Puppet apply's run environment

Main manifest

Like the primary Puppet server application, Puppet apply uses its settings (such as basemodulepath) and the configured environments to locate the Puppet code and configuration data it uses when compiling a catalog.

The one exception is the main manifest. Puppet apply always requires a single command line argument, which acts as its main manifest. It ignores the main manifest from its environment.

Alternatively, you can write a main manifest directly using the command line, with the -e option. For more information, see the puppet apply man page.

User

Puppet apply runs as whichever user executed the Puppet apply command.

To manage a complete system, run Puppet apply as:

• root on *nix systems.

• Either LocalService or a member of the Administrators group on Windows systems.

Puppet apply can also run as a non-root user. When running without root permissions, most of Puppet’s resource providers cannot use sudo to elevate permissions. This means Puppet can only manage resources that its user can modify without using sudo.

Of the core resource types listed in the resource type reference, the following are available to non-root agents:

To install packages into a directory controlled by a non-root user, you can either use an exec to unzip a tarball or use a recursive file resource to copy a directory into place.

Network access

By default, Puppet apply does not communicate over the network. It uses its local collection of modules for any file sources, and does not submit reports to a central server.

Depending on your system and the resources you are managing, it might download packages from your configured package repositories or access files on UNC shares.

If you have configured an external node classifier (ENC), your ENC script might create an outbound HTTP connection. Additionally, if you’ve configured the HTTP report processor, Puppet agent sends reports via HTTP or HTTPS.

If you have configured PuppetDB, Puppet apply creates outbound HTTPS connections to PuppetDB.

Logging

Puppet apply logs directly to the terminal, which is good for interactive use, but less so when running as a scheduled task or cron job.

You can adjust how verbose the logs are with the log_level setting, which defaults to notice. Setting it to info is equivalent to running with the --verbose option, and setting it to debug is equivalent to --debug. You can also make logs quieter by setting it to warning or lower.

When started with the --logdest syslog option, Puppet apply logs to the *nix syslog service. Your syslog configuration dictates where these messages are saved, but the default location is /var/log/messages on Linux, and /var/log/system.logonMac OS X.

When started with the --logdest eventlog option, it logs to the Windows Event Log. You can view its logs by browsing the Event Viewer. Click Control Panel -> System and Security -> Administrative Tools -> Event Viewer.

When started with the --logdest <FILE> option, it logs to the file specified by <FILE>.

Reporting

In addition to local logging, Puppet apply processes a report using its configured report handlers, like a primary Puppet server does. Using the reports setting, you can enable different reports. For more information, see the list of available reports. For information about reporting, see the reporting documentation.

To disable reporting and avoid taking up disk space with the store report handler, you can set report = false in puppet.conf.