Open source Puppet 8.8.1

Puppet | Contents | ii

Contents

Puppet 8.8.1...............................................................................................................9

Release notes..............................................................................................................9

Puppet release notes........................................................................................................................................... 10

Puppet 8.8.1............................................................................................................................................ 11

Puppet 8.8.0............................................................................................................................................ 12

Puppet 8.7.0............................................................................................................................................ 12

Puppet 8.6.0............................................................................................................................................ 13

Puppet 8.5.1............................................................................................................................................ 14

Puppet 8.5.0............................................................................................................................................ 14

Puppet 8.4.0............................................................................................................................................ 15

Puppet 8.3.1............................................................................................................................................ 16

Puppet 8.3.0............................................................................................................................................ 19

Puppet 8.2.0............................................................................................................................................ 19

Puppet 8.1.0............................................................................................................................................ 21

Puppet 8.0.0............................................................................................................................................ 21

Puppet known issues...........................................................................................................................................23

Puppet Server release notes................................................................................................................................25

Puppet Server 8.6.2.................................................................................................................................25

Puppet Server 8.6.1.................................................................................................................................25

Puppet Server 8.6.0.................................................................................................................................25

Puppet Server 8.5.0.................................................................................................................................25

Puppet Server 8.4.0.................................................................................................................................26

Puppet Server 8.3.0.................................................................................................................................26

Puppet Server 8.2.1.................................................................................................................................26

Puppet Server 8.2.0.................................................................................................................................26

Puppet Server 8.1.0.................................................................................................................................27

Puppet Server 8.0.0.................................................................................................................................27

Puppet Server known Issues...............................................................................................................................27

Access CA endpoint to update CRLs.................................................................................................... 27

Cipher updates in Puppet Server 6.5......................................................................................................27

Server-side Ruby gems might need to be updated for upgrading from JRuby 1.7................................28

Potential JAVA ARGS settings..............................................................................................................28

tmp directory mounted noexec...........................................................................................................28

Puppet Server Fails to Connect to Load-Balanced Servers with Different SSL Certificates.................28

Facter release notes.............................................................................................................................................29

Facter 4.8.0............................................................................................................................................. 29

Facter 4.7.1............................................................................................................................................. 29

Facter 4.7.0............................................................................................................................................. 29

Facter 4.6.1............................................................................................................................................. 30

Facter 4.6.0............................................................................................................................................. 30

Facter 4.5.2............................................................................................................................................. 30

Facter 4.5.1............................................................................................................................................. 30

Facter 4.4.3............................................................................................................................................. 30

Facter 4.4.2............................................................................................................................................. 31

Facter known issues............................................................................................................................................43

Upgrading from Puppet 7 to Puppet 8...............................................................................................................43

Experimental features......................................................................................................................................... 46

Puppet | Contents | iii

Msgpack support.....................................................................................................................................47

Archived documentation.....................................................................................................................................47

Puppet overview......................................................................................................48

What is Puppet?..................................................................................................................................................48

Why use Puppet desired state management?.....................................................................................................49

Key concepts behind Puppet.............................................................................................................................. 50

The Puppet platform...........................................................................................................................................51

Puppet platform lifecycle................................................................................................................................... 53

Open source Puppet vs Puppet Enterprise (PE).................................................................................................56

The Puppet ecosystem........................................................................................................................................ 56

Use cases.............................................................................................................................................................57

Glossary...............................................................................................................................................................57

Navigating the documentation............................................................................................................................58

Set up Puppet..........................................................................................................60

Install Puppet...................................................................................................................................................... 60

System requirements...............................................................................................................................60

Installing Puppet..................................................................................................................................... 62

Installing and configuring agents...........................................................................................................64

Manually verify packages.......................................................................................................................73

Managing Platform versions...................................................................................................................75

Configure Puppet settings...................................................................................................................................75

Puppet settings........................................................................................................................................ 76

Key configuration settings......................................................................................................................79

Puppet's configuration files.................................................................................................................... 82

Adding file server mount points............................................................................................................ 93

Checking the values of settings..............................................................................................................94

Editing settings on the command line....................................................................................................97

Configuration Reference.........................................................................................................................98

Upgrading..........................................................................................................................................................126

Upgrade Puppet Server.........................................................................................................................127

Upgrade agents......................................................................................................................................127

Upgrade PuppetDB...............................................................................................................................129

Environments.....................................................................................................................................................130

About environments..............................................................................................................................130

Creating environments..........................................................................................................................132

Environment isolation...........................................................................................................................136

Directories and files..........................................................................................................................................137

Code and data directory (codedir)........................................................................................................138

Config directory (confdir).................................................................................................................... 139

Main manifest directory....................................................................................................................... 140

The modulepath.................................................................................................................................... 141

SSL directory (ssldir)........................................................................................................................... 143

Cache directory (vardir)........................................................................................................................144

Report reference................................................................................................................................................147

Platform components............................................................................................148

Puppet Server....................................................................................................................................................148

About Puppet Server.............................................................................................................................148

Deprecated features...............................................................................................................................150

Server and agent compatibility.............................................................................................................155

Installing Puppet Server....................................................................................................................... 156

Puppet | Contents | iv

Configuring Puppet Server...................................................................................................................157

Using and extending Puppet Server.....................................................................................................183

Developer information..........................................................................................................................212

Puppet Server HTTP API.....................................................................................................................220

API endpoints....................................................................................................................................... 258

Certificate authority and SSL...............................................................................................................275

Facter.................................................................................................................................................................296

Facter: CLI............................................................................................................................................297

Facter: Core Facts.................................................................................................................................300

Custom facts overview......................................................................................................................... 325

Writing custom facts.............................................................................................................................331

External facts........................................................................................................................................ 336

Configuring Facter with facter.conf.....................................................................................................339

PuppetDB.......................................................................................................................................................... 342

Puppet services and tools................................................................................................................................. 342

Puppet commands.................................................................................................................................343

Running Puppet commands on Windows............................................................................................345

primary Puppet server...........................................................................................................................349

Puppet agent on *nix systems..............................................................................................................351

Puppet agent on Windows....................................................................................................................354

Puppet apply......................................................................................................................................... 358

Puppet device........................................................................................................................................360

Puppet reports................................................................................................................................................... 366

Reporting...............................................................................................................................................366

Report reference....................................................................................................................................367

Writing custom report processors........................................................................................................ 368

Report format........................................................................................................................................369

Life cycle of a Puppet run............................................................................................................................... 374

Agent-server HTTPS communications.................................................................................................375

Catalog compilation..............................................................................................................................376

Static catalogs....................................................................................................................................... 379

Using Puppet code................................................................................................ 382

Classifying nodes..............................................................................................................................................383

Managing environment content with a Puppetfile...........................................................................................385

Using content from Puppet Forge....................................................................................................................391

Designing system configs (roles and profiles).................................................................................................392

The roles and profiles method..............................................................................................................392

Roles and profiles example.................................................................................................................. 395

Designing advanced profiles................................................................................................................ 398

Designing convenient roles.................................................................................................................. 415

Separating data (Hiera).....................................................................................................................................418

About Hiera...........................................................................................................................................418

Getting started with Hiera.................................................................................................................... 422

Configuring Hiera.................................................................................................................................425

Creating and editing data..................................................................................................................... 433

Looking up data with Hiera................................................................................................................. 442

Writing new data backends.................................................................................................................. 446

Debugging Hiera...................................................................................................................................454

Upgrading to Hiera 5............................................................................................................................456

Use case examples............................................................................................................................................469

Manage NTP.........................................................................................................................................469

Manage sudo.........................................................................................................................................472

Manage DNS.........................................................................................................................................475

Manage firewall rules...........................................................................................................................478

Puppet | Contents | v

Forge examples.....................................................................................................................................481

Syntax and settings...............................................................................................482

The Puppet language........................................................................................................................................ 482

Puppet language overview....................................................................................................................484

Puppet language syntax examples........................................................................................................486

The Puppet language style guide......................................................................................................... 492

Files and paths on Windows................................................................................................................516

Code comments.....................................................................................................................................517

Variables................................................................................................................................................517

Resources...............................................................................................................................................520

Resource types...................................................................................................................................... 528

Relationships and ordering...................................................................................................................675

Classes...................................................................................................................................................680

Defined resource types......................................................................................................................... 687

Bolt tasks...............................................................................................................................................690

Expressions and operators.................................................................................................................... 690

Conditional statements and expressions...............................................................................................700

Function calls........................................................................................................................................707

Built-in function reference....................................................................................................................710

Node definitions....................................................................................................................................789

Facts and built-in variables.................................................................................................................. 792

Reserved words and acceptable names................................................................................................798

Custom resources..................................................................................................................................803

Custom functions.................................................................................................................................. 834

Values, data types, and aliases.............................................................................................................854

Templates.............................................................................................................................................. 908

Advanced constructs............................................................................................................................. 924

Details of complex behaviors...............................................................................................................939

Securing sensitive data......................................................................................................................... 947

Metaparameter reference.................................................................................................................................. 949

Configuration Reference...................................................................................................................................953

Configuration settings...........................................................................................................................953

Built-in function reference................................................................................................................................983

undef values in Puppet 6...................................................................................................................983

abs........................................................................................................................................................983

alert...................................................................................................................................................984

all........................................................................................................................................................984

annotate............................................................................................................................................985

any........................................................................................................................................................986

assert_type.....................................................................................................................................987

binary_file.....................................................................................................................................988

break...................................................................................................................................................988

call..................................................................................................................................................... 989

camelcase......................................................................................................................................... 989

capitalize.......................................................................................................................................990

ceiling..............................................................................................................................................991

chomp...................................................................................................................................................991

chop..................................................................................................................................................... 991

compare..............................................................................................................................................992

contain..............................................................................................................................................993

convert_to.......................................................................................................................................993

create_resources.........................................................................................................................993

crit..................................................................................................................................................... 994

debug...................................................................................................................................................994

Puppet | Contents | vi

defined..............................................................................................................................................994

dig........................................................................................................................................................996

digest.................................................................................................................................................996

downcase............................................................................................................................................996

each..................................................................................................................................................... 997

emerg...................................................................................................................................................999

empty...................................................................................................................................................999

epp........................................................................................................................................................999

err......................................................................................................................................................1000

eyaml_lookup_key.......................................................................................................................1000

fail................................................................................................................................................... 1000

file................................................................................................................................................... 1000

filter...............................................................................................................................................1000

find_file....................................................................................................................................... 1002

find_template..............................................................................................................................1002

flatten............................................................................................................................................1003

floor.................................................................................................................................................1003

fqdn_rand....................................................................................................................................... 1004

generate..........................................................................................................................................1004

get......................................................................................................................................................1004

getvar...............................................................................................................................................1005

group_by..........................................................................................................................................1006

hiera.................................................................................................................................................1007

hiera_array...................................................................................................................................1008

hiera_hash.....................................................................................................................................1009

hiera_include..............................................................................................................................1010

hocon_data.....................................................................................................................................1011

import...............................................................................................................................................1011

include............................................................................................................................................1011

index.................................................................................................................................................1012

info................................................................................................................................................... 1013

inline_epp.....................................................................................................................................1013

inline_template.........................................................................................................................1014

join................................................................................................................................................... 1014

json_data....................................................................................................................................... 1015

keys................................................................................................................................................... 1015

length...............................................................................................................................................1015

lest................................................................................................................................................... 1015

lookup...............................................................................................................................................1016

lstrip...............................................................................................................................................1018

map......................................................................................................................................................1018

match.................................................................................................................................................1019

max......................................................................................................................................................1020

md5......................................................................................................................................................1021

min......................................................................................................................................................1022

module_directory.......................................................................................................................1023

new......................................................................................................................................................1023

next................................................................................................................................................... 1040

notice...............................................................................................................................................1040

partition....................................................................................................................................... 1041

realize............................................................................................................................................1041

reduce...............................................................................................................................................1041

regsubst..........................................................................................................................................1043

require............................................................................................................................................1044

return...............................................................................................................................................1045

reverse_each................................................................................................................................1045

Puppet | Contents | vii

round.................................................................................................................................................1046

rstrip...............................................................................................................................................1046

scanf.................................................................................................................................................1047

sha1................................................................................................................................................... 1047

sha256...............................................................................................................................................1047

shellquote.....................................................................................................................................1047

size................................................................................................................................................... 1048

slice.................................................................................................................................................1048

sort................................................................................................................................................... 1048

split.................................................................................................................................................1049

sprintf............................................................................................................................................1050

step................................................................................................................................................... 1050

strftime..........................................................................................................................................1050

strip.................................................................................................................................................1054

tag......................................................................................................................................................1055

tagged...............................................................................................................................................1055

template..........................................................................................................................................1055

then................................................................................................................................................... 1055

tree_each....................................................................................................................................... 1056

type................................................................................................................................................... 1058

unique...............................................................................................................................................1059

unwrap...............................................................................................................................................1060

upcase...............................................................................................................................................1061

values...............................................................................................................................................1062

versioncmp.....................................................................................................................................1062

warning............................................................................................................................................1062

with................................................................................................................................................... 1062

yaml_data....................................................................................................................................... 1063

Puppet Man Pages.......................................................................................................................................... 1063

Core Tools...........................................................................................................................................1063

Secondary subcommands....................................................................................................................1063

Niche subcommands........................................................................................................................... 1064

Core tools............................................................................................................................................1064

Occasionally useful.............................................................................................................................1076

Niche................................................................................................................................................... 1085

Developing modules............................................................................................1096

Modules...........................................................................................................................................................1097

Modules overview...............................................................................................................................1097

Plug-ins in modules............................................................................................................................ 1101

Module cheat sheet.............................................................................................................................1103

Installing and managing modules from the command line................................................................1104

Beginner's guide to writing modules..................................................................................................1113

Module metadata.................................................................................................................................1118

Documenting modules........................................................................................................................ 1124

Documenting modules with Puppet Strings.......................................................................................1128

Puppet Strings style guide..................................................................................................................1135

Publishing modules.............................................................................................................................1141

Contributing to Puppet modules.........................................................................................................1146

Puppet Development Kit (PDK).................................................................................................................... 1149

Puppet VSCode extension.............................................................................................................................. 1149

PowerShell DSC Resources............................................................................................................................1150

Converting DSC Resources................................................................................................................1150

Distributing arbitrary DSC resources.................................................................................................1151

Upgrading Puppet DSC modules....................................................................................................... 1152

Troubleshooting DSC Resources........................................................................................................1154

Puppet | Welcome to Puppet® 8.8.1 | 9

Welcome to Puppet® 8.8.1

Puppet provides tools to automate the management of your infrastructure. Puppet is an open source product with a

vibrant community of users and contributors. You can get involved by fixing bugs, influencing new feature direction,

publishing your modules, and engaging with the community to share knowledge and expertise.

Important: Before you use the product and its documentation, review the Copyright and trademark notices on page

1156.

Helpful Puppet docs links Other useful links

Getting started

Puppet overview

Release notes

Puppet Forge

Glossary

Install Puppet

Puppet platform

Puppet Server

PuppetDB

Facter

Puppet settings

Configuration reference

Metaparameter reference

Docs for related Puppet products

Puppet Bolt®

Puppet Enterprise®

Continuous Delivery

Puppet Development Kit

Puppet VSCode extension

Share and contribute

Puppet Forge

Puppet Community

Open source projects on GitHub

Learn more about Puppet

Blog posts about Puppet

Puppet training

Release notes

These release notes contain important information about the Puppet® 8.8 platform, including Puppet agent, Puppet

Server, Facter, and PuppetDB.

This release incorporates new features, enhancements, and resolved issues from all previous releases. If you're

upgrading from an earlier version of Puppet, check the release notes for any interim versions for details about

additional improvements in this release over your current release.

Version numbers use the format X.Y.Z, where:

• X must increase for major, backward-incompatible changes.

• Y can increase for backward-compatible new functionality or significant bug fixes.

• Z can increase for bug fixes.

The following table lists the maintained Puppet, Puppet Server, and PuppetDB versions. Developmental releases

(known as latest) are superseded by new versions about once a month. Open source releases that are associated with

Puppet Enterprise (PE) versions have projected End of Life (EOL) dates.

Puppet | Release notes | 10

Puppet version Puppet Server

version

PuppetDB version Associated PE

version

Projected EOL date

8.8.1 8.6.2 8.7.0 2023.x Superseded by next

developmental

release.

7.32.1 7.17.2 7.19.1 2021.7.x Superseded by next

developmental

release.

6.28.0 6.20.0 6.22 2019.8.x February 2023

Important: Security and vulnerability announcements are posted at Security: Puppet's Vulnerability Submission

Process.

Important: Before you upgrade from Puppet 7 toPuppet 8, see Upgrading from Puppet 7 to Puppet 8 on page

43.

See the following pages for a full list of platform release notes in the Puppet 8 series.

• Puppet release notes on page 10

These are the new features, resolved issues, and deprecations in this version of Puppet.

• Puppet known issues on page 23

These are the known issues in this version of Puppet.

• Puppet Server release notes on page 25

These are the new features, resolved issues, and deprecations in this version of Puppet Server.

• Puppet Server known Issues on page 27

These are the known issues in this version of Puppet Server.

• PuppetDB release notes (link)

These are the new features, resolved issues, and deprecations in this version of PuppetDB.

• Facter release notes on page 29

These are the new features, resolved issues, and deprecations in this version of Facter.

• Facter 4 known issues on page 43

These are the known issues in this version of Facter.

• Upgrading from Puppet 7 to Puppet 8 on page 43

Before upgrading to Puppet 8, review the following recommendations and changes so that you can plan your upgrade

accordingly.

• Experimental features on page 46

Released versions of Puppet can include experimental features to be considered for adoption but are not yet ready for

production. These features need to be tested in the field before they can be considered safe, and therefore are turned

off by default.

• Archived documentation on page 47

Open source Puppet docs for recent end-of-life (EOL) product versions are archived in place, meaning that we

continue to host them at their original URLs, but we limit their visibility on the main docs site and no longer update

them. You can access archived-in-place docs using their original URLs, or from the links here.

Puppet release notes

These are the new features, resolved issues, and deprecations in this version of Puppet.

Important: Security and vulnerability announcements are posted at Security: Puppet's Vulnerability Submission

Process.

Puppet | Release notes | 11

Important: Before you upgrade from Puppet 7 to Puppet 8, see Upgrading from Puppet 7 to Puppet 8 on page

43.

Puppet 8.8.1

Released July 2024. This release adds support for the following operating systems: AlmaLinux 9 (x86_64,

AARCH64), Rocky Linux 9 (x86_64, AARCH64), and Ubuntu 24.04 (x86_64, ARM). In addition, Puppet is updated

to ensure compatibility with Ruby 3.3.

GitHub releases

Additional details about release updates are available on GitHub. For more information, go to the following sites:

• Facter

• Puppet

• Puppet agent

• Puppet runtime

Enhancements

New operating systems

You can now install Puppet agent on the following new operating systems:

• AlmaLinux 9 (x86_64, AARCH64)

• Rocky Linux 9 (x86_64, AARCH64)

• Ubuntu 24.04 (x86_64, ARM)

Ruby update

Puppet is updated to ensure compatibility with Ruby 3.3.

