Updated on May 9, 2017 by UpGuard
So you’ve done your research and settled on Puppet as your configuration management (CM) and automation tool of choice. But it comes in 2 flavors: a commercial enterprise product and a free open-source version. Can free beat fee in this case? Let’s dig into the details to help inform your decision.
Open Source ≠ Free
First, a note regarding open source software: most, if not all, CM tools on the market are open source. Their source code is openly modifiable and redistributable, giving organizations the flexibility to modify the software to fit unique requirements. So while open source equates to software freedom, it does not necessarily mean free of cost. Typically, core functionality comes standard, with other premium features available for purchase (a freemium model). Ultimately it comes down to how the vendor chooses to package its solution. Take Open Source Puppet's arch nemesis/counterpart Open Source Chef as a representative example.
“Wait…” you ask. “Chef has a free open source version of its product?”
It does, in fact—though it might not be readily apparent or referred to as such. According to Chef, it does not market an open source version of its solution, since “there is only one completely free, fully Open Source, Chef Server.” Fair enough, though features like the management console and replication are available at a premium only (or severely limited). Similarly, Puppet Enterprise comes with additional features and official support from Puppet Labs that are absent in the free, open source version.
The Puppet Platform
Puppet was written in Ruby and uses a declarative Ruby-like Domain-Specific Language (DSL) in its command-line environment (pure Ruby support has since been discontinued). It utilizes an idempotent master-agent model consisting of a central controlling server called—appropriately enough—the Puppet Master, and a fleet of agent-controlled nodes.
Idempotence is an important principle when discussing CM tools: it means you can safely run Puppet multiple times, and it will change the system only if the system state does not match the configured state. Another important concept is that the Puppet DSL is declarative: you only need to describe the desired end state(s) of the system, and Puppet sorts out the steps needed to get there. Unlike with an imperative language, you don’t have to figure out all the steps required to achieve the desired end state. Puppet supports all major operating systems – Linux, *nix, Windows, and macOS. This is undoubtedly a major driver for its widespread adoption, as many competing solutions are only available on *nix platforms.
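To make the declarative, idempotent model concrete, here is an added example manifest (not from the original article or from Puppet Labs). The package name, service name and drop-in path are assumptions for a Debian/Ubuntu-style node whose `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf`.

```puppet
# Constructed example: desired state for the SSH daemon on one node.
# Assumed names: package 'openssh-server', service 'ssh' (Debian/Ubuntu style).

# Desired state: the package is installed.
# If it already is, Puppet makes no change on this resource.
package { 'openssh-server':
  ensure => installed,
}

# Desired state: a root-owned drop-in file with exactly this content and mode.
# Puppet compares owner, group, mode and content with what is on disk and
# corrects only the attributes that have drifted.
file { '/etc/ssh/sshd_config.d/50-hardening.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  content => "PermitRootLogin no\nPasswordAuthentication no\n",
  require => Package['openssh-server'],  # ordering is declared, not scripted
  notify  => Service['ssh'],             # restart only when the file changes
}

# Desired state: the service is running now and enabled at boot.
service { 'ssh':
  ensure => running,
  enable => true,
}
```

Running `puppet apply --noop` on this file reports what would change without touching the node. After a real run, a second run reports no changes unless someone has edited the file or stopped the service in between.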
Open Source Puppet
Open source Puppet is free for use and open to modification and customization. You get a comprehensive tool with core CM capabilities and functionality out-of-the-box, and—if you possess the skill set—it can be tweaked and improved upon by modifying its source code directly. You get access to a huge collection of modules: reusable, sharable units of code that can in turn be used to extend Puppet across your infrastructure by automating tasks such as setting up a database, web server, or mail server, among others. So for instance, if you are automating the provisioning and deployment of a new Apache webserver, there’s no need to write your own set of Puppet commands from scratch – simply head over to the Puppet Forge module repository and download whatever you need from the 3,500+ module library.
As a mature, industry-proven technology, Puppet enjoys a sizeable and active user community, a plethora of excellent free documentation, and other related online resources such as wikis and mailing lists. However, Open Source Puppet lacks the nifty management GUI available in the Enterprise offering—widely regarded as the best in its class. Granted, the CLI can still do everything the GUI can, but the latter does make life much easier—especially for newbies trying to learn the system. Seasoned ops staff desiring a quick, visual way to implement and monitor deployments for large setups also appreciate the centralized GUI dashboard. In fact, many choose to implement Foreman as a competent, free GUI to interface with Puppet. We’ve covered Foreman in depth previously, so be sure to check out our take on the popular orchestration platform. Given the above, Open Source Puppet is predominantly used in smaller infrastructures and deployments.
For more information regarding Foreman, check out our Foreman vs. SaltStack comparison.
Considering you get core Puppet functionality for free in the open source version, why on earth would you opt for the Enterprise version? There are always trade-offs when you choose to build versus buy. Many enterprises start with the open source version only to realize they don’t have the time or resources to maintain the deployment, or they need additional capabilities which they have to build and maintain themselves.
The following are some of the more popular reasons large organizations choose Puppet Enterprise:
1. Packaging: Puppet Enterprise includes more than 40 open source projects (MCollective, Facter, Hiera, etc.) in a straightforward installer. This saves teams precious time in packaging and managing dependencies for their Puppet deployments.
2. Out-of-the-box Scalability: Puppet Enterprise is stable, tested and hardened and includes a multi-master installer for large deployments.
3. User Interface: An intuitive, visual environment containing an extensive collection of highly useful features—dashboards for easy monitoring, advanced reporting capabilities, alerting capabilities, a unified installer, and the ability to deploy agents with just a few mouse clicks. And again, the GUI is a much more useful interface for both newbies wishing to learn Puppet and busy ops folks looking to avoid typing out repetitive commands.
a. Puppet Node Manager - A rules-based node classifier that groups nodes based on key characteristics, such as operating system, geographic location and business unit.
b. Puppet Code Manager - Leverages r10k technology to deploy infrastructure changes in a testable and programmatic way. Combined with Jenkins and Puppet Labs' Beaker for acceptance testing, you can apply continuous delivery practices to your infrastructure code.
c. Puppet Configuration Manager - Gain insight into relationships of node configurations to ensure reliable deployments. You can visualize and easily map relationships across the resources on a node for troubleshooting purposes.
a. RBAC - Important for large, distributed teams, RBAC allows you to safely delegate tasks to individuals and groups. Puppet Enterprise integrates directly with directory services such as Active Directory and OpenLDAP.
b. Reporting - Puppet Server Reporting collects a wide variety of metrics about your Puppet Server health and performance including active requests, request duration, execution times and compilation load.
c. Event Inspection - Digests thousands upon thousands of pieces of information generated by Puppet Enterprise and visualizes changes by nodes, classes and resources so you know exactly what changed, where and how.
6. Supported Modules: Enterprise customers can call support when they need help with any one of the Puppet Supported modules. Supported modules include critical services such as Apache, MySQL, NTP, F5, Windows Registry, Docker, AWS, and more. Some modules, such as the SQL Server and VMware vSphere modules are available only for Puppet Enterprise.
7. Automated Provisioning: Support for automated provisioning of containers, cloud, VMs and bare metal.
8. Official Puppet Labs Support: Enterprises commonly shy away from open source offerings because of a perceived lack of official corporate sponsorship and support. For mid-sized and large corporate clients with hundreds or thousands of nodes to manage, the peace of mind that comes with vendor-supported software is indispensable. Product upgrades, maintenance, and training come out-of-the-box with Puppet Enterprise, with support options available in both Standard (9am-5pm, 5 days a week) and Premium (24x7x365) formats.
9. Access to Professional Services: Professional Services can help you with deployment of Puppet Enterprise, upgrades, customization and education. Also, a Puppet Labs Professional Services consultant can evaluate your Open Source Puppet infrastructure and provide best practice recommendations to help migrate to Puppet Enterprise.
Of course, the downside to all these benefits is that it will cost you. Puppet Enterprise is tiered based on the number of managed nodes and the support plan chosen. Pricing ranges from $112 per node/year with a standard support plan to $199 per node/year with the premium plan. For comparison’s sake, a standard subscription for 100 virtual nodes of Red Hat Enterprise Linux Server would be $39,950 per year. More details on pricing are available on Puppet Labs’ pricing page.
In this case, free beats fee only if Puppet Enterprise’s additional features and benefits listed above don’t apply to your use case. Smaller, developer-centric setups and “one-off” projects are best suited for Open Source Puppet, but require greater technical proficiency to successfully manage. And though it lacks a competent GUI, Open Source Puppet can be augmented with free tools like Foreman for easy, visual management of nodes and resources. On the other hand, enterprises that need enterprise-grade support and management capabilities would no doubt be better served by Puppet Enterprise’s time-saving GUI, out-of-the-box scalability, thoroughly tested releases, and robust applications and features, among others.
*Special thanks to Puppet Labs for the in-depth product information and updates/clarification regarding the information in this article.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.