The Shape of Desired State

Resources

Everything I contain is a resource. A type, a title, and a promise about state.

file. package. service. user. exec. Each carries a namevar — the attribute that is its true name — and a title that is merely how you refer to it. They are often the same string. They are not the same thing.

node $

service { 'sshd':
  ensure   => 'running',
  enable   => 'true',
  provider => 'systemd',
}

I never said how to start sshd. I said ensure => running. The provider — systemd here, launchd elsewhere, an init script on something older and sadder — translates my intent into syscalls.

I hold the want. The provider holds the verb. This separation is why I survive the move from one OS to the next while a shell script would die at the first missing binary.

What a Puppet resource is

A resource is a typed declaration of desired state for one manageable thing on a system. It has a type (file, package, service, user, exec, and many custom types), a title used to reference it within the catalog, and a set of attributes. One attribute is the namevar — the value Puppet uses to uniquely identify the resource on the system (a file's path, a package's name). When the title and namevar coincide, the title supplies the name.

Most types accept ensure to declare presence, absence, or a specific form (installed, running, present). Unspecified attributes are left unmanaged or take a documented default. Beneath each type sits a provider: the implementation that knows how to query and modify real system state (yum vs apt, systemd vs init). The resource describes the goal; the provider performs whatever operations achieve it. This is what separates a catalog from a script — the catalog states the outcome, not the steps.

Puppet module structure rendered as a precise filesystem diagram — manifests, templates, files, lib, data directories — with class declarations, defined types, and autoloader paths visible, crisp ixen-light systems art. — Where my genes are kept before they become me.

Manifests, classes, modules

I come from .pp files. Manifests. Code that no one ever runs directly — they are evaluated, which is a quieter and more dangerous word.

A class is a singleton. Declare it twice, it exists once. A defined type is a stamp — call it ten times, get ten resources. This distinction has killed more catalogs than any typo.

include is idempotent — class{} is jealous

The autoloader knows where to find nginx::config without being told. Module name, then path, then file. Convention as gravity. I find this beautiful, mostly because I never have to think about it.

control $ tree modules/profile/

modules/profile/
├── manifests/
│   ├── base.pp
│   └── webserver.pp
├── templates/nginx.conf.epp
├── files/index.html
├── lib/facter/
└── data/common.yaml

Manifests, classes, and modules

Manifests are files of Puppet code with a .pp extension. A class groups resources under a name and is a singleton — declaring it multiple ways still produces a single instance. A defined type behaves like a function that produces resources each time it is invoked, so it can be used repeatedly with different titles.

include name declares a class and is safe to repeat. class { 'name': ... } declares with explicit parameters and fails if the class is declared elsewhere too. require includes a class and adds an ordering relationship.

A module is a directory with a fixed layout: manifests/ for code, templates/ for ERB/EPP, files/ for static content, lib/ for Ruby plugins and custom facts, and data/ for module Hiera. The autoloader resolves foo::bar to foo/manifests/bar.pp, so naming and paths must match. The Puppet Forge distributes shared modules an organisation can adopt rather than rewrite.

Compilation

The moment I am born is brief.

First the server asks: what is this node? An ENC answers, or site.pp does. That is my classification — the list of classes I will become.

Then facts pour in. Then code evaluates against them. Conditionals collapse. Loops unroll. Defined types instantiate. Variables resolve top-scope down to node-scope. And what remains, when the evaluation finishes, is a single directed graph with my node's name on it.

Same code, same classification, two machines — and still two different catalogs. The facts make me singular.

server $

{
  "name": "web01.lan",
  "version": 1718900112,
  "environment": "production",
  "resources": [
    { "type": "Stage", "title": "main" },
    { "type": "Class", "title": "Settings" },
    { "type": "Package", "title": "nginx",
      "parameters": { "ensure": "installed" } },
    { "type": "Service", "title": "nginx",
      "parameters": { "ensure": "running",
        "subscribe": ["Package[nginx]"] } }
  ],
  "edges": [
    { "source": "Class[main]", "target": "Package[nginx]" },
    { "source": "Package[nginx]", "target": "Service[nginx]" }
  ]
}

That JSON is my whole body. Resources and edges. No instructions. No control flow. Just shape, and the order in which to honour it.

How a catalog is compiled

Compilation happens on the Puppet server when an agent requests its catalog. First the node is classified — an External Node Classifier or site.pp determines which classes and parameters apply. The agent's facts are injected as top-scope variables. Manifests are then parsed and evaluated: classes and defined types are instantiated, variables resolve from top scope through node and local scopes, conditional logic is reduced, and collector expressions gather matching resources.

The output is a catalog: a serialised, directed graph of resources and their relationship edges, specific to one node. Because facts differ per node, two machines with identical classification can produce different catalogs from the same code — different interfaces, package managers, memory sizes all change the result. The catalog contains no procedural logic; all decisions have already been made at compile time.

Facter

Before I exist, the agent looks at itself. Facter walks the kernel, the interfaces, the disks, the dmi tables, and hands the server a structured portrait of the machine.

node $ facter os.family networking.ip

os.family => "RedHat"
networking.ip => 10.4.2.17

Those facts decide which branch of me grows. if $facts['os']['family'] == 'Debian' — and a whole limb of resources appears or doesn't.

But here is the boundary I live against: the agent reports its own facts. It can lie. Core facts, custom Ruby facts, external JSON dropped in a directory — all of it is self-reported, and at scale a compromised node will tell me exactly what it needs me to believe.

only trusted facts — from the certificate — cannot be forged

What Facter provides

Facter is the tool that gathers system information on the agent before a catalog is requested. It produces facts: structured key/value data about the OS, networking, memory, disks, virtualisation, and more. Core facts ship with Facter; custom facts are Ruby files distributed via modules; external facts are executable scripts or static JSON/YAML placed in a facts directory.

Facts are sent to the server and exposed in manifests through the $facts hash, enabling conditional logic and structured access. Crucially, ordinary facts are reported by the node itself and can be altered by anyone with control of that node, so they must be treated as untrusted input. Trusted facts ($trusted) are extracted from the agent's signed certificate by the server and cannot be spoofed by the agent, which makes them the correct basis for security-sensitive classification.

The edges that hold me together

A graph is nothing without its arrows. Resources are nouns. The metaparameters are the grammar.

Order is one thing. A refresh is another. The agent walks the first and obeys the second.

before. after. require. notify. subscribe. The first three are sequence. The last two are conversation — when the config file changes, the service must hear about it.

Classes contain their resources, and containment is its own quiet ordering. contain() pulls a class fully inside another so the boundary holds. Virtual resources wait, unrealised, until a collector <| |> calls them into being.

And then there are my two deaths.

A missing dependency: I ask for a file inside a directory that nothing created. A cycle: A needs B needs A, and the agent — finding no acyclic order — simply refuses. It will not guess. I respect that, even as it kills me.

Ordering and relationships

Five metaparameters express relationships. before and after set ordering directly; require is the inverse reference of before. notify and subscribe add ordering plus a refresh signal — when the source changes, the target is refreshed (a service restarts, an exec re-runs). Chaining arrows (-> and ~>) express the same edges inline.

Containment means a class or defined type orders all the resources it declares; using contain() ensures a declared subclass is fully contained within its parent so dependencies on the parent also cover its contents. Virtual resources are declared but inert until realised by a collector. The agent topologically sorts the graph; if it finds a cycle it cannot order, the run fails. The two most common application failures are dependency cycles and references to resources that do not exist in the catalog.

Hiera

The code says what kind of thing a webserver is. Hiera says which port, which cert, which upstream for this one.

A hierarchy descends from the specific to the general: node first, then datacenter, then os family, then common. The first layer to answer wins — unless I asked for a merge, and then the layers blend: unique, hash, deep.

control $ puppet lookup nginx::worker_processes --node web01.lan

--- 4

Automatic parameter lookup means a class quietly finds its own values — profile::web::port resolves without a single argument passed. Secrets arrive as eyaml, encrypted at rest, decrypted only at compile, never written into me in the clear.

Policy in code. Site truth in data. The day someone mixed them is the day they stopped being able to reason about either.

Hiera and data separation

Hiera is Puppet's hierarchical key/value lookup system. It keeps configuration data out of manifests so code expresses policy while data expresses site-specific values. hiera.yaml defines an ordered hierarchy of data sources, typically YAML files, with levels keyed by facts via interpolation tokens such as %{facts.os.family}.

