Puppet apply is an application that compiles and manages configurations on nodes. It acts like a self-contained combination of the Puppet master and Puppet agent applications.
For more information about Puppet’s architecture, see Overview of Puppet’s
architecture — in particular, read the note about differences and
trade-offs between agent/master and
For details about invoking the
puppet apply command, see the puppet apply man page.
Puppet apply runs similarly on *nix and Windows systems. Not all operating systems can manage the same resources with Puppet; some resource types are OS-specific, and others have OS-specific features. For more information, see the resource type reference.
Puppet apply's run environment
Unlike Puppet agent, Puppet apply never runs as a daemon or service. It runs as a single task in the foreground, which compiles a catalog, applies it, files a report, and exits.
By default, it never initiates outbound network connections, although it can be configured to do so, and it never accepts inbound network connections.
Like the Puppet master application, Puppet
apply uses its settings (such as
basemodulepath) and the
configured environments to locate the Puppet code and configuration data it will use when
compiling a catalog.
The one exception is the main manifest. Puppet apply always requires a single command line argument, which acts as its main manifest. It ignores the main manifest from its environment.
Alternatively, you can
write a main manifest directly using the command line, with the
-e option. For more
information, see the puppet apply man page.
Puppet apply runs as whichever user executed the Puppet apply command.
rooton *nix systems.
LocalServiceor a member of the
Administratorsgroup on Windows systems.
Puppet apply can also run as a non-root user. When
running without root permissions, most of Puppet’s resource providers cannot use
sudo to elevate
permissions. This means Puppet
can only manage resources that its user can modify without using
||Only non-root cron jobs can be viewed or set.|
||Cannot run as another user or group.|
||Only if the non-root user has read/write privileges.|
||For services that don’t require root. You
can also use the
To install packages into a directory
controlled by a non-root user, you can either use an
exec to unzip a tarball or use a
file resource to copy a directory into place.
By default, Puppet apply does not communicate over the network. It uses its local collection of modules for any file sources, and does not submit reports to a central server.
Depending on your system and the resources you are managing, it might download packages from your configured package repositories or access files on UNC shares.
If you have configured an external node classifier (ENC), your ENC script might create an outbound HTTP connection. Additionally, if you’ve configured the HTTP report processor, Puppet agent sends reports via HTTP or HTTPS.
If you have configured PuppetDB, Puppet apply will create outbound HTTPS connections to PuppetDB.
Puppet apply logs directly to the terminal, which is good for interactive use, but less so when running as a scheduled task or cron job.
You can adjust how
verbose the logs are with the
log_level setting, which defaults to
notice. Setting it
info is equivalent to running with the
--verbose option, and setting it
debug is equivalent to
--debug. You can also make logs quieter by setting it
warning or lower.
When started with
syslog option, Puppet apply logs to the *nix syslog service. Your syslog configuration
dictates where these messages will be saved, but the default location
/var/log/messages on Linux,
Mac OS X, and
/var/adm/messages on Solaris.
When started with the
--logdest eventlog option, it logs to the Windows Event Log. You can view its logs by browsing
the Event Viewer. Click
Control Panel ->
System and Security
-> Administrative Tools
-> Event Viewer.
When started with the
--logdest <FILE> option, it logs to the
file specified by
In addition to local logging, Puppet apply will process a report using its
configured report handlers, like a Puppet master does. Using the
reports setting, you can enable different
reports. For more information, see see the list of available reports.
For information about reporting, see the reporting
Managing systems with Puppet apply
In a typical site, every node periodically does a Puppet run, to revert unwanted changes and to pick up recent updates.
Puppet apply doesn’t run as a service, so you must manually create a scheduled task or cron job if you want it to run on a regular basis, instead of using Puppet agent.
On *nix, you can use
command to set up a cron job.
sudo puppet resource cron puppet-apply ensure=present user=root minute=60 command='/opt/puppetlabs/bin/puppet apply /etc/puppetlabs/puppet/manifests --logdest syslog'
Configuring Puppet apply
Configure Puppet apply in the
puppet.conf file, using the
[user] section, the
[main] section, or both.
For information on which settings are relevant to
puppet apply, see important settings.