Puppet's services: Puppet agent on Windows systems
Included in Puppet Enterprise 2017.2. A newer version is available; see the version menu above for details.
For details about invoking the Puppet agent command, see the puppet agent man page.
Puppet agent’s run environment
Puppet agent runs as a specific user, (defaulting to
LocalSystem) and initiates outbound connections on port 8140.
By default, Puppet’s HTTPS traffic uses port 8140. Your operating system and firewall must allow Puppet agent to initiate outbound connections on this port.
If you want to use a non-default port, change the
masterport setting on all agent nodes, and ensure that you’ve changed your Puppet master’s port as well.
By default, Puppet agent runs as the
LocalSystem user. This lets it manage the configuration of the entire system, but prevents it from accessing files on UNC shares.
Puppet can also run as a different user. You can change the user in the Service Control Manager (SCM). To start the SCM, from the Start menu choose “Run…” and type
You can also specify a different user when installing Puppet. To do this, install via the command line and specify the required MSI properties (
Puppet agent’s user can be a local or domain user. If this user isn’t already a local administrator, the Puppet installer adds it to the
Administrators group. The installer also grants Logon as Service to the user.
Managing systems with Puppet agent
In a normal Puppet configuration, every node periodically does configuration runs to revert unwanted changes and to pick up recent updates.
On Windows nodes, there are two main ways to do this:
- Run Puppet agent as a service. The easiest method. The Puppet agent service does configuration runs at a set interval, which can be configured.
- Only run Puppet agent on demand. You can also deploy MCollective to run on demand on many nodes.
Since the Windows version of the Puppet agent service is much simpler than the *nix version, there’s no real performance to be gained by running Puppet as a scheduled task, but if you do want scheduled configuration runs, use the Windows service.
Running Puppet agent as a service
By default, the Puppet installer configures Puppet agent to run as a Windows service and automatically starts it. No further action is needed. Puppet agent does configuration runs at a set interval.
Configuring the run interval
The Puppet agent service defaults to doing a configuration run every 30 minutes. If you don’t need an aggressive schedule of configuration runs, a longer run interval lets your Puppet master server(s) handle many more agent nodes.
# C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf [agent] runinterval = 2h
Once the run interval has been changed, the service sticks to the prior schedule for the next run and then switches to the new run interval for subsequent runs.
Configuring the service start up type
The Puppet agent service defaults to starting automatically. If you’d rather start it manually or disable it, you can configure this during installation.
To do this, install via the command line and specify the
PUPPET_AGENT_STARTUP_MODE MSI property.
You can also configure this after installation with the Service Control Manager (SCM). To start the SCM, choose “Run…” from the Start menu and type
You can also configure agent service with the
sc.exe command. To prevent the service from starting on boot:
C:\>sc config puppet start= demand [SC] ChangeServiceConfig SUCCESS
Important: The space after
start=is mandatory! Also note that this must be run in cmd.exe; this command won’t work from PowerShell.
To restart the service:
C:\>sc stop puppet C:\>sc start puppet
To change the arguments used when triggering a Puppet agent run (this example changes the level of detail that gets written to the Event Log):
C:\>sc start puppet --debug --logdest eventlog
Running Puppet agent on demand
Some sites prefer to only run Puppet agent on demand; others occasionally need to do an on-demand run.
Puppet agent runs can be started locally while logged in to the target system, or remotely with MCollective.
While logged in to the target system
On Windows, you can start a configuration run with the “Run Puppet Agent” Start menu item. This shows the status of the run in a command prompt window.
You must be logged in as an administrator to do this. On Windows 7/2008 and later, Windows asks for User Account Control confirmation when you start a configuration run:
Running other Puppet commands
If you want to run other Puppet-related commands, you must start a command prompt with administrative privileges. (You can do so with either the standard
cmd.exe program, or the “Start Command Prompt with Puppet” Start menu item added by the Puppet installer.)
To do this, right-click the start menu item and choose “Run as administrator:”
This prompts it to ask for UAC confirmation:
Disabling and re-enabling Puppet runs
Whether you’re troubleshooting errors, working in a maintenance window, or simply developing in a sandbox environment, you may need to temporarily disable the Puppet agent from running.
- Start a command prompt with elevated privileges.
Run one of these commands, depending on whether you want to disable or re-enable the agent:
- Disable –
puppet agent --disable "<MESSAGE>"
- Enable –
puppet agent --enable
- Disable –
Configuring Puppet agent on Windows
The Puppet agent comes with a default configuration that may not be the most convenient for you.
Logging for Puppet agent on Windows systems
When running as a service, Puppet agent logs messages to the Windows Event Log. You can view its logs by browsing the Event Viewer. (Control Panel → System and Security → Administrative Tools → Event Viewer)
You can adjust how verbose the logs are with the
log_level setting, which defaults to
When running in the foreground with the
--test options, Puppet agent logs directly to the terminal.
When started with the
--logdest <FILE> option, Puppet agent logs to the file specified by