Voxpupuli Puppet Server container

⚠️ Deprecated ⚠️

This repository is deprecated and will be archived soon. Please use the OpenVox Server container instead.

CI | License | Donated by Puppet | Sponsored by betadots GmbH

This project hosts the Dockerfile and the required scripts to build a Puppet Server container image.

You can run a copy of Puppet Server with the following Docker command:

docker run --name puppet --hostname puppet voxpupuli/container-puppetserver

Although it is not strictly necessary to name the container puppet, this is useful when working with the other Puppet images, as they will look for a server on that hostname by default.

If you would like to start the Puppet Server with your own Puppet code, you can mount your own directory at /etc/puppetlabs/code:

docker run --name puppet --hostname puppet -v ./code:/etc/puppetlabs/code voxpupuli/container-puppetserver

For a compose file, see: CRAFTY

You can find out more about Puppet Server in the official documentation.

Note about environment caching

⚠️ Puppet Server has environment caching enabled by default. You should explicitly call the API endpoint to clear the cache when a new environment is deployed. See the curl example below.

# The environment-cache endpoint is called with the DELETE method.
curl -i -X DELETE \
--cert "$(puppet config print hostcert)" \
--key "$(puppet config print hostprivkey)" \
--cacert "$(puppet config print cacert)" \
"https://$(puppet config print server):8140/puppet-admin-api/v1/environment-cache?environment=production"

Another option is to disable the environment caching by setting the PUPPETSERVER_ENVIRONMENT_TIMEOUT environment variable to zero (0).

New version schema

The new version schema has the following layout:


Example usage:

docker run --name puppet --hostname puppet -v ./code:/etc/puppetlabs/code/ voxpupuli/container-puppetserver:<version>

  • puppet.major - Describes the contained major Puppet version (7 or 8)
  • puppet.minor - Describes the contained minor Puppet version
  • puppet.patch - Describes the contained patchlevel Puppet version
  • container.major - Describes the major version of the base container (Ubuntu 22.04) or incompatible changes
  • container.minor - Describes new features or refactoring with backward compatibility
  • container.patch - Describes if minor changes or bugfixes have been implemented


The following environment variables are supported:

Name - Usage / Default

  • PUPPETSERVER_HOSTNAME - The DNS name used on the server's SSL certificate; sets the server in puppet.conf. Defaults to unset
  • CERTNAME - The DNS name used on the server's SSL certificate; sets the certname in puppet.conf. Defaults to unset
  • DNS_ALT_NAMES - Additional DNS names to add to the server's SSL certificate. Note: only effective on the initial run, when certificates are generated
  • PUPPETSERVER_PORT - The port of the puppetserver
  • AUTOSIGN - Whether or not to enable autosigning on the puppetserver instance. Valid values are true, false, and /path/to/autosign.conf. Defaults to true
  • CA_ENABLED - Whether or not this puppetserver instance has a running CA (Certificate Authority)
  • CA_TTL - CA expire date (in seconds or with suffix s, m, h, d, y)
  • CA_HOSTNAME - The DNS hostname for the puppetserver running the CA. Does nothing unless CA_ENABLED=false
  • CA_PORT - The listening port of the CA. Does nothing unless CA_ENABLED=false
  • CA_ALLOW_SUBJECT_ALT_NAMES - Whether or not SSL certificates containing Subject Alternative Names should be signed by the CA. Does nothing unless CA_ENABLED=true
  • INTERMEDIATE_CA - Allows importing an existing intermediate CA. Needs INTERMEDIATE_CA_BUNDLE, INTERMEDIATE_CA_CHAIN and INTERMEDIATE_CA_KEY. See Puppet Intermediate CA
  • INTERMEDIATE_CA_BUNDLE - File path and name of the complete CA bundle (signing CA + intermediate CA)
  • INTERMEDIATE_CRL_CHAIN - File path and name of the complete CA CRL chain
  • INTERMEDIATE_CA_KEY - File path and name of the private CA key
  • PUPPET_REPORTS - Sets reports in puppet.conf
  • PUPPET_STORECONFIGS - Sets storeconfigs in puppet.conf
  • PUPPET_STORECONFIGS_BACKEND - Sets storeconfigs_backend in puppet.conf
  • PUPPETSERVER_MAX_ACTIVE_INSTANCES - The maximum number of JRuby instances allowed
  • PUPPETSERVER_MAX_REQUESTS_PER_INSTANCE - The maximum HTTP requests a JRuby instance will handle in its lifetime (disable instance flushing)
  • PUPPETSERVER_JAVA_ARGS - Arguments passed directly to the JVM when starting the service. Default: -Xms1024m -Xmx1024m
  • USE_PUPPETDB - Whether to connect to puppetdb. Sets PUPPET_REPORTS to log and PUPPET_STORECONFIGS to false if those are unset
  • PUPPETDB_SERVER_URLS - The server_urls to set in /etc/puppetlabs/puppet/puppetdb.conf
  • PUPPETDB_HOSTNAME - The DNS name of the puppetdb. Defaults to puppetdb
  • PUPPETDB_SSL_PORT - The TLS port of the puppetdb. Defaults to 8081

Defaults to false
  • PUPPETSERVER_GRAPHITE_HOST - Only used if PUPPETSERVER_GRAPHITE_EXPORTER_ENABLED is set to true. FQDN or hostname of the graphite server where puppet should push metrics to. Defaults to exporter
  • PUPPETSERVER_GRAPHITE_PORT - Only used if PUPPETSERVER_GRAPHITE_EXPORTER_ENABLED is set to true. Port of the graphite server where puppet should push metrics to. Defaults to 9109
  • PUPPETSERVER_ENVIRONMENT_TIMEOUT - Configure the environment timeout. Defaults to unlimited
  • PUPPETSERVER_ENABLE_ENV_CACHE_DEL_API - Enable the puppet admin API endpoint via certificates to allow clearing environment caches. Defaults to true
  • ENVIRONMENTPATH - Set an environmentpath. Defaults to /etc/puppetlabs/code/environments
  • HIERACONFIG - Set a hiera_config entry in the puppet.conf file. Defaults to $confdir/hiera.yaml
  • CSR_ATTRIBUTES - Provide a JSON string of the csr_attributes.yaml content, e.g. CSR_ATTRIBUTES='{"custom_attributes": { "challengePassword": "foobar" }, "extension_requests": { "pp_project": "foo" } }'

Please note that within a compose file, you must provide all environment variables as Hash and not as Array!
CSR_ATTRIBUTES: '{"extension_request": {...}}'

Initialization Scripts

If you would like to do additional initialization, add a directory called /docker-custom-entrypoint.d/ and fill it with .sh scripts.

You can also create sub-directories in /docker-custom-entrypoint.d/ for scripts that have to run at different stages.

  • /docker-custom-entrypoint.d/pre-default/ - scripts that run before the default entrypoint scripts from this repo run.
  • /docker-custom-entrypoint.d/ - scripts that run after the default entrypoint scripts, but before the puppetserver service is started.
  • /docker-custom-entrypoint.d/post-startup/ - scripts that run after the puppetserver service is started.
  • /docker-custom-entrypoint.d/sigterm-handler/ - scripts that run when the container receives a SIGTERM signal.
  • /docker-custom-entrypoint.d/post-execution/ - scripts that run after the puppetserver service has stopped.
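
The environment variable list above states that AUTOSIGN defaults to true, so a container started without it runs with autosigning enabled. The following pre-default script is an added example, not part of this repository: it stops unless autosigning is off or restricted to an allowlist without a bare "*" entry. The file name, the ALLOW_OPEN_AUTOSIGN variable, and the expectation that a failing pre-default script aborts container start-up are assumptions; check the entrypoint of the image version you run.

```shell
#!/bin/sh
# Added example, not part of this repository. Intended location (assumed):
#   /docker-custom-entrypoint.d/pre-default/10-check-autosign.sh
# ALLOW_OPEN_AUTOSIGN is a hypothetical opt-in variable, not one the image knows.

# Map an AUTOSIGN value (true, false, or a path to autosign.conf, as
# documented above) to: open | off | allowlist | wildcard | missing.
classify_autosign() {
  value="${1:-true}"   # the README states AUTOSIGN defaults to true
  case "$value" in
    true)  echo open; return 0 ;;
    false) echo off;  return 0 ;;
  esac
  if [ ! -f "$value" ]; then
    echo missing
  elif grep -Eq '^[[:space:]]*\*[[:space:]]*$' "$value"; then
    echo wildcard      # a bare "*" entry matches every certname
  else
    echo allowlist
  fi
}

# Succeed only when autosigning is off or limited to an allowlist, unless the
# operator explicitly accepts open autosigning.
check_autosign() {
  verdict=$(classify_autosign "${AUTOSIGN:-}")
  case "$verdict" in
    off|allowlist)
      echo "autosign check: $verdict" >&2
      return 0 ;;
  esac
  if [ "${ALLOW_OPEN_AUTOSIGN:-false}" = "true" ]; then
    echo "autosign check: $verdict, accepted via ALLOW_OPEN_AUTOSIGN" >&2
    return 0
  fi
  echo "autosign check: AUTOSIGN is '$verdict', refusing to continue" >&2
  return 1
}

# Run the check only when executed under the assumed file name, so the
# functions can also be sourced and tested on their own.
case "$0" in
  */10-check-autosign.sh) check_autosign || exit 1 ;;
esac
```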


If you plan to use the in-server CA, restarting the container can cause the server's keys and certificates to change, causing agents and the server to stop trusting each other. To prevent this, you can persist the default cadir, /etc/puppetlabs/puppetserver/ca. For example:

docker run -v "$PWD/ca-ssl:/etc/puppetlabs/puppetserver/ca" voxpupuli/container-puppetserver

or in compose:

    # ...
      - ./ca-ssl:/etc/puppetlabs/puppetserver/ca

How to Release the container

see here

How to contribute

see here

Transfer Notice

This project was originally authored by Puppet. The maintainer preferred that Vox Pupuli take ownership of the project for future improvement and maintenance. Existing pull requests and issues were transferred over; please fork and continue to contribute here.

Docker Pull Command

docker pull voxpupuli/container-puppetserver