Table of contents
1. Introduction
2. Puppet Server release notes
3. Puppet Server Known Issues
3.1. Access CA endpoint to update CRLs
3.2. Cipher updates in Puppet Server 6.5
3.3. Potential JAVA ARGS settings
3.4. tmp directory mounted noexec
4. Frequently Asked Questions
4.1. What is Puppet?
4.2. Detail the architecture of the Puppet.
4.3. What are puppet manifests?
5. Conclusion
Last Updated: Mar 27, 2024

Overview of Puppet Server

Author Shivani Singh

Introduction

A primary server node controls the configuration data for a fleet of agent nodes when Puppet is configured in an agent-server architecture. That primary server node is Puppet Server. Puppet Server is a Ruby and Clojure application that runs on the Java Virtual Machine (JVM). It uses several JRuby interpreters to serve files and compile Puppet catalogs, and it also provides a certificate authority, implemented in Clojure. Puppet Server and Puppet share the same major release (Puppet Server 6.x and Puppet 6.x). However, they are versioned separately, and their minor and patch versions can differ (Puppet Server 6.5 versus Puppet 6.8). In this blog, we will discuss the Puppet Server release notes and Puppet Server's known issues. Let us dig deeper.

Puppet Server release notes

In this section of the blog, we will look in detail at the different versions of Puppet Server, along with their enhancements and resolved issues.

Puppet Server 7.9.1

Released in September 2022, it came packaged with Puppet 7.19.0. 

Its main improvement is the Dropsonde 0.0.8 update. The bundled Dropsonde gem has been updated to version 0.0.8, which gives the telemetry client's report generator the ability to display unused modules.

Puppet Server 7.9.0

Released in August 2022, it came packaged with Puppet 7.18.0. 

Its main resolved issue is the move to JRuby 9.3.4.0, which Puppet Server now uses.

Puppet Server 7.8.0

Released in May 2022, it came packaged with Puppet 7.17.0.

Its main improvements include making the Puppet Server HTTP client respect the include system store option. The Ruby HTTP client for Puppet Server now supports the system trust store that comes with Puppet Agent. It is also possible to load certificates from a file or Java cert store at any location by using the SSL trust store parameter.

Its main resolved issues include creating the puppet user with UID/GID 52 from the RPM. On RPM-based systems, the puppet user and group are now given a static UID/GID of 52 when they are created.

Puppet Server 7.7.0

Released in April 2022, it came packaged with Puppet 7.16.0.

Its improvements include a change to Dropsonde telemetry, which is now opt-out. Metrics are now collected using Dropsonde by default. To refuse metrics collection, set dropsonde: enabled: false in puppetserver.conf. By default, Dropsonde gathers metrics when the service starts and once a week after that.

Puppet Server 7.6.1

Released in March 2022, it came packaged with Puppet 7.15.0.

Its enhancements include the following. Bouncy Castle bumped to 1.70: Bouncy Castle 1.70, which has enhanced TLS 1.3 support, is now included in the Puppet Server distribution. Support for Rocky and Alma: Puppet Server is now tested on Rocky Linux and AlmaLinux. When using these operating systems, use the EL8 packages. Logging of the JRuby pool lock lifecycle: the request, acquire, and release stages of the JRuby lock lifecycle are now logged at the INFO level, rather than DEBUG.

Puppet Server 7.6.0

Released in January 2022, it came packaged with Puppet 7.14.0.

Its improvements include Debian support. Puppet Server is now packaged for Debian 11, and Java 11 must be installed for it. Its resolved issues include the CA authority key identifier being filled in with the issuer rather than the keyid. To match the CA chain created by puppetserver ca setup, the self-signed CA signing cert created when puppetserver starts now uses a keyid as its authority key identifier.

Another resolved issue is that the CA added a Subject Alternative Name extension to CA certs. Because subject alternative names given to the CA signing cert are meaningless, they are no longer added.

Puppet Server 7.5.0

Released in December 2021, it came packaged with Puppet  7.13.1.

Its improvements include collecting metrics using Dropsonde. Users can now use Dropsonde to enable module metrics collection. To activate it, set dropsonde: enabled: true in puppetserver.conf. When enabled, Dropsonde starts collecting metrics when the service starts and then does so once a week after that. Its resolved issues include CRL uploads: when a CRL is submitted in the body of a request without an authority key identifier, the CRL update endpoint now returns a clear error message.

Puppet Server 7.4.2 and Puppet Server 7.4.1

Puppet Server 7.4.2 was released in November 2021 and came packaged with Puppet 7.12.1.

Puppet Server 7.4.1 was released in October 2021 and came with Puppet 7.12.0.

Facts can now be retrieved from any endpoint, among other improvements. If no facts terminus is specified in the request, the v4 catalog endpoint (used by Impact Analysis) now enables getting facts from any facts terminus. 

Puppet Server 7.0.1

Released in December 2020, it came packaged with Puppet 7.1.0.

Its improvements include a JRuby update: JRuby has been upgraded from version 9.2.13.0 to 9.2.14.0. In addition, the symlink from the previous cadir now has the same permissions as the current cadir. When the symlink between the new and legacy cadirs is created, the puppet user is now given proper ownership of it.

Its resolved issues include the CA command-line tool not respecting part of the Puppet configuration file. The CA command-line tool now correctly respects the server sections in puppet.conf.

Puppet Server 7.0.0

Released in November 2020, it came packaged with Puppet 7.0.0.

Puppet Server 7.0 is a significant update. The default location for the cadir is changed, the defaults for fact caching and cipher suites are altered, and it breaks compatibility with agents older than 4.0 and with the legacy Puppet auth.conf. For more information, see below. When updating, use caution.

Its new characteristics are the following:

  1. Cadir's default value may now be found at /etc/puppetlabs/puppetserver/ca.
  2. The CA directory can now be transferred from the Puppet confdir to the puppetserver confdir using the migrate command in the puppetserver CA CLI. It leaves a symlink pointing to the new CA location at /etc/puppetlabs/puppetserver/ca on the old CA location. Tools that continue to expect the cadir to be in the old location can still function properly thanks to the symlink. The cadir setting will be completely eliminated in a later version.
  3. JSON has replaced YAML as the facts cache's default value.
  4. Legacy Puppet auth.conf support has been discontinued.
  5. Requests for legacy (3.x) Puppet endpoints are no longer serviced by Puppet Server.

Puppet Server Known Issues

In this section of the blog, we will discuss Puppet Server's most known issues like Access CA endpoint to update CRLs, Server-side Ruby gems that might need to be updated for upgrading from JRuby 1.7, tmp directory mounted noexec, etc.

Let us see all these issues in detail.

Access CA endpoint to update CRLs

Puppet Server 7.2.0 and 6.16.0 include a new API endpoint: PUT /puppet-ca/v1/certificate_revocation_list. To access this endpoint, you must change the endpoint's rule in the configuration file located at /etc/puppetlabs/puppetserver/conf.d/auth.conf to type regex rather than path.

Cipher updates in Puppet Server 6.5

Puppet Server 6.5 includes an upgrade to the most recent Jetty 9.4 series. With this update, ciphers that were previously enabled by default might now display "weak cipher" warnings. Puppet Server now defaults to stronger FIPS-compliant ciphers, but you must first remove the weak ciphers. The ciphers that were previously enabled by default have not been altered, but they are now rated as weak. To remove the weak ciphers, delete the cipher-suite settings section from webserver.conf. Once the cipher-suite section is removed, Puppet Server switches to FIPS-compliant ciphers. The weak ciphers are included in this release solely for backward compatibility.
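
The check described above can be scripted. The following is an added example, not code from the original blog or from the Puppet project: it reads a webserver.conf on stdin, lists any explicitly configured suites, and flags the weak ones. It assumes the setting key is cipher-suites, the weak patterns are an assumption modelled on Jetty 9.4's default cipher exclusions, and the sample configuration is constructed.

```shell
# Added example: audit webserver.conf (read on stdin) for an explicit
# cipher-suites list and flag entries matching weak-cipher patterns.

# Print one configured suite per line; nothing if the key is absent.
configured_cipher_suites() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /cipher-suites[ \t]*[:=]/ { inlist = 1; sub(/.*cipher-suites[ \t]*[:=]/, "") }
        inlist {
            line = $0
            # a closing bracket ends the array, possibly on the same line
            if (match(line, /\]/)) { line = substr(line, 1, RSTART - 1); inlist = 0 }
            gsub(/\[|"|,/, " ", line)
            n = split(line, a)
            for (i = 1; i <= n; i++) print a[i]
        }
    '
}

# Keep only suites matching the weak patterns (assumed, adjust to policy).
weak_cipher_suites() {
    grep -E '^TLS_RSA_|^SSL_|_NULL_|_anon_|_(MD5|SHA|SHA1)$' || true
}

# Print "default" (no explicit list), "weak" or "explicit-ok".
# On a server: cipher_verdict < /etc/puppetlabs/puppetserver/conf.d/webserver.conf
cipher_verdict() {
    suites=$(configured_cipher_suites)
    if [ -z "$suites" ]; then echo "default"; return 0; fi
    weak=$(printf '%s\n' "$suites" | weak_cipher_suites)
    if [ -n "$weak" ]; then echo "weak"; else echo "explicit-ok"; fi
}

# Constructed sample configuration (not from a real server).
sample_webserver_conf() {
    cat <<'EOF'
webserver: {
    ssl-port: 8140
    cipher-suites: [
        TLS_RSA_WITH_AES_256_CBC_SHA256,
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    ]
}
EOF
}

# Lists the two weak suites in the constructed sample.
sample_webserver_conf | configured_cipher_suites | weak_cipher_suites
```

A verdict of "default" means no explicit list is present, which is the state the section above says makes Puppet Server fall back to its FIPS-compliant defaults.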

Server-side Ruby gems might need to be updated for upgrading from JRuby 1.7

When upgrading from Puppet Server 5 running JRuby 1.7 (9k was optional in earlier releases), server-side gems that were manually installed using the puppetserver gem command or via the puppetserver gem package provider may need to be updated to work with the more recent JRuby. In the majority of situations no changes are required, because gems do not contain APIs that break when moving between the Ruby versions implemented by JRuby 1.7 and JRuby 9k. However, there are two notable exceptions: yard-doc must be version 0.9 or later, and the autosign gem must be version 0.1.3 or later.

Potential JAVA ARGS settings

Increase ReservedCodeCache to 512m under normal load if you're operating outside of a lab context. Run with a ReservedCodeCache of 1G if you're working with 6–12 JRuby instances (or a max-requests-per-instance value much lower than 100k). Twelve or more JRuby instances on a single server may require two gigabytes or more.

If users are controlling MaxMetaspace, similar warnings about scaling ReservedCodeCache may also be relevant.

tmp directory mounted noexec 

In rare circumstances (particularly for RHEL 7 installs), the Puppet Server may not function properly if the /tmp directory is mounted as noexec. JRuby has some embedded files that must be copied elsewhere on the filesystem before they can be run, which is what causes the problem. You can either mount the /tmp directory without noexec to get around this problem, or you can pick another directory to serve as the temporary directory for the Puppet Server process. In any case, you must change the directory's permissions to 1777. This enables the JRuby process running on the Puppet Server to write a file to /tmp and then execute it.

To use a different temporary directory, you can set the following JVM property:

-Djava.io.tmpdir=/some/other/temporary/directory
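
The two conditions above (no noexec on the filesystem, mode 1777 on the directory) can be checked before picking a directory. The following is an added example, not code from the original blog or from the Puppet project: it resolves which mount holds a directory and reports whether it can serve as the temporary directory. The mounts table is a constructed sample and /var/tmp/puppetserver is a hypothetical replacement directory.

```shell
# Added example: is DIR usable as java.io.tmpdir for Puppet Server?
# Functions read a mounts table (format of /proc/mounts) on stdin.

# Print the mount options of the filesystem that holds DIR
# (the longest mount point that is a path prefix of DIR wins).
mount_opts_for() {
    awk -v dir="$1" '
        {
            mp = $2
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }
    '
}

# Exit 0 if DIR sits on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print "noexec", "bad-mode" or "ok" for DIR with octal MODE.
# On a live host (GNU stat): tmpdir_verdict DIR "$(stat -c %a DIR)" < /proc/mounts
tmpdir_verdict() {
    if is_noexec "$1"; then echo "noexec"
    elif [ "$2" != "1777" ]; then echo "bad-mode"
    else echo "ok"
    fi
}

# Constructed sample mounts table (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/rhel-root / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-var /var xfs rw,relatime 0 0
EOF
}

# /var/tmp/puppetserver is a hypothetical replacement directory.
for d in /tmp /var/tmp/puppetserver; do
    printf '%s: %s\n' "$d" "$(sample_mounts | tmpdir_verdict "$d" 1777)"
done
```

A directory that reports "ok" is a candidate for the -Djava.io.tmpdir property shown above.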

Frequently Asked Questions

What is Puppet?

For the deployment, configuration, and management of servers, Puppet is an open-source configuration management application. Puppet Enterprise is also a DevOps software platform designed specifically for automating infrastructure management activities. 

Detail the architecture of the Puppet.

A Master-Slave architecture is used by Puppet. To create a secure connection, the puppet slave must make a request to the puppet master. Along with a request for a slave certificate, the puppet master transmits the master certificate. Then, the puppet slave sends the puppet master the slave certificate along with a data request. Following receipt of the request, the puppet master pushes the configuration to the puppet slave.

What are puppet manifests?

The Puppet Master holds the configuration information for all nodes (Puppet Agents), written in the native Puppet language. These documents are called Puppet Manifests.

Conclusion

To conclude this blog, firstly we discussed Puppet Server release notes. In the release notes, we saw Puppet Server 7.9.1, Puppet Server 7.9.0, Puppet Server 7.8.0, Puppet Server 7.7.0, Puppet Server 7.6.1, etc. Then we discussed Puppet Server known issues like Access CA endpoint to update CRLs, Server-side Ruby gems might need to be updated for upgrading from JRuby 1.7, tmp directory mounted noexec, etc.
