Open source Puppet documentation

The Puppet platform bundles the components needed for a successful deployment.

Puppet platform components

The Puppet platform includes these components:

| Package | Contents |
| --- | --- |
| puppet-agent | Puppet, Facter, Hiera, the PXP agent, root certificates, and prerequisites like Ruby and Augeas. Note: In Puppet version 3.8 and later, Enterprise Linux 5 packages contain only the agent component. |
| puppetserver | Puppet Server |
| puppetdb | PuppetDB |
| puppetdb-termini | Plugins to connect your master to PuppetDB |
Note: The Puppet platform is available only for Linux, because most of its components can run only on Linux. The puppet-agent component is available independently for Windows and macOS.

Puppet platform location and naming

The Puppet platform is packaged separately for each supported operating system and version.

*nix platform packages are located in a Puppet.com repository corresponding to the package management system.
| Package management system | URL naming convention | URL example |
| --- | --- | --- |
| Yum | https://yum.puppet.com/<PLATFORM_VERSION>/<PLATFORM_NAME>-release-<OS ABBREVIATION>-<OS VERSION>.noarch.rpm | https://yum.puppet.com/puppet6/puppet6-release-el-7.noarch.rpm |
| Apt | https://apt.puppet.com/<PLATFORM_VERSION>-release-<VERSION CODE NAME>.deb (Tip: For Ubuntu releases, the code name is the adjective, not the animal.) | https://apt.puppetlabs.com/puppet6-release-wheezy.deb |

Windows and macOS agent packages are indexed on the Puppet download site.

Managing platform versions

To receive the most up-to-date software without introducing breaking changes, use the latest platform, pin your infrastructure to known versions, and update the pinned version manually when you’re ready to update.

For example, if you’re using the puppetlabs/puppet_agent module to manage the installed puppet-agent package, use this resource to pin it to version 6.0:
class { '::puppet_agent':
  collection      => 'latest',
  package_version => '6.0.0',
}
If you’re upgrading from a 1.x version of puppet-agent, simply update the package_version when you’re ready to upgrade to the 6.x series.

Enable the Puppet platform repository

Enabling the Puppet platform repository makes the components needed for installation available on your system. 

The process for enabling the repository varies based on your package management system.

Enable the Puppet platform on Yum

Before you begin

Identify the URL of the package you want to enable based on your operating system and version. For details, see Puppet platform location and naming.

Logged in as root, run the RPM tool in upgrade mode:
sudo rpm -U <PACKAGE_URL>
Note: For Enterprise Linux 5, you must download the package before running RPM:
wget https://yum.puppet.com/puppet6/puppet6-release-el-5.noarch.rpm
sudo rpm -Uvh puppet6-release-el-5.noarch.rpm
For example, to enable the Enterprise Linux 7 repository:
sudo rpm -Uvh https://yum.puppet.com/puppet6/puppet6-release-el-7.noarch.rpm

Enable the Puppet platform on Apt

Identify the URL of the package you want to enable based on your operating system and version. For details, see Puppet platform location and naming.

  1. Logged in as root, download the package and run the dpkg tool in install mode:
    wget <PACKAGE_URL>
    sudo dpkg -i <FILE_NAME>.deb
    For example, to enable the Ubuntu 16.04 Xenial repository:
    wget https://apt.puppetlabs.com/puppet6-release-xenial.deb
    sudo dpkg -i puppet6-release-xenial.deb
  2. Update the apt package lists: sudo apt-get update

Verify packages

Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use GPG to verify package signatures.

Tip:
Certain operating systems and installation methods automatically verify package signatures. In these cases, you don’t need to do anything to verify the package signature.
  • If you install from the Puppet Yum and Apt repositories, the release package that enables the repository also installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you install them.

  • If you install a Windows agent using an .msi package, the Windows installer automatically verifies the signature before installing the package.


Verify a source tarball or gem

You can manually verify the signature for Puppet source tarballs or Ruby gems.

  1. Import the public key: gpg --keyserver pgp.mit.edu --recv-key 7F438280EF8D349F
    The key is also available via HTTP.
    Tip:  If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.
    The gpg tool imports the key:
    gpg: requesting key EF8D349F from hkp server pgp.mit.edu
    gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
    gpg: key EF8D349F: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
  2. Verify the fingerprint: gpg --list-key --fingerprint 7F438280EF8D349F

    The fingerprint of the Puppet release signing key is 6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F. Ensure the fingerprint listed matches this value.

  3. Download the tarball or gem and its corresponding .asc file from https://downloads.puppetlabs.com/puppet/.
  4. Verify the tarball or gem, replacing <VERSION> with the Puppet version number, and <FILE TYPE> with tar.gz for a tarball or gem for a Ruby gem: gpg --verify puppet-<VERSION>.<FILE TYPE>.asc puppet-<VERSION>.<FILE TYPE>
    The output confirms that the signature matches:
    gpg: Signature made Mon 19 Sep 2016 04:58:29 PM UTC using RSA key ID EF8D349F
    gpg: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>"
    Tip: If you haven't set up a trust path to the key, you receive a warning that the key is not certified. If you’ve verified the fingerprint of the key, GPG has verified the archive’s integrity; the warning simply means that GPG can’t automatically prove the key’s ownership.
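Steps 2 and 4 above can be scripted so that the result depends on the full fingerprint rather than on reading the short key ID in gpg's human-readable output. This is an added example, not part of the original Puppet documentation; the function names and the sample status line are assumptions made for illustration, and the pinned fingerprint is the one printed on this page.

```shell
#!/bin/sh
# Added example (not from the Puppet docs): pinned-fingerprint checks.
# Fingerprint as printed on this page, with the spaces removed.
PUPPET_FPR=6F6B15509CF8E59E6E469F327F438280EF8D349F

# Step 2: read `gpg --with-colons --fingerprint <KEYID>` output on stdin.
# The first "fpr" record belongs to the primary key; field 10 holds the hex.
key_fpr_matches() {
    awk -F: -v want="$PUPPET_FPR" '
        $1 == "fpr" { ok = (toupper($10) == want); exit }
        END { exit (ok ? 0 : 1) }'
}

# Step 4: read `gpg --status-fd 1 --verify ...` status lines on stdin.
# Succeed only if a VALIDSIG line names the pinned key, either as the signing
# key (field 3) or as the primary key of a signing subkey (last field).
status_has_pinned_sig() {
    awk -v want="$PUPPET_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Hypothetical wrapper: verify_release <file> <file.asc>
# gpg must exit 0 (good signature) AND the signer must be the pinned key.
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_has_pinned_sig
}

# Constructed status line (not real gpg output), used when run without arguments.
SAMPLE_STATUS="[GNUPG:] VALIDSIG $PUPPET_FPR 2016-09-19 1474304309 0 4 0 1 10 00 $PUPPET_FPR"

if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
else
    printf '%s\n' "$SAMPLE_STATUS" | status_has_pinned_sig && echo "sample status: pinned key OK"
fi
```

A signature that is cryptographically valid but made by any other key in the keyring fails the check, which the plain "Good signature" line alone does not guarantee.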

Verify an RPM package

RPM packages include an embedded signature, which you can verify after importing the Puppet public key.

  1. Import the public key: gpg --keyserver pgp.mit.edu --recv-key 7F438280EF8D349F
    The key is also available via HTTP.
    Tip:  If this is your first time running the gpg tool, it might fail to import the key after creating its configuration file and keyring. You can run the command a second time to import the key into your newly created keyring.
    The gpg tool imports the key:
    gpg: requesting key EF8D349F from hkp server pgp.mit.edu
    gpg: /home/username/.gnupg/trustdb.gpg: trustdb created
    gpg: key EF8D349F: public key "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <[email protected]>" imported
    gpg: no ultimately trusted keys found
    gpg: Total number processed: 1
    gpg: imported: 1 (RSA: 1)
  2. Verify the fingerprint: gpg --list-key --fingerprint 7F438280EF8D349F

    The fingerprint of the Puppet release signing key is 6F6B 1550 9CF8 E59E 6E46 9F32 7F43 8280 EF8D 349F. Ensure the fingerprint listed matches this value.

  3. Retrieve the Puppet public key and place it in a file on your node.
  4. Use the RPM tool to import the public key, replacing <PUBLIC KEY FILE> with the path to the file containing the public key: sudo rpm --import <PUBLIC KEY FILE>

    The RPM tool doesn’t output anything if the command is successful.

  5. Use the RPM tool to check the signature of a downloaded RPM package: sudo rpm -vK <RPM_FILE_NAME>
    The embedded signature is verified and displays OK:
     puppet-agent-1.5.1-1.el6.x86_64.rpm:
         Header V4 RSA/SHA512 Signature, key ID ef8d349f: OK
         Header SHA1 digest: OK (95b492a1fff452d029aaeb59598f1c78dbfee0c5)
         V4 RSA/SHA512 Signature, key ID ef8d349f: OK
         MD5 digest: OK (4878909ccdd0af24fa9909790dd63a12)

Verify a macOS puppet-agent package

puppet-agent packages for macOS are signed with a developer ID and certificate. You can verify the package signature using the pkgutil tool or the installer.

Use one of these methods to verify the package signature:
  • Download and mount the puppet-agent disk image, and then use the pkgutil tool to check the package's signature:
    pkgutil --check-signature /Volumes/puppet-agent-<AGENT-VERSION>-1.osx10.10/puppet-agent-<AGENT-VERSION>-1-installer.pkg
    The tool confirms the signature and outputs fingerprints for each certificate in the chain:
    Package "puppet-agent-<AGENT-VERSION>-1-installer.pkg":
       Status: signed by a certificate trusted by macOS
       Certificate Chain:
        1. Developer ID Installer: PUPPET LABS, INC. (VKGLGN2B6Y)
           SHA1 fingerprint: AF 91 BF B7 7E CF 87 9F A8 0A 06 C3 03 5A B4 C7 11 34 0A 6F
           -----------------------------------------------------------------------------
        2. Developer ID Certification Authority
           SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
           -----------------------------------------------------------------------------
        3. Apple Root CA
           SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
  • When you install the package, click the lock icon in the top right corner of the installer.

    The installer displays details about the package's certificate.
