Puppet

70 cards — 🟢 17 easy | 🟡 20 medium | 🔴 18 hard

🟢 Easy (17)

1. What is the purpose of the Puppet External Node Classifier (ENC)?

Answer: Core resource types: file, package, service, user, group, exec, cron, mount, notify. Each declares desired state. Resources are idempotent -- Puppet only changes what differs from declared state.

Remember: "Facter gathers FACTS, Puppet uses them." Example: $facts['os']['family'] returns 'Debian' or 'RedHat'.

Example: facter os.family on the command line shows the OS family.

2. What is the role of the Puppet Catalog Compiler?

Answer: Puppet is a declarative configuration management tool. Agent-server model: Puppet Server compiles catalogs, agents apply them. Uses its own DSL for manifests. Key components: manifests, modules, Facter, Hiera, and the catalog.

Example: class profiles::webserver { include nginx; include firewall } — a profile composes multiple modules into a role.

Remember: "Roles = what a node IS, Profiles = what a node DOES."

3. Explain how Puppet integrates with other DevOps tools in the toolchain.

Answer: Facter collects system facts: OS, IPs, memory, CPU, hostname. Access in manifests as $facts['os']['family']. Run facter on CLI to see all. Custom facts extend detection for app-specific data.

Example: class { 'ntp': servers => ['pool.ntp.org'] } — passes the servers parameter to the ntp class.

Remember: "Parameterized classes = reusable modules with knobs."

4. Explain the Puppet data in modules (data in code) approach.

Answer: Manifests (.pp files) contain Puppet code defining resources. Site manifest (site.pp) is the entry point. Node definitions assign classes to specific nodes. Resources declare desired state in Puppet DSL.

5. How can you extend Puppet functionality using custom facts and functions?

Answer: Package resource manages software: ensure => installed, latest, absent, or specific version string. Provider auto-detected per platform (apt, yum). Use ensure => latest cautiously in production.

Example: puppet apply --noop site.pp shows what WOULD change without applying. Always noop before apply in production.

Remember: "noop = dry run = safety net."

6. How can you enforce a specific configuration state using Puppet?

Answer: Service resource: ensure => running/stopped, enable => true/false. Commonly combined with subscribe to restart on config changes. Provider auto-selects (systemd, init, upstart).

Remember: "Augeas = surgical config editing." Instead of replacing entire files, Augeas modifies specific settings.

Example: augeas { 'sshd_config': context => '/files/etc/ssh/sshd_config', changes => 'set PermitRootLogin no' }

7. Explain the Puppet report processors and their significance.

Answer: File resource manages files, directories, and symlinks. Properties: ensure (file/directory/link), source, content, owner, mode. source uses puppet:///modules/name/path for files from modules.

Remember: "PDK = Puppet Development Kit." It generates modules, runs unit tests, and validates metadata.

Example: pdk new module mymodule && cd mymodule && pdk validate

8. What is the purpose of the Puppet catalog?

Answer: Variables use $name syntax and are immutable once set. Scopes: local (class/defined type), node, top-scope ($::variable). Access out-of-scope with $classname::variable. Hiera variables available as class parameters.

9. How do you install Puppet on a system?

Answer: Puppet Forge (forge.puppet.com) hosts community modules. Install with puppet module install. Modules have quality scores and supported/approved badges. Use r10k Puppetfile for version-pinned management.

10. What is the purpose of Puppet environments, and how are they configured?

Answer: User resource: ensure => present/absent. Properties: uid, home, managehome, shell, groups. managehome => true creates the home directory with the user.

Remember: "require = before + auto-subscribe, subscribe = notify in reverse." Both create ordering relationships.

Example: service { 'nginx': subscribe => File['/etc/nginx/nginx.conf'] } — restarts when config changes.

11. What is a Puppet manifest?

Answer: Cron resource manages cron jobs. Properties: command, hour, minute, user, weekday, month. ensure => absent removes the job. Manages entries in user's crontab.

12. What is Hiera in Puppet, and how is it used?

Answer: Notify resource outputs messages during catalog application. Useful for debugging manifest flow. Use puppet agent --test for interactive verbose output with real-time resource status.

Example: puppet resource user root shows the current state of the root user as Puppet code. Useful for reverse-engineering existing configs.

Remember: "puppet resource = read system state as Puppet code."

13. How can you implement Puppet in a high availability (HA) configuration?

Answer: Mount resource: ensure => mounted (mount + fstab), defined (fstab only), unmounted (remove from fstab). Properties: device, fstype, options.

