
Puppet is configured in an agent-server architecture, in which a primary server node controls configuration information for a fleet of managed agent nodes.

Note: Previous versions of Puppet offered a standalone architecture, in which agents compiled their own catalogs using the Puppet apply application. We no longer recommend this configuration, because it's challenging to maintain and secure.

Server-agent communication follows this pattern:
  1. An agent node sends facts to the primary server and requests a catalog.

  2. The primary server compiles and returns the node’s catalog using the sources of information the primary server has access to.

  3. The agent applies the catalog to the node by checking each resource the catalog describes. If it finds resources that are not in their desired state, it makes the changes necessary to correct them. Or, in no-op mode, it assesses what changes would be needed to reconcile the catalog.

  4. The agent sends a report back to the primary server.

Communication and security in agent-server installations

Puppet primary servers and agents communicate by HTTPS using SSL certificates.

Puppet includes a built-in certificate authority for managing certificates. Agents automatically request certificates through the primary server's HTTP endpoint, and you use the puppetserver ca command to inspect requests and sign new certificates.
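What inspecting a request before signing can involve, as an added example rather than Puppet's own code: it builds a constructed certificate signing request (CSR) with Ruby's OpenSSL bindings and approves it only if its self-signature, common name, and SHA-256 fingerprint match values obtained from the agent node out of band. The helper names, the sample certname agent01.example.com, and the colon-separated fingerprint format are assumptions.

```ruby
require "openssl"

# Constructed sample input: a CSR like the one an agent would submit.
def build_csr(certname)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  csr
end

# Digest of the DER-encoded request, shown as uppercase hex pairs joined by
# colons (assumed display format).
def csr_fingerprint(csr)
  OpenSSL::Digest.new("SHA256").hexdigest(csr.to_der).upcase.scan(/../).join(":")
end

# Accept fingerprints with or without a "(SHA256)" prefix, in any letter case.
def normalize(fingerprint)
  fingerprint.sub(/\A\(\w+\)\s*/, "").delete(" ").upcase
end

# Approve only if the requester holds the private key, the name is the one
# expected, and the fingerprint matches what was read on the agent itself.
def safe_to_sign?(csr, expected_certname, fingerprint_from_agent)
  return false unless csr.verify(csr.public_key)
  cn = csr.subject.to_a.find { |name, _value, _type| name == "CN" }&.fetch(1)
  return false unless cn == expected_certname
  csr_fingerprint(csr) == normalize(fingerprint_from_agent)
end

if __FILE__ == $PROGRAM_NAME
  genuine  = build_csr("agent01.example.com")
  reported = "(SHA256) " + csr_fingerprint(genuine)
  # A second request reusing the same certname but a different key pair.
  lookalike = build_csr("agent01.example.com")
  puts "genuine request:   #{safe_to_sign?(genuine, 'agent01.example.com', reported)}"
  puts "lookalike request: #{safe_to_sign?(lookalike, 'agent01.example.com', reported)}"
end
```

Because the certname in a request is chosen by whoever submits it, the fingerprint comparison is the step that ties a pending request to a specific node's key.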
