diff --git a/install_puppet.sh b/install_puppet.sh
index 0d3d49003c..dbca29a24c 100755
--- a/install_puppet.sh
+++ b/install_puppet.sh
@@ -20,7 +20,19 @@
 # Distro identification functions
 #  note, can't rely on lsb_release for these as we're bare-bones and
 #  it may not be installed yet)
+
 #
+# Test condition to install puppet 3
+if [ "$1" = '--three' ]; then
+    THREE=yes
+    echo "Running in 3 mode"
+fi
+
+#
+# Distro identification functions
+#  note, can't rely on lsb_release for these as we're bare-bones and
+#  it may not be installed yet)
+
 
 function is_fedora {
     [ -f /usr/bin/yum ] && cat /etc/*release | grep -q -e "Fedora"
@@ -48,10 +60,12 @@ function setup_puppet_fedora {
     # lsbdistcodename
     yum install -y redhat-lsb-core git puppet
 
-    gem install hiera hiera-puppet
 
     mkdir -p /etc/puppet/modules/
-    ln -s /usr/local/share/gems/gems/hiera-puppet-* /etc/puppet/modules/
+    if [ "$THREE" != 'yes' ]; then
+        gem install hiera hiera-puppet
+        ln -s /usr/local/share/gems/gems/hiera-puppet-* /etc/puppet/modules/
+    fi
 
     # Puppet expects for an expects the command to be pip-python on
     # Fedora, as per the packaged command name.  However, we're
@@ -85,29 +99,43 @@ baseurl=http://yum.puppetlabs.com/el/6/products/$basearch
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-puppetlabs
 enabled=1
 gpgcheck=1
-exclude=puppet-2.8* puppet-2.9* puppet-3* facter-2*
 EOF
 
+    if [ "$THREE" != 'yes' ]; then
+        echo "exclude=puppet-2.8* puppet-2.9* puppet-3*" >> /etc/yum.repos.d/puppetlabs.repo
+    fi
+
     yum update -y
 }
 
 function setup_puppet_ubuntu {
     lsbdistcodename=`lsb_release -c -s`
     if [ $lsbdistcodename != 'trusty' ] ; then
-        # NB: keep in sync with openstack_project/files/00-puppet.pref
-        cat > /etc/apt/preferences.d/00-puppet.pref <<EOF
-Package: puppet puppet-common puppetmaster puppetmaster-common puppetmaster-passenger
-Pin: version 2.7*
-Pin-Priority: 501
-
-Package: facter
-Pin: version 1.*
-Pin-Priority: 501
-EOF
         rubypkg=rubygems
     else
         rubypkg=ruby
+        THREE=yes
     fi
+
+    # NB: keep in sync with openstack_project/files/00-puppet.pref
+    if [ "$THREE" == 'yes' ]; then
+        PUPPET_VERSION=3.4.*
+        FACTER_VERSION=2.*
+    else
+        PUPPET_VERSION=2.7*
+        FACTER_VERSION=1.*
+    fi
+
+    cat > /etc/apt/preferences.d/00-puppet.pref <<EOF
+Package: puppet puppet-common puppetmaster puppetmaster-common puppetmaster-passenger
+Pin: version $PUPPET_VERSION
+Pin-Priority: 501
+
+Package: facter
+Pin: version $FACTER_VERSION
+Pin-Priority: 501
+EOF
+
     puppet_deb=puppetlabs-release-${lsbdistcodename}.deb
     wget http://apt.puppetlabs.com/$puppet_deb -O $puppet_deb
     dpkg -i $puppet_deb
diff --git a/manifests/site.pp b/manifests/site.pp
index 1a8a79f1b9..e0f0d4fea1 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -158,6 +158,16 @@ node 'ci-puppetmaster.openstack.org' {
   }
 }
 
+node 'puppetmaster.openstack.org' {
+  class { 'openstack_project::puppetmaster':
+    root_rsa_key    => hiera('puppetmaster_root_rsa_key'),
+    salt            => false,
+    update_slave    => false,
+    sysadmins       => hiera('sysadmins'),
+    version         => '3.4.',
+  }
+}
+
 node 'puppetdb.openstack.org' {
   class { 'openstack_project::puppetdb':
     sysadmins => hiera('sysadmins', ['admin']),
diff --git a/modules/openstack_project/manifests/base.pp b/modules/openstack_project/manifests/base.pp
index 8bea6325be..ff1651e276 100644
--- a/modules/openstack_project/manifests/base.pp
+++ b/modules/openstack_project/manifests/base.pp
@@ -1,8 +1,10 @@
 # == Class: openstack_project::base
 #
 class openstack_project::base(
-  $certname = $::fqdn,
-  $install_users = true
+  $certname      = $::fqdn,
+  $install_users = true,
+  $pin_puppet    = '2.7.',
+  $pin_facter    = '1.',
 ) {
   if ($::osfamily == 'Debian') {
     include apt
@@ -124,7 +126,7 @@ class openstack_project::base(
           owner   => 'root',
           group   => 'root',
           mode    => '0444',
-          source  => 'puppet:///modules/openstack_project/00-puppet.pref',
+          content => template('openstack_project/00-puppet.pref.erb'),
           replace => true,
         }
       }
diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp
index 832833efcb..178053c602 100644
--- a/modules/openstack_project/manifests/puppetmaster.pp
+++ b/modules/openstack_project/manifests/puppetmaster.pp
@@ -3,7 +3,10 @@
 class openstack_project::puppetmaster (
   $root_rsa_key,
   $override_list = [],
-  $sysadmins = []
+  $salt = true,
+  $update_slave = true,
+  $sysadmins = [],
+  $version   = '2.7.',
 ) {
   include logrotate
   include openstack_project::params
@@ -11,32 +14,41 @@ class openstack_project::puppetmaster (
   class { 'openstack_project::server':
     iptables_public_tcp_ports => [4505, 4506, 8140],
     sysadmins                 => $sysadmins,
+    pin_puppet                => $version,
   }
 
