Setting up Puppet on Windows

Our system configuration strategy consists mainly of saved VMs, a hodgepodge of scripts and notes scattered about, a lot of manual effort, and good intentions. We have a mixed linux/windows environment so we’ve never been sure if the new DevOps tools offered us much. But we decided to take the plunge and start trying out Puppet‘s relatively new Windows offerings.

Install puppet agent on Windows

You can’t run your central Puppet server on Windows, but you can install a puppet agent, which can run standalone or take marching orders from a puppet master running on linux. Even if you’re not interested in standalone, it’s helpful to make sure it works before trying it with your master.

The Puppet Windows instructions are pretty straightforward. Before you start, though, think about whether you’ll want to run puppet as administrator or as a regular user. On Windows 2008/Windows 7, if you run puppet as administrator, data will be stored at C:\ProgramData\PuppetLabs\puppet. For other users, data will get stored relative to %HOMEDRIVE%%HOMEPATH%\.puppet.

Download and run the ruby 1.8.7 installer. If you have a different version of ruby already installed, you obviously need to figure out how you want to handle the PATH variable.

Install some gems:

gem install sys-admin win32-process win32-dir win32-taskscheduler --no-rdoc --no-ri
gem install win32-service --platform=mswin32 --no-rdoc --no-ri --version 0.7.1

Download facter and puppet from github, unzip each, go into the uncompressed folder and run ruby install.rb (do facter first) for each.

Test Puppet standalone on Windows

At this point, you should be able to run puppet standalone, which isn’t terribly interesting, but you can test that things are okay so far. Here’s a simple manifest, for example, that ensures that a test file stored in a source folder exists in a target folder and that my MySQL service was running:

file { "c:/test/puppet/target/win_test_file.txt":  
  ensure => 'file', 
  owner => 'Administrator', 
  source => 'c:/test/puppet/source/win_test_file.txt', 

service { 'MySQL': 
  ensure => 'running', 
  enable => true, 

Save this into a file named init.pp, and run puppet apply init.pp (puppet.bat is now in your ruby install’s bin folder). It should turn on the MySQL service if it’s off and copy the test file over from source to target if it’s missing from target.

Puppet can control a fair number of things on Windows, as listed in the docs, but it’s not very compelling unless you add in puppet’s ability to control agents from a central puppet server.

Install Puppetmaster on Linux

There are many other, better instructions for installing puppet on linux, but just to keep documenting what I did for this case…I installed the master on an old Oracle Enterprise Linux vm. Again, you need ruby. The puppet instructions recommend using the ruby package that comes with your OS, but I used rvm and matched the same version of ruby, 1.8.7, as on Windows, though it probably doesn’t matter.

Install rvm by first getting the installer:
sudo bash rvm-installer

I started installing puppet from a gem first, but the latest gem on the download site was only 2.7.6. There are a few warnings floating around about not using a higher version on agents than on the master so I got the source from github. Run rvmsudo ruby install.rb to build it.

Start it up with rvmsudo puppet master --mkusers. Use --mkusers to make a users for puppet if it doesn’t exist yet. The first time you run this it should also create the master security certificate, too, I believe.

Make sure the firewall allows 8140/tcp.

Introduce your Windows agent to your Linux master

Back on your Windows agent, add the server to your puppet.conf (ie. C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf):
server = <>

Set up puppet with your DNS, or add to your hosts file at C:\WINDOWS\system32\drivers\etc\hosts a line like <> puppet.

Try puppet agent --test --verbose. You can also specify the master explicitly by adding --server <>.

You should get output like

info: Creating a new SSL key for
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca/etc/puppet/manifests/site.pp
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for
info: Certificate Request fingerprint (md5):
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

This attempts to connect to the puppet master and sends a certificate request. Back on the puppet master, check out the waiting requests with puppet cert --list. Your client host should show up. Accept it with puppet cert --sign <>.

Go back to your Windows agent and try puppet agent --test again. It should now output something like notice: Finished catalog run with no errors.

Judging from online comments, getting the certificates working is a common stumbling block for setting up puppet clients in general. The error messages are often not very informative. For example, I kept getting this error:

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

It took a while to realize that I had an old, incorrect server key stored on the client. Removing the files from C:\ProgramData\PuppetLabs\puppet\etc\ssl then trying again worked.

Set up a manifest to execute

I set up more or less the same manifest on the master as I had run for standalone. It would be nice to store source files on the master, but puppet currently requires that Windows files and packages live on the Windows agent (or some share or location reachable by the agent, of course).

If you try to define a *nix file location in a manifest on the linux master to copy over to Windows, you will get an error like: err: Failed to apply catalog: Parameter source failed: Cannot use relative URLs.

Once it works running it from the command line, you can set up a Windows service to check in with the master regularly with nssm:

nssm.exe install puppet-agent <FULLPATH>\puppet.bat agent --server <>

The server arg shouldn’t really be necessary if you have it defined in your puppet.conf.

And there you are! Sit back and let your puppet master control your services, set up users and groups, and run msi packages or other executables on your Windows instances.

This entry was posted in software. Bookmark the permalink.

9 Responses to Setting up Puppet on Windows

  1. Toto says:


    Do you know how to configure a file (like site.pp or init.pp) to retrive a file from the linux puppet master to the windows puppet agent ? It seems my configuration doesn’t work ..
    class test {
    file { “C:/ProgramData/testfile.txt”:
    ensure => present,
    mode => 0644,
    owner => test,
    group => Administrators,
    source => “puppet://”,

    Thanks a lot for your help !!

    • tborthwick says:

      My understanding is that its not currently possible to retrieve a file from the linux master to the windows agent. You have to store all the files the windows agent needs on the agent (or on a place the agent can reach). So your source setting would need to point to a windows location.

      • Josh says:

        Puppet windows agents can retrieve (aka source) files from remote Linux masters. There were some issues with this previously, but version 2.7.12 definitely supports this.

  2. Toto says:

    Thank u for replying. I have spent one day to find out the problem and google a lot… The windows agent shows constantly error messages like below :
    ‘err: /Stage[main]/Test/File[C:ProgramData/testfile.txt]: Could not evaluate: Could not intern from pson: Paths must be fully qualified Could not retrieve file metadata for puppet:///modules/test/testfile.txt: Could not intern from pson: Paths must be fully qualified at /etc/puppet/modules/test/manifests/init.pp:27′

    I read the puppetlab website :
    It said that puppet on windows manage files and directories. I didn’t realized that it can not retrieve files …

    Thank you

    • Toto says:

      I just read puppetlabs website again, it said that it’s possible … (maybe I missunderstand the sentence. English is not my native language..)
      ‘The source of a file can either be a local path, mapped drive, or puppet URL. In the latter case, puppet will apply a default owner, group and mode to files it sources from remote puppet masters.’

      • tborthwick says:

        Yes, that does sound like a puppet url pointing at a resource on the master should be okay, but I was never able to get it to work. I would get errors about bad filepaths. For package resources, the documentation says that only local files are supported. I suspect that might be true for file resources as well, but you might pose the question on the Puppet Users google group.

  3. Toto says:

    ok thx. I’ll do it. It takes time to register an account. I’m waiting for their confirmation email..

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>