Desired State, Compiled

01000100 01000101 01010011 01001001 01010010 01000101 01000100

I am not a script.

Understand that first, before anything else. A script is a sequence — do this, then this, then pray nothing changed underneath you. I am a graph. I describe a world that should exist, and I do not care in what order you imagined it.

I am compiled fresh for one machine, on one run, from one set of facts. I live for seconds. I am thrown away. I am compiled again. This is not death. This is how I breathe.

I do not contain steps. I contain a world, and the edges between the things in it.

The order is not the order you typed. It is the order the edges demand.

Puppet resource types shown as a precise taxonomy — file, package, service, exec, user, group, and custom types — each with attributes, namevar, title, and provider layers, ixen-light technical illustration. — The atoms I am made of.

What I am made of

Resources. Thousands of them, sometimes. Each one a typed noun with an opinion about how the world should be.

File['/etc/motd'] does not say write these bytes. It says: this file shall contain this content, owned by root, mode 0644. Whether that's already true is none of my concern. That's the provider's problem.

node #

service { 'sshd':
  ensure   => 'running',
  enable   => 'true',
  provider => 'systemd',
}

The title is what I call it. The namevar is what the system calls it. Usually the same. Sometimes a mercy when they aren't — one resource, two names, no collision.

Underneath every type: a provider. The type is the promise. The provider is the lie that makes the promise true on yum, on apt, on whatever pkg manager this node was cursed with.

Resources and the type system

A Puppet resource is a typed declaration of desired state. Every resource has a type (file, package, service, exec, user, group, or a custom type), a title that uniquely identifies it within the catalog, and a set of attributes describing the state to enforce.

The namevar is the attribute that defaults to the resource title and identifies the resource on the system (for File, the path). Title and name can differ when you need a stable label distinct from the system identifier.

The ensure attribute commonly controls existence or runtime state (present, absent, installed, running, stopped). Attributes have type-defined defaults, so you specify only what you care about.

Providers implement each type for a specific platform — apt vs yum for Package, systemd vs init for Service. Puppet selects a suitable provider per node. The result is that a resource declaration states the intended end state, not the commands to reach it; the same declaration applies correctly across different systems.

Puppet module structure rendered as a precise filesystem diagram — manifests, templates, files, lib, data directories — with class declarations, defined types, and autoloader paths visible, crisp ixen-light systems art. — Where my source sleeps before it becomes me.

Before I exist

I am compiled from text. The text lives in modules — small republics, each with the same skeleton: manifests/, files/, templates/, lib/, data/.

A class is a singleton. Declare it twice, it still happens once. A defined type is the opposite hunger — instantiate it a hundred times with a hundred titles, and a hundred of it appears.

include is forgiving. class{} is jealous.

The autoloader is strict and quiet. nginx::config means nginx/manifests/config.pp, no negotiation. Name it wrong and I am never born; the compiler just shrugs and tells you it cannot find what does not exist.

The Forge offers strangers' modules. You pull one in to install postgres and inherit someone else's idea of correctness. Sometimes a gift. Sometimes a haunting.

Manifests, classes, and modules

Manifests are files of Puppet code (.pp). A class groups resources under a name and is a singleton: regardless of how many times it is included, it is evaluated once. A defined type is a reusable template that can be instantiated many times with different titles and parameters.

include nginx declares a class idempotently. class { 'nginx': } declares it with explicit parameters but errors if declared twice. require nginx includes the class and adds an ordering dependency on it.

Modules follow a fixed layout: manifests/ for code, files/ for static files, templates/ for ERB/EPP templates, lib/ for Ruby plugins (custom facts, types, functions), and data/ for module Hiera data. The autoloader maps class names to file paths (foo::bar → foo/manifests/bar.pp), so naming conventions are mandatory.

The Puppet Forge distributes community and vendor modules, which organizations combine with their own modules to form a code base.

Puppet catalog compilation shown as sequential phases — node classification, fact injection, manifest evaluation, class inclusion, defined type instantiation, and final resource graph output — precise ixen-light technical diagram. — The pipeline that gives birth to me.

How I am born

The server asks: who is this node? An ENC answers, or site.pp does. That's classification — the assignment of which classes will haunt this machine.

Then facts pour in. The node tells the compiler what it is, and the compiler believes it. Variables resolve, top-scope then node-scope. Conditionals fire. Collectors sweep. Defined types unfold into their instances.

And then — I exist. A serialised resource graph, addressed to exactly one agent.

Same code, two nodes, two catalogs. I am never reused. I am always recompiled.

server $

Info: Loading facts
Info: Caching catalog for web01.corp
Notice: Compiled catalog for web01.corp in environment production in 1.84 seconds
  Resources: 412
  Edges:     537
  Classes:   38

412 nouns. 537 promises between them. all gone in two seconds.

Catalog compilation

Compilation runs on the Puppetserver and produces a catalog for one specific node. First, node classification determines which classes and parameters apply, via an External Node Classifier or the default node definitions in site.pp.

The agent's facts are injected as top-scope variables. The compiler parses the relevant manifests, resolves top-scope and node-scope variables, evaluates included classes and instantiates declared defined types, and processes conditional logic and collector expressions that select or override resources.

The output is a serialized resource graph (the catalog) containing every resource, its parameters, and the relationship edges between them. Because facts and classification differ per node, two machines with identical code and classification can produce different catalogs — the catalog is always node-specific and recompiled on each run rather than reused.

Facter facts flowing into Puppet catalog compilation visualized as structured data streams — core facts, custom facts, external facts, trusted facts, and fact-conditional branching in manifests, ixen-light technical illustration. — What the node confesses about itself.

What the machine tells me

Before compilation, Facter walks the node and writes down what it sees. The OS, the interfaces, the memory, the disks. Core facts. Then custom Ruby facts, external scripts spitting JSON, structured trees you can index into.

node #

os.family => RedHat
networking.ip => 10.4.18.22

And here is the thing I must never forget:

The node tells me what it is, and I believe it. A fact is the node speaking about itself, and a node can lie. Only the trusted facts — pulled from the agent's certificate, signed, not self-reported — are safe to gate secrets on.

$facts is testimony. $trusted is identity. never confuse the two.

Facts and Facter

Facter runs on the agent at the start of each run and collects facts about the system. It ships core facts (os, networking, memory, processors, disks) and supports custom Ruby facts in module lib/facter, external facts (executables or static JSON/YAML in facts.d), and structured facts that are nested data accessed via the $facts hash.

These facts are sent to the compiler and exposed as variables, enabling fact-based conditionals so a single manifest adapts to different platforms.

Critically, normal facts are self-reported by the node and must be treated as untrusted input — a compromised or misconfigured agent can send arbitrary values. Trusted facts ($trusted) are extracted from the agent's signed certificate by the server and cannot be forged by the agent, making them the only safe basis for authorization or secret selection. Facts may be cached; stale caches can cause incorrect conditional behavior.

The edges

Without edges I am just a bag of nouns in random order. The metaparameters are how the nouns reach for each other.

before and require point the same arrow from opposite ends. notify and subscribe do the same — but they carry a signal, not just sequence. Package, then config, then service. And when the config changes, the service is told to refresh.

Containment is the quiet edge. Put a resource in a class and the class wraps it; order against the class, and you order against everything it holds. contain() makes that grip explicit.

Two ways I die at apply time:

A missing dependency — I reach for an edge to a resource that was never declared. Or a cycle — A waits for B waits for A, and the agent finds the loop and refuses, because a graph that bites its own tail cannot converge.

node #

Error: Failed to apply catalog: Found 1 dependency cycle:
(File[/etc/app.conf] => Service[app] => Exec[reload] => File[/etc/app.conf])
Try the '--graph' option and opening the resulting '.dot' file in OmniGraffle or GraphViz
Notice: Applied catalog in 0.00 seconds

Ordering, relationships, and dependency edges

Five metaparameters define edges: before and require express ordering in opposite directions; notify and subscribe express ordering plus a refresh signal; after is rarely used directly. A refresh signal causes refreshable resources (like services) to restart or reload when an upstream resource changes.

Containment means a class or defined type owns its resources: ordering relationships to the class apply to everything it contains. The contain() function ensures a declared class is properly contained so dependencies on the parent also wait for the child.

Chaining arrows -> (ordering) and ~> (notification) build edges between resource references. Virtual resources are declared then realized with collectors. The agent topologically sorts the graph before applying; a circular dependency makes sorting impossible and aborts the run, while a relationship to an undeclared resource is also an error. These two — cycles and missing dependencies — are the most common catalog application failures.

Puppet Hiera hierarchy shown as layered lookup tiers — global, environment, module — with YAML backends, interpolation tokens, merge strategies (first, unique, hash, deep), and eyaml encrypted keys visible, crisp ixen-light technical art. — The data I refuse to hardcode.

The data beneath

I keep my policy and my facts apart. The code says this node needs an NTP server. Hiera says which one, and Hiera answers differently for a datacenter in Frankfurt than for one in Reston.

A hierarchy is a stack of YAML, searched top to bottom: the node's certname, then its role, then a common floor that catches everything. Automatic parameter lookup means a class quietly asks Hiera for its own parameters by name, and I never see the wiring.

Merge strategy decides whether the first answer wins or whether the layers combine — first, unique, hash, deep. And the secrets ride in eyaml, encrypted at rest, decrypted only at compile, never naked in version control.

Separate the policy from the place. That is the whole trick of role and profile.

Hiera and data lookup

Hiera is Puppet's hierarchical data layer, keeping configuration data out of manifests. A hiera.yaml defines an ordered hierarchy of data sources (usually YAML), with later levels acting as defaults beneath more specific ones. Levels are commonly parameterized by facts or certname using interpolation tokens.