-  class { 'salt':
-    salt_master => 'ci-puppetmaster.openstack.org',
+  if ($salt) {
+    class { 'salt':
+      salt_master => 'ci-puppetmaster.openstack.org',
+    }
+    class { 'salt::master': }
+  }
+
+  if ($update_slave) {
+    $cron_command = 'bash /opt/config/production/run_all.sh'
+    logrotate::file { 'updatepuppetmaster':
+      ensure  => present,
+      log     => '/var/log/puppet_run_all.log',
+      options => ['compress',
+        'copytruncate',
+        'delaycompress',
+        'missingok',
+        'rotate 7',
+        'daily',
+        'notifempty',
+      ],
+      require => Cron['updatepuppetmaster'],
+    }
+  } else {
+    $cron_command = 'sleep $((RANDOM\%600)) && cd /opt/config/production && git fetch -q && git reset -q --hard @{u} && ./install_modules.sh && touch manifests/site.pp'
   }
-  class { 'salt::master': }
 
   cron { 'updatepuppetmaster':
     user        => 'root',
     minute      => '*/15',
-    command     => 'bash /opt/config/production/run_all.sh',
+    command     => $cron_command,
     environment => 'PATH=/var/lib/gems/1.8/bin:/usr/bin:/bin:/usr/sbin:/sbin',
   }
-  logrotate::file { 'updatepuppetmaster':
-    ensure  => present,
-    log     => '/var/log/puppet_run_all.log',
-    options => ['compress',
-      'copytruncate',
-      'delaycompress',
-      'missingok',
-      'rotate 7',
-      'daily',
-      'notifempty',
-    ],
-    require => Cron['updatepuppetmaster'],
-  }
 
   cron { 'deleteoldreports':
     user        => 'root',
diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp
index 6b1d71c531..f48f45604a 100644
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@@ -7,7 +7,8 @@ class openstack_project::server (
   $iptables_rules4           = [],
   $iptables_rules6           = [],
   $sysadmins                 = [],
-  $certname                  = $::fqdn
+  $certname                  = $::fqdn,
+  $pin_puppet                = '2.7.',
 ) {
   class { 'openstack_project::template':
     iptables_public_tcp_ports => $iptables_public_tcp_ports,
@@ -15,6 +16,7 @@ class openstack_project::server (
     iptables_rules4           => $iptables_rules4,
     iptables_rules6           => $iptables_rules6,
     certname                  => $certname,
+    pin_puppet                => $pin_puppet,
   }
   class { 'exim':
     sysadmin => $sysadmins,
diff --git a/modules/openstack_project/manifests/template.pp b/modules/openstack_project/manifests/template.pp
index 710ce34d1a..507d687120 100644
--- a/modules/openstack_project/manifests/template.pp
+++ b/modules/openstack_project/manifests/template.pp
@@ -7,6 +7,7 @@ class openstack_project::template (
   $iptables_public_udp_ports = [],
   $iptables_rules4           = [],
   $iptables_rules6           = [],
+  $pin_puppet                = '2.7.',
   $install_users = true,
   $install_resolv_conf = true,
   $automatic_upgrades = true,
@@ -30,6 +31,7 @@ class openstack_project::template (
   class { 'openstack_project::base':
     install_users => $install_users,
     certname      => $certname,
+    pin_puppet    => $pin_puppet,
   }
 
   package { 'lvm2':
diff --git a/modules/openstack_project/files/00-puppet.pref b/modules/openstack_project/templates/00-puppet.pref.erb
similarity index 67%
rename from modules/openstack_project/files/00-puppet.pref
rename to modules/openstack_project/templates/00-puppet.pref.erb
index 2d9aaf8cca..11c08f6a6b 100644
--- a/modules/openstack_project/files/00-puppet.pref
+++ b/modules/openstack_project/templates/00-puppet.pref.erb
@@ -1,7 +1,7 @@
 Package: puppet puppet-common puppetmaster puppetmaster-common puppetmaster-passenger
-Pin: version 2.7*
+Pin: version <%= @pin_puppet %>*
 Pin-Priority: 501
 
 Package: facter
-Pin: version 1.*
+Pin: version <%= @pin_facter %>*
 Pin-Priority: 501