puppet-kick (8) - Linux Manuals

puppet-kick: Remotely control puppet agent


puppet-kick - Remotely control puppet agent


Trigger a puppet agent run on a set of hosts.


puppet kick [-a|--all] [-c|--class class] [-d|--debug] [-f|--foreground] [-h|--help] [--host host] [--no-fqdn] [--ignoreschedules] [-t|--tag tag] [--test] [-p|--ping] host [host [...]]


This script can be used to connect to a set of machines running 'puppet agent' and trigger them to run their configurations. The most common usage would be to specify a class of hosts and a set of tags, and 'puppet kick' would look up in LDAP all of the hosts matching that class, then connect to each host and trigger a run of all of the objects with the specified tags.

If you are not storing your host configurations in LDAP, you can specify hosts manually.

You will most likely have to run 'puppet kick' as root to get access to the SSL certificates.

'puppet kick' reads 'puppet master''s configuration file, so that it can copy things like LDAP settings.


Puppet kick needs the puppet agent on the target machine to be running as a daemon, be configured to listen for incoming network connections, and have an appropriate security configuration.

The specific changes required are:

Set listen = true in the agent's puppet.conf file (or --listen on the command line)
Configure the node's firewall to allow incoming connections on port 8139
Insert the following stanza at the top of the node's auth.conf file:
  # Allow puppet kick access
  path    /run
  method  save
  auth    any
  allow   workstation.example.com

This example would allow the machine workstation.example.com to trigger a Puppet run; adjust the "allow" directive to suit your site. You may also use allow * to allow anyone to trigger a Puppet run, but that makes it possible to interfere with your site by triggering excessive Puppet runs.

See http://docs.puppetlabs.com/guides/rest_auth_conf.html for more details about security settings.


Note that any configuration parameter that's valid in the configuration file is also a valid long argument. For example, 'ssldir' is a valid configuration parameter, so you can specify '--ssldir directory' as an argument.

See the configuration file documentation at http://docs.puppetlabs.com/references/latest/configuration.html for the full list of acceptable parameters. A commented list of all configuration options can also be generated by running puppet master with '--genconfig'.

Connect to all available hosts. Requires LDAP support at this point.
Specify a class of machines to which to connect. This only works if you have LDAP configured, at the moment.
Enable full debugging.
Run each configuration in the foreground; that is, when connecting to a host, do not return until the host has finished its run. The default is false.
Print this help message
A specific host to which to connect. This flag can be specified more than once.
Whether the client should ignore schedules when running its configuration. This can be used to force the client to perform work it would not normally perform so soon. The default is false.
How parallel to make the connections. Parallelization is provided by forking for each client to which to connect. The default is 1, meaning serial execution.
Use the specified TCP port to connect to agents. Defaults to 8139.
Specify a tag for selecting the objects to apply. Does not work with the --test option.
Print the hosts you would connect to but do not actually connect. This option requires LDAP support at this point.
Do an ICMP echo against the target host. Skip hosts that don't respond to ping.


$ sudo puppet kick -p 10 -t remotefile -t webserver host1 host2


Luke Kanies


Copyright (c) 2011 Puppet Labs, LLC Licensed under the Apache 2.0 License