Security

OpenSSL upgrade

Upgraded to OpenSSL 3.0.14 to address CVE-2024-4603 and CVE-2024-2511.

Resolved issues

Sensitive values returned by deferred functions are protected.

Previously, in certain circumstances, when a function of the Deferred type returned a value of the Sensitive

type, the value was displayed in clear text. The issue is resolved to help ensure that sensitive values are protected.

Windows agents now run as expected.

Previously, when a value of 0 was specified for the runinterval setting, Windows agents ran every 30 minutes.

Now, a setting of 0 causes the agents to run continuously as expected.

Resolved issue with catalog compilation.

Addressed an issue where catalog compilation would fail when running the puppet lookup command with the --

compile option when server facts were present in the catalog.

Puppet | Release notes | 12

Resolved issue to ensure that the Puppet agent service starts automatically.

In certain circumstances, when Puppet was successfully installed or upgraded on Microsoft Windows Server 2019 or

2022, the Puppet agent service did not restart automatically as expected. This fix helps to ensure that the service starts

running without user intervention. Community member rismoney submitted the issue, which was fixed by another

community member, vibe.

Deprecated Security-Enhanced Linux (SELinux) methods are replaced.

Deprecated SELinux methods of the matchpathcon family such as Selinux.matchpathcon are replaced by

supported SELinux methods such as Selinux.selabel_lookup. This update does not require any action by

Puppet users. Community member wbclark contributed to this fix.

For performance reasons, a change related to splay limits was reverted.

In the Puppet 8.7.0 release, a defect was corrected to ensure that any splay setting updates in the Puppet configuration

file (puppet.conf) would be applied to daemonized Puppet runs. However, the fix resulted in an unexpected side

issue that caused splays to be frequently recalculated, potentially delaying Puppet startup times. The change was

reverted.

Contributors

The Puppet team appreciates all Puppet Community members who contributed content to the July 2024 releases and

extends special thanks to the following first-time contributors: @jiwonaid and @jordanbreen28.

Puppet 8.8.0

Puppet 8.8.0 was not released because of tagging issues.

Puppet 8.7.0

Released June 2024. This release introduces support for new operating systems.

GitHub releases

Additional details about release updates are available on GitHub. For more information, go to the following sites:

Facter

Puppet

Puppet Agent

Puppet Runtime

Enhancements

New operating systems

You can now install Puppet agent on the following new operating systems:

• Amazon Linux 2 (aarch64)

• Fedora 40 (x86_64)

• Red Hat Enterprise Linux 9 for Power (ppc64le)

Major version upgrade for curl

Curl is now upgraded in Puppet agent to Version 8.7.1. This version of curl is designed to enhance security and

stability.

Puppet | Release notes | 13

Security

CVE-2024-27282

Upgraded to Ruby 3.2.4 to address CVE-2024-27282.

Contributors

The Puppet team appreciates the Puppet Community members who contributed content for recent releases and

extends special appreciation to these first-time contributors: anhpt37, Animeshz, garrettrowell, smokris, tlehman, and

yakatz.

Puppet 8.6.0

Released April 2024.

GitHub Releases

More details about what has changed in this release are available on GitHub. Visit the following links for more

information:

Facter

Puppet

Puppet Agent

Puppet Runtime

Enhancements

Option to disable catalog messages

Added a boolean Puppet setting to disable "notice" level messages specifying which server the agent requests a

catalog from and which server actually handles the request. Catalog messages are enabled by default. PUP-12023

package: pacman provider: Add purgeable feature

Added an option to the pacman provider to purge config files. This feature was contributed by community member

bastelfreak.

Update core modules

Updated all core modules. In particular, this update includes:

• Removal of concurrent-ruby as a dependency

• Support for Amazon Linux

Resolved issues

Non-literal class parameter types need to be deprecated.

Previously, non-literal class parameters caused errors due to the different default values of the strict setting.

puppet parser validate also returned non-zero exit codes. Now the issue is a language deprecation, so

a warning is generated and puppet parser validate returns 0. All language deprecation warnings can be

disabled by setting disable_warnings=deprecations in the main section of puppet.conf. PUP-12026

Package provider "pip" not fully functional with network urls on Ubuntu 22.04.

Puppet's pip package provider now supports installing python modules via network URLs, e.g. source => 'git

+https://github.com/<org>/<repo>.git'. Fix contributed by community member smokris. PUP-12027

Puppet | Release notes | 14

Provider dnfmodule prompts user to trust gpg key when performing module list.

Added assumeyes option to dnf module list. Fix contributed by community member loopiv.

Puppet resource returns zero if it fails to make changes

Added new --fail command line flag for Puppet resource.

Remove Accept-Encoding header on redirect

Previously, Puppet copied all request headers in an HTTP redirect, including Accept-Encoding. In some cases when

HTTP compression was enabled, the response failed to decompress, then failed to parse and triggered a vague error.

This change strips the Accept-Encoding headers on redirect, allowing Ruby's built-in Net::HTTP to both compress

and decompress the traffic.

Accept UnaryMinusExpression as class parameter type

Previously, class parameters of the form Integer[-1] $param failed compilation, because the value -1 was

lexed as a UnaryMinusExpression containing a LiteralInteger. And since the LiteralEvaluator didn't implement

theliteral_UnaryMinusExpression method, the visitor called literal_XXX for each ancestor class, until

reaching literal_Object, which always raises.

This adds the literal_UnaryMinusExpression method and returns -1 times the expression it wraps.

If strict is off, the issue is ignored. If strict is warning, a warning is reported, but compilation continues. If

strict is error, compilation fails.

Security

Upgrade OpenSSL

Upgraded openssl to version 3.0.13 to address the following CVEs: CVE-2023-5678; CVE-2023-6129;

CVE-2023-6237; CVE-2024-0727. PA-6131

Vulnerabilities in curl

Backported patches for CVE-2024-2004 and CVE-2024-2398 in curl 7.88.1. PA-6291

New Digicert code-signing cert

Windows MSI are now signed with a new certificate, valid until March 2027. The Issuing CA is "DigiCert Trusted

G4 Code Signing RSA4096 SHA384 2021 CA1".

Puppet 8.5.1

Released March 2024.

Resolved issues

Using a negative value with the integer type assertion on a class causes a compilation error.

Previously, negative values caused a compilation errors when used with the integer type assertion on a class. This

has been fixed. PUP-12024

Puppet 8.5.0

Released February 2024.

Puppet | Release notes | 15

Enhancements

Debian 12 (x86_64) support

Added support for Debian 12 (x86_64). PA-5549

Debian 12 (ARM) support

Added support for Debian 12 (ARM). PA-5747

Note: Support for Amazon Linux 2023 (ARM, x86_64), Debian 11 (ARM) and macOS 14 (ARM, x86_64) was

added in Puppet 8.4.0.

Resolved issues

Syntactically incorrect types cause nil types in

Puppet::InfoService::ClassInformationService

Previously, when a type was incorrectly specified, Puppet’s class_information_service ignored the error

and produced an empty type specification. Puppet now produces a warning and assigns a default type in the nil

case. PUP-11981.

Puppet 8.4.0

Released January 2024.

Enhancements

Bump concurrent-ruby to 1.2.2

Bumped concurrent-ruby gem to 1.2.2. PA-5960

Add logging of server hostnames when requesting configuration

Puppet agents now log server hostnames when requesting catalogs. PUP-11899

Add logging of which Puppet Server handled catalog requests

Puppet agents now log the FQDN name of the server that compiled the catalog. This is useful when there are multiple

compilers behind a load balancer. PUP-11900

Update package & service providers for Amazon Linux 2023

Updates Amazon Linux 2023's default package and service providers to DNF and SystemD, respectively. Contributed

by GitHub user vchepkov. PUP-11976

Debian 11 (ARM) support

Added support for Debian 11 (ARM).

Amazon Linux 2023 support

Added support for Amazon Linux 2023.

MacOS 14 support

Added support for MacOS 14.

Puppet | Release notes | 16

Resolved issues

puppet-agent-7.25: selinux Bindings broken on RHEL9.1

Fixed an issue introduced in 7.25.0 that prevented Puppet from managing selinux if the system libselinux libraries

were previous to version 3.5. PA-5632

RHEL 8 FIPS agent fails to start after upgrade to Puppet 8

Fixed an issue that prevented the RHEL 8 FIPS agent from starting after upgrading to Puppet 8. PA-5786

/opt/puppetlabs/puppet/bin/openssl fails to load library dependencies on AIX

Set RPATH for openssl 1.1.1 to load dependencies from Puppetlabs libdir in order to ensure that /opt/

puppetlabs/puppet/bin/opensslloads its library dependencies that were shipped in the puppet-agent

package. PA-5925

Puppet agent on Solaris 11 x86 fails when updated to SRU >= 57

Fixed a regression that prevented the ffi gem's native extension from loading on newer versions of Solaris 11.4.

PA-5929

Puppet chooses wrong service default provider on Gentoo if systemd is used

Systemd is now the default service provider on Gentoo. Fix contributed by community member bastelfreak.

PUP-11593

Resources resource type should be marked as apply_to_all

Enables resources metatype compatibility with both hosts and devices. Contributed by GitHub user seanmil.

PUP-11666

"Total number of facts" warning not counting array elements

Puppet incorrectly counted array elements and hash keys when determining if the number of facts exceeded the total

fact count soft limit. This has been fixed. PUP-11685

Lazily deferred evaluation may not work if type implements autorequire, etc

The command parameter for an exec resource can now be deferred. PUP-11937

dnfmodule fails to enable module with ensure version and no default stream

Puppet can now manage dnfmodule packages with ensure values other than present such as ensure =>

'1.4'. Fix contributed by community member evgeni. PUP-11985

Security

Upgrade OpenSSL

Upgraded OpenSSL to 3.0.12. PA-5864

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38546. PA-5861

Puppet 8.3.1

Released November 2023.

Puppet | Release notes | 17

Enhancements

Ship FIPS compatible Java key store in fips agents

FIPS Puppet agent builds now include a FIPS-compatibile java keystore.

The following Certificate Authorities were also added and removed:

• create

Atos_TrustedRoot_Root_CA_ECC_TLS_2021:2.16.61.152.59.166.102.61.144.99.247.126.38.87.56.4.239.0.crt

• create

Atos_TrustedRoot_Root_CA_RSA_TLS_2021:2.16.83.213.207.230.25.147.11.251.43.5.18.216.194.42.162.164.crt

• create BJCA_Global_Root_CA1:2.16.85.111.101.227.180.217.144.106.27.9.209.108.62.192.108.32.crt

• create BJCA_Global_Root_CA2:2.16.44.23.8.125.100.42.192.254.133.24.89.6.207.180.74.235.crt

• create Certainly_Root_E1:2.16.6.37.51.177.71.3.51.39.92.249.141.154.185.191.204.248.crt

• create Certainly_Root_R1:2.17.0.142.15.249.75.144.113.104.101.51.84.244.212.68.57.183.224.crt

• create DigiCert_TLS_ECC_P384_Root_G5:2.16.9.224.147.101.172.247.217.200.185.62.28.11.4.42.46.243.crt

• create

DigiCert_TLS_RSA4096_Root_G5:2.16.8.249.180.120.168.250.126.218.106.51.55.137.222.124.207.138.crt

• delete E-Tugra_Certification_Authority:2.8.106.104.62.156.81.155.203.83.crt

• delete EC-ACC:2.16.238.43.61.235.212.33.222.20.168.98.172.4.243.221.196.1.crt

• delete Hellenic_Academic_and_Research_Institutions_RootCA_2011:2.1.0.crt

• delete Hongkong_Post_Root_CA_1:2.2.3.232.crt

• delete

Network_Solutions_Certificate_Authority:2.16.87.203.51.111.194.92.22.230.71.22.23.227.144.49.104.224.crt

• create SSL.com_TLS_ECC_Root_CA_2022:2.16.20.3.245.171.251.55.139.23.64.91.226.67.178.165.209.196.crt

• create

SSL.com_TLS_RSA_Root_CA_2022:2.16.111.190.218.173.115.189.8.64.226.139.77.190.212.247.91.145.crt

• create

Sectigo_Public_Server_Authentication_Root_E46:2.16.66.242.204.218.27.105.55.68.95.21.254.117.40.16.184.244.crt

• create

Sectigo_Public_Server_Authentication_Root_R46:2.16.117.141.253.139.174.124.7.0.250.169.37.167.225.199.173.20.crt

• create Security_Communication_ECC_RootCA1:2.9.0.214.93.155.179.120.129.46.235.crt

• create Security_Communication_RootCA3:2.9.0.225.124.55.64.253.27.254.103.crt

• delete Staat_der_Nederlanden_EV_Root_CA:2.4.0.152.150.141.crt

PA-4813

Bump augeas to 1.14.1

Updated the augeas component of Puppet agent to from 1.13.0 to 1.14.1. PA-4938

CAUTION: This update changes the PubkeyAcceptedAlgorithms setting in /etc/ssh/

sshd_config from a string to a list.

Example: the line 'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa' in the following

code block:

augeas { 'sshd_allow_rsa':

incl => '/etc/ssh/sshd_config',

lens => 'Sshd.lns',

context => '/files/etc/ssh/sshd_config/Match/',

changes => [

'set Condition/Address 192.168.0.3',

'set Condition/User user',

'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',

]

Puppet | Release notes | 18

}

must be changed to 'set Settings/PubkeyAcceptedAlgorithms/seq::*[.="ssh-rsa"]

ssh-rsa' following this update.

Add RHEL 9 (ARM64) support

Puppet now supports RHEL 9 (ARM64). PA-4998

Add Ubuntu 22.04 (ARM64) support

Puppet now supports Ubuntu 22.04 (ARM64). PA-5050

Make split() sensitive aware

The split function now accepts sensitive values and returns a Sensitive[Array]. This change was contributed

by community user cocker-cc. PUP-11429

Freeze string literals

String literals are now frozen or immutable by default. PUP-11841

Log openssl version and fips mode

Puppet agent now logs the openssl version along with ruby and Puppet versions when running in debug mode.

PUP-11930

Monkey patch {File,Dir}.exists?

Added a monkey patch in Ruby for Puppet code using older Ruby language exists? method. PUP-11945

Resolved issues

puppet ssl clean <REMOTE CERT> clears local private key and local certificate

puppet ssl clean <argument> now prints an error that <argument> is unexpected instead of deleting the

local certificate and private key. PUP-11895

100% usage of a CPU core when an exec command sends EOF

Previously, Puppet could cause excessive CPU utilization on *nix if a child process closed stdin. This has been fixed.

Fix contributed by community user bugfood. PUP-11897

string.new generates strings with unexpected encoding

A regression was introduced in Puppet 8.0.0 which caused the epp and inline_epp functions to return a binary

string. If the value was assigned to the parameter of an exported resource, then the parameter's value was converted

to base64 in PuppetDB. Any agents that collected the resource then received the base64 encoded value. This release

fixes the regression so the functions return a UTF-8 string. PUP-11932

puppet/lib/puppet/pops/time/timespan.rb:637: warning: passing a block to

String#codepoints is deprecated

Eliminated a warning when running on JRuby 9.4 and using the Timespan data type. PUP-11934

Puppet | Release notes | 19

Correct inaccurate comment in find_file() function

Updated find_file function documentation. This fix was contributed by community member pillarsdotnet.

PUP-11940

epp and inline_epp functions return binary strings

Fixed a regression that caused the epp and inline_epp functions to return binary strings instead of UTF-8

encoded strings. This resulted in exported resources being stored as base64 in puppetdb, breaking any node that

collected those resources. Fix contributed by community member smortex. PUP-11943

Update host_autorenewal_interval Puppet setting documentation

Previously documentation implied that host_autorenewal_interval refreshes in 30 days regardless of

when it expires by default. Documentation was updated to better reflect actual behavior where implementation only

attempts to renew its client cert if the cert expires within N days from now. PUP-11944

Error when using {File,Dir}.exists? in Ruby

Added a patch for some Puppet code using older Ruby language exists? method.

Security

Upgrade OpenSSL

Upgraded OpenSSL to 3.0.11 to address CVE-2023-4807. PA-5783

Patch Curl in puppet-runtime

Patched Curl to address CVE-2023-38545. PA-5848

Deprecations and removals

Remove TrustCor CA certs

The following CA certs were removed:

• TrustCor_ECA-1:2.9.0.132.130.44.95.28.98.208.64.crt

• TrustCor_RootCert_CA-1:2.9.0.218.155.236.113.243.3.176.25.crt

• TrustCor_RootCert_CA-2:2.8.37.161.223.202.51.203.89.2.crt

PA-4809

Puppet 8.3.0

This version was never released.

Puppet 8.2.0

Released August 2023.

Enhancements

macOS 13 support

Added support for macOS 13. PA-4772

Puppet | Release notes | 20

Upgrade hiera-eyaml to 3.4+

Upgraded the hiera-eyaml component to 3.4. PA-5633

Add agent renew REST implementation

Added a method to send a client certificate renewal request to puppetserver. PUP-11854

Add Puppet setting to configure renewal interval

Added a setting for how often a node attempts to automatically renew its client certificate. PUP-11855

Retry failed CA & CRL refreshes sooner than the next interval

Puppet now attempts to refresh its CA and CRL sooner if initial attempts fail. PUP-11869

Send auto-renew attribute in CSR

Puppet now has an auto-renew attribute. If the agent supports auto-renewal, this attribute is added to the CSR

(Certificate Signing Request) when it is generated and is used by Puppet Server to determine if auto-renewal TTL

needs to be enabled for a given agent.

Agents that either do not have the hostcert_renewal_interval setting or have it set to 0 do not support auto-

renewal and do not have the auto-renew attribute. PUP-11896

Resolved issues

ffi and nokogiri gem use the wrong architecture when cross compiling

Fixed an issue where some gems would get built using the wrong architecture when cross compiling. PA-5666

certname with .pp in the middle doesn't pick up its own manifest

Fixed an issue where manifests with .pp in their file names were not imported. PUP-11788

The --no-preprocess_deferred option breaks deferring of Sensitive file content

It is now possible to specify the content property for file resources as containing a Deferred function that

returns a Sensitive value when lazily evaluating deferred values (the default behavior in 8.x or when setting

Puppet[:preprocess_deferred] false in 7.x). For example: content => Deferred('new',

[Sensitive, "password"]). PUP-11846

"Sleeping" agents raise "attempt to read body out of block (IOError)"

Previously, the agent erroneously tried to read a response body after closing the connection when a Puppet server

requested the agent retry. Now when the agent is told to retry, the agent waits the specified sleep duration and does

not error trying to read the request body after closing the connection. PUP-11853

puppet-resource_api bug with ruby 3.2 and integer munging

Updated puppet-resource_api to enable Ruby 3.2 compatibility. PA-5641

CRL authorityKeyIdentifier is not printed in Puppet 8

Fixed a regression in Puppet 8.x which caused the agent to omit the authorityKeyIdentifier extension for its CRL.

PUP-11849

Puppet | Release notes | 21

Security

Upgrade OpenSSL

Upgraded OpenSSL to address various vulnerabilities (CVE-2023-3817, CVE-2023-3446, CVE-2023-2975,

CVE-2023-0464). PA-5699

Bump Ruby URI component for CVE-2023-36617

Patched Ruby to address a vulnerability in the URI gem (CVE-2023-36617). PA-5638

Puppet 8.1.0

Released June 2023.