Gotcha: Custom facts must be in lib/facter/ inside a module. They are synced to agents via pluginsync.

Remember: "Facts run on the agent, functions run on the server."

14. How does Puppet support custom resource types and providers?

Answer: Group resource: ensure => present/absent. Properties: gid, members. Use for managing system groups. Often paired with user resources.

Remember: "r10k = Puppet environment deployer." It syncs Git branches to Puppet environments and deploys modules from a Puppetfile.

Example: r10k deploy environment production pulls the production branch.

15. Explain the Puppet resource type and provide examples.

Answer: Host resource manages /etc/hosts entries. Properties: ensure, ip, host_aliases. Useful for local DNS overrides and service discovery in environments without full DNS.

16. What are Puppet modules, and how do they promote reusability?

Answer: Noop mode shows what Puppet would change without applying: puppet agent -t --noop. Reports each resource as in-sync or would-change. Essential for validating changes before production. Can be set in puppet.conf.

17. Explain the Puppet relationships metaparameter and its usage.

Answer: puppet apply runs manifests locally without a server. Useful for testing, bootstrapping, masterless setups. Supports --noop for dry runs.
Example: puppet apply -e 'package { nginx: ensure => installed }'.

🟡 Medium (20)

1. How does Puppet handle conditional execution of resources?

Answer: Puppet uses if/elsif/else, unless, case, and selector statements in manifests. Conditions evaluate Facter facts and variables to control which resources are applied. Example: conditionally install different packages per OS.

Remember: "Puppet = declare the WHAT, not the HOW." You describe desired state; Puppet figures out the steps.

Example: package { 'nginx': ensure => installed } — works on apt, yum, or any supported provider.

2. How does Puppet ensure idempotence in configurations?

Answer: Puppet ensures idempotency through resource abstraction (declare desired state, not steps), catalog compilation (compares current to desired), and idempotent resource types (only act on differences). Repeated runs produce the same result.

Example: A manifest (.pp file) contains resource declarations. site.pp is the main entry point.

Remember: "Manifest = Puppet source code, Catalog = compiled plan."

3. Discuss Puppet's approach to handling secrets and sensitive data securely.

Answer: Standard module layout: manifests/init.pp (main class), templates/ (EPP/ERB), files/ (static), lib/facter/ (custom facts), lib/puppet/ (types/providers), data/ (Hiera), spec/ (rspec tests). Install community modules with puppet module install.

Example: node 'web01.example.com' { include role::webserver } — the catalog compiler matches node names to definitions.

Gotcha: Node names are typically the certname, which defaults to the FQDN.

4. Explain the concept of facts in Puppet.

Answer: Classes group related resources. Parameterized classes accept configuration values. Declare with include nginx or class { 'nginx': workers => 8 }. Parameters can have defaults and type constraints.

Example: File["/etc/nginx/nginx.conf"] ~> Service["nginx"] — the tilde-arrow means "notify" (restart service when file changes).

Remember: "-> = order, ~> = order + notify."

5. How can Puppet be used for managing Docker containers?

Answer: Agent-server workflow: 1) Agent sends facts to server, 2) Server compiles catalog, 3) Agent receives and applies catalog, 4) Agent sends report. Runs every 30 min by default. Catalog is a dependency graph of resources.

Remember: "Hiera = external data, separated from code." Hierarchy: per-node → per-environment → per-OS → common.

Example: In hiera.yaml, hierarchy levels use facts as lookup keys.

6. Discuss the impact of Puppet changes on system performance during a run.

Answer: Puppet supports EPP (Puppet language) and ERB (Ruby) templates. EPP uses <%= $variable %> syntax. Templates live in module's templates/ directory. Prefer EPP over ERB for new code. Pass variables explicitly.

7. Explain the Puppet automatic parameter lookup feature.

Answer: Resource ordering: require (run after), before (run before), notify (trigger refresh on change), subscribe (refresh when dependency changes). Arrow syntax: Package['nginx'] -> File['/etc/nginx.conf'] ~> Service['nginx'].

Remember: "30 minutes is the default agent interval." puppet agent runs as a daemon, checking in every 30 minutes.

Gotcha: For immediate changes, use puppet agent -t (test/one-shot mode).

8. What is Puppet and how does it manage infrastructure configuration?

Answer: Defined types are reusable manifest blocks. Unlike classes, they can be declared multiple times with different titles. Accept parameters like classes. Use for patterns that repeat with different values (e.g., vhosts, users).

9. Explain the difference between Puppet and other configuration management tools.

Answer: External Node Classifiers (ENCs) assign classes and parameters via external scripts/tools. Server calls ENC with certname, receives YAML with classes and parameters. Puppet Enterprise Console, Foreman are common ENCs.

