Puppet 6 was released on the 18th of September; Eric Sorenson announced the new release in this blog post.
This is a new major release because it contains some enhancements which are not backwards compatible, but in most cases they won’t require any major review of your Puppet code base: if it works with Puppet 4, it’s likely to work on Puppet 6 as well.
Let’s look at the most interesting new features.
- Several types moved to dedicated modules
- New CA management on the puppetserver
- Puppet ssl command
- The Resource API
- The “Deferred” data type
- Functions imported from stdlib
- Command puppet module build removed
- Conclusions
Several types moved to dedicated modules
This is a long-awaited cleanup: all the Nagios types and some other OS-specific ones are no longer part of the core product; they have been moved to modules.
Most of them are still shipped in the puppet-agent package, others are in maintained modules that are not included in puppet-agent, and some have been moved to modules and deprecated.
More precisely, the following types are included in supported modules on the Forge and repackaged in puppet-agent, so nothing changes for end users: augeas, cron, host, mount, scheduled_task, selboolean, selmodule, ssh_authorized_key, sshkey, yumrepo, zfs, zone, zpool.
These other types have been moved to modules which are still supported but are not included in the puppet-agent package, so if you use them you should add the relevant modules from the Forge: k5login, mailalias, maillist.
These types have been deprecated; they have been moved to modules which are not going to be actively maintained and are not shipped with the puppet-agent package: computer, interface, macauthorization, mcx, router, vlan, plus all the nagios_* types (all moved to the puppetlabs-nagios_core module).
In general, all the moved types are now placed in a puppetlabs module with the _core suffix. Look here for a rough list.
The core modules shipped with puppet-agent are placed under /opt/puppetlabs/puppet/modules on *nix and $codedir/modules on Windows; these paths are added to the default basemodulepath setting.
New CA management on the puppetserver
Puppet CA support has been rewritten in Clojure and included in the puppetserver package; the old Ruby CA code has been removed. The new puppetserver ca command has been introduced to replace the previous puppet cert and puppet ca commands.
The puppetserver ca actions to manage certs are similar to the old puppet cert ones. Available actions are:
- clean: clean files from the CA for certificates
- generate: create a new certificate signed by the CA
- setup: generate a root and intermediate signing CA for Puppet Server
- import: import the CA’s key, certs, and CRLs
- list: list all certificate requests
- revoke: revoke a given certificate
- sign: sign a given certificate
Puppet ssl command
The puppet ssl command has been introduced. It replaces puppet certificate_request (use puppet ssl submit_request) and adds subcommands like puppet ssl verify (verifies that the local Puppet cert and key are valid) and puppet ssl download_cert (downloads a certificate for the local node).
The Resource API
A Resource API has been added, providing a new, recommended method to create custom types and providers. The Resource API is built on top of Puppet core and is easier, faster, and safer than the old types and providers method.
Writing new Puppet providers based on the Resource API is even simpler with the pdk new provider command of the Puppet Development Kit.
Check the reference for more details.
The “Deferred” data type
This is a quite interesting and long-awaited feature. Until now, the sanest way to do something on the client based on a condition of the client itself was to create a custom fact and use it as needed in the Puppet code.
The Deferred data type allows functions to be called directly on the client before the catalog is applied (functions are usually evaluated on the server). This is possible only with Ruby functions, as they are already shipped to the client with pluginsync.
So it’s now possible to write special functions in our modules (under lib/puppet) that we want to run on the client.
One of the expected use cases is to support secret lookups at catalog application time via tools like Consul and Vault.
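A sketch of that secret-lookup use case in the Puppet language, added here as an example and not taken from the original post. profile::secret_lookup is a hypothetical Ruby function (assumed to return the secret as a string), and the file path and key name are constructed.

```puppet
# Added example; profile::secret_lookup is a hypothetical Ruby function assumed
# to be shipped under the module's lib/puppet/functions/ and pluginsynced.

# Server-side call (commented out for contrast): the function runs during
# compilation, so the secret value itself is written into the catalog.
# $db_password = profile::secret_lookup('myapp/db_password')

# Deferred call: the catalog carries only the function name and its arguments;
# the agent runs the function just before it applies the catalog.
$db_password = Deferred('profile::secret_lookup', ['myapp/db_password'])

# Interpolating "${db_password}" would stringify the Deferred object during
# compilation, so the config line is also built on the agent by nesting the
# lookup inside a deferred call to the core sprintf() function.
$db_conf = Deferred('sprintf', ["password=%s\n", $db_password])

file { '/etc/myapp/db.conf':
  ensure    => file,
  owner     => 'root',
  group     => 'root',
  mode      => '0600',
  show_diff => false,   # keep the resolved secret out of diffs in reports and logs
  content   => $db_conf,
}
```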
Functions imported from stdlib
Some functions from the puppetlabs-stdlib module have been moved to core:
- The getvar() function has been moved from stdlib, and a new get() function has been introduced.
- The sort() function has been moved from stdlib to core and now accepts a lambda for custom comparisons.
- The mathematical functions abs(), ceil(), floor(), round(), min(), and max() are compatible with the stdlib functions of the same name, with the added option of using a lambda for a custom comparison.
- upcase(), downcase(), capitalize(), camelcase(), lstrip(), rstrip(), strip(), chop(), chomp(), and size() have been moved to core and updated to the modern function API.
- New compare() function.
Command puppet module build removed
The puppet module build command has been removed. PDK should be used to build and package modules.
Conclusions
This is a list of what are, in our opinion, the most important changes in Puppet 6.
As you have seen, they are mostly related to consolidation, cleanup and enrichment of the language and the platform.
Upgrading from Puppet 5 is expected to be safe and painless in most cases. If you are using any of the types which have been moved to separate modules that are not shipped with puppet-agent, you will have to add them to your module path yourself.
Thanks to David Schmitt from Puppet for the remarks about some incorrect statements in the first revision of this post.
Alessandro Franceschi