Enhancements

Refresh cached Puppet CA on Puppet client

Puppet agents will now attempt to refresh their CA certificate(s) once per day. The frequency is controlled by a new

Puppet setting: ca_refresh_interval. PUP-10639

Resolved issues

Removed dependency on private class Concurrent::RubyThreadLocalVar

The Puppet::ThreadLocal class no longer relies on concurrent-ruby's private

Concurrent::RubyThreadLocalVar class and instead uses Concurrent::ThreadLocalVar.

PUP-11723

Yumrepo target attribute does not work

Using the yumrepo resource, enables the target parameter to set the filepath for a Yum repository to an arbitrary

filepath or to an existing repository file. Thank you to community member nabertrand for this contribution. PA-5187

Security

Bump curl to 7.88.1

Upgraded the curl component from 7.86 to 7.88.1 to address several security vulnerabilities. PA-5393

Puppet 8.0.0

Released April 2023.

Enhancements

Freeze string literals

String literals are now immutable by default. PUP-11841

Strict mode enabled by default

For Puppet 8, strict mode is on by default, meaning strict defaults to error and strict_variables defaults

to true. With strict set to error, extra validation & checks are performed and fail as an error. This change could

be a breaking change if your code does not conform to strict mode.

Examples of code that does not conform to strict mode:

Puppet | Release notes | 22

• Accessing a variable without first defining it: notice($myvar)

• Accessing a legacy fact: notice($facts['osfamily'])

• Coercing a string into a numeric: "1" + 1

To return to the previous behavior, set, strict to warning and strict_variables to false. PUP-11725

Change default value of exclude_unchanged_resources

Puppet reports no longer contain detailed information about resources already matching their desired state. Doing so

reduces the amount of data stored in PuppetDB in the most common case when nothing has changed. The previous

behavior can be enabled by setting exclude_unchanged_resources=false in puppet.conf on each agent.

PUP-11684

Drop Hiera 3 Requirement

Hiera 3 is no longer a hard dependency for Puppet. PUP-11621

Change default crl_refresh_interval to 1 day

Puppet agent now defaults to refreshing its certificate revocation list (CRL) once every 24 hours. PUP-11602

Evaluate deferred functions lazily by default

Deferred functions follow normal resource relationships and ordering, so it is now possible to install a dependency

for a deferred function and call the deferred function in a single agent run. The previous behavior can be enabled by

setting preprocess_deferred=false in puppet.conf on each agent. PUP-11526

Exclude legacy facts by default

Legacy facts are no longer collected on Puppet agent or sent to Puppet server. This saves network bandwidth and

reduces Puppetserver's memory footprint when using templates.

Since legacy facts are not available during compilation, they cannot be referenced in Puppet code, ERB/EPP

templates or Hiera configuration. The legacy_facts puppet-lint plugin can help identify and automatically correct

legacy fact usage in Puppet code. For more information visit https://github.com/puppetlabs/puppet-lint/blob/main/lib/

puppet-lint/plugins/legacy_facts/legacy_facts.rb.

Legacy facts can be re-enabled by setting include_legacy_facts=true in puppet.conf on each agent.

PUP-11430

Replace c_rehash script with native openssl implementation

Puppet agent 8 no longer bundles the c_rehash binary. Instead, users must rely on the bundled openssl binary's

subcommand rehash. Example: /opt/puppetlabs/puppet/bin/openssl rehash. PA-4265

MRI Ruby 3.2

Puppet agent vendors Ruby 3.2. Ruby 3.2 has several notable breaking changes that may affect Puppet extensions,

such as functions, custom facts, types & providers, report processors, etc. For a complete list visit: https://github.com/

puppetlabs/puppet/wiki/Puppet-8-Compatibility#ruby-32-compatibility

If Puppet is installed as a gem, then it requires Ruby 3.1 or greater.

OpenSSL 3.0

Puppet agent vendors OpenSSL 3.0. If an application compiles against Puppet's openssl, then the application must be

recompiled. For more information visit https://www.openssl.org/docs/man3.0/man7/migration_guide.html

Puppet | Release notes | 23

Resolved issues

selinux: undefining the allocator of T_DATA class swig_runtime_data

Patch selinux ruby native extension for Ruby 3.2 compatibility. PA-4844

ruby-shadow failing in Ruby 3.2

Patch shadow ruby native extension for Ruby 3.2. PA-4843

Deprecations and removals

Remove Windows ENV patches on Ruby 3

The Puppet::Util methods for getting, setting, clearing and merging environment variables are still available,

but are deprecated and will be removed in the next major release. Puppet 8 now uses Ruby's built-in ENV class to

manage environment variables on Windows. PUP-11348

Remove extra cli option

The extra CLI option, which was previously hidden, has been entirely removed. PUP-11119

Drop openssl man pages and html docs

OpenSSL man pages and html docs are no longer included in Puppet agent. PA-4908

Drop Hiera 3 Component

This is a breaking change. The Hiera 3 gem is no longer vendored in puppet-agent packages, but may be installed

separately.

If you rely on a Hiera 3 backend (a class that extends Hiera::Backend), you must convert your backend to

Hiera 5 using the steps found at https://www.puppet.com/docs/puppet/latest/hiera_migrate.html, or manually

install the Hiera 3 gem on all Puppet Server hosts. This change does not affect Hiera 5, puppet lookup or the

hiera_include, hiera_hash, etc set of functions. PA-4646

Drop PSON support

Support for the PSON (Pure JSON) serialization format has been removed. Puppet agents may fail if binary data

is accidentally added to the catalog without using the Binary data type or binary_file function. For more

information visit https://www.puppet.com/docs/puppet/latest/lang_data_binary.html.

It is possible, but not recommended, to reenable PSON support by installing the puppet-pson gem on all agents and

server hosts and setting preferred_serialization_format=pson in puppet.conf on each agent.

Puppet known issues

These are the known issues in this version of Puppet.

Puppet lookups fail to interpolate topscope variables when an environment is specified

In Puppet 6.26 and 7.14, the lookup command fails to resolve toplevel facts in hiera configs if you're using the

--environment option. For example, if you use a toplevel variable like "nodes/%{fqdn}.yaml", Puppet

interpolates the variable as an empty string. As a workaround, use trusted facts or specify the fact value using

the "facts" hash, such as "%{facts.hostname}". This issue can be resolved by upgrading to Puppet 7.15.0.

PUP-11437

Puppet | Release notes | 24

User and group management on macOS 10.14 and above requires Full Disk Access (FDA)

To manage users and groups with Puppet on macOS 10.14 and above, you must grant Puppet Full Disk Access

(FDA). You must also grant FDA to the parent process that triggers your Puppet run. For example:

• To run Puppet in a server-agent infrastructure, you must grant FDA to the pxp-agent.

• To run Puppet from a remote machine with SSH commands, you must grant FDA to sshd.

• To run Puppet commands from the terminal, you must grant FDA to terminal.app.

To give Puppet access, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the

path to the Puppet executable, along with any other parent processes you use to run. For detailed steps, see Add full

disk access for Puppet on macOS 10.14 and newer. Alternatively, set up automatic access using Privacy Preferences

Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

The puppet node clean command fails for users who have their cadir in the legacy location

In Puppet 7, the default location of the cadir has moved. If you have it in the old location, most upgrades trigger

a warning when executing commands from Puppet. It causes the puppet node clean command to fail.

PUP-10786

Hiera knockout_prefix is ineffective in hierarchies more than three levels deep

When specifying a deep merge behaviour in Hiera, the knockout_prefix identifier is effective only against

values in an adjacent array, and not in hierarchies more than three levels deep. HI-223

Specify the epoch when using version ranges with the yum package provider

When using version ranges with the yum package provider, there is a limitation which requires you to specify the

epoch as part of the version in the range, otherwise it uses the implicit epoch `0`. For more information, see the RPM

packaging guide. PUP-10298

Deferred functions can only use built-in Puppet types

Deferred functions can only use types that are built into Puppet (for example String). They cannot use types from

modules like stdlib because Puppet does not plugin-sync these types to the agent. PUP-8600

The Puppet agent installer fails when systemd is not present on Debian 9

The puppet-agent package does not include sysv init scripts for Debian 9 (Stretch) and newer. If you have

disabled or removed systemd, puppet-agent installation and Puppet agent runs can fail.

Upgrading Windows agent fails with ScriptHalted error

Registry references to nssm.exe were removed in PA-3263. Upgrading from a version without this update to a

version that contains it triggers a Windows SecureRepair sequence that fails if any of the files delivered in the

original *.msi package are missing. This is an issue when upgrading to one of the following Puppet agent versions:

5.5.21, 5.5.22, 6.17.0, 6.18.0, 6.19.0, 6.19.1, 6.20.0, 7.0.0, 7.1.0 or 7.3.0. To work around this issue, put the *.msi

file for the currently installed version in the C:\Windows\Installer folder before you upgrade. Starting with

Puppet agent 6.21.0 and 7.4.0, the nssm.exe registry value will be replaced with an empty string, instead of the

registry key being removed, to avoid triggering Windows SecureRepair. PA-3545

The Puppet agent installer fails when systemd is not present on Debian 9

In versions less than 7.4.0, the puppet-agent package does not include sysv init scripts for Debian 9 (Stretch) and

newer. If you had disabled or removed systemd, the puppet-agent installation and agent runs could fail. This is

now fixed. PA-2028

Puppet | Release notes | 25

Puppet Server release notes

Puppet Server 8.6.2

Released July 2024 and shipped with Puppet 8.8.1.

JRuby is updated to address minor security issues. The JRuby implementation is updated from 9.4.7.0 to 9.4.8.0.

With this update, Puppet Server is shipped with Bouncy Castle 1.78.1, which addresses minor security issues.

Issues resolved to improve performance during JRuby initialization. When a JRuby instance is initialized, Puppet

compiles and applies a catalog containing resources for the configured directories. When several JRuby instances are

initialized in parallel, the catalog processes can impair performance and cause race conditions. This release resolves

issues to ensure that you can specify settings_catalog=false to successfully prevent the settings catalog

from being applied during initialization.

Puppet Server 8.6.1

Released June 2024 and shipped with Puppet 8.7.0.

In this release, Puppet Server supports machines with more than 2 TB of RAM. Additional updates were introduced

to reduce Puppet Server startup times. JRuby was upgraded to 9.4.7.0 to improve core functionality.

Puppet Server now supports machines with more than 2 TB of random-access memory (RAM). This update was

requested by Puppet Community member level-a.

Puppet Server creates JRuby instances concurrently to reduce startup times. You can specify a concurrency

level by setting a value for the jruby-puppet.instance-creation-concurrency option in the

puppetserver.conf file. The default value is 3. Puppet Server still creates one instance before other instances,

and then creates the other instances concurrently. The concurrency update is designed to reduce the time required for

starting Puppet Server and flushing JRuby instances. For more information, see puppetserver.conf.

JRuby is updated to improve core functionality. The JRuby implementation is updated from 9.4.3.0 to 9.4.7.0. The

update introduces many minor improvements in JRuby core functionality and provides additional support for Matz’s

Ruby Interpreter (Ruby MRI) 3.1.

An update is implemented to help prevent stack overflows. In previous releases, stack overflows could be

observed when too many events occurred in the certificate authority directory (cadir). In this release, a defect

related to the file-system watcher is resolved to help prevent stack overflows.

An update is implemented to prevent false warnings caused by variable shadowing. In previous releases, after

starting Puppet Server, shadowing warnings were sometimes issued. To resolve the issue, the relevant dependencies

were updated.

An update is implemented to help ensure that the Puppet::Util::Execution.execute method works as

designed. When running in Puppet Server, the method now passes the current working directory as the cwd option.

As an experimental feature to further reduce startup times, Puppet Server can now be started without

applying a settings catalog. To test this feature, create all configured paths before starting Puppet Server.

Then, disable the settings catalog by specifying settings_catalog=false in the server section of the

puppet.conf file. This experimental feature is designed to accelerate creation of JRuby instances and thus shorten

Puppet Server startup times.

Puppet Server 8.6.0

Released April 2024 and shipped with Puppet 8.6.0.

Include action collection functionality. Added action collection. This feature is only used in Puppet Enterprise.

Puppet Server 8.5.0

Released February 2024 and shipped with Puppet 8.5.0.

Puppet | Release notes | 26

Bulk signing logging. Adjusted logging for the bulk signing endpoint.

Improved schema validation logging.

Missing gems in JRuby 9.4. Re-bundled the following gems:

• matrix (0.4.2)

• minitest (5.15.0)

• net-ftp (0.1.3)

• net-imap (0.2.3)

• net-pop (0.1.1)

• net-smtp (0.3.1)

• power_assert (2.0.1)

• prime (0.1.2)

• rake (13.0.6)

• rexml (3.2.5)

• rss (0.2.9)

• test-unit (3.5.3)

SERVER-3264

Puppet Server 8.4.0

Released January 2024 and shipped with Puppet 8.4.0.

Added bulk signing endpoint.

Update CRL issuer. Updated the issuer for the generated CRL to ensure it has the same value as the original CRL.**

Regenerate CRLs. Ensured CRLs are regenerated when nearing expiration.

Analytics service. Adjusted analytics service to explicitly stop the jobs it is running when shutting down.

Added certname as header for help debugging. PUP-11973

Rubygems. Updated rubygems shipped with puppetserver (concurrent-ruby) to fix memory leak.

Fixed dropsonde configuration option CONFDIR env variable. (SERVER-3263)

Puppet Server 8.3.0

Released November 2023 and shipped with Puppet 8.3.1.

Update puppet-infra serial in CA. Ensured infra-serial is up to date. PE-36952

Puppet Server 8.2.1

Released August 2023 and shipped independently.

ca's reverse proxy service fails to proxy new renewal endpoints. Puppet Server now supports the use of x-

client-cert headers when the requesting server is also in the infrastructure inventory list. This allows agent

requests to be proxied through the Puppet Enterprise CA. PE-36761

Puppet Server 8.2.0

Released August 2023 and shipped with Puppet 8.2.0.

Operating Systems support. Added support for RHEL 9 and Ubuntu 22.04.

Default values for certificate renewal are changed. The default value of the auto-renewal-cert-ttl and

default-auto-ttl-renewal parameters was changed from 60 to 90 days.

Puppet | Release notes | 27

Puppet Server 8.1.0

Released June 2023 and shipped with Puppet 8.1.0.

No release notes.

Puppet Server 8.0.0

Released April 2023 and shipped with Puppet 8.0.0.

Enhancements

Upgrade JRuby to 9.4. Puppet Server vendors JRuby 9.4, which implements most of the Ruby 3.1 interface.

We recommend extension authors avoid Ruby language features added in 3.1 and later, as well as avoiding any

deprecated Ruby language features removed in Ruby 3.0, 3.1, or 3.2. SERVER-3167

Deprecations and removals

Deprecate Java 8 for Puppet Server in Platform 7. Puppet Server and PuppetDB no longer support Java 8, as

mentioned in https://groups.google.com/g/puppet-dev/c/yg0YjNwhnTg/m/URqRFzanAgAJ. Java 17 is the preferred

version to run Puppet Server and PuppetDB. Puppet Server will support Java 11 for as long as supported Operating

Systems only have Java 11 available. SERVER-2782

Puppet Server known Issues

For a list of all known issues, visit our Issue Tracker.

Access CA endpoint to update CRLs

Puppet Server 7.2.0 and 6.16.0 include the following new API endpoint: PUT /puppet-ca/v1/

certificate_revocation_list. To update this endpoint, you must update the endpoint's rule to be

type regex instead of path in the configuration file at /etc/puppetlabs/puppetserver/conf.d/

auth.conf.

Cipher updates in Puppet Server 6.5

Puppet Server 6.5 includes an upgrade to the latest release of Jetty's 9.4 series. With this update, you may see "weak

cipher" warnings about ciphers that were previously enabled by default. Puppet Server now defaults to stronger FIPS-

compliant ciphers, but you must first remove the weak ciphers.

The ciphers previously enabled by default have not been changed, but are considered weak by the updated standards.

Remove the weak ciphers by removing the cipher-suite configuration section from the webserver.conf.

After you remove the cipher-suite, Puppet Server uses the FIPS-compliant ciphers instead. This release includes

the weak ciphers for backward compatibility only.

The FIPS-compliant cipher suites, which are not considered weak, will be the default in a future version of Puppet. To

maintain backwards compatibility, Puppet Server explicitly enables all cipher suites that were available as of Puppet

Server 6.0. When you upgrade to Puppet Server 6.5.0, this affects you in in two ways:

The 6.5 package updates the webserver.conf file in Puppet Server's conf.d directory.

When Puppet Server starts or reloads, Jetty warns about weak cipher suites being enabled.

This update also removes the so-linger-seconds configuration setting. This setting is now ignored and a

warning is issued if it is set. See Jetty's so-linger-seconds for removal details.

Note: On some older operating systems, you might see additional warnings that newer cipher suites are

unavailable. In this case, manage the contents of the webserver.cipher-suites configuration

value to be those strong suites that available to you.

Puppet | Release notes | 28

Server-side Ruby gems might need to be updated for upgrading from JRuby 1.7

When upgrading from Puppet Server 5 using JRuby 1.7 (9k was optional in those releases), Server-side gems that

were installed manually with the puppetserver gem command or using the puppetserver_gem package

provider might need to be updated to work with the newer JRuby. In most cases gems do not have APIs that break

when upgrading from the Ruby versions implemented between JRuby 1.7 and JRuby 9k, so there might be no

necessary updates. However, two notable exceptions are that the autosign gem should be 0.1.3 or later and yard-doc

must be 0.9 or later.

Potential JAVA ARGS settings

If you're working outside of lab environment, increase ReservedCodeCache to 512m under normal load. If you're

working with 6-12 JRuby instances (or a max-requests-per-instance value significantly less than 100k), run

with a ReservedCodeCache of 1G. Twelve or more JRuby instances in a single server might require 2G or more.

Similar caveats regarding scaling ReservedCodeCache might apply if users are managing MaxMetaspace.

tmp directory mounted noexec

In some cases (especially for RHEL 7 installations) if the /tmp directory is mounted as noexec, Puppet Server may

fail to run correctly, and you may see an error in the Puppet Server logs similar to the following:

Nov 12 17:46:12 fqdn.com java[56495]: Failed to load feature test for posix:

can't find user for 0

Nov 12 17:46:12 fqdn.com java[56495]: Cannot run on Microsoft Windows

without the win32-process, win32-dir and win32-service gems: Win32API only

supported on win32

Nov 12 17:46:12 fqdn.com java[56495]: Puppet::Error: Cannot determine basic

system flavour

This is caused by the fact that JRuby contains some embedded files which need to be copied somewhere on the

filesystem before they can be executed (see this JRuby issue). To work around this issue, you can either mount the

/tmp directory without noexec, or you can choose a different directory to use as the temporary directory for the

Puppet Server process.

Either way, you'll need to set the permissions of the directory to 1777. This allows the Puppet Server JRuby process

to write a file to /tmp and then execute it. If permissions are set incorrectly, you'll get a massive stack trace without

much useful information in it.

