Foreman vs Puppet
Abstract shapeAbstract shape
Join 27,000+ cybersecurity newsletter subscribers

A long time ago in a datacenter far, far away, developers and operators were writing specialized scripts by hand to manage IT resources. Configuration management (CM) and automation tools integrated these processes into streamlined solutions for delivering repeatable, rapidly deployable IT environments. Well, times they are a changin’ again, and automation tools have evolved—this time into comprehensive IT lifecycle management platforms for automating resource deployment from bare-metal to the application stack. 

Two such technologies—Puppet and Foreman—offer powerful orchestration and provisioning capabilities to eliminate time-consuming and error-prone processes from soup-to-nuts.


Foreman is an open source tool for complete server lifecycle management. The tool first appeared on the scene 6 years ago and is actively maintained by a core team and supported by a legion of community volunteers and contributors. Written in Ruby on Rails, the tool features a visual interface for GUI-based resource management, integration with leading automation solutions (e.g., Puppet, Chef, SaltStack), a powerful REST API, and more.

Automation tools typically handle the installation/configuration of software, users, and network interfaces, while orchestration solutions like Foreman set up the foundational components from bare metal. In fact, Foreman is commonly used in conjunction with tools like SaltStack or Puppet for creating and managing servers; these tools in turn report back to Foreman with system facts. In essence, Foreman oversees and manages the big picture of infrastructure resource creation, leaving pieces like server automation to the tools that do it best.

Extensible Through Plugins

Foreman is written in Ruby and is highly modular and extensible. Plugins—also written in Ruby—can be authored or installed to give the tool additional capabilities. For example. the Docker plugin enables the management of Docker containers; similarly, its Salt plugin enables integration with SaltStack. Plugins are implemented as Rails engines and packaged as gems.

Smart Proxy Architecture

Foreman’s Smart Proxy Architecture drives the tool's easy integration capabilities. It consists of a powerful REST API for hooking into and extending various subsystems like Puppet, Chef, or SaltStack. Smart Proxy components reside on or near machines that perform specific functions and facilitate Foreman’s orchestration efforts. Smart Proxies support DHCP, DNS, TFTP, as well as connectivity to tools like Puppet and Chef out-of-the-box.


Leading IT automation solution Puppet comes in two flavors: Open Source Puppet and Puppet Enterprise. For an in-depth comparison of the two, check out Open Source Puppet and Puppet Enterprise. For the sake of this comparison, we'll be focusing on Puppet Enterprise and its physical and virtual hardware provisioning solution called Razor.

Puppet Razor fully automates the setup of bare metal servers to be managed by Puppet Enterprise. It takes a physical server "blank slate", provisions an OS or hypervisor on top of it, and turns it over to Puppet Enterprise for further policy-based configuration.

The Razor's Edge

Razor is included as a module (pe_razor) with Puppet Enterprise and consists of a server and client component. The client is installed as a Ruby gem on any machine to be managed by Razor server. The following sequence illustrates how Razor work on a high level:

  1. Razor identifies a new node and discovers its characteristics.
  2. Based on these characteristics (i.e., "facts"), Razor tags the node accordingly.
  3. Policies with matching tags are applied to the node in question and provisioning elements are pulled together.
  4. The node is provisioned with the appropriate OS or hypervisor. At this point, it is under full management of Puppet Enterprise. 

Open Source Puppet and Razor

What's open source without a little legwork? Razor comes as an easy-to-install tarball that ships with Puppet Enterprise; Open Source Puppet users will have to install it manually, either from package or source. Additionally, open source Razor requires the installation/configuration of PostgreSQL as its primary database backend.


Both Foreman and Puppet Razor are effective tools for bare-metal provisioning—in fact, using Foreman specifically to manage Puppet nodes is arguably the most popular use case. However, an important distinction must be made here in regards to Foreman's limitations: the tool will automate provisioning to the OS/hypervisor level and then hand it off to an automation tool like Puppet, Chef, or Ansible.

In contrast, Puppet Razor will automatically take a machine from bare-metal to the state of being managed by Puppet Enterprise. Puppet nodes can be managed visually with Foreman's competent web GUI, whereas Puppet's visual management console is only available in the Enterprise version of the product (read: pay to play). In fact, many happily use Foreman as an open source front-end to either version of Puppet. Indeed, various 3rd-party front-ends to Puppet can be had such as Puppet Open Source Dashboard and Puppetboard, but Foreman remains the most popular and well-supported complement to Puppet.

In short, if your organization has gone the route of a full Puppet Enterprise deployment, Razor is clearly the best bet for streamlining your server lifecycle management and automation workflow. However, if you've gone the open source route—Foreman can provide competent bare metal provisioning that integrates well with Open Source Puppet. Additionally, you'll get a nice management GUI for managing your Open Source Puppet deployment. 



UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    13 risk factors, including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape