Puppet 3.6 Release Notes

Included in Puppet Enterprise 3.3. A newer version is available; see the version menu above for details.

This page tells the history of the Puppet 3.6 series. (Elsewhere: release notes for Puppet 3.0 – 3.4 and Puppet 3.5.)

Puppet’s version numbers use the format X.Y.Z, where:

  • X must increase for major backwards-incompatible changes
  • Y may increase for backwards-compatible new functionality
  • Z may increase for bug fixes

How to Upgrade

If you’re upgrading from a 3.x version of Puppet, you can usually just go for it. Upgrade your puppet master servers before upgrading the agents they serve. (But do look at the table of contents above and see if there are any “Upgrade Warning” notes for the new version.)

If you’re upgrading from Puppet 2.x, please learn about major upgrades of Puppet first! We have important advice about upgrade plans and package management practices. The short version is: test first, roll out in stages, give yourself plenty of time to work with. Also, read the release notes for Puppet 3 for a list of all the breaking changes made between the 2.x and 3.x series.

Puppet 3.6.2

Released June 10, 2014.

Puppet 3.6.2 is a security and bug fix release in the Puppet 3.6 series. It addresses two security vulnerabilities and includes fixes for a number of fairly recent bugs. It also introduces a new disable_warnings setting to squelch deprecation messages.

Security Fixes

CVE-2014-3248 (An attacker could convince an administrator to unknowingly execute malicious code on platforms with Ruby 1.9.1 and earlier)

On platforms running Ruby 1.9.1 and earlier, previous code would load Ruby source files from the current working directory. This could lead to the execution of arbitrary code during puppet runs.

CVE-2014-3250 (Information Leakage Vulnerability)

Apache 2.4+ uses the SSLCARevocationCheck setting to determine how to check the certificate revocation list (CRL) when establishing a connection. Unfortunately, the default setting is none, so a puppet master running Apache 2.4+ and Passenger will ignore the CRL by default. This release updates the Apache vhost settings to enable CRL checking.

Feature: Disabling Deprecation Warnings

Puppet 3.6.0 deprecated config-file environments, leading to warnings during every puppet run for people who haven’t yet switched to the new and improved directory environments. The high volume of duplicate deprecation warnings was deemed annoying enough that we’ve added a new feature to allow people to disable them.

You can now use the new (optional) disable_warnings setting in puppet.conf or on the command line to suppress certain types of warnings. For now, disable_warnings can only be set to deprecations, but other warning types may be added in future versions. All warnings are still enabled by default.

Related issue:

Fix for Directory Environments Under Webrick

Puppet 3.6.1 introduced a bug that prevented directory environments from functioning correctly under Webrick, causing this error: “Attempted to pop, but already at root of the context stack.” This release fixes the bug.

Related issue:

Fixes to purge_ssh_keys

Two bugs were discovered with the new (as of 3.6.0) purge_ssh_keys attribute for the user type. These bugs could prevent SSH keys from being purged under certain circumstances, and have been fixed.

Related issues:

Default environment_timeout increased

The previous default value for environment_timeout was 5s, which turns out to be way too short for a typical production environment. This release changes the default environment_timeout to 3m.

Related issue:

General Bug Fixes

Puppet 3.6.1

Released May 22, 2014.

Puppet 3.6.1 is a bug fix release in the Puppet 3.6 series. It also makes the transaction_uuid more reliably available to extensions.

Changes to RPM Behavior With Virtual Packages

In Puppet 3.5, the RPM package provider gained support for virtual packages. (That is, Puppet would handle package names the same way Yum does.) In this release, we added a new allow_virtual attribute for package, which defaults to false. You’ll have to set it to true to manage virtual packages.

We did this because there are a few cases where a virtual package name can conflict with a non-virtual package name, and Puppet will manage the wrong thing. (Again, just like Yum would.) For example, if you set ensure => absent on the inetd package, Puppet might uninstall the xinetd package, since it provides the inetd virtual package.

We had to treat that change as a regression, so we’re currently defaulting allow_virtual => false to preserve compatibility in the Puppet 3 series. The default will change to true for Puppet 4. If you manage any packages with virtual/non-virtual name conflicts, you should set allow_virtual => false on a per-resource basis.

If you don’t have any resources with ambiguous virtual/non-virtual package names, you can enable the Puppet 4 behavior today by setting a resource default in the main manifest:

    Package {
      allow_virtual => true,

Improvements to transaction_uuid in Reports and Node Termini

Each catalog request from an agent node has a unique identifier, which persists through the entire run and ends up in the report. However, it was being omitted from reports when the catalog run failed, and node termini had no access to it. This release adds it to failed reports and node object requests.

(Note that transaction_uuid isn’t available in the standard ENC interface, but it is available to custom node termini.)

Windows Start Menu Fixes

If your Windows machine only had .NET 4.0 or higher, the “Run Facter” and “Run Puppet Agent” start menu items wouldn’t work, stating that they needed an older version of .NET installed. This is now fixed.

Improved Passenger Packages on Debian/Ubuntu

The Apache vhost config we ship in the Debian/Ubuntu puppetmaster-passenger package had some non-optimal TLS settings. This has been improved.


A regression in Puppet 3.5 broke DELETE requests to Puppet’s HTTP API. Also, a change in 3.6.0 made puppet agent log spurious warnings when using multiple values for the source attribute. These bugs are both fixed.

