What is our primary use case?
Until last year, we were using the enterprise version, Puppet 4; however, we recently switched to the open-source version — the community edition. We are using a product called Foreman as a front end for Puppet open source.
We used Puppet solely for Linux. At first, we had around 200 plus Linux servers that were managed by Puppet. It was like infrastructure as code. If we had to build a new server or update a server, then we just had to commission a new server, apply Puppet control, and it would configure everything for us. That was one of our main use cases.
We also used it for compliance. We had some security products and policies that we needed to implement. This solution made sure that they're always there, that nobody was messing with them. Regarding security compliance, take CrowdStrike, for example: it's supposed to be installed on every server — running and reporting properly. Puppet checks that a service is running every 15 minutes. If it's not, it starts it and if it's missing, it installs it.
Although we started with Linux, we are moving towards adding Windows servers as well.
How has it helped my organization?
We have a central code. If anyone makes any changes to the infrastructure, we'll get notified. We have around 10 people all managing the same infrastructure so there's always the chance of overstepping each other's work. When it's all centralized as code, a single repository, it's easier to manage because everybody gets notified of what changes are being made.
What is most valuable?
Puppet has a big code repository hosted at Puppet Forge. Most common tools and applications can be managed out of the box or by downloading the respective module from Puppet Forge.
There are a couple of factory features included that I like. Anything that we manage through Puppet always runs perfectly. The ability to have infrastructure as code is nice. Every two or three years we upgrade to the most recent version of Linux and build new machines. Afterward, it's just a matter of assigning roles; then we can forget about it and let it do its thing.
What needs improvement?
The main thing that we noticed when we switched from the enterprise version to the community version was the difference in cost — the infrastructure is pretty expensive. We work in the education sector so we get really good discounts from vendors. Other universities, including Harvard, use a competing product called Ansible. The only reason they use Ansible is that they got it for a really good price. We tried to get an educator's discount with Puppet, but unfortunately, we couldn't reach an arrangement. That's why we had to switch to the community version.
What do I think about the stability of the solution?
As far as stability is concerned, this solution is rock solid. We have a single server — it's called the Puppet Server. We never have to think about having a cluster or backup server for it because it's so stable. That's one of the reasons why we kept using it instead of moving to Ansible. Moving to a different platform would require a massive learning process.
What do I think about the scalability of the solution?
Puppet is pretty scalable — so far. Currently, we have 400 servers that are communicating with Puppet, pulling policies every 15 minutes. It gets sluggish sometimes, but a single server has been able to manage all of this. I think if we get to more than 500 VMs, we might have to add more servers. Currently, I think we have a very small setup. I think it's more than good for us.
How are customer service and technical support?
Their technical support has been really good. We have used Puppet technical support as well as third-party support companies. We worked with a company called Bitlancer; they helped us with some of the code. Puppet can provide us with backend support for any service issues, but code is something that we have to work out with the community. The community is very strong as well. If we have any trouble with code, we can ask them in the forums — they're always helpful. I think the support is very good overall.
Which solution did I use previously and why did I switch?
Before we began using Puppet, everything was manual. Once we moved to Puppet, it opened up a completely new world of automated management, which was amazing. We could never go back. Now, on the Windows side, we use something similar called SCCM. Before that, we used group policies to manage our servers. It's not the same as Puppet because you can only manage things that are built into the OS. Installing software manager roles and configuring servers is difficult.
How was the initial setup?
The initial deployment is very easy; it's actually one of the best. Even before Puppet, we used to have one script that we used to run. The server was commissioned and then we'd run the script. Now we don't even have to do that because it's part of our image.
For this reason, any new servers that we build already have Puppet installed. As it's part of our template, all we have to do is push the template and the new server automatically starts communicating. It pulls everything that it needs from the Puppet server directly.
Deployment takes around 10 minutes per server. Our servers get the base policies first and then we can assign the role — the policies are based on their role. It takes roughly two to three runs through Puppet to get all of the policies in place. It sounds like a lot, but it's pretty straightforward.
What about the implementation team?
We have our own people that handle deployment. We have a team of 10 people who manage the infrastructure. They're called the infrastructure group. The IT team is called EIG — Enterprise Infrastructure Group. All of us are pretty much continuously building servers and working on different use cases.
Some maintenance is required. We have to update the infrastructure. It's a bit of a pain point to make sure that everything works once we've upgraded it because Puppet has been evolving pretty fast. From one version to another, a lot of things can break when we upgrade them. Although it comes with tools that can be used to verify that the code is supported, even after verification, it still breaks sometimes.
What was our ROI?
We have definitely seen a return on our investment with this solution. Switching to Puppet Enterprise was a game-changer for us. It was totally worth it, but there is a recurring cost associated with it because you have to pay a yearly licensing fee. We got a lot out of it in that time period. When we began exploring the Windows side, we didn't know if we would see a return.
What's my experience with pricing, setup cost, and licensing?
Puppet was a good product; we used it when we had 200 VMs. When we tried to add Windows servers to it, that's when we realized the price nearly doubled for us because we also have around 200 Windows servers. Puppet doesn't offer discounts for the education or non-profit sectors as pretty much every other product in the IT industry does. We get pro services from Microsoft at a very discounted price, and great offers, too — easily 60% off retail prices. Our managers tried to negotiate with Puppet, asking if it was possible to add two hundred servers without doubling the price. Sadly, we couldn't come to an agreement.
That was unfortunate because Puppet Enterprise has some of the features that we are now missing. Now, some of the code that was provided by Puppet is no longer usable on the Puppet community edition. I think that's the only downside of moving to the community version.
Which other solutions did I evaluate?
We evaluated Ansible — it's also good. The way Ansible works is a bit different than the way Puppet works. That's where we struggled with Ansible. Ansible is the kind of solution that only requires a one-time configuration. If we want to build a new server, we can easily build it with Ansible and Ansible will do all the work for us, but it's the compliance part that was missing from Ansible — it wasn't a built-in functionality. With Puppet, if you have built a server and someone changes something, within 15 minutes, Puppet will run and revert the changes. So, it's the compliance part that we like about Puppet.
What other advice do I have?
Puppet is one of the best products available — even when it comes to the cloud. It's very popular. There are only two main cloud competitors when it comes to configuration management: Puppet and Chef. I think both are strong products. Puppet has been the king of the market. To anyone interested in using Puppet, I always recommend that you start with the community edition first. If you don't require enterprise features or management, then you can get it for free. If you need those features, then you can always upgrade.
Overall, on a scale from one to ten, I would give Puppet a rating of nine. I don't think that similar products have any strengths that Puppet doesn't have.