To use a different temporary directory, you can set the following JVM property:

-Djava.io.tmpdir=/some/other/temporary/directory

When Puppet Server is installed from packages, add this property to the JAVA_ARGS and JAVA_ARGS_CLI

variables defined in either /etc/sysconfig/puppetserver or /etc/default/puppetserver,

depending on your distribution. Invocations of the gem, ruby, and irb subcommands use the updated

JAVA_ARGS_CLI on their next invocation. The service will need to be restarted in order to re-read the JAVA_ARGS

variable.

Puppet Server Fails to Connect to Load-Balanced Servers with Different SSL

Certificates

SERVER-207: Intermittent SSL connection failures have been seen when Puppet Server tries to make SSL requests

to servers via the same virtual ip address. This has been seen when the servers present different certificates during the

SSL handshake.

Puppet | Release notes | 29

Facter release notes

These are the new features, resolved issues, and deprecations in this version of Facter.

Facter 4.8.0

Released July 2024 and shipped with Puppet 8.8.1.

Enhancements

• Support for Microsoft Azure Linux. Operating system facts were added for users of the Microsoft Azure Linux

distribution.

• Update for the Arch Linux distribution. Operating system facts are now supported on Arch Linux. Community

member bastelfreak contributed this update.

• Support for the CRI-O container runtime. CRI-O is an implementation of the Kubernetes Container Runtime

Interface that supports Open Container Initiative-compatible runtimes. Community member lollipopman

contributed this update.

• New fact for x86_64 CPU microarchitecture levels. A fact was added to reflect the levels of x86_64 CPU

microarchitectures.

Resolved issues

AIX mountpoints now include server names. Previously, Facter excluded the server name for mountpoints on IBM

AIX. In this release, the mountpoint server names are included in the servername:/path/to/mountpoint

format as reported for other operating systems.

Facter 4.7.1

Released June 2024 and shipped with Puppet 8.7.0.

Enhancements

• Facter now accepts new versions of the ffi Ruby gem. An update was implemented to ensure that Facter will

remain compatible with new releases of ffi.

Facter 4.7.0

Released April 2024 and shipped with Puppet 8.6.0.

Enhancements

• Support for OpenBSD. Added support for OpenBSD. This addition contributed by community member

buzzdeee. FACT-3163

Resolved issues

• Re-add Ruby 2.5 support. Added support for Ruby 2.5.

• Use of cloud provider facts can result in nil dereferences. Patched the two cloud providers' access to metadata

to avoid nil dereferences.

• Evaluate confine block in case-insensitive way. Previously, when a user provided a confine block, Facter would

downcase the value when evaluating it. This change retains the existing behavior of evaluating a confine block

with a downcased fact value, while adding evaluation with the raw fact value to ensure expected behavior.

Puppet | Release notes | 30

Facter 4.6.1

Released March 2024 and shipped with Puppet 8.5.1.

Resolved issues

• Regression in os.windows facts. In Facter 4.6.0, the value parameter was misnamed, causing incorrect

values to be returned. This has been fixed. FACT-3455

Facter 4.6.0

Released February 2024 and shipped with Puppet 8.5.0.

No release notes.

Facter 4.5.2

Released January 2023 and shipped with Puppet 8.4.0.

Enhancements

• Add ssh {384,521} ecdsa facts. Fixed a regression in Facter 4 that prevented it from reporting on 384 and 521-bit

ecdsa ssh keys.

Resolved issues

• Reported memory usage is wrong on FreeBSD. Corrected memory usage facts on FreeBSD. Community

contribution from user smortex.

• Size calculations for AIX block device and partitions. Facter on AIX incorrectly reported the total size of disks

and overcounted the partition size when logical volumes were mirrored to multiple physical volumes. This has

been fixed. Community contribution from user loopway.

• uname resolver does not handle empty results. Fixed an issue where Facter would error when uname did not

return valid output.

• Facter on Solaris 10 does not close socket descriptors, causing puppet run failures. Fixed an issue where

Facter would error when many network interfaces were present on a Solaris machine.

• Not enough os.distro.release information for Amazon Linux. The os.distro.release.full and

os.release.full facts now return all version components such as "2023.1.20230912".

• Cloud fact does not resolve on Amazon Linux 2023. Facter now correctly resolves the cloud fact to aws and

virtual fact to kvm when running on Nitro hypervisors.

Facter 4.5.1

Released November 2023 and shipped with Puppet 8.3.1.

Resolved issues

• Non-hash external fact data in YAML or JSON files causes fatal exceptions in Facter 4. Fixed an issue where

an external fact of an invalid data type caused a fatal exception in Facter. FACT-3433

• New fact error after upgrading v2021.7.5. Fixed an issue where DMI facts caused an error in Solaris non-global

zones. FACT-3435

Facter 4.4.3

Released October 2023 and shipped individually.

Resolved issues

• Required gem not included as runtime dependency A runtime dependency (sys-filesystem) was mistakenly

removed in Facter 4.4.2, which caused some filesystem-related facts to cause an error when running Facter as a

gem. This dependency has been re-added to Facter. FACT-3423

Puppet | Release notes | 31

Facter 4.4.2

Released August 2023 and shipped with Puppet 8.2.0.

Resolved issues

• Facter 4 reports os.name as "SLES_SAP" on Suse Linux for SAP instead of just "SUSE". This along with

FACT-3422 fixed how Facter reads the /etc/os-release file. os.name and os.distro facts work on

SLES SAP operating system now. FACT-3162

• Facter fails on mountpoints fact on Solaris 10 with non-global zones which have NFS mounts. Fixed an

issue with the Solaris mountpoint resolver. FACT-3187

• Error on on Solaris non-global zone after upgrading to PE2021.7.2. Facter guards against nil when

determining the primary interface for the networking fact. FACT-3188

• Don't rescue NoMethodError. When rescuing LoadError and NameErrors, Facter logs a descriptive message

at an error level so debugging Facter will be easier and error messages will not be hidden in the debug level.

FACT-3207

Facter 4.4.1

Released June 2023 and shipped with Puppet 8.1.0.

Resolved issues

• Facter on Solaris 10 leak file descriptors, causing Puppet run failures. Facter no longer leaks file descriptors

when attempting to resolve network interfaces. FACT-3196

• Facts with regular expression matching characters in the name of the fact cause Facter 4 to crash.

Previously, regex metacharacters were not escaped when parsing names. The fix for FACT-3178 also fixed this

issue. FACT-3199

• Facter trying to resolve augeas version on Windows. Facter no longer tries to resolve the augeas fact on

Windows since augeas packages and gems are not shipped for any Windows platforms for Puppet agent packages.

FACT-3197

• facter -p --no-external-facts is unusable. Facter no longer raises when run with the -p and --

no-external-facts option. Previously, this occurred because Facter thought the --external-dir option

(which cannot be used with --no-external-facts) was also passed in.

• Facter mixes up Oracle Linux and Red Hat. os.distro.description and os.distro.id facts were

previously misreporting Oracle Linux as Red Hat Linux, fixed now. FACT-3180

• Facter ldom.domainrole.impl fails on Solaris 11, SPARC. Now, when Facter searches for a fact that

matches the user query, regex metacharacters, like dots (.), are escaped. Previously, metacharacters were not

escaped which resulted in a regex that compared fact names to the user query to resolve and return the wrong fact.

FACT-3178

• Networking facts on AIX incomplete if network device is in down state. On AIX, if the network was in down

state, Facter errored out. Now Facter correctly resolves the network information. FACT-3167

• Facter fails on the /etc/os-release that contains the #. /etc/os-release files can have comments

(#) without raising an error. Comments are allowed in these files according to: https://www.man7.org/linux/man-

pages/man5/os-release.5.html. FACT-3151

• gce.project.attributes.sshKeys is a string instead of an array. Facter 4 now correctly returns

the value of the gce.project.attributes.sshKeys fact as an array of strings as it did in Facter 3.

FACT-3136

• Processor ISA fact on Linux reports wrong data if the string contains a period. Facter no longer modifies

uname -p output when reporting the processors.isa fact on Linux platforms. FACT-3089

• Facter 4 fails to guard against recursion. Facter 3 guarded against recursive calls to facter inside external

facts; this has now been added to Facter 4. If an external fact calls out to facter without specifying the no-

external-facts, Facter warns the user and skips falling into calling facter recursively. FACT-2772

Puppet | Release notes | 32

Facter 4.4.0

Released April 2023 and shipped with Puppet 8.0.0.

Enhancements

• Switch to require_relative. Facter now uses require_relative instead of require. FACT-3184

Facter 4.3.1

Released April 2023 and shipped with Puppet 7.24.0.

No release notes.

Facter 4.3.0

Released February 2023 and shipped with Puppet 7.23.0.

We would like to thank the following Puppet community members for their contributions to this release: smortex.

Resolved issues

• facter.resolve returns a subclass of Hash, not Hash. The facter.resolve API in Facter 4 now

returns a Hash instead of a subclass of Hash, as it did in Facter 3. FACT-3179

• Facter resolves facts multiple times when providers are confined based on facts, especially on Windows.

Facter 4 previously did not use any cache information when looking up a fact or value Facter method. This now

uses cache information when using the fact or value methods. FACT-3170

• Facter incorrectly filters IPv6 link-local unicast addresses. Facter now excludes IPv6 link-local unicast

addresses (fe80::/10) correctly. Fix contributed by smortex. FACT-3171

Deprecations and removals

• Drop Ruby 2.3-2.4 support. Dropped support for Ruby 2.3 and 2.4, which went end-of-life in 2019 and 2020

respectively. FACT-3147

Facter 4.2.13

Released October 2022 and shipped with Puppet 7.20.0.

Resolved issues

• Networking facts generating conversion error: ERROR Facter::InternalFactManager - U+FFFF

to CP850 in conversion from UTF-16LE to UTF-8 to CP850. Fixed a bug that prevented Facter from

resolving its domain fact on Windows due to invalid strings in unrelated registry values. FACT-3145

• ec2_metadata is missing on FreeBSD. Restored ec2_metadata fact to Facter 4 on FreeBSD. Contirbuted

by Puppet community member raybellis. FACT-3137

• ipaddress_* and ipaddress6_* facts missing on FreeBSD. Restored the ipaddress legacy facts on

FreeBSD. Contributed by Puppet community member smortex. FACT-3130

• custom-dir is silently skipped if it is not absolute path. Fixed a regression in Facter 4 that prevented the user

from specifying a custom directory using a relative path on the command line. Contributed by Puppet community

member smortex. FACT-3078

Facter 4.2.12

Released September 2022 and shipped with Puppet 7.19.0.

Enhancements

• Support for ERB changes introduced in Ruby 3.1. Facter now supports ERB changes introduced in Ruby 3.1.

FACT-3102

Puppet | Release notes | 33

Resolved issues

• YAML anchors no longer function properly in Facter 4. Enabled YAML anchors in Facter 4, a feature that

was available previously in Facter 3. Additionally, testing was added to ensure Facter continues to behave as

expected when handling YAML anchors. FACT-3135

• Facter 4 Does Not Support Built-In Windows Commands. Facter 3.x special-cased echo for Windows to

allow it to run using the built-in for a Windows shell; Facter 4 upgrade neglected to include this special case. This

fix adds that special case back in. FACT-3133

Facter 4.2.11

Released August 2022 and shipped with Puppet 7.18.0.

Enhancements

• Extend cloud.provider fact to Google Compute Engine The cloud.provider fact now returns gce

when running on Google Compute Engine. Contributed by Puppet community member natemccurdy. FACT-1557

Resolved issues

• Facter does not parse UTF-8 encoded facts Fixed an issue where, in the C locale, Facter failed to parse YAML-

based external facts when the contents were UTF-8 encoded. FACT-3113

• Failed to get networking information: "\xE5" to UTF-8 in conversion from

ASCII-8BIT to UTF-8 to UTF-16LE Fixed an issue where Facter failed to collect networking

information on some Windows hosts due to encoding issues. FACT-3109

Facter 4.2.10

Released May 2022 and shipped with Puppet 7.17.0.

We would like to thank the following Puppet community members for their contributions to this release: kajinamit,

nbarrientos.

Resolved issues

• Facter fails when using cached facts in a read-only filesystem. Facter no longer errors when using cached facts

from a read-only filesystem. FACT-3116

• virt-what-1.22-1 changes virtual=kvm to virtual=redhat. Resolved issue parsing output from virt-what

on a KVM system. FACT-3115

• Windows 11 shows up as Windows 10 21H2. Corrected os.release facts for Windows 11. FACT-3090

Facter 4.2.9

This version was never released.

Facter 4.2.8

Released March 2022 and shipped with Puppet 7.15.0.

Resolved issues

• fact disks cannot get serial of disks. Updated Facter to use the full path for lsblk, so fact disks can

now show serial of disks. FACT-3100

Facter 4.2.7

Released January 2022 and shipped with Puppet 7.14.0.

No release notes.

Puppet | Release notes | 34

Facter 4.2.6

Released December 2021 and shipped with Puppet 7.12.0.

We would like to thank the following Puppet community members for their contributions to this release: johanfleury

and smortex.

New features

• Add serial number and WWID to disk fact. Added disks serial number and WWID to the disks fact.

FACT-3083

Resolved issues

• DEBUG Facter::Resolvers::Aix::Mountpoints - Could not resolve mountpoints

when running facter mountpoints --debug on AIX. Fixes Facter AIX mountpoint resolver to add

correct data to the mountpoint fact when using NFS mountpoints. FACT-3094

• os.name value changed for OS VirtuozzoLinux. Restored Facter3's value of os.name for VirtuozzoLinux.

FACT-3087

• Facter fails if there are invalid characters in dmidecode. Replaced invalid UTF characters in dmi.rb.

FACT-3081

• Caching not working for some custom facts. When using Facter.value(:fact_name) inside a custom

fact, caching did not work properly, as it cached the value from the inner fact instead of the actual fact. Now it

correctly caches the required fact, by skipping writing the cachefile when it is not required. FACT-3079

• Inconsistent values coming from facter-ng output. Fixed Facter 4 output for yaml external facts when the

fact value is false. FACT-3077

• --log-level none throws exception. Before this release, Facter 4 did not accept none as a log level even

though it was supported as per --help output. This fix aligns the behaviour with Facter 3 by accepting none as

a log level. FACT-3074

• Facter timezone utf8 problem. This release adds a new timezone resolver specific to Windows which checks

the system codepage and uses it for encoding the timezone fact to avoid unwanted characters on non-English OS.

FACT-3068

Facter 4.2.5

Released October 2021 and shipped with Puppet 7.12.0.

We would like to thank the following Puppet community members for their contributions to this release: johanfleury

and smortex.

New features

• DisplayVersion fact for Windows. This release adds a new fact called

os.windows.display_version. This fact reads the version from the DisplayVersion registry key.

FACT-3058

• Option to show HTTP debug logs. This release adds the --http_debug option to the Facter CLI. This option

displays the HTTP debug logs. FACT-3047

Resolved issues

• Mismatched processor frequencies found on AIX. Previously, Facter added all the processors found in

the ODM query, without checking their status. Now if the status is not available, Facter skips the processor.

FACT-2955

• Facter API does not resolve custom facts that match legacy facts. Previously, custom facts with names that

partially matched core legacy facts were resolved as expected in the Facter CLI, but not when using the API. In

these cases, the Facter::FactManager did not resolve custom facts if core or external facts had results.

This release adds a new method to check if the user query matches the name of resolved facts, and then decides

whether to resolve the custom facts. FACT-3067

Puppet | Release notes | 35

• Inconsistencies with the Facter::Core::Execution.execute timeout. This release fixes

inconsistencies with the Facter::Core::Execution.execute arguments between Facter 3 and Facter

4. The .execute method now accepts a timeout option, and warns when unsupported options are passed in.

Contributed by Puppet community members johanfleury and smortex. FACT-3073

• Windows 2022 detected as Windows 2019. The os.release.full and os.release.major facts now

correctly detect Windows 2022 and output 2022, instead of 2019. FACT-3075

Facter 4.2.4

Released September 2021 and shipped with Puppet 7.11.0.

Resolved issues

• AIX reporting "could not resolve mountpoints" error. This release fixes a faulty regex on AIX that skipped

lines with a node substring and resulted in the "could not resolve mountpoints" error. FACT-3060

• AIX reporting "odd number of arguments for hash". This release fixes a faulty regex on AIX that reported the

“odd number of arguments” error when resolving mountpoint facts. FACT-3059

• Facter Ruby API binding fails to resolve facts from environment variables. This release fixes an issue where

environment facts were not downcased before being added to the fact collection. Note that names are always

downcased internally and are case-insensitive. FACT-3057

• Facter unable to get processor speed on macOS 11 arm64. This release fixes an issue with sysctl that

resulted in Facter reporting invalid values for the processors fact. FACT-3063

Facter 4.2.3

Released August 2021 and shipped with Puppet 7.10.0.

Enhancements

• Reduced logs emitted. This release reduces the number of redundant logs emitted by Facter. FACT-3001

Resolved issues

• The pacman package provider fails in Facter >= 4.1.1. This release fixes the operatingsystem fact on

Archlinux and Manjarolinux. FACT-3043

Facter 4.2.2

Released July 2021 and shipped with Puppet 8.8.1.

Resolved issues

• Incorrect license for lib/facter/custom_facts/core/legacy_facter.rb?. The top level

LICENSE file has been changed from MIT to Apache 2.0. FACT-3053

Facter 4.2.1

Released June 2021 and shipped with Puppet 7.8.0.

Enhancements

• Add flags to the help menu. This release adds the following short flags to the help menu: -v [--version], -

p [--puppet] and -h [--help]. FACT-3044

• Facter retrieves Ec2 metadata using IMDSv2. This release improves the way Facter retrieves

ec2_metadata by using IMDSv2 instead of IMDSv1. In this release, Facter automatically uses IMDSv2 to

retrieve an AWS token to add to the X-aws-ec2-metadata-token header. FACT-3042

Puppet | Release notes | 36

Resolved issues

• Facter 4 CLI did not accept concatenated short flags. Facter 3 allowed short flags to be combined, such as `-

jp` or -jd. In Facter 4, you must declare short flags separately, such as -j -p or -j -d. FACT-3046

• Ec2 resolver failed because of nil tokens. Facter returned failing Rspec tests if a token was nil before sending

an HTTP request. The HTTP request gathers any required data to resolve the Ec2 fact. To solve this issue, Facter

now no longer sends HTTP requests if a token is nil.FACT-3050

• Incorrect use of ffi_lib on Windows. This release fixes how ntdll.dll was loaded on Windows.

FACT-3048

Facter 4.2.0

Released June 2021 and shipped with Puppet 7.7.0.

We would like to thank the following Puppet community members for their contributions to this release: ccaviness,

b4ldr, ekohl, and lollipopman.

New features

• New os.macosx.version.patch fact. The os.macosx.version.minor fact has been split into an

additional os.macosx.version.patch fact (on macOS 11+). Contributed by Puppet community member

ccaviness. FACT-3031

• New flags key. This release adds a flags key to the networking.interfaces.*.bindings6

fact, which parses the lower 8-bit encoded flags from /proc/net/if_inet6. Note that the higher bit flags

(managetempaddr, noprefixroute, mcautojoin, stableprivacy) are not shown in the fact output.

