Puppet agent's run environment
Puppet agent runs as a specific user (usually root) and initiates outbound connections on port 8140.
Ports
Puppet’s HTTPS traffic uses port 8140. Your operating system and firewall must allow Puppet agent to initiate outbound connections on this port.
If you want to use a non-default port, you have to change the serverport setting on all agent nodes, and ensure that you change your primary Puppet server’s port as well.
User
Puppet agent runs as root, which lets it manage the configuration of the entire system.
Puppet agent can also run as a non-root user, as long as it is started by that user. However, this restricts the resources that Puppet agent can manage, and requires you to run Puppet agent as a cron job instead of a service.
If you need to install packages into a directory controlled by a non-root user, use an exec to unzip a tarball or use a recursive file resource to copy a directory into place.
When running without root permissions, most of Puppet’s resource providers cannot use sudo to elevate permissions. This means Puppet can only manage resources that its user can modify without using sudo.
Out of the core resource types listed in the resource type reference, only the following types are available to non-root agents:
| Resource type | Details |
|---|---|
| augeas | |
| cron | Only non-root cron jobs can be viewed or set. |
| exec | Cannot run as another user or group. |
| file | Only if the non-root user has read/write privileges. |
| notify | |
| schedule | |
| service | For services that don’t require root. You can also use the start, stop, and status attributes to specify how non-root users can control the service. |
| ssh_authorized_key | |
| ssh_key | |
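The following manifest is an added example, not part of the Puppet documentation, showing how the constraints above shape a catalog applied by a non-root agent: a recursive file resource instead of a package, an exec with no user or group switch, a service controlled through start/stop/status commands, and a cron entry that stands in for the agent service. The home directory, tarball name, module path and application commands are assumptions.

```puppet
# Added example for a non-root Puppet agent. All paths and commands below are
# assumed for illustration; replace them with values from your environment.
$home = '/home/deploy'   # assumed home directory of the user running the agent

# A recursive file resource copies a directory tree into place. No owner, group
# or mode is set, since a non-root agent cannot change ownership anyway.
file { "${home}/app":
  ensure  => directory,
  recurse => true,
  source  => 'puppet:///modules/app/tree',   # assumed module file source
}

# Unpacking a tarball with exec. Deliberately no 'user' or 'group' attribute:
# a non-root agent cannot run commands as another identity. 'creates' keeps the
# exec idempotent so the archive is not re-extracted on every run.
exec { 'unpack-tool':
  command => "tar -xzf ${home}/tool.tar.gz -C ${home}",
  creates => "${home}/tool/bin/tool",
  path    => ['/bin', '/usr/bin'],
}

# A user-level service: start, stop and status tell Puppet exactly which
# commands to use, so no init system privileges are required.
service { 'app':
  ensure => running,
  start  => "${home}/app/bin/app start",
  stop   => "${home}/app/bin/app stop",
  status => "${home}/app/bin/app status",
}

# Because a non-root agent must run from cron rather than as a service, this
# cron resource (owned by the agent's own user, the only kind it can manage)
# schedules a one-shot agent run every 30 minutes.
cron { 'puppet-agent-run':
  command => '/opt/puppetlabs/bin/puppet agent --onetime --no-daemonize',
  minute  => '*/30',
}
```

Apply it once by hand as the unprivileged user with `puppet apply` to confirm every resource is within that user's reach before letting the cron entry take over.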