Puppet: Only allow changes during certain hours?

Is it possible to set up Puppet in a way that changes in manifests will only be applied during certain hours, so that any eventual downtime on our server will occur when we decide?

Thanks


I just had to solve this problem... There are a few approaches...

  • Use cron. If you have an OS that supports cron.d entries, distribute a puppet.cron file via Puppet. The accompanying manifest would have something that ensures that the Puppet daemon is off. If you have a lot of servers, use a bash function to randomize the cron pull time to reduce the load on the master server. Also see the Puppet wiki on this topic.

The module I use:

class puppet_cron {

   file { '/etc/cron.d/puppet.cron':
     ensure   => file,
     owner    => root,
     group    => root,
     mode     => '0644',
     source   => "puppet:///modules/puppet_cron/puppet.cron",
   }

   service { 'puppet':
     ensure    => stopped,
     enable    => false,
   }

}

An example puppet.cron:

# puppet.cron
#
# Run puppet in one-time mode during daily downtime window.
# 

# Puppet check window for Monday through Friday
*/15 16-19 * * 1-5 root exec /usr/sbin/puppetd --no-daemonize -o

  • There's a Puppet schedule metaparameter that allows you to list times when manifests should be evaluated on a per-class basis. See: https://serverfault.com/a/341865/13325

  • I recently read a book that suggested using Git as a manifest distribution method in order to scale and reduce the load on the master server. This means you'd have more granular control over scheduling.


Yes, just set up the cronjob that runs puppet to only run during certain hours. Running puppet as a daemon is a really terrible idea. We use the IP address of the server as the key into a hashing function to splay our cronjobs across the entire time period of our Puppet runs, to avoid a thundering herd problem.
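
An added example, not code from either answer: a POSIX shell sketch of the IP-keyed splay described above, which also covers the randomized pull time mentioned in the first answer. The function names, the use of `cksum` as the hash, and the sample address 192.0.2.10 are assumptions; the command and window are the ones from the puppet.cron shown earlier.

```shell
#!/bin/sh
# Added example: deterministic cron splay keyed on the host IP.
# Function names and the sample address (192.0.2.10) are assumptions.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
# The body runs in a subshell so the IFS change does not leak.
is_ipv4() (
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Map an IP to a stable minute offset in [0, interval) via the POSIX cksum CRC.
splay_offset() {
    is_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    case "$2" in ''|0*|*[!0-9]*) echo "invalid interval: $2" >&2; return 1 ;; esac
    [ "$2" -le 60 ] || { echo "invalid interval: $2" >&2; return 1; }
    crc=$(printf '%s' "$1" | cksum | cut -d ' ' -f 1)
    echo $(( crc % $2 ))
}

# Print a cron.d line: one run every <interval> minutes inside the window,
# shifted by this host's offset. Arguments: ip hours day-of-week interval.
splay_cron_line() {
    # Only cron list/range characters may reach a file that cron runs as root.
    case "$2$3" in ''|*[!0-9,/*-]*) echo "invalid cron field" >&2; return 1 ;; esac
    offset=$(splay_offset "$1" "$4") || return 1
    minutes=$offset
    m=$(( offset + $4 ))
    while [ "$m" -lt 60 ]; do
        minutes="$minutes,$m"
        m=$(( m + $4 ))
    done
    echo "$minutes $2 * * $3 root exec /usr/sbin/puppetd --no-daemonize -o"
}

# Same window as the puppet.cron above, for a constructed documentation address.
splay_cron_line 192.0.2.10 16-19 1-5 15
```

Because the offset depends only on the address, each host keeps the same slot across runs, and the generated line can be reviewed before it is distributed.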