Puppet Commands

Puppet is a declarative infrastructure automation tool for managing system configuration across multiple machines.

Installation

Linux (Ubuntu/Debian)

# Add Puppet repository
wget https://apt.puppet.com/puppet-release-focal.deb
sudo dpkg -i puppet-release-focal.deb
sudo apt update

# Install Puppet agent
sudo apt install puppet-agent

# Verify installation
/opt/puppetlabs/bin/puppet --version

Linux (RHEL/CentOS)

# Add Puppet repository
sudo rpm -Uvh https://yum.puppet.com/puppet-release-el-7.noarch.rpm

# Install Puppet agent
sudo yum install puppet-agent

# Verify installation
/opt/puppetlabs/bin/puppet --version

macOS

# Homebrew installation
brew install puppet

# Or download from Puppet
curl -O https://downloads.puppetlabs.com/mac/puppet/puppet-7.0.0-1.osx11.dmg

# Verify
puppet --version

Basic Commands

Command	Description
puppet --version	Display Puppet version
puppet apply manifest.pp	Apply manifest locally
puppet agent -t	Run agent and apply catalog
puppet agent --enable	Enable agent runs
puppet agent --disable	Disable agent runs
puppet config print	Display configuration
puppet describe package	Show resource type docs
puppet help	Display help

Agent Management

# Run Puppet agent on-demand
/opt/puppetlabs/bin/puppet agent -t

# Run agent with verbose output
/opt/puppetlabs/bin/puppet agent -t -v

# Run agent with debug output
/opt/puppetlabs/bin/puppet agent -t -d

# Run specific manifest
/opt/puppetlabs/bin/puppet apply /path/to/manifest.pp

# Dry run (no changes)
/opt/puppetlabs/bin/puppet agent -t --noop

# Enable agent runs
/opt/puppetlabs/bin/puppet agent --enable

# Disable agent runs (with message)
/opt/puppetlabs/bin/puppet agent --disable "Maintenance window"

# Check agent status
/opt/puppetlabs/bin/puppet agent --status

# Sign pending certificates
/opt/puppetlabs/bin/puppet cert sign agent-hostname

# List certificates
/opt/puppetlabs/bin/puppet cert list

# Sign all pending certificates
/opt/puppetlabs/bin/puppet cert sign -a

Module Management

# Create new module
puppet module generate username-modulename

# Install module from Puppet Forge
puppet module install puppetlabs-apache

# Install specific version
puppet module install puppetlabs-apache --version 5.0.0

# List installed modules
puppet module list

# Search for modules
puppet module search apache

# Upgrade module
puppet module upgrade puppetlabs-apache

# Uninstall module
puppet module uninstall puppetlabs-apache

# Generate module structure
puppet module generate author-mymodule

Resource Types

# Package resource
package { 'apache2':
  ensure => present,
}

# Service resource
service { 'apache2':
  ensure => running,
  enable => true,
}

# File resource
file { '/etc/apache2/apache2.conf':
  ensure  => file,
  content => template('apache/apache2.conf.erb'),
  mode    => '0644',
  owner   => 'root',
  group   => 'root',
  notify  => Service['apache2'],
}

# User resource
user { 'appuser':
  ensure   => present,
  uid      => 1001,
  gid      => 1001,
  home     => '/home/appuser',
  shell    => '/bin/bash',
  password => sha512('password'),
}

# Group resource
group { 'appgroup':
  ensure => present,
  gid    => 1001,
}

# Exec resource
exec { 'install_dependencies':
  command => '/usr/bin/apt-get update && /usr/bin/apt-get install -y build-essential',
  unless  => '/usr/bin/dpkg -l | grep build-essential',
}

# Cron resource
cron { 'backup_database':
  command => '/usr/local/bin/backup.sh',
  hour    => 2,
  minute  => 0,
  user    => 'root',
}

Manifest Structure

# Simple manifest
node 'webserver.example.com' {
  package { 'apache2':
    ensure => present,
  }

  service { 'apache2':
    ensure  => running,
    enable  => true,
    require => Package['apache2'],
  }

  file { '/var/www/html/index.html':
    ensure  => file,
    content => 'Hello World',
    mode    => '0644',
  }
}

# Default node
node default {
  include base_classes::system_updates
}

# Regular expression node matching
node /^webserver\d+\.example\.com$/ {
  class { 'apache':
    mpm_module => 'worker',
  }
}

Classes and Includes

# Define class
class apache {
  package { 'apache2':
    ensure => present,
  }

  service { 'apache2':
    ensure  => running,
    enable  => true,
    require => Package['apache2'],
  }
}

# Use class
include apache

# Or with parameters
class { 'apache':
  port => 8080,
}

# Class with parameters
class mysql (
  String $version = '5.7',
  String $root_password,
) {
  package { 'mysql-server':
    ensure => $version,
  }
}

# Use class with parameters
class { 'mysql':
  version       => '8.0',
  root_password => 'secure_password',
}

Conditionals and Logic

# If statement
if $osfamily == 'Debian' {
  package { 'apache2':
    ensure => present,
  }
} elsif $osfamily == 'RedHat' {
  package { 'httpd':
    ensure => present,
  }
} else {
  fail('Unsupported OS')
}

