Puppet vs CFEngine

Puppet vs CFEngine

While most people think of Puppet and Chef when they’re thinking about Configuration Management tools, other alternatives exist. One notable example is CFEngine. In this post, we’ll compare Puppet to this older, more established configuration management tool.

CFEngine is actually significantly older than Puppet or Chef, dating back to 1993. It was created by Mark Burgess and, like Puppet, started out as an open-source configuration management tool, not an an enterprise Configuration Management product. It wasn’t commercialized in 2008. CFEngine has been described as the grandfather of configuration management tools.

So how do CFEngine and Puppet differ from one another?

Complexity and Power

While Puppet is heralded to be more “Ops-friendly”, due to its model-driven approach and relatively small learning curve, CFEngine resides more in the “Dev-friendly” side of the spectrum.

CFEngine runs on C, as opposed to Puppet’s use of Ruby. C is the more low level of the two languages, and one of the main complaints regarding CFEngine is that the learning curve is very steep. It does mean though that CFEngine has a dramatically smaller memory footprint, it runs faster and has far fewer dependencies.

Puppet’s model-driven approach means a smaller learning curve, which makes it a preferred option for sysadmins with limited coding experience. The model-driven approach also takes on a lot of the responsibility for dependency management. Some argue that this can result in unexpected behaviour though and has its limits.


Puppet’s edge here is avoiding specific nuances across operating systems, which exist when using CFEngine. However, Puppet and CFEngine have excellent support across platforms.

CFEngine’s supported platforms

Puppet’s supported platforms


Puppet and CFEngine both have strong user communities, as they are both mature tools. CFEngine has a strong international presence, headquartered in Oslo, with several US offices as well.

CFEngine’s site claims that they currently manage more than 10 million nodes. Puppet is less specific about exactly how many servers their software runs on, but they have an impressive list of customers.


Both Puppet and CFEngine have moved past early missteps (or lack of focus) on the documentation front. Both have online references available:

CFEngine Reference Doc

Puppet Reference Doc

Whatever your choice it is always wise to look to third party reference material to get a full appreciation of the power and nuances of each tool.

Learning CFEngine

Automating Linux and Unix System Administration

Pro Puppet

Puppet 2.7 Cookbook


Naturally, due to its open-source origins, CFEngine (like Puppet) has a free open-source version available. Puppet’s Enterprise edition provides 10 free nodes, and then charges $99 per node per year (with bulk discounts available). CFEngine’s pricing after the 25 free nodes is unspecified, they require you to contact a sales representative for more pricing information – they offer “promotional pricing” based off of a client’s particular needs.

One key benefit of CFEngine’s pricing model appears to be that its pricing is more customizable to a company’s specific needs. CFEngine also offers significantly more free nodes than does Puppet.


At a high level if coding and complexity doesn’t scare you, if small agent footprints and speed matter and you’ll take control and scale over simplicity then CFEngine may be for you. If the relatively smoother onboarding and simpler model driven approach is more attractive then Puppet may well be for you. As always, both tools are available to trial at no cost so if you have the time choose a representative (if modest) configuration to automate using each and compare and contrast. Nothing beats hands on experience.

Read Next: You’re Doing DevOps Wrong – Automation in the Enterprise


  • Walid Shaari

    CFEngine3 try also to model the configuration problem using primitives as does puppet. CFengine3 starts with node autonmous “promises” and bundles them into collection called bundles and you can use design sketchs so i am not sure you statement regarding modelling “model-driven” is accurate especially when it comes to CFEngine3. also i wish you have gone more in depth on what are the key differentiators and strengths of each platform. thanks for posting

    • scriptrock

      Thanks for the comment!

      I would be very interested in hearing your thoughts on any key differentiators or strengths I might have missed for future posts.

      • Derek

        CFEngine 3, which is in active development, was released in 2009. It’s important to note that Puppet was inspired by CFEngine 2 (released in 200. Big reason why we chose CFEngine 3 is the security. The difference is vast, CFEngine 3 has 0 published vulnerabilities while Puppet has 33, with 10 published already in 2013.

        If security matters, I think CFEngine 3 is an easy choice. We also appreciated the lean footprint, simple server side architecture, minimal dependencies (augh! Ruby!),

  • Hajo

    Hi, i hear that “cfEnginge is dead”, and that “the community” is choosing Puppet. That the development of cfEnginge has almost stopped. is that true?

    • Mike Baukes

      Hey There – CFEngine isn’t dead, in fact it is still widely adopted by a significant amount of organisations. They looks to have recently started getting aggressive on the marketing front – which is a good sign.

    • Nicolas Charles

      CFEngine is far from dead. New versions are regularly released, community is growing, and there is an ecosystem of software or tools around it (mainly rudder-project / http://www.rudder-project.org , but there are others available as well)