Contributed by Puppet community member b4ldr. FACT-2907

Enhancements

• Ruby 3 added to the test matrix. This release adds support for Ruby 3 and updates the test matrix. Contributed

by Puppet community member ekohl. FACT-3029

• Facter gem on Ruby 3. You can now install the Facter gem on Ruby 3. FACT-3027

• Improved fact matching and filtering. This release improves the mechanism of fact filtering and matching by

unifying the functionality. FACT-3006

Resolved issues

• Invalid rubysitedir value when Ruby is compiled without sitedir. This release fixes an issue where

Facter reported an invalid value for the ruby.sitedir fact — if Ruby was compiled without the sitedir

option. FACT-3041

• Undefined method each_line for nil:NilClass. This release fixes a bug where multi-line commands

executed through the Facter::Util::Resolution API were not expanded correctly. FACT-3040

• Facter executes which lsblk and which blkid for each partition. This release fixes an issue where

Facter executed which lsblk and which blkid for each partition. Now these commands are executed once

per Facter run, improving performance and log readability. FACT-3035

• Facter returns TypeError on non-existent indexes. Previously, when accessing array values by indexes,

Facter raised a TypeError if a non-existent index was searched. This is now fixed and Facter no longer errors.

FACT-3030

• Facter 4 calls deprecated xen-toolstack script when resolving the xen fact. Previously, Facter called the

xen-toolstack script when resolving the xen fact. This script is deprecated, and now Facter only calls it if

multiple xen stacks are installed. Contributed by Puppet community member lollipopman. FACT-3023

• Mountpoint file error. Previously, when a mountpoint file could not be read, or was missing, Facter threw an

error, without specifying which mountpoint file had failed. The error is now silent, allowing Facter to continue

resolving facts. You can still see the error when running Facter with debug logging enabled. FACT-2928

Puppet | Release notes | 37

Facter 4.1.1

Released April 2021 and shipped with Puppet 7.6.1.

We would like to thank the following Puppet community members for their contributions to this release: ananace.

Enhancements

• The processors fact includes sockets and threads details. This release adds the cores per

socket and threads per core information to the processors fact. FACT-2992

Resolved issues

• Facter 4 user query overwritten when Facter is called outside of setcode in a custom fact file. This release

fixes an issue where custom facts failed to resolve because nested Facter calls overwrote user queries. FACT-3025

• Facter.fact returns an object when the queried fact does not exist. When resolving facts that do not exist,

Facter now returns nil, instead of an object of the ResolvedFact type with the value nil. FACT-3024

• InfiniBand MAC addresses not resolved. Facter can now handle InfiniBand when reporting MAC addresses.

Contributed by Puppet community member ananace. FACT-3021

Facter 4.1.0

Released April 2021.

Resolved issues

• Auto promoting dotted facts to structured facts is incompatible. This release reverts the way Facter 4 treats

dots in fact names to the same behaviour as Facter 3. This means that by default, any dot in a custom or external

fact name is considered part of the fact name and not a delimiter for structured facts. This fix also adds the

force-dot-resolution global setting — which you can set to re-enable the Facter 4 behavior, converting

dotted facts to structured facts. FACT-3004

• Facter cannot autoload the provider from stdlib inside puppetserver REPL shell. Previously, Facter

failed to execute the first external command when running under JRuby. This issue only appeared when running

puppetserver from source — packaged versions were not affected. This is now fixed. FACT-2999

• Facter breaks when querying custom facts. Previously, Facter showed misleading values or errors when

querying for non-existent facts via CLI and Facter.value. This is now fixed. FACT-2998

• Domain facts cannot be resolved on travis without the FFI gem. This release fixes an issue that prevented

FQDN facts resolving in situations where FFI was not installed. FACT-2997

• Performance regression networking facts in Facter 4.x. This release fixes an issue with primary interface

detection where the default route discarded packages. FACT-2996

• The selinux fact is not properly detected by Facter 4. Facter 4 now takes the same approach as Facter 3 —

checking for both the mounted selinux filesystem and the configuration file. If either are absent, Facter does

not fill in the selinux fact. FACT-2994

• Facter 4.0.52 does not return the fqdn fact. The Linux networking resolver now loads FFI if previous tries of

getting the host information have failed. FACT-2989

• Facter takes 20+ seconds on Windows due to Azure metadata query. Previously, the cloud fact could take

over 20 seconds to resolve on Windows because Ruby was not respecting the HTTP connection timeout. Now

the fact is only resolved on HyperV machines and a new implementation in the Facter HTTP client avoids long

timeouts. FACT-2988

• Facter 4 outputs hypervisor facts differently on Amazon 7. This release changes the value of

hypervisor facts from a boolean to a string, matching the behavior of Facter 3. FACT-3007

• Facter 4 outputs hypervisors.zone.id facts differently on Solaris. This release changes the value of the

hypervisors.zone.id fact from a String to an Integer, matching the behavior of Facter 3. FACT-2987

• Facter 4 outputs mountpoints facts differently on macOS. This release fixes differences in the

mountpoints.options facts on macOS, matching the behavior of Facter 3. FACT-2984

Puppet | Release notes | 38

• Facter 4 outputs mountpoints facts differently on Solaris. This release fixes differences in the

mountpoints fact on Solaris, matching the behavior of Facter 3. FACT-2982

• Facter 4 outputs ldom facts differently on Solaris SPARC. Facter 4 reported boolean values as strings for

Solaris LDOM facts. This is now fixed and the values are represented as boolean. FACT-2983

• Facter 4 outputs uptime facts differently on Windows. This release fixes differences in the uptime fact on

Windows, matching the behavior of Facter 3. FACT-2966

• Facter 4 outputs the processors.speed fact differently on AIX. This release fixes differences in the

processors.speed fact on AIX, matching the behavior of Facter 3. FACT-2965

• Facter 4 outputs MB facts differently to Facter 3. Facter no longer rounds values for MB facts, for example

memorysize_mb. FACT-2967

• Facter 4 outputs virtual facts differently on Amazon 6. The virtual fact is now detected as xen instead of

xenhvm on Amazon Linux 6. FACT-2986

• Facter 4 outputs the hypervisors fact differently on Amazon 7. This release fixes differences in the

hypervisors fact on Amazon 7, matching the behavior of Facter 3. FACT-3007

• Loopback IPv6 IP is not returned correctly. This release fixes the IPv6 address fact on Solaris. FACT-2981

• Facter ensures core facts are resolved before loading custom facts. This release updates the Facter.value

API to resolve facts in a similar way to Facter 3 — loading the fact_name.rb from the configured custom

directory, and then loading all core facts, external facts, environmental facts, and custom facts. FACT-2956

• VLAN interfaces are not properly discovered. VLAN interfaces with a dot in the name were not correctly

displayed in the networking fact. This is now fixed and the default networking resolver recognizes interfaces with

a dot in the name. FACT-2946

• Inconsistent handling of date types in custom facts. This release adds Date and Time as supported values for

custom facts. FACT-2930

Facter 4.0.52

Released March 2021 and shipped with Puppet 7.5.0.

We would like to thank the following Puppet community members for their contributions to this release: smokris..

New features

• Azure metadata fact. This release adds the az_metadata fact which provides information on Azure virtual

machine instances. For more information, see the Microsoft Azure instance metadata documentation. FACT-1383

• Azure identification fact. This release adds the cloud.provider fact for Azure identification on Linux and

Windows platforms. FACT-1847

Enhancements

• Dependency to lsb packages are missing The os.distro facts are now resolved without the lsb_release

on the following platforms: RHEL, Amazon, SLES. The information is read from the system in the same way.

Note that the os.distro.specification fact, which refers to lsb version, is available only if the

lsb_release has been installed. FACT-2931

• Linux networking resolver split into four classes. The Linux networking resolver was too large and has now

been split into four classes. The classes are: toSocketParser (gets data from the Ruby Socket library), DHCP

(gets all DHCP related data), RoutingTable (gets interface data from the ip route show command, if

something can not be retrieved with SocketParser) and the Linux resolver (combines the data from the other

classes). FACT-2915

Resolved issues

• Permission denied error when reading Facter cache during PE 2021 upgrade. Facter 4 no longer loads

facter.conf from the default location when running on jRuby. FACT-2959

• Facter 4 reports lsbmajdistrelease on Ubuntu differently from Facter 3. Previously, the

lsbmajdistrelease fact from Facter 4 was not showing the correct value on Ubuntu. This is now fixed and

aligns the fact's output with Facter 3. FACT-2952

Puppet | Release notes | 39

• Root of structured core facts cannot be overridden by a custom fact. Previously, the root of structured core

facts could not be overridden by a custom fact — because the top-level fact did not exist. This release updates the

QueryParser logic to return the root fact — if present in the loaded facts list — and allows redefinition of core

facts. FACT-2950

• Facter tries to load an incompatible libsocket.so on SmartOS. Previously, Facter tried to load an

incompatible (32-bit) libsocket.so from a hardcoded path using ffi and failed to retrieve networking facts.

Now, the library name is preferred and networking facts can be retrieved on SmartOS. Contributed by Puppet

community member smokris. FACT-2947

• Puppet Server creates another certname during upgrade. Previously, when upgrading Puppet 6 to Puppet 7 on

Linux, Facter failed to retrieve the domain using JRuby because the Socket.getaddrinfo calls failed. Now,

if any of the Socket method calls fail, Facter can retrieve the information using FFI methods. FACT-2944

• The puppet facts show command logs error when stdlib is installed. This release fixes an issue where

Facter.value did not return the fact value for a legacy fact. This happened when calling a legacy fact from a

custom fact or calling other Facter API methods before calling Facter.value. FACT-2937

• Facter 4 pe-bolt-server raises access denied error if cache is enabled. When Facter is unable to delete

the cache files, it now logs a warning message instead of returning error. FACT-2961

• Facter 4 does not accept the same time units as Facter 3. This release makes the following ttls time

units available in Facter 4: ns, nanos, nanoseconds, us, micros, microseconds, ms, milis,

milliseconds, s, m, h, d. Note that singular time units are also accepted, for example, mili and

nano.FACT-2962

• The Facter.conf file does not accept singular ttls units. Previously, Facter failed if the ttls unit in the

facter.conf file was a plural ("days" and "hours"). Facter now accepts a singular noun ("day" and "hour").

Facter 4.0.51

Released February 2021.

This release includes a resolved issue and minor maintenance changes. For the latest features, see the release notes for

Facter 4.0.50.

Resolved issues

• The facter -p command is now supported. The facter -p command did not work in versions Facter

4.0.50 and earlier. FACT-2818

Facter 4.0.50

Released February 2021 and shipped with Puppet 7.4.0.

Enhancements

• Networking fact improvements for AIX. The AIX networking resolver now uses FFI to detect networking

interfaces and IPs. Previously, VLANs and secondary IPs were not displayed. FACT-2878

• Improved performance for blocking legacy facts. This release improves the performance of blocking

legacy facts by implementing a different mechanism. The new mechanism does not allow legacy groups to be

overriden by a group with the same name in fact-groups. If you add a legacy group in fact-groups, it is

ignored. The new implementation is faster for use cases involving multiple custom facts that depend on core facts.

FACT-2917

Resolved issues

• Facter::Core::Execution does not set status variables in Facter 4. This release reimplements

Open3.popen3 to use Process.wait instead of Process.detach. FACT-2934

• Facter error message — no implicit conversion of nil into String — when determining

processor speed on Linux. Facter now handles processor speed values where log10 is not set (3, 6, 9, 12).

FACT-2927

Puppet | Release notes | 40

• Facter fails "closed" if the facter.conf file is invalid. Previously, Facter failed when an invalid config file

was provided. Facter now logs a warning message stating that the parsing of the config file failed and continues

retrieving facts with the default options. FACT-2924

• Domain on Windows does not prioritise registry. Facter now prioritises information from registry on Windows,

instead of network interface domain names. FACT-2923

• LinuxMint Tessa not recognized. Previously, the os.release fact was retrieved from the /etc/os-

release file, but Facter 3 read other release files based on operating system (OS). Now Facter retrieves

os.release from the specific release file for every OS. FACT-2921

Facter 4.0.49

Released January 2021 and shipped with Puppet Platform 7.3.0.

Resolved issues

• Aggregate facts are broken. Previously, Facter broke when trying to add a debug message for the location where

aggregate facts are resolved from. This only happened with aggregate facts that returned an array or hash without

having an aggregate block call. FACT-2919

Facter 4.0.48

Released January 2021.

Enhancements

• Rewritten tests for Linux networking resolver. This release refactors the Linux networking resolver, including

fixing the unit tests and adding new ones. FACT-2901

Resolved issues

• Facter 4.0.x does not return the domain correctly when set in the registry. Previously, Facter did not retrieve

the domain correctly on Linux and resulted in a faulty FQDN facts. Facter also failed to retrieve domain facts

when Windows did not expose the host's primary DNS suffix. This is now fixed. FACT-2882

• Legacy group blocks processors core fact. Blocking legacy facts no longer blocks processors core fact.

FACT-2911

• Facter Hocon output format. The --hocon option now functions as intended. FACT-2909

• Legacy blockdevice vendor and size facts not resolving. This release fixes blockdevice_*_size facts not

resolving on AIX, and blockdevice_*_vendor facts not resolving on Linux and Solaris. FACT-2903

• Facter detects OS family without checking or translating the information. Previously, Facter detected the OS

family by reading /etc/os-release without checking or translating the information. This is now fixed and

Facter translates the id_like field from /etc/os-release to Facter known families. FACT-2902

Facter 4.0.47

Released December 2020 and shipped with Puppet 7.1.0.

New features

• Added scope6 fact for per binding. This release adds the scope6 fact under every ipv6 address from the

interface.bindings6 fact. FACT-2843

• Support for AWS IMDSv2. This release updates the EC2 fact to use IMDSv2 to authenticate. To use v2, set the

AWS_IMDSv2 environment variable to true. Note that the token is cached for a maximum of 100 seconds.

Resolved issues

• Facter 4 does not resolve hostname facts. Previously, Facter failed when Socket.getaddrinfo was called,

which prevented retrieval of FQDN information. This is now fixed. FACT-2894

Puppet | Release notes | 41

• Gem-based Facter 4 does not log the facts in debug mode. This release adds log messages for resolved fact

values. FACT-2883

• Gem-based Facter 4 does not return the complete FQDN. Previously, domain was not retrieved correctly

on Linux based systems and resulted in a faulty FQDN fact. This release uses Ruby Socket methods to retrieve

domain correctly. FACT-2882

• Puppet 7 treats non existent facts differently to Puppet 6. This release excludes custom facts with nil value

from to_user_output, values and to_hash Ruby Facter API's. The custom facts with nil value are still

returned by value, fact and [] API's. FACT-2881

• Facts failing on machines with VLANs. With this release, dots in legacy fact names are ignored. They are

not used as an indicator of a fact hierarchy because legacy facts cannot compose and have a flat (key - value)

structure. FACT-2870

• Facter 4 changes is_virtual fact from boolean to string. This release fixes a regression that caused the

is_virtual to be a string instead of a boolean. FACT-2869

• External facts are loaded when using puppet lookup for a different node. The load_external API

method was missing in Facter 4. This is now fixed. FACT-2859

• Facter fails when the interface name is not UTF-8. Previously, a pointer used to indicate networking

information was being released by the GC too early and the memory was overridden, resulting in inconsistent

data. The fix extends the scope of the pointer so that the memory it points to does not release prematurely.

FACT-2856

• Failure when a structured custom fact has the wrong layout. This release adds a log message when custom

fact names are incompatible and a fact hierarchy cannot be created. FACT-2851

• Cannot retrieve local facts error. This release fixes an error thrown on systems with a low file descriptor limit.

FACT-2898

• Dig method fails on Puppet $facts. The Facter 4 API method to_hash returned a different data type to

Facter 3. This release ensures the to_hash method returns a Ruby Hash instance. FACT-2897

• Facter fails when trying to retrieve ssh facts. Facter now skips reading ssh keys it does not recognise.

FACT-2896

• Missing primary interface check on all platforms. Similar to Facter 3, this release adds a final check that

detects the primary interface from the IP. Localhost IPs are excluded. FACT-2892

• Facter 4.0.46 breaks virtual flag. Facter now checks whether the /proc/lve/list file is a regular file,

instead of checking if it is executable. FACT-2891

• Facter 4.0.46 does not load external fact files in lexicographical order. This is now fixed. FACT-2874

• Secondary interfaces are not reported. Networking.interfaces now display secondary interfaces (with

or without the label) and the VLANs.MAC address is correctly displayed for bonded interfaces. If DHCP is not

found, use the dhcpcd -U <interface_name> command to search. FACT-2872

Deprecations and removals

Update rake task for generating facts and tests. The scripts used to generate facts were outdated and had never

been used. This release removes them. FACT-2298

Facter 4.0.46

Released November 2020 and shipped with Puppet 7.0.0.

New features

• Operating system hierarchy. Facter 4 introduces a hierarchy for operating systems. The hierarchy allows you to

load facts from the child and all parents. If the same fact is present in a child and a parent, the one from the child

takes precedence. FACT-2555

• Rake task for mapping fact name and fact class. To improve the visibility of which facts are loaded for an

operating system, Facter 4 has a rake task that prints all facts and the class that resolved that fact. FACT-2557

• Blocklist. Facter 4 allows you to block facts at a granular level — you can block any fact from the fact hierarchy,

for both groups of facts and individual facts. FACT-1976

Puppet | Release notes | 42

• Block legacy facts. Legacy facts are a subtype of core facts and you can now block them, like any core fact, using

the blocklist from facter.conf. FACT-2259

• Block custom facts. Facter 4 allows you to block custom facts. You can add the fact to the blocklist from

facter.conf. FACT-2718

• Block external facts. Facter 4 allows you to block external facts. Blocking external facts is different from

blocking core and custom facts — you need to specify the name of the file from which external facts are loaded to

blocklist in facter.conf. FACT-2717

• The puppet facts show command. The facter -p and facter --puppet commands have been replaced

with puppet facts show. FACT-2719

• Group for legacy facts. The legacy group contains all the legacy facts. You can find it in lib/facter/

config.rb and can block it in facter.conf. FACT-2296

• The fact-groups group. You can define your own custom groups in facter.conf using the new fact-

groups group. The blocklist and ttls groups from facter.conf accept predefined groups, custom

groups or fact names. You must use the file name when using external facts. FACT-2331

• Define fact groups for blocking or caching. You can define new fact groups in facter.conf, and use the

group to block or cache facts. FACT-2515

• External fact caching. To cache external facts, use the filename of the external fact when setting the ttls in

facter.conf. FACT-2619

Enhancements

• CLI compatible with Facter 3. Facter 4 reimplemented the Facter 3 command line interface using thor gem.

FACT-1955

• Loaded facts based on operating system hierarchy. To improve performance, Facter 4 only loads the files and

facts that are needed for the operating system it is running on. FACT-2093

• Log class name in log messages. Improved logging in Facter 4 prints the class from which the log was generated.

FACT-2036

• Restored --timing option to native facter. The restored --timing and -t arguments allow you to see how

much time it took each fact to resolve. FACT-1380

• (Experimental). Reverted parallel resolution of facts. To improve performance, facts are resolved in parallel on

JRuby. FACT-2819

• Timeout on resolution. You can now specify the timeout attribute in custom fact options. FACT-2643

• Caching core facts . To cache core facts, add the fact group to facter.conf ttls. Fact values are stored and

retrieved on future runs. After the ttls expires, the fact is refreshed. FACT-2486

Resolved issues

• Fix Ruby 2.7 warning on Facter 4. Facter 4 now supports Ruby 2.7. FACT-2649

• Facter does not support timeout for shell calls. External commands have a timeout, and if they do not complete

in the given time, they are forced stop. The default timeout is 300 seconds. You can now specify a timeout using

the limit attribute in Facter::Core::Execution.execute. FACT-2793

• Fact names are treated as regex and can lead to caching of unwanted facts. The regex used to detect facts

has been improved to distinguish between fact groups and legacy facts. FACT-2787

• Facter uptime shows host uptime inside docker container. Previously, the kernel only reported the host uptime

inside a Docker container. You can now see the container uptime. FACT-2737

• A fact present in two groups does not get cached if the second groups has a ttls. If a fact is present in

two groups, and both of them have a ttls defined in facter.conf, the lowest ttls is takes precedence.

FACT-2786

Puppet | Release notes | 43

Facter 4 known issues

These are the known issues in this version of Facter.

Facter 4.7.1 cannot collect Google Cloud metadata

Because of a regression, Facter 4.7.1 cannot collect or read Google Cloud metadata. A fix has been identified and is

scheduled for inclusion in the next Puppet releases. #2731

The implementation of the dot notation is not compatible with the Puppet ecosystem

The implementation of the dot notation feature is not compatible with other parts of the Puppet ecosystem, and does

not give the fact the same name as Facter 3. For example, the supported puppetlabs-lvm module creates facts for

each volume group in the form of lvm_vg_<name>_pvs. If the volume group name contains a dot, Facter converts

the fact from a legacy fact to a structured fact. To access the fact using Puppet's dotted notation, you would need

to change your Puppet manifests, Hiera lookups, and Puppet Enterprise (PE) classification rules, causing breaking

changes. As a result, Facter 4.1 reverts back to the way Facter 3 handled facts with dotted names.

If you want to re-enable the Facter 4 behaviour — that converts a dotted fact to a structured fact — add the following

setting to your manifest:

global : {

force-dot-resolution : true

}

FACT-3004

Incorrect OS description output on Debian 9

Running the facter command in Facter 4 returns incorrect output for the os.distro.description fact on

Debian 9. This facts work correctly in Facter 3 and appears differently when running the puppet facts diff

command. FACT-2985

Incorrect output of the processors.speed fact on Linux

This is issue affects non-virtualized systems — with processors that support variable frequency. FACT-2980

Upgrading from Puppet 7 to Puppet 8

Before upgrading to Puppet 8, review the following recommendations and changes so that you can plan your upgrade

accordingly.

Note that this list is not intended to be exhaustive. It highlights changes that might require action after you upgrade.

For a full list of changes, including all deprecations and removals, see the Puppet 8 release notes.

Important: Always back up your installation before performing any upgrade.

MRI Ruby 3.2

Puppet 8 vendors Ruby 3.2. Ruby 3.2 has several notable breaking changes that may affect Puppet extensions, such as

functions, custom facts, types & providers, report processors, etc.

For a complete list visit: https://github.com/puppetlabs/puppet/wiki/Puppet-8-Compatibility#ruby-32-compatibility

Puppet | Release notes | 44

OpenSSL 3.0

Puppet agent vendors OpenSSL 3.0. If an application compiles against Puppet's openssl, then the application must be

recompiled when upgrading.

For more information visit https://www.openssl.org/docs/man3.0/man7/migration_guide.html

Hiera 3 component dropped

If you rely on a Hiera 3 backend (a class that extends Hiera::Backend), you must convert your backend to Hiera 5

using the steps found at https://www.puppet.com/docs/puppet/latest/hiera_migrate.html, or manually install the Hiera

3 gem on all Puppet Server hosts. This change does not affect Hiera 5, puppet lookup or the hiera_include,

hiera_hash, etc set of functions.

Legacy facts

Legacy facts are no longer collected on the agent or sent to Puppet server. Since legacy facts are not available during

compilation, they cannot be referenced in puppet code, ERB/EPP templates or Hiera configuration. If your puppet

code uses legacy facts, there are two ways to handle them when upgrading:

The legacy_facts puppet-lint plugin can help identify and automatically correct legacy fact usage in puppet code

(https://github.com/puppetlabs/puppet-lint/blob/main/lib/puppet-lint/plugins/legacy_facts/legacy_facts.rb).

If you need to keep legacy facts in your code, they can be re-enabled by setting include_legacy_facts=true

in puppet.conf on each agent.

The following table lists the unmapped legacy facts that cannot be automatically converted. If any of these unmapped

legacy facts are included in any Puppet code you use, you must remove the facts or manually replace them with a

close equivalent structured fact.

Unmapped legacy fact Close equivalent structured facts

memoryfree_mb

Returned a double specifying the size of the free system

memory, in mebibytes.

$facts['memory']['system'][available']

$facts['memory']['system']

['available_bytes']

See Facter documentation on memory.

memorysize_mb

Returned a double specifying the size of the total system

memory, in mebibytes.

$facts['memory']['system']['total']

$facts['memory']['system']

['total_bytes']

See Facter documentation on memory.

swapfree_mb

Returned a string specifying the size of the free swap

memory, in mebibytes.

$facts['memory']['swap']['available']

$facts['memory']['swap']

['available_bytes']

See Facter documentation on memory.

Puppet | Release notes | 45

Unmapped legacy fact Close equivalent structured facts

swapsize_mb

Returned a string specifying the size of the total swap

memory, in mebibytes.

$facts['memory']['swap']['used']

$facts['memory']['swap']['used_bytes']

See Facter documentation on memory.

blockdevices

Returned a string containing all block devices separated

by a comma.

Can be replicated using puppetlabs/stdlib and the

following:

join(keys($facts['disks']), ',')

interfaces

Returned a string containing all interfaces separated by a

comma.

Can be replicated using puppetlabs/stdlib and the

following:

join(keys($facts['networking']

['interfaces']), ',')

zones

Returned a string containing all zone names separated by

a comma.

Can be replicated using puppetlabs/stdlib and the

following:

join(keys($facts['solaris_zones']

['zones']), ',')

sshfp_dsa

Returned a string containing both the SHA1 and

SHA256 fingerprint for the DSA algorithm.

Can be replicated using the following string:

"$facts['ssh']['dsa']['fingerprints']

['sha1'] $facts['ssh']['dsa']

['fingerprints']['sha256']"

See Facter documentation on SSH.

sshfp_ecdsa

Returned a string containing both the SHA1 and

SHA256 fingerprint for the ECDSA algorithm.

Can be replicated using the following string:

"$facts['ssh']['ecdsa']

['fingerprints']['sha1'] $facts['ssh']

['ecdsa']['fingerprints']['sha256']"

See Facter documentation on SSH.

sshfp_ed25519

Returned a string containing both the SHA1 and

SHA256 fingerprint for the Ed25519 algorithm.

Can be replicated using the following string:

"$facts['ssh']['ed25519']

['fingerprints']['sha1'] $facts['ssh']

['ed25519']['fingerprints']['sha256']"

See Facter documentation on SSH.

sshfp_rsa

Returned a string containing both the SHA1 and

SHA256 fingerprint for the RSA algorithm.

Can be replicated using the following string:

"$facts['ssh']['rsa']['fingerprints']

['sha1'] $facts['ssh']['rsa']

['fingerprints']['sha256']"

See Facter documentation on SSH.

Puppet | Release notes | 46

Strict mode

Strict mode is now enabled by default. If Puppet code does not conform to strict mode, then catalog compilation will

fail. Examples of non-conforming code:

• Accessing a variable without first defining it: notice($myvar)

• Accessing a legacy fact: notice($facts['osfamily'])

• Coercing a string into a numeric: "1" + 1

The previous behavior can be enabled by setting strict_variables=false and strict=warning in

puppet.conf.

Experimental features

Released versions of Puppet can include experimental features to be considered for adoption but are not yet ready for

production. These features need to be tested in the field before they can be considered safe, and therefore are turned

off by default.

Experimental features can have a solid design but with an unknown performance and resource usage. Sometimes even

the design is tentative, and because of this, we need feedback from users. By shipping these features early in disabled

form, we want it to be easier for testing and giving feedback.

Risks and support

CAUTION: Experimental features are not officially supported by Puppet, and we do not recommend

that you turn them on in a production environment. They are available for testing in relatively safe scratch

environments, and are used at your own risk.

Puppet employees and community members do their best to help you in informal channels like IRC, and the puppet-

users and puppet-dev mailing lists, but we make no promises about experimental functionality.

Enabling experimental features might degrade the performance of your Puppet infrastructure, interfere with the

normal operation of your managed nodes, introduce unexpected security risks, or have other undesired effects.

This is especially relevant to Puppet Enterprise customers. If Puppet support is assisting you with a problem, we

might ask you to disable any experimental features.

Changes to experimental features

Experimental features are exempt from semantic versioning, which means that they can change at any time, and are

not limited to major or minor release boundaries.

These changes might include adding or removing functionality, changing the names of settings and other affordances,

and more.

Documentation of experimental features

The Puppet documentation contains pages for currently available experimental features. These pages are focused on

enabling a feature and running through the interesting parts of its functionality; they might lag slightly behind the

feature as implemented.

When a feature has experienced major changes across minor versions, we note the differences at the top of that

feature page.

Each feature page attempts to give some context about the status of that feature and its prospects for official release.

Giving feedback on experimental features

To help us keep improving Puppet, tell us more about your experience.

Puppet | Release notes | 47

The best places to talk about experimental features are the puppet-users and puppet-dev mailing lists. This tells us

what’s working and what isn’t, while also helping others learn from your experience. For more information about the

Puppet mailing lists, see the community guidelines for mailing lists.

For more immediate conversations, you can use the #puppet and #puppet-dev channels on irc.freenode.net. For more

information about these channels, see the community guidelines for IRC.

• Msgpack support on page 47

Puppet agents and primary servers communicate over HTTPS, exchanging structured data in JSON.

Msgpack support

Puppet agents and primary servers communicate over HTTPS, exchanging structured data in JSON.

Msgpack is an efficient serialization protocol that behaves similarly to JSON. It provides faster and more robust

serialization for agent-server communications, without requiring many changes in our code.

Important: When msgpack is enabled, the primary Puppet server and agent communicates using msgpack instead of

JSON.

Enabling Msgpack serialization

Enabling msgpack is easy, but first, it must be installed because the gem is not included in the puppet-agent or

puppetserver packages.

Install the msgpack gem on your primary server and all agent nodes.

If you are using the Puppet Enterprise test environment, make sure to use PE gem command instead of the system

gem command.

On *nix nodes, run the following command:

/opt/puppetlabs/puppet/bin/gem install msgpack

On Windows nodes, run the following command:

"C:\Program Files\Puppet Labs\Puppet\sys\ruby\bin\gem" install msgpack

On Puppet Server, run the following command and then restart the Puppet Server service:

puppetserver gem install msgpack

In the [agent] or [main] section of puppet.conf on any number of agent nodes, set the

preferred_serialization_format setting to msgpack. Read about the preferred_serialization_format

setting in the Configuration Reference.

After this is configured, the primary Puppet server uses msgpack when serving any agents that have

preferred_serialization_format set to msgpack. Any agents without that setting continue to receive

JSON as normal.

Archived documentation

Open source Puppet docs for recent end-of-life (EOL) product versions are archived in place, meaning that we

continue to host them at their original URLs, but we limit their visibility on the main docs site and no longer update

them. You can access archived-in-place docs using their original URLs, or from the links here.

Open Source Puppet docs for EOL versions earlier than those listed here are archived in our open source Puppet docs

archive.

Puppet | Puppet overview | 48

Puppet Version URL

6.28 https://puppet.com/docs/puppet/6/puppet_index.html

5.5 https://puppet.com/docs/puppet/5.5/puppet_index.html

Puppet overview

This introduction is intended for new users to Puppet. We go over what Puppet is, what problems it solves, and the

concepts and practices that are key to being successful with Puppet.

• What is Puppet? on page 48

Puppet is a tool that helps you manage and automate the configuration of servers.

• Why use Puppet desired state management? on page 49

There are many benefits to implementing a declarative configuration tool like Puppet into your environment — most

notably consistency and automation.

• Key concepts behind Puppet on page 50

Using Puppet is not just about the tool, but also about a different culture and a way of working. The following

concepts and practices are key to using and being successful with Puppet.

• The Puppet platform on page 51

Puppet is made up of several packages. Together these are called the Puppet platform, which is what you use to

manage, store and run your Puppet code. These packages include puppetserver, puppetdb, and puppet-

agent — which includes Facter and Hiera.

• Puppet platform lifecycle on page 53

The open source Puppet platform is made up of several packages: puppet-agent, puppetserver, and,

optionally, puppetdb. Understanding what versions are maintained and which versions go together is important

when upgrading and troubleshooting.

• Open source Puppet vs Puppet Enterprise (PE) on page 56

• The Puppet ecosystem on page 56

Alongside Puppet the configuration tool, there are additional Puppet tools and resources to help you use and be

successful. These make up the Puppet ecosystem

• Use cases on page 57

Puppet Forge has existing modules and code examples that assist with automating the following use cases:

• Glossary on page 57

The glossary defines terms used in Puppet documentation.

• Navigating the documentation on page 58

Puppet maintains a large amount of documentation and learning resources to help you learn Puppet. When navigating

the documentation, take note of the following.

What is Puppet?

Puppet is a tool that helps you manage and automate the configuration of servers.

When you use Puppet, you define the desired state of the systems in your infrastructure that you want to manage.

You do this by writing infrastructure code in Puppet's Domain-Specific Language (DSL) — Puppet code — which

you can use with a wide array of devices and operating systems. Puppet code is declarative, which means that you

describe the desired state of your systems, not the steps needed to get there. Puppet then automates the process of

getting these systems into that state and keeping them there. Puppet does this through Puppet server and a Puppet

agent. The Puppet server is the server that stores the code that defines your desired state. The Puppet agent translates

your code into commands and then executes it on the systems you specify, in what is called a Puppet run.

The diagram below shows how the server-agent architecture of a Puppet run works.

Puppet | Puppet overview | 49

The server and the agent are part of the Puppet platform, which is described in The Puppet platform — along with

facts, catalogs and reports.

Why use Puppet desired state management?

There are many benefits to implementing a declarative configuration tool like Puppet into your environment — most

notably consistency and automation.

• Consistency. Troubleshooting problems with servers is a time-consuming and manually intensive process.

Without configuration management, you are unable to make assumptions about your infrastructure — such as

which version of Apache you have or whether your colleague configured the machine to follow all the manual

steps correctly. But when you use configuration management, you are able to validate that Puppet applied the

desired state you wanted. You can then assume that state has been applied, helping you to identify why your

model failed and what was incomplete, and saving you valuable time in the process. Most importantly, once you

figure it out, you can add the missing part to your model and ensure that you never have to deal with that same

problem again.

Puppet | Puppet overview | 50

• Automation. When you manage a set of servers in your infrastructure, you want to keep them in a certain state.

If you only have to manage homogeneous 10 servers, you can do so with a script or by manually going into each

server. In this case, a tool like Puppet may not provide much extra value. But if you have 100 or 1,000 servers, a

mixed environment, or you have plans to scale your infrastructure in the future, it is difficult to do this manually.

This is where Puppet can help you — to save you time and money, to scale effectively, and to do so securely.

Check out the following video of how a DevOps engineer uses Puppet:

Key concepts behind Puppet

Using Puppet is not just about the tool, but also about a different culture and a way of working. The following

concepts and practices are key to using and being successful with Puppet.

Infrastructure-as-code

Puppet is built on the concept of infrastructure-as-code, which is the practice of treating infrastructure as if it were

code. This concept is the foundation of DevOps — the practice of combining software development and operations.

Treating infrastructure as code means that system administrators adopt practices that are traditionally associated with

software developers, such as version control, peer review, automated testing, and continuous delivery. These practices

that test code are effectively testing your infrastructure. When you get further along in your automation journey, you

can choose to write your own unit and acceptance tests — these validate that your code, your infrastructure changes,

do as you expect. To learn more about infrastructure-as-code and how it applies to Puppet, see our blog What is

infrastructure as code?.

Idempotency

A key feature of Puppet is idempotency — the ability to repeatedly apply code to guarantee a desired state on a

system, with the assurance that you will get the same result every time. Idempotency is what allows Puppet to run

continuously. It ensures that the state of the infrastructure always matches the desired state. If a system state changes

from what you describe, Puppet will bring it back to where it is meant to be. It also means that if you make a change

to your desired state, your entire infrastructure automatically updates to match. To learn more about idempotency, see

our Understanding idempotency documentation.

Agile methodology

When adopting a tool like Puppet, you will be more successful with an agile methodology in mind — working in

incremental units of work and reusing code. Trying to do too much at once is a common pitfall. The more familiar

you get with Puppet, the more you can scale, and the more you get used to agile methodology, the more you can

democratize work. When you share a common methodology, a common pipeline, and a common language (the

Puppet language) with your colleagues, your organization becomes more efficient at getting changes deployed

quickly and safely.

Git and version control

Git is a version control system that tracks changes in code. While version control is not required to use Puppet, it

is highly recommended that you store your Puppet code in a Git repository. Git is the industry standard for version

control, and using it will help your team gain the benefits of the DevOps and agile methodologies

When you develop and store your Puppet code in a Git repository, you will likely have multiple branches — feature

branches for developing and testing code and a production branch for releasing code. You test all of your code on

a feature branch before you merge it to the production branch. This process, known as Git flow, allows you to test,

track, and share code, making it easier to collaborate with colleagues. For example, if someone on your team wants

to make a change to an application's firewall requirements, they can create a pull request that shows their proposed

changes to the existing code, which everyone on your team can review before it gets pushed to production. This

process leaves far less room for errors that could cause an outage. For more information on version control, see the

GitHub guides Git flow and What is version control?.

Puppet | Puppet overview | 51

The Puppet platform

Puppet is made up of several packages. Together these are called the Puppet platform, which is what you use to

manage, store and run your Puppet code. These packages include puppetserver, puppetdb, and puppet-

agent — which includes Facter and Hiera.

Puppet is configured in an agent-server architecture, in which a primary node (system) controls configuration

information for one or more managed agent nodes. Servers and agents communicate by HTTPS using SSL

certificates. Puppet includes a built-in certificate authority for managing certificates. Puppet Server performs the role

of the primary node and also runs an agent to configure itself.

Facter, Puppet’s inventory tool, gathers facts about an agent node such as its hostname, IP address, and operating

system. The agent sends these facts to the primary server in the form of a special Puppet code file called a manifest.

This is the information the primary server uses to compile a catalog — a JSON document describing the desired state

of a specific agent node. Each agent requests and receives its own individual catalog and then enforces that desired

state on the node it's running on. In this way, Puppet applies changes all across your infrastructure, ensuring that each

node matches the state you defined with your Puppet code. The agent sends a report back to the primary server.

