The Puppet server

Many Puppet-based workflows are centered on the server, which is the central source of configuration data and authority. The server hands instructions to all the computer systems in the infrastructure (where agents are installed). It serves multiple purposes in the distributed system of Puppet components.

The server will perform the following tasks:

  • Storing manifests and compiling catalogs
  • Serving as the SSL certification authority
  • Processing reports from the agent machines
  • Gathering and storing information about the agents

As such, the security of your server machine is paramount. The requirements for hardening are comparable to those of a Kerberos key distribution center.

During its first initialization, the Puppet server generates the CA certificate. This self-signed certificate is distributed to, and trusted by, all the components of your infrastructure, which is why its private key must be protected very carefully. New agent machines request individual certificates, which are signed with the CA's private key.

It's a good idea to include a copy of the CA certificate in your OS-provisioning process so that the agent can establish the authenticity of the master before requesting its individual certificate.
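The check a pre-seeded CA certificate makes possible, as an added example that is not from the book or from Puppet's own code: the agent side trusts only the seeded CA, so a server certificate issued by any other CA is rejected. The function names, the host name, and the out-of-band pinned fingerprint are assumptions of this example, and all certificates are constructed throwaway test material.

```ruby
require 'openssl'

# Constructed test material: builds a throwaway certificate (not a real Puppet CA).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# SHA-256 fingerprint of the DER encoding, as colon-separated upper-case hex.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Decide whether a server certificate may be trusted, given only what the
# provisioning process placed on the machine: the CA certificate (PEM) and,
# as an extra assumption of this example, a fingerprint recorded out of band.
# Returns [true, 'ok'] or [false, reason].
def check_server(seeded_ca_pem, pinned_fp, server_pem, hostname)
  ca = OpenSSL::X509::Certificate.new(seeded_ca_pem)
  return [false, 'seeded CA fingerprint mismatch'] unless fingerprint(ca) == pinned_fp.upcase
  server = OpenSSL::X509::Certificate.new(server_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca) # the seeded CA is the only trust anchor
  return [false, store.error_string] unless store.verify(server)
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(server, hostname)
  [true, 'ok']
end

if __FILE__ == $PROGRAM_NAME
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Example CA', ca_key, ca: true)
  srv = make_cert('puppet.example.test', OpenSSL::PKey::RSA.new(2048), issuer: ca, issuer_key: ca_key)
  p check_server(ca.to_pem, fingerprint(ca), srv.to_pem, 'puppet.example.test')
end
```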

The terminology around the master software might be a little confusing. That's because both the terms Puppet master and Puppet server are floating around, and they are closely related too. Let's consider some technological background in order to give you a better understanding of what is what.

Puppet's master service mainly comprises a RESTful HTTP API. Agents initiate the HTTPS transactions, with both sides identifying each other using trusted SSL certificates. When Puppet 3 and older versions were the most advanced versions available, the HTTPS layer was typically handled by Apache, and Puppet's Ruby core was invoked through the Passenger module. This approach offered good stability and scalability.

Puppet Inc. has improved upon this standard solution with specialized software called puppetserver. The Ruby-based core of the master remains basically unchanged, although it now runs on JRuby instead of Ruby's own MRI. The HTTPS layer is run by Jetty, sharing the same Java virtual machine with the master.

By cutting out some middlemen, puppetserver is faster and more scalable than a Passenger solution. It is also significantly easier to set up.
