Puppet apply

Puppet apply is an application that compiles and manages configurations on nodes. It acts like a self-contained combination of the Puppet primary server and Puppet agent applications.

For details about invoking the puppet apply command, see the puppet apply man page.

Supported platforms

Puppet apply runs similarly on *nix and Windows systems. Not all operating systems can manage the same resources with Puppet; some resource types are OS-specific, and others have OS-specific features. For more information, see the resource type reference.

Puppet apply's run environment

Unlike Puppet agent, Puppet apply never runs as a daemon or service. It runs as a single task in the foreground, which compiles a catalog, applies it, files a report, and exits.

By default, it never initiates outbound network connections, although it can be configured to do so, and it never accepts inbound network connections.

Main manifest

Like the primary Puppet server application, Puppet apply uses its settings (such as basemodulepath) and the configured environments to locate the Puppet code and configuration data it uses when compiling a catalog.

The one exception is the main manifest. Puppet apply always requires a single command line argument, which acts as its main manifest. It ignores the main manifest from its environment.

Alternatively, you can write a main manifest directly using the command line, with the -e option. For more information, see the puppet apply man page.


Puppet apply runs as whichever user executed the Puppet apply command.

To manage a complete system, run Puppet apply as:
  • root on *nix systems.

  • Either LocalService or a member of the Administrators group on Windows systems.

Puppet apply can also run as a non-root user. When running without root permissions, most of Puppet’s resource providers cannot use sudo to elevate permissions. This means Puppet can only manage resources that its user can modify without using sudo.

Of the core resource types listed in the resource type reference, the following are available to non-root agents:
Resource type Details
cron Only non-root cron jobs can be viewed or set.
exec Cannot run as another user or group.
file Only if the non-root user has read/write privileges.
service For services that don’t require root. You can also use the start, stop, and status attributes to specify how non-root users can control the service. For more information, see tips and examples for the service type.

To install packages into a directory controlled by a non-root user, you can either use an exec to unzip a tarball or use a recursive file resource to copy a directory into place.

Network access

By default, Puppet apply does not communicate over the network. It uses its local collection of modules for any file sources, and does not submit reports to a central server.

Depending on your system and the resources you are managing, it might download packages from your configured package repositories or access files on UNC shares.

If you have configured an external node classifier (ENC), your ENC script might create an outbound HTTP connection. Additionally, if you’ve configured the HTTP report processor, Puppet agent sends reports via HTTP or HTTPS.

If you have configured PuppetDB, Puppet apply creates outbound HTTPS connections to PuppetDB.


Puppet apply logs directly to the terminal, which is good for interactive use, but less so when running as a scheduled task or cron job.

You can adjust how verbose the logs are with the log_level setting, which defaults to notice. Setting it to info is equivalent to running with the --verbose option, and setting it to debug is equivalent to --debug. You can also make logs quieter by setting it to warning or lower.

When started with the --logdest syslog option, Puppet apply logs to the *nix syslog service. Your syslog configuration dictates where these messages are saved, but the default location is /var/log/messages on Linux, and /var/log/system.logon Mac OS X.

When started with the --logdest eventlog option, it logs to the Windows Event Log. You can view its logs by browsing the Event Viewer. Click Control Panel -> System and Security -> Administrative Tools -> Event Viewer.

When started with the --logdest <FILE> option, it logs to the file specified by <FILE>.


In addition to local logging, Puppet apply processes a report using its configured report handlers, like a primary Puppet server does. Using the reports setting, you can enable different reports. For more information, see the list of available reports. For information about reporting, see the reporting documentation.

To disable reporting and avoid taking up disk space with the store report handler, you can set report = false in puppet.conf.

Managing systems with Puppet apply

In a typical site, every node periodically does a Puppet run, to revert unwanted changes and to pick up recent updates.

Puppet apply doesn’t run as a service, so you must manually create a scheduled task or cron job if you want it to run on a regular basis, instead of using Puppet agent.

On *nix, you can use the puppet resource command to set up a cron job.

This example runs Puppet one time per hour, with Puppet Enterprise paths:
sudo puppet resource cron puppet-apply ensure=present user=root minute=60 command='/opt/puppetlabs/bin/puppet apply /etc/puppetlabs/puppet/manifests --logdest syslog'

Configuring Puppet apply

Configure Puppet apply in the puppet.conf file, using the [user] section, the [main] section, or both.

For information on which settings are relevant to puppet apply, see important settings.