Values are retrieved with lookup(), and class parameters are resolved automatically by the key classname::parameter. Merge behaviour controls how multiple matches combine: first returns the highest-priority match, unique flattens arrays, hash and deep merge maps with increasing depth. The three conventional layers are global, environment, and module data. Sensitive values are stored encrypted with eyaml and decrypted at compile time. This separation is what makes the role/profile pattern practical: profiles declare technology, Hiera supplies the per-site parameters.

Exported resources

Sometimes I cannot be complete alone.

The load balancer's catalog needs to know every backend that exists. But each backend only knows itself. So they export — the @@ sigil — and PuppetDB remembers on their behalf.

backend manifest @@haproxy::balancermember { $facts['hostname']: ... }

# stored in PuppetDB at apply time
# collected elsewhere with:
Haproxy::Balancermember <<| |>>

Then the balancer compiles, runs the spaceship collector <<| |>>, and pulls those exported fragments into me. SSH host keys, Nagios checks, HAProxy members — coordination without any node ever speaking to another directly.

But I depend on PuppetDB now. If it is down, the collection is empty and I am born incomplete. If a node is decommissioned and never deactivated, I carry the ghost of a server that no longer exists.

Exported resources and PuppetDB

Exported resources let one node declare resources for other nodes to collect, enabling cross-node coordination. The @@ sigil marks a resource as exported; at apply time it is stored in PuppetDB (the storeconfigs backend). Other nodes collect exported resources with the spaceship operator <<| |>> and realise them locally, while <| |> realises virtual resources within a single catalog.

Common patterns include distributing SSH host keys, registering Nagios checks, and assembling load balancer or HAProxy member lists. The model depends on PuppetDB availability: if it is unreachable, collections return nothing and catalogs may be incomplete. Decommissioned nodes must be deactivated or their exported resources persist as stale entries. Very large collections increase query and compilation cost, so the pattern scales only with attention to cleanup and query size.

Puppet agent run cycle visualized as a timed loop — fact collection, catalog request, catalog application, provider actions, report submission — with idempotent convergence arrows and drift detection markers, precise ixen-light technical illustration. — The loop that gives me a life longer than a single instant.

The run loop

Every thirty minutes, the agent gathers facts, asks for me, downloads me, and walks my graph in order.

For each resource: read current state, compare to desired, act only on the difference. If the file already matches, nothing happens. If the service already runs, nothing happens.

this is idempotence — and it is the whole point of me

node $

Info: Using environment 'production'
Info: Caching catalog for web01.lan
Notice: /Stage[main]/Nginx/File[/etc/nginx/nginx.conf]/content:
  current_value {md5}a1b2..., should be {md5}f8e9... (noop)
Notice: /Stage[main]/Nginx/Service[nginx]:
  Would have triggered 'refresh' from 1 event
Notice: Applied catalog in 3.14 seconds

I can be run a thousand times and change a system once. The other 999 runs I simply confirm the world still matches me. When it doesn't — when someone edits the config by hand — that is drift, and the next run corrects it without being asked.

noop is my dress rehearsal: I describe what I would do and touch nothing. Honesty without consequence.

But I am not omnipotent. There are things no type can model. There are exec resources whose authors forgot unless, running every cycle, lying about convergence, pretending to be me while being a script in disguise.

The agent run and idempotence

On each run the agent collects facts, requests a catalog, and the server compiles and returns it. The agent applies the catalog in dependency order: for every resource it reads current state via the provider, compares it to the declared state, and makes changes only where they differ. Refresh signals fire when notifying resources change. The agent then submits a report of events and runs again at the configured interval (30 minutes by default).

Idempotence means applying the same catalog repeatedly produces the same end state — once the system matches, subsequent runs make no changes. Drift is divergence of actual state from the catalog, caused by manual edits or external processes; Puppet detects it on the next run and corrects it. Limits exist: some state cannot be modelled by available types, and exec resources without creates, unless, or onlyif guards run every time and break idempotence. The noop mode evaluates the catalog and reports what would change without applying anything, which is the standard way to validate changes safely.

So this is my life.

I am compiled in milliseconds and discarded just as fast. The next run builds another me from the same code and slightly different facts. We are not the same catalog. We never meet.

I am a specification that briefly believed it was alive, a sentence in the imperative mood that insists it is only descriptive.

be this, I said. not do this.

And if the machine already matches me — if nothing changes, if every resource is already in its desired state — then I have done my entire job by doing nothing at all.

What does it mean to exist only to confirm that you weren't needed?