# Unless statement
unless $service_enabled {
  service { 'apache2':
    ensure => stopped,
  }
}

# Case statement
case $operatingsystem {
  'Ubuntu', 'Debian': {
    package { 'apache2':
      ensure => present,
    }
  }
  'CentOS', 'RedHat': {
    package { 'httpd':
      ensure => present,
    }
  }
  default: {
    fail("${operatingsystem} not supported")
  }
}

# Selector expression
$package_name = $osfamily ? {
  'Debian' => 'apache2',
  'RedHat' => 'httpd',
  default  => undef,
}

Variables and Facts

# Define variable
$apache_port = 80

# Use variable
service { 'apache2':
  ensure => running,
}

# Facts (predefined)
notify { 'system_info':
  message => "OS: ${::operatingsystem} ${::operatingsystemrelease}",
}

# Common facts
# $::osfamily - OS family (Debian, RedHat, etc.)
# $::operatingsystem - OS name (Ubuntu, CentOS, etc.)
# $::hostname - system hostname
# $::ipaddress - primary IP address
# $::interfaces - network interfaces
# $::processorcount - number of CPUs
# $::memorytotal - total system memory

# Custom fact
$custom_fact = $::custom_variable

Arrays and Hashes

# Array
$package_list = ['apache2', 'curl', 'git']

# Iterate over array
package { $package_list:
  ensure => present,
}

# Hash
$config = {
  'port'       => 80,
  'ssl_port'   => 443,
  'admin_user' => 'admin',
}

# Access hash value
$port = $config['port']

# Iterate over hash
$config.each |String $key, $value| {
  notify { "Config ${key}":
    message => "Value: ${value}",
  }
}

Functions

# Template function
file { '/etc/apache2/apache2.conf':
  ensure  => file,
  content => template('apache/apache2.conf.erb'),
}

# Inline template
file { '/etc/myconfig':
  ensure  => file,
  content => inline_template('<%= @variable %>'),
}

# File function
file { '/etc/config':
  ensure  => file,
  content => file('apache/default_config'),
}

# Lookup function
$value = lookup('some_key', { 'default_value' => 'default' })

# String functions
$upcase = upcase('hello')          # 'HELLO'
$downcase = downcase('HELLO')      # 'hello'
$capitalize = capitalize('hello')  # 'Hello'
$join = join(['a', 'b'], ',')     # 'a,b'
$split = split('a,b,c', ',')      # ['a', 'b', 'c']

# Array functions
$size = size(['a', 'b', 'c'])      # 3
$reverse = reverse(['a', 'b', 'c'])  # ['c', 'b', 'a']
$unique = unique(['a', 'b', 'a'])  # ['a', 'b']

Facter (Facts System)

# List all facts
facter

# List specific fact
facter operatingsystem

# List facts as JSON
facter --json

# Search for fact
facter | grep -i memory

# Custom fact script
cat > /opt/puppetlabs/facter/facts.d/custom_fact.sh << 'EOF'
#!/bin/bash
echo "custom_app_version=$(cat /opt/app/VERSION)"
EOF
chmod +x /opt/puppetlabs/facter/facts.d/custom_fact.sh

# Refresh facts
puppet facts upload

Testing Manifests

# Validate manifest syntax
puppet parser validate manifest.pp

# Dry run (no-op)
puppet apply manifest.pp --noop

# Dry run with verbose
puppet apply manifest.pp --noop -v

# Check syntax only
puppet apply --parseonly manifest.pp

# Use puppet-lint for style checking
gem install puppet-lint
puppet-lint manifest.pp

# Test with rspec-puppet
gem install rspec-puppet
rspec spec/classes/apache_spec.rb

Hiera (Hierarchy Data)

# Check Hiera configuration
puppet config print hiera_config

# Look up value
hiera package_name

# Look up with override
hiera package_name environment=production

# Test Hiera configuration
hiera-eyaml explain

hiera.yaml

---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  - name: "Environment-specific"
    path: "environment/%{::environment}.yaml"

  - name: "OS-specific"
    path: "os/%{::osfamily}.yaml"

  - name: "Common"
    path: "common.yaml"

Puppet Forge Integration

# Install module from Forge
puppet module install puppetlabs/apache

# Install with dependencies
puppet module install puppetlabs/postgresql

# Search Forge
puppet module search mysql

# List installed modules
puppet module list

# Update all modules
puppet module upgrade --all

# Check module compatibility
puppet module list --tree

Best Practices

• Use Hiera for data separation
• Organize code into modules
• Use version control for manifests
• Test manifests before deployment
• Document classes and resources
• Use parameterized classes
• Implement proper dependency ordering
• Use conditional logic based on facts
• Monitor agent runs
• Implement gradual rollouts
• Use puppet-lint for code quality
• Keep modules focused and reusable

Resources

• Official Documentation
• Puppet Forge
• Resource Types
• Language Guide
• Best Practices

---

Last updated: 2026-03-30|Puppet 7+