PA-2670


Fine grained control of file and environment timeouts deprecated

Fine grained control of file and environment timeouts is deprecated. Instead, use 0 or unlimited to control default caching behavior and the environment-cache endpoint in Puppet Server's administrativeAPI to expire the cache as needed. PUP-9497

SublocatedExpression class

The AST SublocatedExpression class is no longer generated by the parser. The SublocatedExpressionclass itself will be removed from Puppet in a future release. PUP-9303

Certificate authority subcommands and v1 CA HTTP API

Certificate authority subcommands have been removed from Puppet, including: cert, ca, certificate, certificate request, and certificate_revocation_list. Use puppetserver ca and puppet ssl instead. PUP-8998

As a part of the larger CA rework, the v1 CA HTTP API is removed (everything under the ca url /v1). PUP-3650

For details on changes and the new commands, see our documentation about certificates and SSL.

Ruby certificate authority 

Puppet no longer has a Ruby CA. All CA actions now rely entirely on the Clojure implementation in Puppet Server. It can be interacted with by means of the CA API and the puppetserver ca command, which leverages the API using subcommands like those provided by puppet certPUP-8912

Trusted server facts

Trusted server facts are always enabled and have been deprecated since 5.0. This removes the setting and conditional logic. PUP-8530

write_only_yaml node terminus

The write_only_yaml node terminus was used to “determine the list of nodes that the master knows about” and predated widespread PuppetDB adoption. The write_only_yaml has been deprecated since 4.10.5, and this commit removes it. Note this results in a Puppet Server speedup as it no longer needs to serialize node data as YAML to disk during a compile. PUP-8528

LDAP node terminus

The LDAP node terminus has been removed. PUP-7601

computermacauthorization, and mcx types and providers

The computermacauthorization, and mcx types and providers have been moved to the macdslocal_core module. It is not repackaged into puppet-agent in the 6.0 series.

Nagios types

The Nagios types no longer ship with Puppet, and are now available as the puppetlabs/nagios_core module from the Forge.

Cisco network devices

The Cisco network device types no longer ship with Puppet. These types and providers have been deprecated in favor of the puppetlabs/cisco_ios module, which is available on the Forge. PUP-8575

:undef in types and providers

In previous versions, values from manifests assigned to resource attributes that contained undef values nested in arrays and hashes would use the Ruby symbol :undef to represent those values. When using puppet apply types and providers would see those as :undef or as the string “undef” depending on the implementation of the type. When using a master, the same values were correctly handled. In this version, Ruby nil is used consistently for this. (Top level undef values are still encoded as empty string for backwards compatibility). PUP-9112

puppet module build command

To reduce the amount of developer tooling installed on all agents, this version of puppet removes the puppet module build command. To continue building module packages for the Forge and other repositories, install  Puppet Development Kit (PDK). PUP-8763

pcore_type and pcore_value

The earlier experimental -rich_data format used the tags pcore_type and pcore_value, these are now shortened to __ptype and __pvalue respectively. If you are using this experimental feature and have stored serializations you need to change them or write them again with the updated version. PUP-8597


Webrick support (previously deprecated) has been removed. To run Puppet as a server you must use Puppet Server. PUP-8591)

puppet master command

The puppet master command and its subcommands have been removed. Instead, use a  puppet-config command.  PE-24280

–strict flag in puppet module 

The –strict flag in puppet module has been removed. The default behavior remains intact, but the tool no longer accepts non-strict versioning (such as release candidates and beta versions). PUP-8558

Select settings

The following settings have been removed:
  • The previously deprecated configtimeout setting has been removed in favor of the http_connect_timeout and http_read_timeout setting. PUP-8534

  • The unused ignorecache setting has been removed. PUP-8533

  • The previously deprecated pluginsync setting has now been removed. The agent’s pluginsync behavior is controlled based on whether it is using a cached catalog or not. PUP-8532

  • The deprecated app_management setting has now been removed. Previously, this setting was ignored, and always treated as though it was set to be on. PUP-8531

  • The deprecated ordering setting has been removed, and catalogs now always have the ordering previously provided by the manifest value of this setting. PUP-6165

  • Settings related to the rack webserver from Puppet, including binaddress and masterhttplog. PUP-3658

String duplication in 3x runtime converter

Types and provider implementations must not mutate the parameter values of a resource. With this release, it is more likely that the parameters of a resource have frozen (that is, immutable) string values and any type or provider that directly mutates a resource parameter may fail. Previously, every resource attribute was copied to not make application break even if they did mutate. Look for use of gsub! in your modules and replace logic with non-mutating version, or operate on a copy of the value. All authors of Forge modules having this problem have been notified. PUP-7141

Puppet.newtype method

The deprecated Puppet.newtype method (deprecated since 2011) has now been removed. ( PUP-7078)

Certificate handling commands deprecated but not removed

The following subcommands were deprecated in a previous version and slated for removal in this version. While these subcommands are still deprecated, they have not yet been removed.
  • ca_name
  • cadir
  • cacert
  • cakey
  • capub
  • cacrl
  • caprivatedir
  • csrdir
  • signeddir
  • capass
  • serial
  • autosign
  • allow_duplicate_certs
  • ca_ttl
  • cert_inventory
Back to top
The page rank or the 1 our of 5 rating a user has given the page.
The email address of the user submitting feedback.
The URL of the page being ranked/rated.