You keep nearly all of your Puppet code, such as manifests, in modules. Each module manages a specific task in your

infrastructure, such as installing and configuring a piece of software. Modules contain both code and data. The data

is what allows you to customize your configuration. Using a tool called Hiera, you can separate the data from the

code and place it in a centralized location. This allows you to specify guardrails and define known parameters and

variations, so that your code is fully testable and you can validate all the edge cases of your parameters. If you have

just joined an existing team that uses Puppet, take a look at how they organize their Hiera data.

All of the data generated by Puppet (for example facts, catalogs, reports) is stored in the Puppet database

(PuppetDB). Storing data in PuppetDB allows Puppet to work faster and provides an API for other applications

to access Puppet's collected data. Once PuppetDB is full of your data, it becomes a great tool for infrastructure

discovery, compliance reporting, vulnerability assessment, and more. You perform all of these tasks with PuppetDB

queries.

The diagram below shows how the Puppet package components fit together.

Puppet | Puppet overview | 52

Puppet | Puppet overview | 53

Puppet platform lifecycle

The open source Puppet platform is made up of several packages: puppet-agent, puppetserver, and,

optionally, puppetdb. Understanding what versions are maintained and which versions go together is important

when upgrading and troubleshooting.

Puppet releases and lifecycle

Open source Puppet has two release tracks:

• Update track: Puppet versions that are not associated with any PE version get updated minor (or "y") releases

about once a month. Releases in this track include fixes and new features, but typically do not get patch (or "z")

releases. Each update in this track supersedes the previous minor release. Documentation for the current release

is available at Welcome to Puppet. The latest Release notes on page 9 contain a history of all updates to this

release track.

• Long-term releases: Puppet versions associated with Puppet Enterprise LTS (long-term support) releases get

patch (or "z") releases about quarterly. Each release contains bug and security fixes from several developmental

releases, but does not get new features. Versioned documentation for long-term releases is available at

puppet.com/docs/puppet/<X.Y> (for example, puppet.com/docs/puppet/7.3).

Important: To ensure that you have the most recent features, fixes, and security patches, update your Puppet version

whenever there is a new version in your release track.

The following table lists the maintained Puppet, Puppet Server, and PuppetDB versions, with links to their respective

documentation. Developmental releases (known as latest) are superseded by new versions about once a month. Open

source releases that are associated with PE versions have projected End of Life (EOL) dates.

Puppet version Puppet Server

version

PuppetDB version Associated PE

version

Projected EOL date

8.8.1 8.6.2 8.7.0 2023.x Superseded by next

developmental

release.

7.32.1 7.17.2 7.19.1 2021.7.x Superseded by next

developmental

release.

6.28.0 6.20.0 6.22 2019.8.x February 2023

Tip: To access documentation for unmaintained Puppet versions, see Archived documentation on page 47.

For information about Puppet's operating system support, see System requirements on page 60.

Puppet platform packages

The Puppet platform bundles the components required for a successful deployment. Open source Puppet is distributed

in the following packages:

Package Contents

puppet-agent

This package contains Puppet’s main code and all of the

dependencies needed to run it, including Facter, Hiera,

the PXP agent, root certificates, and bundled versions

of Ruby and OpenSSL. After the package is installed,

you have everything you need to run the Puppet agent

service and the puppet apply command.

Puppet | Puppet overview | 54

Package Contents

puppetserver Puppet Server is a JVM-based application that, among

other things, runs instances of the primary Puppet server

application and serves catalogs to nodes running the

agent service. It has its own version number and might

be compatible with more than one Puppet version.

This package depends on puppet-agent. After it’s

installed, Puppet Server can serve catalogs to nodes

running the agent service.

puppetdb PuppetDB (optional) collects data generated by Puppet.

It enables additional features such as Exported resources

on page 935, advanced queries, and reports about your

infrastructure.

puppetdb-termini Plugins to connect your primary server to PuppetDB

The puppetserver component of the Puppet platform is available only for Linux. The puppet-agent

component is available independently for over 30 platforms and architectures, including Windows and macOS.

Restriction: As of Puppet agent 5.5.4, MCollective was deprecated. It was removed in Puppet 6.0. If you use Puppet

Enterprise, consider Puppet orchestrator. If you use open source Puppet, migrate MCollective agents and filters using

tools such as Bolt and PuppetDB’s Puppet Query Language (PQL). For details, see the Reference guide.

puppet-agent component version numbers

Each puppet-agent package contains several components. This table shows the components shipped in this

release track, and contains links to available component release notes. Agent release notes are included on the same

page as Puppet release notes.

Tip: Hiera 5 is a backward-compatible evolution of Hiera, which is built into Puppet. To provide some backward-

compatible features, Hiera 5 uses the classic Hiera 3 codebase. This means that Hiera is still shown as version 3.x in

the following table, even though this Puppet version uses Hiera 5.

puppet-

agent

Puppet Facter Hiera Resource API Ruby OpenSSL

8.8.1 8.8.1 4.8.0 None 1.9.0 3.2.4 3.0.14

8.7.0 8.7.0 4.7.1 None 1.9.0 3.2.4 3.0.13

8.6.0 8.6.0 4.7.0 None 1.9.0 3.2.3 3.0.13

8.5.1 8.5.1 4.6.1 None 1.9.0 3.2.3 3.0.12

8.5.0 8.5.0 4.6.0 None 1.9.0 3.2.3 3.0.12

8.4.0 8.4.0 4.5.2 None 1.9.0 3.2.2 3.0.12

8.3.1 8.3.1 4.5.1 None 1.9.0 3.2.2 3.0.11

8.2.0 8.2.0 4.4.2 None 1.9.0 3.2.2 3.0.10

8.1.0 8.1.0 4.4.1 None 1.8.16 3.2.2 3.0.8

8.0.0 8.0.0 4.4.0 None 1.8.16 3.2.2 3.0.8

7.32.1 7.32.1 4.8.0 3.12.0 1.9.0 2.7.8 1.1.1v

7.31.0 7.31.0 4.7.1 3.12.0 1.9.0 2.7.8 1.1.1v

7.30.0 7.30.0 4.7.0 3.12.0 1.9.0 2.7.8 1.1.1v

Puppet | Puppet overview | 55

puppet-

agent

Puppet Facter Hiera Resource API Ruby OpenSSL

7.29.1 7.29.1 4.6.1 3.12.0 1.9.0 2.7.8 1.1.1v

7.29.0 7.29.0 4.6.0 3.12.0 1.9.0 2.7.8 1.1.1v

7.28.0 7.28.0 4.5.2 3.12.0 1.9.0 2.7.8 1.1.1v

7.27.0 7.27.0 4.5.1 3.12.0 1.9.0 2.7.8 1.1.1v

7.26.0 7.26.0 4.4.2 3.12.0 1.9.0 2.7.8 1.1.1v

7.25.0 7.25.0 4.4.1 3.12.0 1.8.16 2.7.7 1.1.1t

7.24.0 7.24.0 4.3.1 3.12.0 1.8.16 2.7.7 1.1.1t

7.23.0 7.23.0 4.3.0 3.11.0 1.8.16 2.7.7 1.1.1q

7.21.0 7.21.0 4.1.14 3.11.0 1.8.16 2.7.7 1.1.1q

7.20.0 7.20.0 4.2.13 3.10.0 1.8.16 2.7.6 1.1.1q

7.19.0 7.19.0 4.2.12 3.10.0 1.8.14 2.7.6 1.1.1q

7.18.0 7.18.0 4.2.11 3.10.0 1.8.14 2.7.6 1.1.1q

7.17.0 7.17.0 4.2.10 3.9.0 1.8.14 2.7.6 1.1.1n

7.16.0 7.16.0 4.2.8 3.8.1 1.8.14 2.7.6 1.1.1n

7.15.0 7.15.0 4.2.8 3.8.1 1.8.14 2.7.5 1.1.1l

7.14.0 7.14.0 4.2.7 3.8.0 1.8.14 2.7.5 1.1.1l

7.13.1 7.13.1 4.2.6 3.8.0 1.8.14 2.7.3 1.1.1l

7.21.1 7.21.1 4.2.5 3.7.0 1.8.14 2.7.3 1.1.1l

7.12.0 7.12.0 4.2.5 3.7.0 1.8.14 2.7.3 1.1.1l

7.11.0 7.11.0 4.2.4 3.7.0 1.8.14 2.7.3 1.1.1l

7.10.0 7.10.0 4.2.3 3.7.0 1.8.14 2.7.3 1.1.1k

7.9.0 7.9.0 4.2.2 3.7.0 1.8.14 2.7.3 1.1.1k

7.8.0 7.8.0 4.2.1 3.7.0 1.8.14 2.7.3 1.1.1k

7.7.0 7.7.0 4.2.0 3.7.0 1.8.13 2.7.0 1.1.1i

7.6.1 7.6.1 4.1.1 3.6.0 1.8.13 2.7.0 1.1.1i

7.5.0 7.5.0 4.0.52 3.6.0 1.8.13 2.7.0 1.1.1i

7.4.1 7.4.1 4.0.51 3.6.0 1.8.13 2.7.0 1.1.1i

7.4.0 7.4.0 4.0.50 3.6.0 1.8.13 2.7.0 1.1.1i

7.3.0 7.3.0 4.0.49 3.6.0 1.8.13 2.7.0 1.1.1i

7.1.0 7.1.0 4.0.47 3.6.0 1.8.13 2.7.0 1.1.1i

7.0.0 7.0.0 4.0.46 3.6.0 1.8.13 2.7.0 1.1.1g

Server and agent compatibility

Use this table to verify that you're using a compatible version of the agent for your PE or Puppet Server.

Restriction: Puppet Server 6.x is no longer developed or tested.

Puppet | Puppet overview | 56

ServerAgent

Puppet 6.x

PE 2019.1 through 2019.8

Puppet 7.x

PE 2021.0 through 2023.2

Puppet 8.x

PE 2023.4 and later

6.x # # #

7.x # #

8.x #

Open source Puppet vs Puppet Enterprise (PE)

Puppet Enterprise (PE) is the commercial version of Puppet and is built on top of the open source Puppet platform.

Both products allow you to manage the configuration of thousands of nodes. Open source Puppet does this with

desired state management. PE provides an imperative, as well as declarative, approach to infrastructure automation.

If you have a complex or large infrastructure that is used and managed by multiple teams, PE is a more suitable

option, as it provides a graphical user interface, point-and-click code deployment strategies, continuous testing and

integration, and the ability to predict the impact of code changes before deployment.

For additional information on PE, visit the PE documentation.

The Puppet ecosystem

Alongside Puppet the configuration tool, there are additional Puppet tools and resources to help you use and be

successful. These make up the Puppet ecosystem

Install existing modules from Puppet Forge

Modules manage a specific technology in your infrastructure and serve as the basic building blocks of Puppet desired

state management. On the Puppet Forge, there is a module to manage almost any part of your infrastructure. Whether

you want to manage packages or patch operating systems, a module is already set up for you. See each module’s

README for installation instructions, usage, and code examples.

When using an existing module from the Forge, most of the Puppet code is written for you. You just need to install

the module and its dependencies and write a small amount of code (known as a profile) to tie things together. Take

a look at our Getting started with PE guide to see an example of writing a profile for an existing module. For more

information about existing modules, see the module fundamentals documentation and Puppet Forge.

Develop existing or new modules with Puppet Development Kit (PDK)

You can write your own Puppet code and modules using Puppet Development Kit (PDK), which is a framework to

successfully build, test and validate your modules. Note that most Puppet users won’t have to write full Puppet code

at all, though you can if you want to. For installation instructions and more information, see the PDK documentation.

Write Puppet code with the VSCode extension

The Puppet VSCode extension makes writing and managing Puppet code easier and ensures your code is high

quality. Its features include Puppet DSL intellisense, linting, and built-in commands. You can use the extension with

Windows, Linux, or macOS. For installation instructions and a full list of features, see the Puppet VSCode extension

documentation.

Puppet | Puppet overview | 57

Run acceptance tests with Litmus

Litmus is a command line tool that allows you to run acceptance tests against Puppet modules for a variety of

operating systems and deployment scenarios. Acceptance tests validate that your code does what you intend it to do.

For more information, see the Litmus documentation.

Use cases

Puppet Forge has existing modules and code examples that assist with automating the following use cases:

• Base system configuration. Including registry, NTP, firewalls, services

• Manage web servers. Including apache, tomcat, IIS, nginx

• Manage database systems. Including Oracle, Microsoft SQL Server, MySQL, PostgreSQL

• Manage middleware/application systems. Including Java, WebLogic/Fusion, IBM MQ, IBM IIB, RabbitMQ,

ActiveMQ, Redis, ElasticSearch

• Source control. Including Github, Gitlab

• Monitoring. Including Splunk, Nagios, Zabbix, Sensu, Prometheus, NewRelic, Icinga, SNMP

• Patch management. OS patching on Enterprise Linux, Debian, SLES, Ubuntu, Windows

• Package management.

• Linux: Puppet integrates directly with native package managers

• Windows: Use Puppet to install software directly on Windows, or integrate with Chocolatey

• Containers and cloud native. Including Docker, Kubernetes, Terraform, OpenShift

• Networking. Including Cisco Catalyst, Cisco Nexus, F5, Palo Alto, Barracuda

• Secrets management. Including Hashicorp Vault, CyberArk Conjur, Azure Key Vault, Consul Data

See each module’s README for installation, usage, and code examples.

If you don’t see your use case listed above, have a look at the following list to see what else we might be able to help

you with:

• Continuous integration and delivery of Puppet code. Continuous Delivery offers a prescriptive workflow to

test and deploy Puppet code across environments. To harness the full power of PE, you need a robust system

for testing and deploying your Puppet code. Continuous Delivery offers prescriptive, customizable work flows

and intuitive tools for Puppet code testing, deployment, and impact analysis — so you know how code changes

will affect your infrastructure before you deploy them — helping you ship changes and additions with speed and

confidence. For more information, see Continuous Delivery.

• Incident remediation. If you need to minimize the risk of external attacks and data breaches by increasing your

visibility into the vulnerabilities across your infrastructure, take a look at Puppet Remediate. With Remediate, you

can eliminate the repetitive and error-prone steps of manual data handovers between teams. For more information,

see Puppet Remediate.

• Integrate Puppet into your existing workflows. Take a look at our integrations with other technology, including

Splunk and VMware vRA.

Glossary

The glossary defines terms used in Puppet documentation.

Puppet | Puppet overview | 58

Navigating the documentation

Puppet maintains a large amount of documentation and learning resources to help you learn Puppet. When navigating

the documentation, take note of the following.

The search bar

The Puppet documentation search bar at the top of the page can be useful when you know exactly what you are

looking for. Unlike search engines, it has the added benefit of being able to filter by Puppet product and version. The

filter appears on the right side of the page after you search for something.

The version switcher

If you land on a documentation page from an external search engine, make sure you are looking at the correct Puppet

version. You can see what version of the documentation you are viewing by looking at the version switcher in the top

left corner.

Note that, other than the latest version, we only maintain and update the open source Puppet versions that are built

into Puppet Enterprise (PE) versions receiving long-term support. For information on which versions we currently

support, see Puppet packages and versions. If we no longer update a page, the following banner is shown across the

top.

Code examples

We have code examples throughout the docs. These are often general examples designed to help a wide audience.

To see more real-life and specific examples, take a look at the relevant module on Puppet Forge. For example, to see

what a code example for managing NTP services looks like, take a look at the NTP README. However, if you spot

a place in the documentation where you would like more examples, please let us know.

Puppet | Puppet overview | 59

The glossary

If you come across a term that you are unfamiliar with, you will likely find a definition for it in our glossary.

We welcome your feedback!

If you don’t see what you need, if something isn't clear enough, or if you spot a mistake, please let the Puppet

documentation team know, either by using the star rating at the bottom of the page or by opening a ticket (you'll need

a Jira account). Whichever feedback method you choose, a member of the docs team reads every piece of feedback,

so the more specific you can be about the request or issue, the more quickly and easily we’ll be able to help and

update the documentation. As noted before, we can only update maintained Puppet versions. We greatly appreciate

your feedback!

Puppet | Set up Puppet | 60

Set up Puppet

A Puppet deployment typically includes a primary Puppet server and agents, which are installed on nodes in your

environment.

• Install Puppet on page 60

Puppet can be installed and upgraded in various configurations to fit the needs of your environment.

• Configure Puppet settings on page 75

You can configure Puppet's commands and services extensively, and its settings are specified in a variety of places.

• Upgrading on page 126

To upgrade your deployment, you must upgrade both the infrastructure components and agents.

• Environments on page 130

Environments are isolated groups of agent nodes.

• Directories and files on page 137

Puppet consists of a number of directories and files, and each one has an important role ranging from Puppet code

storage and configuration files to manifests and module paths.

• Report reference on page 147

Puppet has a set of built-in report processors, which you can configure.

Install Puppet

Puppet can be installed and upgraded in various configurations to fit the needs of your environment.

• System requirements on page 60

Puppet system requirements depend on your deployment type and size. Before installing Puppet, ensure your systems

are compatible with infrastructure and agent requirements.

• Installing Puppet on page 62

To get started using Puppet, you must first complete the initial installation and setup process.

• Installing and configuring agents on page 64

You can install agents on *nix, Windows, or macOS.

• Manually verify packages on page 73

Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature

proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use

GPG to verify package signatures.

• Managing Platform versions on page 75

To receive the most up-to-date software without introducing breaking changes, pin your infrastructure to known

versions, and update the pinned version manually when you’re ready to update.

System requirements

Puppet system requirements depend on your deployment type and size. Before installing Puppet, ensure your systems

are compatible with infrastructure and agent requirements.

Restriction: Puppet primary servers must run on some variant of *nix. You can't run primary servers on Windows.

Hardware requirements

The primary server is fairly resource intensive, and must be installed on a robust, dedicated server. The agent service

has few system requirements and can run on a less powerful server.

The Puppet agent has been run and tested on a various servers. The following table lists the minimum hardware

specifications that have been successfully tested. In these tests, Intel Xeon processors were used.

Puppet | Set up Puppet | 61

CPUs GHz GiB memory OS

1 2.4 0.5 Amazon Linux 2 AMI

1 2.5 1 Windows Server 2019

The demands on the primary server vary widely between deployments. Resource needs are affected by the number of

agents being served, how frequently agents check in, how many resources are being managed on each agent, and the

complexity of the manifests and modules in use.

The following minimum hardware requirements are based on internal testing.

Node volume Cores Heap ReservedCodeCache

Dozens 2 1 GB Not applicable

1,000 2-4 4 GB 512m

Supported agent platforms

Puppet provides official packages for various operating systems and versions. Although you are not required to use

official packages, their use helps to simplify installation and maintenance.

Packaged platforms

puppet-agent packages are available for the platforms listed in the table.

For Puppet Server system requirements, see Supported operating systems.