Directory Environment Fixes

If puppet master was running under Rack (e.g. with Passenger) and the environmentpath was configured in the [master] section of puppet.conf (instead of in [main]), Puppet would use the wrong set of environments. This has been fixed.

Future Parser Improvements

This release fixes two compatibility bugs where the future parser conflicted with the 3.x parser. It also fixes a bug with the new EPP templating language.

Puppet 3.6.0

Released May 15, 2014. (RC1: May 6.)

Puppet 3.6.0 is a backward-compatible features and fixes release in the Puppet 3 series. The biggest things in this release are:

  • Improvements to directory environments, and the deprecation of config file environments
  • Support for purging unmanaged ssh_authorized_key resources
  • Support for installing gems for a custom provider as part of a Puppet run
  • A configurable global logging level
  • A configurable hashing algorithm (for FIPS compliance and other purposes)
  • Improvements to the experimental future parser

Improvements for Directory Environments

Directory environments were introduced in Puppet 3.5 as a partially finished (but good enough for most people) feature. With Puppet 3.6, we consider them completed. We’re pretty sure they can now handle every use case for environments we’ve ever heard of.

The final piece is the environment.conf file. This optional file allows any environment to override the manifest, modulepath, and config_version settings, which is necessary for some people and wasn’t possible in Puppet 3.5. You can now exclude global module directories for some environments, or point all environments at a global main manifest file. For details, see the page on directory environments and the page on environment.conf.

It’s also now possible to tune the cache timeout for environments, to improve performance on your puppet master. See the note on timeout tuning in the directory environments page.

Deprecation: Config-File Environments and the Global manifest/modulepath/config_version Settings

Now that directory environments are completed, config-file environments are deprecated. Defining environment blocks in puppet.conf will cause a deprecation warning, as will any use of the modulepath, manifest, and config_version settings in puppet.conf.

This also means that using no environments is deprecated. In a future version of Puppet (probably Puppet 4), directory environments will always be enabled, and the default production environment will take the place of the global manifest/modulepath/config_version settings.

Related issues:

Feature: Purging Unmanaged SSH Authorized Keys

Purging unmanaged ssh_authorized_key resources has been on the most-wanted features list for a very long time, and we haven’t been able to make the resources meta-type accommodate it.

Fortunately, the user type accommodates it very nicely. You can now purge unmanaged SSH keys for a user by setting the purge_ssh_keys attribute:

user { 'nick':
  ensure         => present,
  purge_ssh_keys => true,

This will purge any keys in ~nick/.ssh/authorized_keys that aren’t being managed as Puppet resources.

Related issues:

Feature: Installing Gems for a Custom Provider During Puppet Runs

Previously, custom providers that required one or more gems would fail if at least one gem was missing before the current puppet run, even if they had been installed by the time the provider was actually called. This release fixes the behavior so that custom providers can rely on gems installed during the same puppet run.

Related issue:

Feature: Global log_level Setting

You can now set the global log level using the log_level setting in puppet.conf. It defaults to notice, and can be set to debug, info, notice, warning, err, alert, emerg, or crit.

Related issue:

Feature: digest_algorithm Setting

You can now change the hashing algorithm that puppet uses for file digests to sha256 using the new digest_algorithm setting in puppet.conf. This is especially important for FIPS-compliant hosts, which would previously crash when puppet tried to use MD5 for hashing. Changing this setting won’t affect the md5 or fqdn_rand functions.

This setting must be set to the same value on all agents and all masters simultaneously; if they mismatch, you’ll run into two problems:

Related issue:

Improvements to the Future Parser

It’s still experimental, but the future parser has gotten a lot of attention in this release. For example, functions can now accept lambdas as arguments using the new Callable type. There are also a few changes laying the groundwork for the upcoming catalog builder.

OS Support Changes

This release improves compatibility with Solaris 10 and adds support for Ubuntu 14.04 (Trusty Tahr).

Support for Ubuntu 13.04 (Raring Ringtail) has been discontinued; it was EOL’d in January 2014.

Related issues:

Module Tool Changes

The puppet module tool has been updated to deprecate the Modulefile in favor of metadata.json. To help ease the transition, the module tool will automatically generate metadata.json based on a Modulefile if it finds one. If neither Modulefile nor metadata.json is available, it will kick off an interview and generate metadata.json based on your responses.

The new module template has also been updated to include a basic README and spec tests. For more information, see Publishing Modules on the Puppet Forge.

Related issues:

Issues fixed during RC:

Type and Provider Fixes


Several providers were updated to support the install_options attribute, and the yum provider now has special behavior to make --enablerepo and --disablerepo work well when you set them as install_options.




OpenBSD services can now be enabled and disabled, and we fixed some bugs on other platforms.


We fixed a regression from Puppet 3.0 that broke file resources whose source URL specified a server other than the default. (That is, puppet://myserver/modules/... instead of puppet:///modules/....)


We fixed a few lingering regressions from the big yumrepo cleanup of Puppet 3.5, and added support for the skip_if_unavailable parameter.


We added better control over the way Augeas resources display diffs, for better security and less noise.

General Bug Fixes

All Resolved Issues for 3.6.0

Our ticket tracker has the list of all issues resolved in Puppet 3.6.0.

↑ Back to top