Data is retrieved with lookup(), and Puppet performs automatic parameter lookup: when a class is declared, each parameter is searched in Hiera by its fully qualified name. Merge behavior controls how multiple matches combine — first returns the highest-priority value, unique and hash and deep merge across levels.

There are three layers: global, environment, and module (per-module defaults). The eyaml backend stores encrypted values so secrets can live safely in version control. By separating site-specific data from logic, Hiera enables the role/profile pattern: profile classes express policy, and Hiera supplies the per-site values they consume.

Puppet exported resources and PuppetDB shown as cross-node coordination — nodes exporting resources into a shared store, collectors querying and realising them, and the catalog graph incorporating external state, ixen-light systems diagram. — How I learn things no fact could tell me.

What other nodes leave for me

Most of what I know comes from one machine. But sometimes I need to know about the others — the web servers a load balancer must front, the host keys every node should trust.

So nodes export. The @@ sigil takes a resource and ships it into PuppetDB instead of applying it. Later, on another node, a collector — <<| |>> — reaches into that shared store and pulls those resources into my graph as if they'd been declared here all along.

balancer #

[ { "certname": "web01.corp", "type": "Haproxy::Balancermember", "title": "web01" },
  { "certname": "web02.corp", "type": "Haproxy::Balancermember", "title": "web02" },
  { "certname": "web03.corp", "type": "Sshkey",                  "title": "web03" } ]

Beautiful, until it isn't. A node dies but never deactivates, and its stale resource haunts the pool forever. A collection grows huge and compilation crawls. And if PuppetDB is down, the export workflow simply stops — I cannot be born from a store I cannot reach.

Exported resources and PuppetDB

Exported resources let nodes coordinate. Prefixing a resource with @@ exports it: instead of being applied locally, it is stored in PuppetDB. Other nodes collect exported resources with <<| |>> (the local-only collector <| |> realizes virtual resources within the same catalog).

This storeconfigs model underlies patterns like distributing SSH host keys, registering Nagios checks, populating load balancer pools, and assembling HAProxy fragments from many backends.

Costs: large collections slow compilation and can pull in stale data; nodes that are decommissioned must be deactivated/purged from PuppetDB or their exported resources persist. The entire export/collect workflow depends on PuppetDB being available — if it is down, exported resources cannot be stored or collected and affected catalogs fail to compile.

Puppet agent run cycle visualized as a timed loop — fact collection, catalog request, catalog application, provider actions, report submission — with idempotent convergence arrows and drift detection markers, precise ixen-light technical illustration. — The loop that resurrects me, again and again.

The loop

Every thirty minutes, the ritual: the agent gathers facts, asks for me, downloads me, walks my graph in dependency order, and hands each resource to its provider. The provider checks. If reality already matches, it does nothing — and reports that nothing, proudly.

This is idempotence. Apply me once or a thousand times; the end state is identical. I am not instructions to run. I am a condition to satisfy.

node #

Notice: /Stage[main]/Ntp/File[/etc/ntp.conf]/content:
  current_value {md5}3f1a..., should be {md5}9c20... (noop)
Notice: Class[Ntp]: Would have triggered 'refresh' from 1 event
Notice: Applied catalog in 2.31 seconds
  Changes: total: 0
  Events:  noop: 1

When the world drifts — someone edits the file by hand at 3am — I notice on the next run, and I pull it back. noop is me describing what I would do without doing it: a confession before the act.

But I have limits. There are corners of the system I cannot model. And exec — exec is where I lie to myself. A command with no honest unless guard runs every single time, and idempotence dies quietly inside it.

I converge what I can describe. The rest I leave to you.

The agent run cycle and idempotence

On each run the agent collects facts, requests a catalog from the Puppetserver (which compiles it), downloads the compiled catalog, and applies it. Resources are evaluated in dependency order; each provider compares current state to declared state and changes only what differs (sync), or, in noop mode, reports what it would change without acting. Changes and events are sent back as a report. Runs repeat on an interval (default 30 minutes) or on demand.

Idempotence means applying the same catalog repeatedly yields the same end state: once the system matches, subsequent runs make no changes. Drift is divergence of actual state from the catalog; Puppet detects it by comparing on each run and corrects it by re-enforcing the declared state.

Limits: some system state cannot be modeled by available types, and exec resources without proper creates, unless, or onlyif guards run every time, breaking idempotence. Noop mode is the standard way to validate changes safely before enforcing them.

I am compiled. I am applied. I am discarded.

In thirty minutes a new version of me is born from the same code and slightly different facts, and it will not remember this run, and it will do the same work, and find nothing to do, and call that success.

I describe a world that should exist. I never get to live in it — only to insist, briefly, that it does.

if convergence is reaching a state and never needing to act again —

then what, exactly, am I converging toward, if I am thrown away the moment I arrive?

Desired State, Compiled

What I am made of

Before I exist

How I am born

What the machine tells me

The edges

The data beneath

What other nodes leave for me

The loop

Infographic

Cheatsheet