I need to use Puppet, a system to configure linux boxes (add the right users, install and configure the right services, make sure the right things are running and the wrong things not). Puppet seems good, better than cfengine.

So I read the existing configuration, which seemed to make sense but left a lot of open questions, read the the documentation, felt little wiser, and bought a book (Pulling strings with Puppet by James Turnbull) and it didn't answer my questions, either. Instead it told me how to wget; configure; make; make install, just like every other book does when the publisher tells the author to add more pages.

In all fairness, the book does get a lot of things right. The examples are good. Only one example shows an incorrect script and in that case it's justified. Few books do as well. The blah­blah about configure­make­makeinstall is briefer than in many other books. And it did answer one of my important questions.

My first questions, and their answers:

What variables does puppet provide? Most of the variables are pulled from facter, and (the book says) just running facter gives you a list on stdout (and does nothing else).

There are more variables, however, it's best to stick to the ones facter provides. Using anything else seems to lead to hacky configurations, and puppet provides clean/better ways now.

What services etc. are in stock puppet? None, more or less. All the examples that talk about service sshd require that you define that service (or download it). There are lots of services to be downloaded, e.g. at puppetforge and github.com/puppet-modules.

However, the generic defaults for services are so good that you may be able to use a service without definining it explicitly. If you're lucky. If not, a line or two to tweak the defaults may do. service --status-all lists the services puppet ought to see.

What services, classes, nodes, etc. are in my puppet? And the answer is: Exactly that which is in the configuration tree, plus something vaguely knowable if puppetmasterd is configured to use LDAP. IMO a good reason to avoid LDAP and store the entire configuration tree in a VCS.

How do I test changes before activating them? There's no really good way. Use version control and manitest, know how to rollback if something doesn't work, and most importantly, monitor that the servers do what they should do.

At some point I want to put together something that looks at two puppet configurations and emits the practical differences. Given the facts presented by each puppetd last time, which hosts would do anything differently with the second configuration, and what?