Scripts · May 9, 2026 · 3 min read

Puppet — Infrastructure Configuration Management at Scale

A declarative configuration management tool that automates provisioning, configuration, and enforcement of desired state across thousands of servers.

Introduction

Puppet is a configuration management tool that lets you define infrastructure as code using a declarative language. It enforces the desired state of servers, packages, services, and files across fleets of machines, keeping environments consistent and auditable.

What Puppet Does

  • Declares desired system state in manifests using the Puppet DSL
  • Continuously enforces configuration and auto-corrects drift
  • Manages packages, services, files, users, cron jobs, and custom resources
  • Provides a module ecosystem on the Puppet Forge with thousands of reusable modules
  • Reports on compliance with detailed run logs and change audits

Architecture Overview

Puppet uses a client-server model. The Puppet Server compiles catalogs from manifests, Hiera data, and facts reported by each agent. Agents run on managed nodes, collect system facts via Facter, request a catalog from the server, apply resources in dependency order, and send a report back. In agentless mode, Puppet Bolt pushes tasks over SSH or WinRM.

Self-Hosting & Configuration

  • Deploy Puppet Server on a dedicated host; agents connect on port 8140
  • Write manifests in .pp files and organize them into modules under a control repo
  • Use Hiera for hierarchical data separation (secrets, per-environment values)
  • Declare module dependencies in a Puppetfile and install them with r10k or Code Manager
  • Use Puppet Bolt for agentless ad-hoc task execution over SSH
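The pieces above (a manifest in a module, data and secrets in Hiera, resources applied in dependency order) can be seen together in a single class. This is an added example, not code from Puppet or from this page: the class name `profile::ssh_hardening`, the Hiera keys, and the token file path are hypothetical, and the package and service names assume a RHEL-family node.

```puppet
# Added example. Hypothetical path: site-modules/profile/manifests/ssh_hardening.pp
# Matching Hiera data (constructed), e.g. data/common.yaml:
#   profile::ssh_hardening::allow_groups: ['sshadmins']
#   profile::ssh_hardening::monitoring_token: <eyaml-encrypted value>
class profile::ssh_hardening (
  # Filled by Hiera automatic parameter lookup; defaults apply if no key is set.
  Array[String[1], 1] $allow_groups = ['sshadmins'],
  Enum['yes', 'no']   $permit_root  = 'no',
) {
  # Secret fetched through Hiera (eyaml or a Vault backend, per hiera.yaml).
  # Wrapping it in Sensitive keeps the value out of logs and reports.
  $token  = Sensitive(lookup('profile::ssh_hardening::monitoring_token', String[1]))
  # join() is built in on current Puppet; older releases take it from stdlib.
  $groups = join($allow_groups, ' ')

  package { 'openssh-server':
    ensure => installed,
  }

  file { '/etc/ssh/sshd_config':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0600',
    content      => "PermitRootLogin ${permit_root}\nPasswordAuthentication no\nAllowGroups ${groups}\n",
    # Reject a broken config before it replaces the live file.
    validate_cmd => '/usr/sbin/sshd -t -f %',
    require      => Package['openssh-server'],
    notify       => Service['sshd'],
  }

  file { '/etc/monitoring-agent.token':   # hypothetical consumer of the secret
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0400',
    content   => $token,
    show_diff => false,                   # never print a diff of the secret
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }
}
```

Running `puppet agent --test --noop` on a node shows what this class would change without applying it, which is a useful check before the class is enforced fleet-wide.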

Key Features

  • Declarative language with strong typing and dependency ordering
  • Idempotent runs ensure repeated application produces the same result
  • Puppet Forge provides thousands of community and vendor-supported modules
  • Built-in reporting and compliance auditing for every managed node
  • Supports Linux, Windows, macOS, and network devices

Comparison with Similar Tools

  • Ansible — agentless with YAML playbooks; Puppet uses agents and a custom DSL for continuous enforcement
  • Chef Infra — Ruby-based imperative recipes; Puppet is declarative and models desired state
  • SaltStack — event-driven with remote execution; Puppet focuses on configuration convergence
  • Terraform — provisions infrastructure; Puppet manages OS-level configuration after provisioning
  • NixOS — functional OS configuration; Puppet works across existing Linux and Windows systems

FAQ

Q: Does Puppet require agents on every node? A: The traditional model uses agents, but Puppet Bolt provides agentless task execution over SSH or WinRM for ad-hoc operations.

Q: Is Puppet still relevant in a container world? A: Yes. Puppet manages the hosts running containers, configures base images, and handles non-containerized infrastructure like databases and network devices.

Q: What is Hiera? A: Hiera is Puppet's built-in key-value lookup system that separates data from code, letting you define environment-specific or role-specific values in YAML files.

Q: How does Puppet handle secrets? A: Puppet integrates with HashiCorp Vault, eyaml (encrypted YAML), and other secret stores through Hiera backends and custom functions.
