Puppet Overview
Puppet is a powerful automation tool used to manage configurations and automate administrative tasks across multiple systems. This guide walks you through installing a Puppet server (master) and configuring 10 Debian-based client servers (agents) to automatically install system updates (patches) using Puppet.
1. Prerequisites
- Debian server to act as the Puppet master (e.g., Debian 11)
- Debian servers as Puppet agents (clients)
- Root or sudo access on all systems
- Static IPs or properly configured hostnames
- Network connectivity between master and agents
2. Install Puppet Server on Debian
a. Add the Puppet APT repository
# wget https://apt.puppet.com/puppet7-release-bullseye.deb
# dpkg -i puppet7-release-bullseye.deb
# apt update
b. Install Puppet Server
# apt install puppetserver -y
c. Configure JVM memory (optional but recommended)
Edit /etc/default/puppetserver:
JAVA_ARGS="-Xms512m -Xmx1g"
d. Enable and start the Puppet Server
# systemctl enable puppetserver
# systemctl start puppetserver
3. Configure the Puppet Server
a. Set the hostname
# hostnamectl set-hostname puppet.example.com
Update /etc/hosts with your server’s IP and FQDN if DNS is not configured:
192.168.1.10 puppet.pc-freak.net puppet
b. Configure Puppet
Edit /etc/puppetlabs/puppet/puppet.conf:
[main]
certname = puppet.pc-freak.net
server = puppet.pc-freak.net
environment = production
runinterval = 1h
Restart Puppet server:
# systemctl restart puppetserver
4. Install Puppet Agent on 10 Debian Clients
Repeat this section on each client server (Debian 10/11).
a. Add the Puppet repository
# wget https://apt.puppet.com/puppet7-release-bullseye.deb
# dpkg -i puppet7-release-bullseye.deb
# apt update
b. Install the Puppet agent
# apt install puppet-agent -y
c. Configure the agent to point to the master
# /opt/puppetlabs/bin/puppet config set server puppet.example.com --section main
d. Start the agent to request a certificate
# /opt/puppetlabs/bin/puppet agent --test
5. Sign Agent Certificates on the Puppet Server
Run the following two commands on the Puppet master:
# /usr/bin/puppetserver ca list --all
Sign all pending requests:
# /usr/bin/puppetserver ca sign --all
Verify that the connection to the Puppet server works:
# /opt/puppetlabs/bin/puppet node find haproxy2.pc-freak.net
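Because `ca sign --all` approves every pending request, the check below is an added example (not from the original article) that signs only CSRs whose fingerprint matches one recorded on the agent itself with `puppet agent --fingerprint`. The sample data, the function names and the assumed column layout of `puppetserver ca list` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `puppetserver ca list` output; the column layout
# (certname, digest name, fingerprint) is an assumption of this example.
PENDING_SAMPLE='Requested Certificates:
    agent1.example.com   (SHA256)  AA:11:22:33
    agent2.example.com   (SHA256)  BB:44:55:66
    rogue.example.com    (SHA256)  CC:77:88:99'

# Constructed allowlist "certname fingerprint", as the admin would record it
# on each agent with `puppet agent --fingerprint`. Fingerprints are shortened.
EXPECTED_SAMPLE='agent1.example.com AA:11:22:33
agent2.example.com bb:44:55:00'

# Upper-case a fingerprint so the comparison ignores hex digit case.
norm_fp() { printf '%s' "$1" | tr 'a-f' 'A-F'; }

# check_csrs PENDING EXPECTED -> one line per pending CSR:
#   "OK name", "MISMATCH name" or "UNKNOWN name"
check_csrs() {
    printf '%s\n' "$1" | while read -r name algo fp rest; do
        [ "$algo" = "(SHA256)" ] || continue        # skip headers and blanks
        want=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$want" ]; then
            echo "UNKNOWN $name"                    # nobody vouched for this host
        elif [ "$(norm_fp "$want")" = "$(norm_fp "$fp")" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"                   # same name, different key
        fi
    done
}

# Print (not run) one sign command per verified CSR; the rest need a human.
sign_plan() {
    check_csrs "$1" "$2" | while read -r verdict name; do
        if [ "$verdict" = "OK" ]; then
            echo "puppetserver ca sign --certname $name"
        else
            echo "# skip $name: $verdict"
        fi
    done
}

sign_plan "$PENDING_SAMPLE" "$EXPECTED_SAMPLE"
```

On a real master, pass the output of `puppetserver ca list` as the first argument and review the printed plan before running any of the sign commands.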
6. Create a Puppet Module for Patching
a. Create the patching module
# mkdir -p /etc/puppetlabs/code/environments/production/modules/patching/manifests
b. Add a manifest file
/etc/puppetlabs/code/environments/production/modules/patching/manifests/init.pp:
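class patching {
  # Refresh the package index unless a list file changed in the last 60 minutes.
  exec { 'apt_update':
    command  => '/usr/bin/apt update',
    path     => ['/usr/bin', '/usr/sbin'],
    # The guard uses $(...) and a pipe, which only the shell provider interprets.
    provider => shell,
    unless   => '/usr/bin/test $(find /var/lib/apt/lists/ -type f -mmin -60 | wc -l) -gt 0',
  }

  # Upgrade only when apt lists something besides its "Listing..." header line.
  exec { 'apt_upgrade':
    command  => '/usr/bin/apt upgrade -y',
    path     => ['/usr/bin', '/usr/sbin'],
    provider => shell,
    require  => Exec['apt_update'],
    unless   => '/usr/bin/test $(/usr/bin/apt list --upgradable 2>/dev/null | wc -l) -le 1',
  }
}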
This class updates the package list and applies all available security and feature updates.
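Since the class applies every pending upgrade, it helps to preview what an agent would install and how much of it is security-related. The script below is an added example (not from the original article) that classifies the "Inst" lines of an `apt-get -s upgrade` simulation. The sample output and function names are constructed, and matching on the `Debian-Security:` origin label is an assumption about how the security archive appears in that output.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s upgrade` (simulation) output on Debian 12.
SIM_SAMPLE='Reading package lists...
The following packages will be upgraded:
  curl libssl3 tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl3 [3.0.11-1~deb12u1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
Inst curl [7.88.1-10+deb12u4] (7.88.1-10+deb12u5 Debian-Security:12/stable-security [amd64])
Inst tzdata [2024a-0+deb12u1] (2024b-0+deb12u1 Debian:12.8/stable [all])
Conf libssl3 (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])'

# classify_updates SIM_OUTPUT -> "kind package new_version" per pending upgrade.
# kind is "security" when the candidate comes from the security archive.
classify_updates() {
    printf '%s\n' "$1" | awk '
        $1 == "Inst" {
            ver = "?"
            # The new version is the first field that opens the parenthesis;
            # the bracketed old version before it is absent for new installs.
            for (i = 3; i <= NF; i++)
                if ($i ~ /^\(/) { ver = substr($i, 2); break }
            kind = ($0 ~ /Debian-Security:/) ? "security" : "other"
            print kind, $2, ver
        }'
}

# count_kind SIM_OUTPUT KIND -> number of pending upgrades of that kind.
count_kind() {
    classify_updates "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

classify_updates "$SIM_SAMPLE"
echo "security=$(count_kind "$SIM_SAMPLE" security) other=$(count_kind "$SIM_SAMPLE" other)"
```

On an agent, replace the sample with `"$(apt-get -s upgrade)"`; the simulation changes nothing on the system.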
7. Assign the Module and Trigger Updates
a. Edit site.pp on the Puppet master:
# vim /etc/puppetlabs/code/environments/production/manifests/site.pp
node default {
include patching
}
node 'agent1.example.com' {
include patching
}
b. Run Puppet manually on each agent to test:
# /opt/puppetlabs/bin/puppet agent --test
Once confirmed working, Puppet agents will run this patching class automatically every hour (default runinterval).
8. Check that puppetserver and the puppet agent are running on the hosts
root@puppetserver:/etc/puppet# systemctl status puppetserver
● puppetserver.service - Puppet Server
Loaded: loaded (/lib/systemd/system/puppetserver.service; enabled; preset: enabled)
Active: active (running) since Mon 2025-06-16 23:44:42 EEST; 37min ago
Docs: https://puppet.com/docs/puppet/latest/server/about_server.html
Process: 2166 ExecStartPre=sh -c echo -n 0 > ${RUNTIME_DIRECTORY}/restart (code=exited, status=0/SUCCESS)
Process: 2168 ExecStartPost=sh -c while ! head -c1 ${RUNTIME_DIRECTORY}/restart | grep -q '^1'; do kill -0 $MAINPID && sleep 1 || exit 1; done (code=exited, status=0/SUCCESS)
Main PID: 2167 (java)
Tasks: 64 (limit: 6999)
Memory: 847.0M
CPU: 1min 28.704s
CGroup: /system.slice/puppetserver.service
└─2167 /usr/bin/java -Xms512m -Xmx1g -Djruby.lib=/usr/share/jruby/lib -XX:+CrashOnOutOfMemoryError -XX:ErrorFile=/var/log/puppetserver/puppetserver_err_pid%p.log -jar /usr/share/pup>
юни 16 23:44:06 haproxy2 systemd[1]: Starting puppetserver.service - Puppet Server...
юни 16 23:44:30 haproxy2 java[2167]: 2025-06-16T23:44:30.516+03:00 [clojure-agent-send-pool-0] WARN FilenoUtil : Native subprocess control requires open access to the JDK IO subsystem
юни 16 23:44:30 haproxy2 java[2167]: Pass '--add-opens java.base/sun.nio.ch=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED' to enable.
юни 16 23:44:42 haproxy2 systemd[1]: Started puppetserver.service - Puppet Server.
root@grafana:/etc/puppet# systemctl status puppet
* puppet.service - Puppet agent
Loaded: loaded (/lib/systemd/system/puppet.service; enabled; preset: enabled)
Active: active (running) since Mon 2025-06-16 21:22:17 UTC; 18s ago
Docs: man:puppet-agent(8)
Main PID: 1660157 (puppet)
Tasks: 6 (limit: 2307)
Memory: 135.6M
CPU: 5.303s
CGroup: /system.slice/puppet.service
|-1660157 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize
`-1660164 "puppet agent: applying configuration"
Jun 16 21:22:17 grafana systemd[1]: Started puppet.service - Puppet agent.
Jun 16 21:22:28 grafana puppet-agent[1660157]: Starting Puppet client version 7.34.0
Jun 16 21:22:33 grafana puppet-agent[1660164]: Requesting catalog from puppet.pc-freak.net:8140 (192.168.1.58)
9. Use Puppet facter to extract interesting information about the OS Puppet runs on
facter is a powerful command-line tool Puppet agents use to gather system information (called facts). You can also run it manually on any machine to quickly inspect system details.
Here are some interesting examples to get useful info from a machine using facter:
a) Get all facts about Linux OS
$ facter
…
b) Get OS name / version
$ facter os.name os.release.full
os.name => Debian
os.release.full => 12.10
c) Check the machine hostname and IP address
$ facter hostname ipaddress
hostname => puppet-client1
ipaddress => 192.168.0.220
d) Get amount of RAM on the machine
$ facter memorysize
16384 MB
e) Get CPU (Processor information)
$ facter processors
{
count => 4,
models => ["Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz"],
physicalcount => 1,
speed => "1.60 GHz"
}
10. Conclusion
You've successfully set up a Puppet server and configured a sample Debian client system to automatically install security patches using a custom module.
To apply this to the rest of the systems where the puppet agent is installed, repeat the process on each of the remaining 9 nodes.
This approach provides centralized control, consistent configuration, and peace of mind for you as a system administrator if your task is to manage multiple Debian servers with ease.
Of course, the given configuration is only a sample, and to guarantee proper functioning of your infrastructure you'll have to read about and experiment with Puppet; however, I hope this article is a good starting point for getting a Puppet server / agent running relatively easily.