diff --git a/openvoxserver/files/container-entrypoint.d/20-use-templates-initially.sh b/openvoxserver/files/container-entrypoint.d/20-use-templates-initially.sh index b88fd85..45594fa 100755 --- a/openvoxserver/files/container-entrypoint.d/20-use-templates-initially.sh +++ b/openvoxserver/files/container-entrypoint.d/20-use-templates-initially.sh @@ -2,12 +2,14 @@ set -e +source /usr/local/share/openvox/config_lib.sh + # During build, pristine config files get copied to this directory. If # they are not in the current container, use these templates as the # default TEMPLATES=/var/tmp/puppet -cd "$(puppet config print confdir)" +cd "$(config_get confdir)" for f in auth.conf hiera.yaml puppet.conf puppetdb.conf; do [ -f "$TEMPLATES/$f" ] && [ ! -f "$f" ] && { echo "Copying template $f from $TEMPLATES" diff --git a/openvoxserver/files/container-entrypoint.d/30-ensure-config.sh b/openvoxserver/files/container-entrypoint.d/30-ensure-config.sh index 9ac44c2..6e98313 100755 --- a/openvoxserver/files/container-entrypoint.d/30-ensure-config.sh +++ b/openvoxserver/files/container-entrypoint.d/30-ensure-config.sh @@ -2,9 +2,12 @@ set -e -puppet config set confdir /etc/puppetlabs/puppet -puppet config set vardir /opt/puppetlabs/puppet/cache -puppet config set logdir /var/log/puppetlabs/puppet -puppet config set codedir /etc/puppetlabs/code -puppet config set rundir /var/run/puppetlabs -puppet config set manage_internal_file_permissions false \ No newline at end of file +source /usr/local/share/openvox/config_lib.sh + +config_set main \ + confdir /etc/puppetlabs/puppet \ + vardir /opt/puppetlabs/puppet/cache \ + logdir /var/log/puppetlabs/puppet \ + codedir /etc/puppetlabs/code \ + rundir /var/run/puppetlabs \ + manage_internal_file_permissions false diff --git a/openvoxserver/files/container-entrypoint.d/40-update-puppetdb-conf.sh b/openvoxserver/files/container-entrypoint.d/40-update-puppetdb-conf.sh index f460b5c..1bf81d6 100755 
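Review bot: `cd "$(config_get confdir)"` in 20-use-templates-initially.sh no longer fails when the lookup comes back empty. config_get, as defined in config_lib.sh further down this diff, is a `sed -n ...p` over the cache file, which exits 0 and prints nothing when the key is absent. Bash, as far as I know, accepts `cd ""` without error, so `set -e` does not stop the script and the template check below runs against whatever the working directory happens to be. I would capture and check the value: `confdir=$(config_get confdir)` followed by `cd "${confdir:?confdir missing from config cache}"`. The same unchecked empty result feeds the paths built in 40-update-puppetdb-conf.sh, 70-set-dns-alt-names.sh (`ssldir`, `certname`) and 89-csr_attributes.sh (`CSR_PATH`).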
--- a/openvoxserver/files/container-entrypoint.d/40-update-puppetdb-conf.sh +++ b/openvoxserver/files/container-entrypoint.d/40-update-puppetdb-conf.sh @@ -2,6 +2,8 @@ set -e -if test -n "${OPENVOXDB_SERVER_URLS}" ; then - sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(puppet config print confdir)/puppetdb.conf +source /usr/local/share/openvox/config_lib.sh + +if test -n "${OPENVOXDB_SERVER_URLS}"; then + sed -i "s@^server_urls.*@server_urls = ${OPENVOXDB_SERVER_URLS}@" $(config_get confdir)/puppetdb.conf fi diff --git a/openvoxserver/files/container-entrypoint.d/50-set-certname.sh b/openvoxserver/files/container-entrypoint.d/50-set-certname.sh index caa50d0..8b7bd2e 100755 --- a/openvoxserver/files/container-entrypoint.d/50-set-certname.sh +++ b/openvoxserver/files/container-entrypoint.d/50-set-certname.sh @@ -2,10 +2,12 @@ set -e +source /usr/local/share/openvox/config_lib.sh + if [ -n "${OPENVOXSERVER_HOSTNAME}" ]; then - puppet config set server "$OPENVOXSERVER_HOSTNAME" + config_set main server "$OPENVOXSERVER_HOSTNAME" fi if [ -n "${CERTNAME}" ]; then - puppet config set certname "$CERTNAME" + config_set main certname "$CERTNAME" fi diff --git a/openvoxserver/files/container-entrypoint.d/55-set-masterport.sh b/openvoxserver/files/container-entrypoint.d/55-set-masterport.sh index 5b3dc1f..dec91cc 100755 --- a/openvoxserver/files/container-entrypoint.d/55-set-masterport.sh +++ b/openvoxserver/files/container-entrypoint.d/55-set-masterport.sh @@ -2,9 +2,11 @@ set -e +source /usr/local/share/openvox/config_lib.sh + if test -n "$OPENVOXSERVER_PORT"; then cd /etc/puppetlabs/puppetserver/conf.d/ hocon -f webserver.conf set webserver.ssl-port $OPENVOXSERVER_PORT cd / - puppet config set serverport $OPENVOXSERVER_PORT --section main + config_set main serverport $OPENVOXSERVER_PORT fi 
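Review bot: The rewritten `sed -i` line in 40-update-puppetdb-conf.sh still splices `${OPENVOXDB_SERVER_URLS}` straight into the replacement of an `s@...@...@` expression, and it leaves `$(config_get confdir)` unquoted. A URL list containing `@` (userinfo), `&` or a backslash either ends the expression early or is rewritten by sed, so the value written to puppetdb.conf is not the value supplied. Escape the value first with `urls=$(printf '%s' "$OPENVOXDB_SERVER_URLS" | sed 's/[&@\\]/\\&/g')`, then run `sed -i "s@^server_urls.*@server_urls = ${urls}@" "$(config_get confdir)/puppetdb.conf"`.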
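Review bot: `config_set main serverport $OPENVOXSERVER_PORT` in 55-set-masterport.sh passes the value unquoted, which matters more now than it did with `puppet config set`, because config_set forwards `"$@"` to config_ini.rb and 30-ensure-config.sh shows it taking a run of key/value pairs after the section. A value containing whitespace is split into extra arguments that would presumably be read as further settings, and an empty one disappears and shifts the pairs. Quote it as `config_set main serverport "$OPENVOXSERVER_PORT"`; the `hocon` line above it has the same unquoted expansion. The same applies to `$ENVIRONMENTPATH` in 56-set-environmentpath.sh, `$HIERACONFIG` in 57-set-hiera_config.sh, `$OPENVOXSERVER_ENVIRONMENT_TIMEOUT` in 83-environment-cache.sh and the three `$OPENVOX_*` values in 85-setup-storeconfigs.sh; 56 and 57 also have no `-n` guard, so an unset variable reaches config_set as a missing argument.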
diff --git a/openvoxserver/files/container-entrypoint.d/56-set-environmentpath.sh b/openvoxserver/files/container-entrypoint.d/56-set-environmentpath.sh index 6f631e8..61b2722 100755 --- a/openvoxserver/files/container-entrypoint.d/56-set-environmentpath.sh +++ b/openvoxserver/files/container-entrypoint.d/56-set-environmentpath.sh @@ -2,4 +2,6 @@ set -e -puppet config set --section server environmentpath $ENVIRONMENTPATH +source /usr/local/share/openvox/config_lib.sh + +config_set server environmentpath $ENVIRONMENTPATH diff --git a/openvoxserver/files/container-entrypoint.d/57-set-hiera_config.sh b/openvoxserver/files/container-entrypoint.d/57-set-hiera_config.sh index 4fc44c8..051d2ec 100755 --- a/openvoxserver/files/container-entrypoint.d/57-set-hiera_config.sh +++ b/openvoxserver/files/container-entrypoint.d/57-set-hiera_config.sh @@ -2,4 +2,6 @@ set -e -puppet config set --section server hiera_config $HIERACONFIG +source /usr/local/share/openvox/config_lib.sh + +config_set server hiera_config $HIERACONFIG diff --git a/openvoxserver/files/container-entrypoint.d/60-setup-autosign.sh b/openvoxserver/files/container-entrypoint.d/60-setup-autosign.sh index d7dd30c..9e3626e 100755 --- a/openvoxserver/files/container-entrypoint.d/60-setup-autosign.sh +++ b/openvoxserver/files/container-entrypoint.d/60-setup-autosign.sh @@ -2,8 +2,10 @@ set -e +source /usr/local/share/openvox/config_lib.sh + # Configure puppet to use a certificate autosign script (if it exists) # AUTOSIGN=true|false|path_to_autosign.conf -if test -n "${AUTOSIGN}" ; then - puppet config set autosign "$AUTOSIGN" --section server +if test -n "${AUTOSIGN}"; then + config_set server autosign "$AUTOSIGN" fi diff --git a/openvoxserver/files/container-entrypoint.d/70-set-dns-alt-names.sh b/openvoxserver/files/container-entrypoint.d/70-set-dns-alt-names.sh index 26df5fb..b907196 100755 --- a/openvoxserver/files/container-entrypoint.d/70-set-dns-alt-names.sh 
+++ b/openvoxserver/files/container-entrypoint.d/70-set-dns-alt-names.sh @@ -2,20 +2,22 @@ set -e +source /usr/local/share/openvox/config_lib.sh + config_section=main # Allow setting dns_alt_names for the compilers certificate. This # setting will only have an effect when the container is started without # an existing certificate on the /etc/puppetlabs/puppet volume if [ -n "${DNS_ALT_NAMES}" ]; then - certname=$(puppet config print certname) - if test ! -f "$(puppet config print ssldir)/certs/$certname.pem" ; then - puppet config set dns_alt_names "${DNS_ALT_NAMES}" --section "${config_section}" - else - actual=$(puppet config print dns_alt_names --section "${config_section}") - if test "${DNS_ALT_NAMES}" != "${actual}" ; then - echo "Warning: DNS_ALT_NAMES has been changed from the value in puppet.conf" - echo " Remove/revoke the old certificate for this to become effective" - fi + certname=$(config_get certname) + if test ! -f "$(config_get ssldir)/certs/$certname.pem"; then + config_set "${config_section}" dns_alt_names "${DNS_ALT_NAMES}" + else + actual=$(config_get dns_alt_names) + if test "${DNS_ALT_NAMES}" != "${actual}"; then + echo "Warning: DNS_ALT_NAMES has been changed from the value in puppet.conf" + echo " Remove/revoke the old certificate for this to become effective" fi + fi fi diff --git a/openvoxserver/files/container-entrypoint.d/83-environment-cache.sh b/openvoxserver/files/container-entrypoint.d/83-environment-cache.sh index 49d38e1..bd3ce15 100755 --- a/openvoxserver/files/container-entrypoint.d/83-environment-cache.sh +++ b/openvoxserver/files/container-entrypoint.d/83-environment-cache.sh 
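Review bot: `certname=$(config_get certname)` in 70-set-dns-alt-names.sh reads from the cache file, while 50-set-certname.sh writes certname through config_set, which as far as this diff shows only calls config_ini.rb and never touches `$OPENVOX_CONFIG_CACHE`. config_load's body is not fully visible on this page, so this may already be handled. If an existing cache is reused, though, the `certs/$certname.pem` test looks for the wrong certificate, and dns_alt_names can be written, or the warning skipped, on the basis of a stale name. Dropping the cache on every write would close this: `rm -f -- "$OPENVOX_CONFIG_CACHE"` after the config_ini.rb call in config_set and config_delete. Separately, `actual=$(config_get dns_alt_names)` no longer passes `${config_section}`, so the comparison and the write can refer to different sections if that variable is ever changed from `main`.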
@@ -2,10 +2,12 @@ set -e +source /usr/local/share/openvox/config_lib.sh + if [ -n "$OPENVOXSERVER_ENVIRONMENT_TIMEOUT" ]; then echo "Settings environment_timeout to ${OPENVOXSERVER_ENVIRONMENT_TIMEOUT}" - puppet config set --section server environment_timeout $OPENVOXSERVER_ENVIRONMENT_TIMEOUT + config_set server environment_timeout $OPENVOXSERVER_ENVIRONMENT_TIMEOUT else echo "Removing environment_timeout" - puppet config delete --section server environment_timeout + config_delete server environment_timeout fi diff --git a/openvoxserver/files/container-entrypoint.d/85-setup-storeconfigs.sh b/openvoxserver/files/container-entrypoint.d/85-setup-storeconfigs.sh index 055475e..90ae43c 100755 --- a/openvoxserver/files/container-entrypoint.d/85-setup-storeconfigs.sh +++ b/openvoxserver/files/container-entrypoint.d/85-setup-storeconfigs.sh @@ -1,26 +1,28 @@ -#!/bin/sh +#!/bin/bash set -e +source /usr/local/share/openvox/config_lib.sh + if [ -n "$OPENVOX_STORECONFIGS_BACKEND" ]; then - puppet config set storeconfigs_backend $OPENVOX_STORECONFIGS_BACKEND --section server + config_set server storeconfigs_backend $OPENVOX_STORECONFIGS_BACKEND fi if [ -n "$OPENVOX_STORECONFIGS" ]; then - puppet config set storeconfigs $OPENVOX_STORECONFIGS --section server + config_set server storeconfigs $OPENVOX_STORECONFIGS fi if [ -n "$OPENVOX_REPORTS" ]; then - puppet config set reports $OPENVOX_REPORTS --section server + config_set server reports $OPENVOX_REPORTS fi # reset defaults if USE_OPENVOXDB is false, but don't overwrite custom settings if [ "$USE_OPENVOXDB" = 'false' ]; then if [ "$OPENVOX_REPORTS" = 'puppetdb' ]; then - puppet config set reports log --section server + config_set server reports log fi if [ "$OPENVOX_STORECONFIGS_BACKEND" = 'puppetdb' ]; then - puppet config set storeconfigs false --section server + config_set server storeconfigs false fi fi 
diff --git a/openvoxserver/files/container-entrypoint.d/89-csr_attributes.sh b/openvoxserver/files/container-entrypoint.d/89-csr_attributes.sh index 0873783..d0008dd 100755 --- a/openvoxserver/files/container-entrypoint.d/89-csr_attributes.sh +++ b/openvoxserver/files/container-entrypoint.d/89-csr_attributes.sh @@ -2,12 +2,14 @@ set -e +source /usr/local/share/openvox/config_lib.sh + # determine script location readonly SCRIPT_FILENAME=$(readlink -f "${BASH_SOURCE[0]}") readonly SCRIPT_PATH=$(dirname "$SCRIPT_FILENAME") -readonly CSR_PATH=$(puppet config print csr_attributes) +readonly CSR_PATH=$(config_get csr_attributes) if [ -n "${CSR_ATTRIBUTES}" ]; then - echo "CSR Attributes: ${CSR_ATTRIBUTES}" - /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH" + echo "CSR Attributes: ${CSR_ATTRIBUTES}" + /opt/puppetlabs/puppet/bin/ruby "$SCRIPT_PATH/89-csr_attributes.rb" "$CSR_PATH" fi diff --git a/openvoxserver/files/container-entrypoint.d/90-ca.sh b/openvoxserver/files/container-entrypoint.d/90-ca.sh index 219f46d..0c9a2e7 100755 --- a/openvoxserver/files/container-entrypoint.d/90-ca.sh +++ b/openvoxserver/files/container-entrypoint.d/90-ca.sh @@ -2,6 +2,8 @@ set -e +source /usr/local/share/openvox/config_lib.sh + ca_running() { status=$(curl --silent --fail --insecure "https://${CA_HOSTNAME}:${CA_PORT:-8140}/status/v1/simple") test "$status" = "running" 
@@ -10,16 +12,15 @@ ca_running() { if [[ "$CA_ENABLED" != "true" ]]; then # we are just an ordinary compiler echo "turning off CA" - cat > /etc/puppetlabs/puppetserver/services.d/ca.cfg </etc/puppetlabs/puppetserver/services.d/ca.cfg <"$OPENVOX_CONFIG_CACHE" +} + +# We now have a file with key pair values. Take in an argument, use sed to +# substitute (s/) the parameter ($1 =) with nothing (//) and print (p) the remainder of the line. +config_get() { + config_load + sed -n "s/^$1 = //p" "$OPENVOX_CONFIG_CACHE" +} + +config_set() { + /usr/local/bin/config_ini.rb set "$@" +} + +config_delete() { + /usr/local/bin/config_ini.rb delete "$@" +} diff --git a/openvoxserver/prep_release_container.sh b/openvoxserver/prep_release_container.sh index f51854c..7436ed3 100755 --- a/openvoxserver/prep_release_container.sh +++ b/openvoxserver/prep_release_container.sh @@ -117,12 +117,11 @@ ln -sf /var/log/puppetlabs ${HOME}/.puppetlabs/var/log ln -sf /var/run/puppetlabs ${HOME}/.puppetlabs/var/run # mirror user permissions to group, set group to root, and set gid bit on dirs -for d in /etc/puppetlabs /var/log/puppetlabs /var/run/puppetlabs /opt/puppetlabs/ -do - mkdir -p "$d"; - chgrp -R 0 "$d"; - chmod -R g=u "$d"; - find "$d" -type d -exec chmod g+s {} +; +for d in /etc/puppetlabs /var/log/puppetlabs /var/run/puppetlabs /opt/puppetlabs/ /run/openvox; do + mkdir -p "$d" + chgrp -R 0 "$d" + chmod -R g=u "$d" + find "$d" -type d -exec chmod g+s {} + done # the foreground starting script has this check before running the server:
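Review bot: config_set and config_delete in config_lib.sh have no header comment, although their calling convention is not obvious from the one-line bodies. I would add `# config_set SECTION KEY VALUE [KEY VALUE ...] - forwards all arguments to config_ini.rb; quote every value` above config_set and a matching `# config_delete SECTION KEY` line, and extend the config_get comment with `# prints nothing and still returns 0 when the key is not in the cache`. config_get also places `$1` inside the sed pattern unescaped, which is fine for the fixed setting names used in this diff but should be stated as a constraint. Part of this file's hunk, including config_load, is cut off on this page.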
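Review bot: Adding /run/openvox to the loop in prep_release_container.sh creates the directory only in the image. /run can be mounted as a fresh tmpfs at container start, in which case neither the directory nor its group-0, `g=u`, setgid permissions exist at runtime. If `$OPENVOX_CONFIG_CACHE` lives there (its definition is not visible on this page), the redirect in config_load would then fail. Creating the directory where it is used, with `mkdir -p -- "$(dirname "$OPENVOX_CONFIG_CACHE")"` at the top of config_load, makes that independent of the mount. The comment above the loop could also say that /run/openvox holds the config cache, if that is its purpose.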