Puppet
Puppet is a leading open-source configuration management tool, widely used by DevOps and SRE teams to automate provisioning, enforce compliance, and manage cloud and on-premises infrastructure at scale.
Overview (2025)
Puppet enables Infrastructure as Code (IaC) using a declarative, model-driven approach. It supports hybrid and multi-cloud environments (AWS, Azure, GCP), integrates with CI/CD pipelines, and is ideal for large-scale, compliance-driven operations.
Pros
- Declarative language for infrastructure configuration
- Large module ecosystem
- Strong community support
- Idempotent operations
- Cross-platform support
- Built-in reporting and compliance
- Integration with cloud providers
- Excellent for large-scale deployments
Cons
- Steep learning curve
- Complex setup for master-agent architecture
- Resource-intensive master server
- Limited real-time execution compared to other tools
- Ruby dependency
- Can be overkill for small infrastructures
Installation and Setup (2025)
Linux (Ubuntu/Debian)
# Install Puppet server
wget https://apt.puppet.com/puppet7-release-focal.deb
sudo dpkg -i puppet7-release-focal.deb
sudo apt update
sudo apt install puppetserver
# Configure Java heap size if needed
sudo vi /etc/default/puppetserver
# JAVA_ARGS="-Xms1g -Xmx1g"
# Start Puppet server
sudo systemctl start puppetserver
sudo systemctl enable puppetserver
WSL
# Install Puppet agent
wget https://apt.puppet.com/puppet7-release-focal.deb
sudo dpkg -i puppet7-release-focal.deb
sudo apt update
sudo apt install puppet-agent
NixOS
# Add to configuration.nix
{
  services.puppet = {
    enable = true;
    masterService.enable = true;
    extraConfig = ''
      [main]
      server = puppet.example.com
    '';
  };
}
Real-Life DevOps & SRE Examples
1. Enforcing Compliance Across Cloud VMs
node /^web\d+\.prod\.aws\.example\.com$/ {
  include profile::base
  include profile::cloudwatch_agent
  include profile::cis_hardening
}
2. Automated User Management (SRE)
users::user { 'devops_engineer':
  ensure     => present,
  uid        => '1050',
  groups     => ['sudo', 'docker'],
  ssh_keys   => ['ssh-rsa AAAA...'],
  managehome => true,
}
3. Multi-Cloud Resource Tagging (AWS & Azure)
# AWS EC2 Tagging
aws_tag { 'Environment':
  resource_id => 'i-0abcd1234',
  value       => 'production',
}
# Azure VM Tagging
azure_vm_tag { 'web-vm':
  resource_group => 'prod-rg',
  tags           => { 'Owner' => 'SRE', 'CostCenter' => '1234' },
}
4. Integrating Puppet with CI/CD (GitHub Actions)
name: Puppet Validate & Deploy
on: [push]
jobs:
  puppet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Validate Puppet code
        run: |
          gem install puppet-lint
          puppet-lint manifests/
      - name: Deploy with r10k
        run: |
          gem install r10k
          r10k deploy environment -p
Best Practices for DevOps & SRE (2025)
- Use roles/profiles for code organization
- Integrate Puppet runs with CI/CD pipelines
- Store secrets in encrypted Hiera data (e.g., hiera-eyaml) or external vaults
- Monitor agent runs and failures (e.g., with Prometheus)
- Use resource collectors for dynamic infrastructure
- Test modules with rspec-puppet and puppet-lint
- Prefer declarative over imperative code
Common Pitfalls
- Not using version control for manifests
- Hardcoding secrets in code
- Ignoring resource dependencies (ordering)
- Not monitoring agent failures
- Overusing exec resources (prefer native types)
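A heuristic CI check for two of the pitfalls above (hardcoded secrets, and exec resources with no idempotency guard), added here as an example and not part of the original page or of Puppet's tooling. The regexes, rule names and sample manifest are constructed for illustration; this is a line-based scan, not a Puppet parser.

```python
import re
# Constructed sample manifest for this example (not from the original page).
SAMPLE_MANIFEST = """\
class profile::app {
  $db_password = 'constructed-not-a-real-secret'
  $api_token   = lookup('profile::app::api_token')
  exec { 'init-schema':
    command => '/usr/local/bin/init-schema',
  }
  exec { 'unpack-app':
    command => '/bin/tar xf /opt/app.tgz -C /opt',
    creates => '/opt/app',
  }
}
"""

# Variable/attribute names that suggest a credential (assumed word list).
SECRET_NAME = re.compile(r'passw(or)?d|secret|token|api_?key|private_?key', re.I)
# `$var = 'literal'` or `attr => 'literal'`: a quoted value ending the line.
ASSIGNMENT = re.compile(r'''\$?([A-Za-z_]\w*)\s*(?:=>|=)\s*(['"])(.+?)\2\s*,?\s*$''')
EXEC_OPEN = re.compile(r'''exec\s*\{\s*(['"])(.+?)\1\s*:''')
# Attributes that stop an exec from running on every agent run.
GUARDS = re.compile(r'(creates|onlyif|unless|refreshonly)\s*=>')

def scan_manifest(text):
    """Return (line_no, rule, name) findings; the secret value is never echoed."""
    findings, open_exec = [], None  # open_exec = [line_no, title, guarded]
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith('#'):
            continue
        m = ASSIGNMENT.search(stripped)
        # Interpolated values ("${...}") are not literals, so they are skipped.
        if m and SECRET_NAME.search(m.group(1)) and '${' not in m.group(3):
            findings.append((no, 'hardcoded-secret', m.group(1)))
        m = EXEC_OPEN.match(stripped)
        if m:
            open_exec = [no, m.group(2), False]
        elif open_exec and GUARDS.match(stripped):
            open_exec[2] = True
        elif open_exec and stripped.startswith('}'):  # end of the exec body
            if not open_exec[2]:
                findings.append((open_exec[0], 'unguarded-exec', open_exec[1]))
            open_exec = None
    return findings

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print("line %d: %s (%s)" % finding)
```

Run against each manifest in the validation step and fail the job when the returned list is non-empty.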
Troubleshooting
Common issues and their solutions:
- Certificate Issues:
  - Clean SSL on agent
  - Regenerate certificates
  - Check time synchronization
- Resource Ordering:
  - Use proper dependencies
  - Implement proper require/before statements
  - Use resource collectors wisely
- Performance Issues:
  - Check JVM heap size
  - Optimize agent runs
  - Monitor PuppetDB performance
Resources
Puppet Joke: Why did the SRE break up with Puppet? Too many strings attached!