April 17, 2024

4 Key Reasons to Switch from SaltStack to Puppet


At first, the differences between common configuration management tools might seem marginal. But choosing the right solution for automated configuration management can make a huge difference. Some tools will have features that align with your organization’s goals, while others won’t. The choice between Puppet vs. SaltStack is one such decision, and it’s a little more nuanced than you might think.

Puppet and SaltStack work toward a similar goal (better infrastructure management), but there are a few key differences to note — not to mention uncertainty around the long-term vision of the SaltStack product in the volatile open source landscape. In this blog, we’ll cover a few of the main reasons SaltStack users might switch to Puppet, from key features and functionality to long-term open source support.


What’s the Difference Between Puppet and SaltStack?

The most important difference between Puppet and SaltStack is that Puppet uses pull-based automation, while SaltStack uses a push-based automation model. With Puppet, agents running on each node check in with the primary Puppet server for configurations. With SaltStack, the primary server initiates communication with the nodes to push changes on command.

Puppet’s pull-based, agent-based automation is built for large-scale environments and continuous configuration automation because Puppet agents run at specified intervals, ensuring all resources are configured according to the desired state held on the primary server. When configurations on the primary server change, the Puppet agent will pick up on those changes on its next run — every 30 minutes by default — and apply the necessary changes to bring target nodes in line with the desired state configuration.

In contrast, SaltStack is often used for on-demand updates because its push-based automation model prioritizes rapid execution over continuous configuration automation. Configuration management with SaltStack primarily relies on the Salt primary server pushing commands to agents on target nodes — called ‘minions’ — rather than regular desired state enforcement.

Other ways Puppet and SaltStack differ are in their languages, scalability, reporting, and more. Learn more of the differences between Puppet and SaltStack and get a side-by-side comparison chart on our blog.


Puppet's Pull-Based Automation Enables More Secure Infrastructure Management

SaltStack’s push-based automation model can expose nodes to vulnerabilities if they’re not properly secured. Puppet’s pull-based model doesn’t need to open ports to communicate with the primary server, which authorizes and authenticates nodes before providing configurations.

Puppet Automation Pre-Authorizes Contact with the Primary Server

In a pull-based model of automation like Puppet’s, managed nodes actively request configurations from the primary server. This lets the Puppet agent communicate with the primary Puppet server without exposing open ports.

With Puppet, the agents installed on each node check in with the Puppet primary server. Then they execute whatever commands need to be executed to bring the current state of the node they’re running on into alignment with the desired state defined on the primary server. This is called a Puppet run, and it happens every 30 minutes by default.

In terms of security, Puppet’s pull-based model makes it simple to identify vulnerable systems, downgrade to safe versions of software affected by vulnerabilities, roll out patches to affected software, and monitor security and compliance on a continuous basis.

SaltStack’s Agentless Automation Can’t Ensure Continuous Compliance Automation at Scale

In a push-based automation model like Salt’s, an agent on each node (called a “minion” in SaltStack parlance) needs to expose open ports to communicate with the primary server. This can increase the system’s attack surface, especially at scale, and provide potential entry points for unauthorized users if they’re not properly secured against attack.

SaltStack configuration issues that can leave infrastructure vulnerable have been well-documented by cybersecurity experts and industry publications. The risks of misconfiguring SaltStack include letting attackers run code on the Salt primary server, on Salt minion nodes, and even in customer environments.


Acquisitions Leave Users Uncertain About the Future of SaltStack

Founded in 2011, SaltStack was acquired by VMware in 2020. Semiconductor and computer software company Broadcom acquired VMware in 2023. Amid those transitions, SaltStack has announced changes to code contribution policies and licensing models that some users feel signal a shift away from active, community-focused development of the SaltStack product.

The open source software (OSS) space is changing fast. Changes to licensing models (like HashiCorp’s switch to a business source license) and the ways OSS companies relate to their communities can leave open source users — the heart and soul of any open source project — uncertain about security, development pace, sustainability, and support for the tools they love. In the face of that uncertainty, leaders at organizations that use open source tools consider alternatives to the OSS their organizations rely on.

Puppet is Actively Engaged with its Open Source Roots

Puppet remains committed to its long-tenured open source community. Open Source Puppet, Bolt, the Puppet Development Kit (PDK), and more are created and maintained with the active involvement of the Puppet community. We’ve worked directly with our open source users on a number of key initiatives:

  • We began offering a value-adding compliance enforcement extension for Open Source Puppet that was previously only available to Puppet Enterprise users
  • We created Admin-as-a-Service offerings to help open source users get more from their Open Source Puppet instance
  • We’ve updated the Puppet Forge to make it easier to access the thousands of free, community-created modules available there
  • We created the Puppet Ecosystem Advisory Board, which invites open source users and Puppet Enterprise customers to have their voice heard on the direction of Puppet as a product

For more on how we’re keeping open source at the center of Puppet, visit our page on Puppet’s open source projects.


Puppet Has Longevity, a Large Community + Lots of Modules

There’s a wide array of use cases for Puppet, from reducing tech debt to managing hybrid cloud infrastructure, patch management, and Windows automation. Part of Puppet’s flexibility is due to the modules that extend functionality for common infrastructure management use cases. If you wish there was something you could use Puppet for, there’s probably a module for it. There are literally thousands of modules on the Puppet Forge, including ones created, supported, and sold by Puppet as well as free ones created by the Puppet community.  

Speaking of community, the Puppet community has been with us since the launch of Puppet’s open source offering in 2005. Between the Forge and the Puppet Community Slack, there are tons of friendly, welcoming people who are willing to help out at any stage of your automation journey.


Puppet is Easy to Get Started With

Automation and configuration management can be tough to break into. That’s why we’ve created a number of ways to get started with Puppet, no matter if you’ve used it before or not:

  • Puppet Training: Free and paid classes help first-timers get on their feet, with on-demand virtual courses and instructor-led education.
    • If you're hungry for more, countless independent creators have offered training, tips, and how-tos for learning the ins and outs of Puppet’s open source and enterprise offerings!
  • Puppet Certification: We offer pathways for individuals and teams to get certified in Puppet Enterprise so they can add more value to their team and build a career they love with the infrastructure management skills businesses want.
  • Free Trial of Puppet Enterprise: With our free trial offer, you can download and run Puppet Enterprise on 10 nodes for free — no credit card, no contract, no commitment. You can even take Puppet modules from the Forge for a spin.

The Bottom Line: Should You Switch from SaltStack to Puppet?

You should switch from SaltStack to Puppet if...

  • You need to manage a large number of resources across disparate operating systems
  • You plan on scaling up your infrastructure and want to avoid the complexity of SaltStack’s state files
  • You have to prove continuous compliance to vendors, contractors, customers, and auditors
  • You want a mature, proven automation and configuration management solution with a steadfast dedication to open source
  • You need enterprise features like role-based access control, continuous delivery, reporting, and orchestration — all available in Puppet Enterprise

Take the next step by getting in touch with the Puppet team to plan your migration from SaltStack to Puppet, or start automating with Puppet Enterprise on 10 nodes for free right now.