Example: Package['nginx'] -> File['/etc/nginx/nginx.conf'] ~> Service['nginx'] — install, then configure, then restart.

Remember: "The Puppet trinity: Package → File → Service."

10. What is the Puppet Bolt project, and how is it used?

Answer: Exec runs commands (use sparingly, prefer native resources). Use creates, unless, onlyif guards for idempotency. Set refreshonly => true for notification-triggered-only execution. Always specify path.

11. What are the considerations for migrating from Puppet 3 to Puppet 4 or later versions?

Answer: Node definitions in site.pp assign classes to specific nodes by name or regex. Modern approach: use ENCs, Hiera, or role/profile pattern instead of node blocks. node default catches unmatched nodes.

12. What is the Puppet DSL (Domain Specific Language)?

Answer: Roles compose profiles: profiles are technology-specific (profile::nginx), roles are business-function (role::webserver includes profiles). Nodes get exactly one role. Separates technology from business logic.

13. Explain the Puppet best practices for writing maintainable manifests.

Answer: Augeas edits config files using a tree-based API (no regex/full-file replacement). Supports many file formats. Safer than exec sed.
Example: set PermitRootLogin to no in sshd_config.

14. Explain the concept of Puppet facts and how they are collected.

Answer: Puppet supports typed parameters: String, Integer, Array[String], Optional, Enum, Boolean, Hash, etc. Type mismatches cause catalog compilation failure. Enforces correctness at compile time.

15. Describe the architecture of a large-scale Puppet deployment.

Answer: Custom functions add reusable logic. Modern API (Puppet 4+) is type-safe. Write in Ruby, place in lib/puppet/functions/. Call in manifests as module::function_name(). Also supports Puppet language functions.

16. How does Puppet handle dependencies between resources?

Answer: Puppet supports iteration (4+): each, map, filter, reduce, slice. Iterate over arrays and hashes to create resources dynamically.
Example: ['nginx','vim'].each |$pkg| { package { $pkg: ensure => installed } }.

17. What is the purpose of the Puppet Hiera hierarchy?

Answer: Report processors handle agent run reports. Built-in: log, store, http. Custom processors send data to monitoring/alerting systems. Configure in puppet.conf: reports = store,http.

18. How can you integrate Puppet with version control systems like Git?

Answer: Virtual resources are declared but not applied unless realized with realize() or collector syntax (<| |>). Avoids duplicate declaration errors when multiple classes need the same resource.

19. What is the Puppet Resource Abstraction Layer (RAL)?

Answer: Concat module assembles files from fragments contributed by different classes. Each fragment has an order value for sorting. Useful when multiple modules contribute sections to a single config file.

20. Describe the Puppet Master and Puppet Agent components.

Answer: Puppet on Windows: package (MSI/Chocolatey), service, file (NTFS via ACL module), registry_key, scheduled_task, exec (PowerShell), dsc resources. Use $facts['os']['family'] == 'windows' guards for cross-platform modules.

🔴 Hard (18)

1. Describe the differences between Puppet apply and Puppet agent modes.

Answer: Custom types define new resource abstractions; providers implement them per platform. Types define parameters/properties, providers handle create/destroy/exists? methods. Modern alternative: Resource API (Puppet 6+) or Bolt tasks.

Remember: "Puppet Agent pulls, Puppet Server compiles." Agent sends facts → Server compiles catalog → Agent applies catalog.

Example: puppet agent -t triggers an immediate run (test mode).

2. Explain the role of the PuppetDB in a Puppet infrastructure.

Answer: Hiera is Puppet's data lookup system separating data from code. Hierarchy defined in hiera.yaml (per-node, per-OS, common). Automatic parameter lookup: class params match Hiera keys by convention. Supports YAML, JSON, and eyaml (encrypted) backends.

Example: file { '/etc/motd': ensure => file, content => template('mymodule/motd.erb') } uses an ERB template with embedded Ruby.

Gotcha: EPP templates (Puppet language) are preferred over ERB in modern Puppet.

3. Describe the process of using Puppet in a masterless (standalone) mode.

Answer: Puppet environments map to git branches for code isolation. r10k deploys environments from git: Puppetfile declares module versions, r10k deploy environment syncs modules per branch. Enables GitOps workflow for infrastructure code.

Example: environments/production/modules/ vs environments/staging/modules/ — each environment has its own code and data.

Gotcha: Agent environment is set in puppet.conf or via ENC.

