Puppet agent on *nix systems

Puppet agent is the application that manages the configurations on your nodes. It requires a Puppet master to fetch configuration catalogs from.

Depending on your infrastructure and needs, you can manage systems with Puppet agent as a service, as a cron job, or on demand.

For more information about running the puppet agent command, see the puppet agent man page.

Puppet agent's run environment

Puppet agent runs as a specific user, (usually root) and initiates outbound connections on port 8140.

Ports

Puppet’s HTTPS traffic uses port 8140. Your operating system and firewall must allow Puppet agent to initiate outbound connections on this port.

If you want to use a non-default port, you have to change the masterport setting on all agent nodes, and ensure that you change your Puppet master’s port as well.

User

Puppet agent runs as root, which lets it manage the configuration of the entire system.

Puppet agent can also run as a non-root user, as long as it is started by that user. However, this restricts the resources that Puppet agent can manage, and requires you to run Puppet agent as a cron job instead of a service.

If you need to install packages into a directory controlled by a non-root user, use an exec to unzip a tarball or use a recursive file resource to copy a directory into place.

When running without root permissions, most of Puppet’s resource providers cannot use sudo to elevate permissions. This means Puppet can only manage resources that its user can modify without using sudo.

Out of the core resource types listed in the resource type reference, only the following types are available to non-root agents:
Resource type Details
augeas
cron Only non-root cron jobs can be viewed or set.
exec Cannot run as another user or group.
file Only if the non-root user has read/write privileges.
notify
schedule
service For services that don’t require root. You can also use the startstop, and status attributes to specify how non-root users should control the service.
ssh_authorized_key
ssh_key

Manage systems with Puppet agent

In a standard Puppet configuration, each node periodically does configuration runs to revert unwanted changes and to pick up recent updates.

On *nix nodes, there are three main ways to do this:
Run Puppet agent as a service.
The easiest method. The Puppet agent daemon does configuration runs at a set interval, which can be configured.
Make a cron job that runs Puppet agent.
Requires more manual configuration, but a good choice if you want to reduce the number of persistent processes on your systems.
Only run Puppet agent on demand.
You can also deploy MCollective to run on demand on many nodes.

Choose whichever one works best for your infrastructure and culture.

Run Puppet agent as a service

The puppet agent command can start a long-lived daemon process that does configuration runs at a set interval.

Note: If you are running Puppet agent as a non-root user, use a cron job instead.
  1. Start the service.

    The best method is with Puppet agent’s init script / service configuration. When you install Puppet with packages, included is an init script or service configuration for controlling Puppet agent, usually with the service name puppet (for both open source and Puppet Enterprise).

    In open source Puppet, enable the service by running this command:
    sudo puppet resource service puppet ensure=running enable=true
    You can also run the sudo puppet agent command with no additional options which will cause the Puppet agent to start running and daemonize, however you won’t have an interface for restarting or stopping it. To stop the daemon, use the process ID from the agent’s  pidfile :
    sudo kill $(puppet config print pidfile --section agent)
  2. (Optional) Configure the run interval.
    The Puppet agent service defaults to doing a configuration run every 30 minutes. You can configure this with the runinterval setting in  puppet.conf :
    # /etc/puppetlabs/puppet/puppet.conf
    [agent]
      runinterval = 2h

    If you don’t need frequent configuration runs, a longer run interval lets your Puppet master servers handle many more agent nodes.

Run Puppet agent as a cron job

Run Puppet agent as a cron job when running as a non-root user.

If the onetime setting is set to true, the Puppet agent command does one configuration run and then quits. If the daemonize setting is set to false, the command stays in the foreground until the run is finished. If set to true, it does the run in the background.

This behavior is good for building a cron job that does configuration runs. You can use the splay and splaylimit settings to keep the Puppet master from getting overwhelmed, because the system time is probably synchronized across all of your agent nodes.

To set up a cron job, run the puppet resource command:
sudo puppet resource cron puppet-agent ensure=present user=root minute=30 command='/opt/puppetlabs/bin/puppet agent --onetime --no-daemonize --splay --splaylimit 60'
The above example runs Puppet once every hour.  

Run Puppet agent on demand

Some sites prefer to run Puppet agent on-demand, and others use scheduled runs along with the occasional on-demand run.

You can start Puppet agent runs while logged in to the target system, or remotely with Bolt or MCollective.

Run Puppet agent on one machine, using SSH to log into it:
ssh ops@magpie.example.com sudo puppet agent --test
Results

To run remotely on multiple machines, you need some form of orchestration or parallel execution tool, such as Bolt or MCollective with the puppet agent plugin.

Note: As of Puppet agent 5.5.4, MCollective is deprecated and will be removed in a future version of Puppet agent. If you use Puppet Enterprise, consider migrating from MCollective to Puppetorchestrator. If you use open source Puppet, migrate MCollective agents and filters using tools like Bolt and PuppetDB’s Puppet Query Language.

Disable and re-enable Puppet runs

Whether you’re troubleshooting errors, working in a maintenance window, or developing in a sandbox environment, you may need to temporarily disable the Puppet agent from running.

  1. To disable the agent, run:
    sudo puppet agent --disable "<MESSAGE>"
  2. To enable the agent, run:
    sudo puppet agent --enable

Configuring Puppet agent

The Puppet agent comes with a default configuration that may not be the most convenient for you.

Configure Puppet agent with puppet.conf using the [agent] section, the [main] section, or both. For information on settings relevant to Puppet agent, see important settings.

Logging for Puppet agent on *nix systems

When running as a service, Puppet agent logs messages to syslog. Your syslog configuration determines where these messages are saved, but the default location is /var/log/messages on Linux/var/log/system.log on Mac OS X, and /var/adm/messages on Solaris.

You can adjust how verbose the logs are with the log_level setting, which defaults to notice.

When running in the foreground with the --verbose--debug, or --test options, Puppet agent logs directly to the terminal instead of to syslog.

When started with the --logdest <FILE> option, Puppet agent logs to the file specified by <FILE>.

Reporting for Puppet agent on *nix systems

In addition to local logging, Puppet agent submits a report to the Puppet master after each run. This can be disabled by setting report = false in puppet.conf.)