4. Discuss Puppet orchestration and its role in complex infrastructures.

Answer: Catalog compilation: Server receives facts, evaluates node classifier/site.pp, resolves Hiera data, compiles all resources into a JSON dependency graph (catalog), sends to agent. Catalogs are cacheable and can be diffed between runs.

Remember: "Module layout: manifests/, files/, templates/, lib/, spec/." The init.pp in manifests/ is the main class.

Example: puppet module generate author-modulename scaffolds the structure.

5. What are exported resources in Puppet, and how are they used?

Answer: Bolt is an agentless orchestration tool. Run commands, scripts, tasks, and plans across nodes via SSH/WinRM without Puppet agent. Plans are YAML or Puppet language workflows. Bolt can apply manifests without a server.

Example: exec { 'apt-update': command => '/usr/bin/apt-get update', refreshonly => true } — only runs when notified.

Gotcha: Exec resources are not idempotent by default — always add unless, onlyif, or creates.

6. How can you troubleshoot and debug Puppet manifests and configurations?

Answer: Test Puppet code with rspec-puppet for unit tests. Pipeline: puppet-lint (style) -> rspec-puppet (unit) -> Litmus/Beaker (integration) -> acceptance tests.
Example: it { is_expected.to contain_package('nginx') }.

7. Explain the role of Puppet roles and profiles in a modular architecture.

Answer: PuppetDB stores catalogs, facts, and reports. Enables exported resources (cross-node config), fact-based queries, and infrastructure-wide reporting. Backed by PostgreSQL. Essential for multi-node orchestration patterns.

8. How does Puppet handle file content updates without replacing the entire file?

Answer: Exported resources let one node define resources applied on others. Uses PuppetDB for storage. Syntax: @@resource_type for export, Resource_type <<| |>> for collection. Common for LB backends, monitoring registration, DNS.

9. How can you implement Puppet code testing and linting in a development workflow?

Answer: Tune Puppet: increase Server JRuby instances, optimize PuppetDB PostgreSQL settings, reduce agent interval for large fleets, minimize Hiera lookup depth, profile slow catalog compilations. Use cached catalogs cautiously.

10. What is the role of the notify resource type in Puppet?

Answer: Debug Puppet: puppet agent -t --debug for verbose output, check /var/log/puppetlabs/. Common issues: duplicate resource declarations, dependency cycles, Hiera lookup failures, certificate problems (puppet ssl clean).

11. How does Puppet handle sensitive data such as passwords?

Answer: Upgrade Puppet: test in dev, check deprecation warnings, update modules for API compatibility, verify Hiera config (v3 to v5 migration), test with --noop, roll out incrementally starting with non-critical nodes.

12. What is the role of Facter in Puppet?

Answer: Deferred functions run on the agent during catalog application (not at compile time). Used for secrets that shouldn't appear in the catalog.
Example: Deferred('vault_lookup::lookup', ['secret/app']). Available since Puppet 6.

13. How does Puppet support role-based access control (RBAC)?

Answer: Scale Puppet: compile masters behind load balancer, tune PuppetDB connection pool, shard PuppetDB for very large deployments, use Code Manager or r10k for code deployment, implement report processors for external reporting.

14. Describe the Puppet Forge. How can modules be shared and obtained from Puppet Forge?

Answer: Puppet uses SSL for all agent-server communication. CA managed by Puppet Server. Key commands: puppetserver ca list/sign, puppet ssl clean. Rotate CA before expiry. Use policy-based autosigning over open autosigning.

15. How do you enforce periodic Puppet agent runs?

Answer: Custom facts: Ruby-based (lib/facter/) with Facter.add, or external facts (drop scripts/files in /etc/facter/facts.d/ as YAML, JSON, or executable). Structured facts return hashes/arrays for complex data.

16. Discuss the use of Puppet with continuous integration/continuous deployment (CI/CD) pipelines.

Answer: Code Manager (PE) automates code deployment from git. Triggered by webhook on push. Deploys environments, installs Puppetfile modules. Open-source alternative: r10k with custom deployment scripts.

17. Explain the differences between include, require, and contain in Puppet.

Answer: Resource API (Puppet 6+) is the modern way to write types and providers. Simpler than legacy type/provider pattern with automatic data type validation. Define attributes declaratively with types and defaults.

18. How does Puppet support multi-cloud or hybrid cloud environments?

Answer: Non-idempotent resources usually involve exec without guards. Fix: add creates, unless, onlyif, refreshonly. Other causes: file resources with dynamic content, notify chains that always trigger, broken provider exists? methods.