Operating system Tested versions Untested versions

Debian 10, 11, 11 (aarch64), 12, 12 (aarch64,

x86_64)

Fedora 36 (x86_64), 40 (x86_64)

macOS 11 Big Sur (x86_64), 12 Monterey

(x86_64), 12 (M1), 13 Ventura

(x86_64, ARM), 14 (x86_64, ARM)

Microsoft Windows 10 Enterprise, 11 Enterprise (x86_64) 8, 10

Microsoft Windows Server 2012R2, 2016, 2019, 2022 2012

Red Hat Enterprise Linux, including:

• Amazon Linux v2 x86_64 (using

RHEL 7 packages)

7 (x86_64), 8 (x86_64, aarch64,

ppc64le), 9 (x86_64, ARM64,

ppc64le)

Amazon Linux 2 (AARCH64), 2023 (x86_64,

AARCH64)

SUSE Linux Enterprise Server 12 (x86_64), 15 (x86_64)

AlmaLinux 8 (x86_64), 9 (x86_64, AARCH64)

Rocky Linux 8 (x86_64), 9 (x86_64, AARCH64)

Oracle Linux 7 (x86_64), 8 (x86_64), 8 (aarch64),

8 (ppc64le)

Scientific Linux 7 (x86_64), 8 (x86_64, aarch64,

ppc64le)

Puppet | Set up Puppet | 62

Operating system Tested versions Untested versions

Ubuntu 18.04, 18.04 (AARCH), 20.04, 20.04

(aarch64), 22.04 (x86_64, aarch64),

24.04 (x86_64, ARM)

Dependencies

If you install the agent by using an official package, your system’s package manager ensures that dependencies are

installed. If you install the agent on a platform without a supported package, you must manually install the following

packages, libraries, and gems:

• Ruby 3.1 or later

• Facter 2.0 or later

• Optional gems such hiera-eyaml, hocon, msgpack, ruby-shadow, and so on.

Important: If you use the SELinux security module, you must grant a compliance exception for Puppet and the PXP

agent in order for those services to effectively manage configuration.

Timekeeping and name resolution

Before you install Puppet, prepare to meet the network requirements. The most important requirements include

syncing time and creating a plan for name resolution.

Timekeeping

Use NTP or an equivalent service to ensure that time is in sync between your primary server, which acts as the

certificate authority, and any agent nodes. If time drifts out of sync in your infrastructure, you might encounter issues

such as agents receiving outdated certificates. A service like NTP (available as a supported module) helps to ensure

accurate timekeeping.

Name resolution

Decide on a preferred name or set of names that agent nodes can use to contact the primary server. Ensure that the

primary server can be reached by domain name lookup by all future agent nodes.

You can simplify configuration of agent nodes by using a CNAME record to make the primary server reachable at the

hostname puppet, which is the default primary server hostname that is suggested when installing an agent node.

Firewall configuration

In the agent-server architecture, your primary server must support incoming connections on port 8140, and agent

nodes must be able to connect to the primary server on that port.

Installing Puppet

To get started using Puppet, you must first complete the initial installation and setup process.

Puppet is distributed in several packages. These include puppetserver, puppet-agent and puppetdb.

Puppet Server controls the configuration information for one or more managed agent nodes. PuppetDB is where the

data generated by Puppet is stored.

This guide walks you through the following steps in installing Puppet:

• Enabling the Puppet platform repository

• Installing Puppet Server

• Installing Puppet agent

• Installing PuppetDB (optional)

You install each of these components separately, operating on a single node. From here, you can scale up to the large

installation as your infrastructure grows, or customize configuration as needed.

Puppet | Set up Puppet | 63

Note: The puppetserver component of the Puppet platform is available only for Linux. The puppet-agent

component is available independently for over 30 platforms and architectures, including Windows and macOS. For

more information on Puppet's packages, see Puppet platform lifecycle.

1. Enable the Puppet platform repository

Enabling the Puppet platform repository makes the components needed for installation available on your system. The

process for enabling the repository depends on your package management system, such as Yum or Apt.

Before you begin

Identify the URL of the package you want to enable based on your operating system and version. *nix platform

packages are located in Puppet.com repositories corresponding to the Yum and Apt package management systems.

Yum is used with Red Hat operating systems, such as Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise

Server (SLES). Go to yum.puppet.com for a list of packages and corresponding URLs. The Yum package URL

naming convention is generally:

https://yum.puppet.com/<PLATFORM_NAME>-release-<OS_ABBREVIATION>-

<OS_VERSION>.noarch.rpm

For example: https://yum.puppet.com/puppet8-release-el-8.noarch.rpm.

Apt is used with Debian and Ubuntu. Go to apt.puppet.com for a list of packages and corresponding URLs. The Apt

package URL naming convention is generally:

https://apt.puppet.com/<PLATFORM_VERSION>-release-<VERSION_CODE_NAME>.deb

For example: https://apt.puppet.com/puppet8-release-focal.deb. Note that for Ubuntu releases,

the VERSION_CODE_NAME is the adjective, not the animal.

Enable the Puppet platform on Yum

Logged in as root, run the RPM tool in upgrade mode:

sudo rpm -U <PACKAGE_URL>

For example, to enable the Enterprise Linux 8 repository:

sudo rpm -Uvh https://yum.puppet.com/puppet8-release-el-8.noarch.rpm

Enable the Puppet platform on Apt

Logged in as root, download the package and run the dpkg tool in install mode:

wget <PACKAGE_URL>

sudo dpkg -i <FILE_NAME>.deb

For example, to enable the Ubuntu 20.04 focal repository:

wget https://apt.puppet.com/puppet8-release-focal.deb

sudo dpkg -i puppet8-release-focal.deb

Update the apt package lists:

sudo apt-get update

Certain operating systems and installation methods automatically verify package signatures. In these cases, you don’t

need to do anything to verify the package signature. These methods include:

Puppet | Set up Puppet | 64

• If you install from the Puppet Yum and Apt repositories, the release package that enables the repository also

installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you

install them.

• If you install a Windows agent using an .msi package, the Windows installer automatically verifies the signature

before installing the package.

If you need to manually verify packages, see Verify packages.

2. Install Puppet Server

Puppet Server is a required application that runs on the Java Virtual Machine (JVM) on the primary server.

In addition to hosting endpoints for the certificate authority service, Puppet Server also powers the catalog compiler,

which compiles configuration catalogs for agent nodes, using Puppet code and various other data sources.

In this section, you will install the puppetserver package and start the service.

Follow the steps in install Puppet Server

3. Install Puppet agent

Puppet agents translates code into commands and then executes it on the systems you specify.

In this section, you will install agents on your chosen operating system, configure them, and sign their certificates.

Follow the steps in install agents.

4. Install PuppetDB (optional)

All of the data generated by Puppet is stored in Puppet DB.

You can optionally install PuppetDB to enable extra features, including enhanced queries and reports about your

infrastructure. In this section, you will assign PuppetDB module’s classes to your servers. Follow the steps in install

PuppetDB.

Installing and configuring agents

You can install agents on *nix, Windows, or macOS.

After you install an agent, you must complete the steps in Configure agents.

Install agents

Install *nix agents

You can install *nix agents using an install script.

Before you begin

Enable the Puppet platform repository.

Install the agent using the command appropriate to your environment.

• Yum:

sudo yum install puppet-agent

• Apt:

sudo apt-get install puppet-agent

Note: The Puppet repository for the APT package management system is: http://apt.puppet.com/

• Zypper:

sudo zypper install puppet-agent

Puppet | Set up Puppet | 65

Start the Puppet service:

sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running

enable=true

Install Windows agents

You can install Windows agents graphically or from the command line using an .msi package.

Install Windows agents with the .msi package

Use the Windows .msi package if you need to specify agent configuration details during installation, or if you need to

install Windows agents locally without internet access.

Before you begin

• Install Powershell. The .msi package requires PowerShell 5 or higher.

• Download the .msi package.

Install Windows agents with the installer

Use the MSI installer for a more automated installation process. The installer can configure puppet.conf, create

CSR attributes, and configure the agent to talk to your primary server.

Run the installer as administrator.

When prompted, provide the hostname of your primary server, for example puppet.

Install Windows agents using msiexec from the command line

Install the MSI manually from the the command line if you need to customize puppet.conf, CSR attributes, or

certain agent properties.

On the command line of the node that you want to install the agent on, run the install command:

msiexec /qn /norestart /i <PACKAGE_NAME>.msi

Tip: You can specify /l*v install.txt to log the progress of the installation to a file.

MSI properties

If you install Windows agents from the command line using the .msi package, you can optionally specify these

properties.

Important: If you set a non-default value for PUPPET_SERVER, PUPPET_CA_SERVER,

PUPPET_AGENT_CERTNAME, or PUPPET_AGENT_ENVIRONMENT, the installer replaces the existing value in

puppet.conf and re-uses the value at upgrade unless you specify a new value. Therefore, if you've customized

these properties, don't change the setting directly in puppet.conf; instead, re-run the installer and set a new value

at installation.

Property Definition Setting in pe.conf Default

INSTALLDIR Location to install Puppet

and its dependencies.

n/a

• 32-bit — C:

\Program Files

\Puppet Labs

\Puppet

• 64-bit — C:

\Program Files

\Puppet Labs

\Puppet

Puppet | Set up Puppet | 66

Property Definition Setting in pe.conf Default

ENABLE_LONG_PATHS Long filename support.

Set to TRUE and set

HKLM:\SYSTEM

\CurrentControlSet

\Control

\FileSystem

\LongPathsEnabled to

n/a No value

PUPPET_SERVER Hostname where the

primary server can be

reached.

server puppet

PUPPET_CA_SERVER Hostname where the CA

server can be reached,

if you're using multiple

servers and only one of

them is acting as the CA.

ca_server Value of

PUPPET_SERVER

PUPPET_AGENT_CERTNAME

Node's certificate name,

and the name it uses when

requesting catalogs.

For best compatibility, limit

the value of certname to

lowercase letters, numbers,

periods, underscores, and

dashes.

certname Value of facter fdqn

PUPPET_AGENT_ENVIRONMENTNode's environment.

Note: If a value for

the environment

variable already exists

in puppet.conf,

specifying it during

installation does not

override that value.

environment production

Puppet | Set up Puppet | 67

Property Definition Setting in pe.conf Default

PUPPET_AGENT_STARTUP_MODEWhether and how the agent

service is allowed to run.

Allowed values are:

• Automatic —

Agent starts up when

Windows starts and

remains running in the

background.

• Manual — Agent

can be started in the

services console or with

net start on the

command line.

• Disabled — Agent is

installed but disabled.

You must change

its startup type in

the services console

before you can start the

service.

n/a Automatic

Puppet | Set up Puppet | 68

Property Definition Setting in pe.conf Default

PUPPET_AGENT_ACCOUNT_USER

Windows user account

the agent service uses.

This property is useful

if the agent needs to

access files on UNC

shares, because the default

LocalService account

can't access these network

resources.

The user account must

already exist, and can be

either a local or domain

user. The installer allows

domain users even if

they have not accessed

the machine before. The

installer grants Logon as

Service to the user, and

if the user isn't already a

local administrator, the

installer adds it to the

Administrators group.

If you specify

PUPPET_AGENT_ACCOUNT_USER,

you must also specify

PUPPET_AGENT_ACCOUNT_PASSWORD

and

PUPPET_AGENT_ACCOUNT_DOMAIN

unless the node is

under a gMSA. For

gMSAs, you must specify

PUPPET_AGENT_ACCOUNT_USER

(the user for

the gMSA) and

PUPPET_AGENT_ACCOUNT_DOMAIN.

Do not specify

PUPPET_AGENT_ACCOUNT_PASSWORD.

n/a LocalSystem

PUPPET_AGENT_ACCOUNT_PASSWORDPassword for the agent's

user account.

n/a No value

PUPPET_AGENT_ACCOUNT_DOMAINDomain of the agent's user

account.

n/a .

Puppet | Set up Puppet | 69

Property Definition Setting in pe.conf Default

REINSTALLMODE A default MSI property

used to control the behavior

of file copies during

installation.

Important: If you need

to downgrade agents, use

REINSTALLMODE=amus

when calling

msiexec.exe at the

command line to prevent

removing files that the

application needs.

n/a

amus as of puppet-agent

1.10.10 and puppet-agent

5.3.4

omus in prior releases

SKIP_NSSM_REGISTRY_CLEANUP

Setting to true skips the

Non-Sucking Service

Manager (NSSM) registry

cleanup. This allows you

to install in a restrictive

User Account Control

(UAC) context, or when the

installer does not have the

necessary permissions to

read certain registry keys.

Note: This might cause a

restart of DHCP Server or

other services.

n/a No value

To install the agent with the primary server at puppet.acme.com:

msiexec /qn /norestart /i puppet.msi PUPPET_SERVER=puppet.acme.com

To install the agent to a domain user ExampleCorp\bob:

msiexec /qn /norestart /i puppet-<VERSION>.msi

PUPPET_AGENT_ACCOUNT_DOMAIN=ExampleCorp PUPPET_AGENT_ACCOUNT_USER=bob

PUPPET_AGENT_ACCOUNT_PASSWORD=password

Upgrading or downgrading between 32-bit and 64-bit Puppet on Windows

If necessary, you can upgrade or downgrade between 32-bit and 64-bit Puppet on Windows nodes.

Upgrading to 64-bit

To upgrade from 32-bit to 64-bit Puppet, simply install 64-bit Puppet. You don't need to uninstall the 32-bit version

first.

The installer specifically stores information in different areas of the registry to allow rolling back to the 32-bit agent.

Downgrading to 32-bit

If you need to replace a 64-bit version of Puppet with a 32-bit version, you must uninstall Puppet before installing the

new package.

Puppet | Set up Puppet | 70

You can uninstall Puppet through the Add or Remove Programs interface or from the command line.

To uninstall Puppet from the command line, you must have the original MSI file or know the ProductCode of the

installed MSI:

msiexec /qn /norestart /x puppet-agent-1.3.0-x64.msi

msiexec /qn /norestart /x <PRODUCT CODE>

When you uninstall Puppet, the uninstaller removes the Puppet program directory, agent services, and all related

registry keys. It leaves the $confdir, $codedir, and $vardir intact, including any SSL keys. To completely remove

Puppet from the system, manually delete these directories.

Install macOS agents

You can install macOS agents from Finder, the command line or Homebrew.

Important: For macOS agents, the certname is derived from the name of the machine (such as My-Example-Mac).

To prevent installation issues, make sure the name of the node uses lowercases letters. If you don’t want to change

your computer’s name, you can enter the agent certname in all lowercase letters when prompted by the installer.

Add full disk access for Puppet on macOS 10.14 and newer

Beginning with macOS 10.14, you must add Puppet to the full disk access list, or allowlist, in order to run Puppet

with full permissions and for it to properly manage resources like user and group on your system.

Complete these steps before attempting to install macOS agents.

Run the following command to remove the .sh extension from the wrapper.sh file:

mv /opt/puppetlabs/puppet/bin/wrapper.sh /opt/puppetlabs/puppet/bin/

wrapper

Run the following commands to relink facter, hiera, and puppet with the newly renamed file:

ln -sf /opt/puppetlabs/puppet/bin/wrapper /opt/puppetlabs/bin/facter

ln -sf /opt/puppetlabs/puppet/bin/wrapper /opt/puppetlabs/bin/hiera

ln -sf /opt/puppetlabs/puppet/bin/wrapper /opt/puppetlabs/bin/puppet

In your Mac Preferences, click Security & Privacy, select the Privacy tab, and click Full Disk Access in the left

column.

Click the lock icon, enter your password, and click Unlock.

Click the + button, then type the # (Command) + Shift + G shortcut key.

Enter /opt/puppetlabs/bin, then click Go.

Click on the puppet file, then click Open.

Install macOS agents from Finder

You can use Finder to install the agent on your macOS machine.

Before you begin

Download the appropriate agent tarball.

Open the agent package .dmg and click the installer .pkg.

Follow prompts in the installer dialog.

You must include the primary server hostname and the agent certname.

Puppet | Set up Puppet | 71

Install macOS agents from the command line

You can use the command line to install the agent on a macOS machine.

Before you begin

Download the appropriate agent tarball.

SSH into the node as a root or sudo user.

Mount the disk image: sudo hdiutil mount <DMGFILE>

A line appears ending with /Volumes/puppet-agent-VERSION. This directory location is the mount point

for the virtual volume created from the disk image.

Change to the directory indicated as the mount point in the previous step, for example: cd /Volumes/

puppet-agent-VERSION

Install the agent package: sudo installer -pkg puppet-agent-installer.pkg -target /

Verify the installation: /opt/puppetlabs/bin/puppet --version

Install macOS agents with Homebrew

You can use Homebrew to install the agent on your macOS machine.

Before you begin

Install Homebrew.

Install the latest version of the Puppet agent:

brew install --cask puppetlabs/puppet/puppet-agent

Configure agents

Once you have installed your agents, you must complete the following three configuration steps.

1. Configure your PATH to access Puppet commands

Puppet's command line interface (CLI) consists of a single Puppet command with many subcommands, for example

puppet --help.

Puppet commands are located in the bin directory — /opt/puppetlabs/bin/ on *nix and C:\Program

Files\Puppet Labs\puppet\bin on Windows. The bin directory is not in your PATH environment variable

by default. To have access to the Puppet commands, you must add the bin directory to your PATH.

Choose from the following options.

Linux: source a script for puppet-agent to install

If you are on Linux, you can source a script that puppet-agent installs. Run the following command:

source /etc/profile.d/puppet-agent.sh

*nix: Add the Puppet labs bin directory to your PATH

To add the bin directory to your PATH on *nix, run:

export PATH=/opt/puppetlabs/bin:$PATH

Alternatively, you can add this location wherever you configure your PATH, such as your .profile or .bashrc

configuration files.

Puppet | Set up Puppet | 72

Windows: Add the Puppet labs bin directory to your PATH

To run Puppet commands on Windows, start a command prompt with administrative privileges. You can do so by

right-clicking the Start Command Prompts with Puppet program and clicking Run as administrator. Click Yes if the

system asks for UAC confirmation.

The Puppet agent .msi adds the Puppet bin directory to the system path automatically. If you are not using the

Start Command Prompts, you may need to manually add the bin directory to your PATH using one of the following

commands:

For cmd.exe, run:

set PATH=%PATH%;"C:\Program Files\Puppet Labs\Puppet\bin"

For PowerShell, run:

$env:PATH += ";C:\Program Files\Puppet Labs\Puppet\bin"

2. Configure the server setting

The server is setting, which allows you to connect the agent to the primary Puppet server, is the only mandatory

setting.

You can add configuration to agents by using the puppet config set sub-command, which edits puppet.conf

automatically, or editing /etc/puppetlabs/puppet/puppet.conf directly.

To configure the server setting, choose from one of the following options:

• On the agent node, run:

puppet config set server puppetserver.example.com --section main

• Manually edit /etc/puppetlabs/puppet/puppet.conf or C:\ProgramData\PuppetLabs

\puppet\etc\puppet.conf.

Note that the location on Windows depends on whether you are running with administrative privileges. If you are

not, it will be in home directory, not system location.

This command adds the setting server = puppetserver.example.com to the [main] section of

puppet.conf.

Note that there are other optional settings, for example, serverport, ca_server, ca_port,

report_server, report_port, which you might need for more complicated Puppet deployments, such as

when using a CA server and multiple compilers.

3. Connect the agent to the primary server and sign the certificate

Once you had added the server, you must connect the Puppet agent to the primary server so that it will check in at

regular intervals to report its state, retrieve its catalog, and update its configuration if needed.

To connect the agent to the primary server, run:

puppet ssl bootstrap

Note: For Puppet 5 agents, run puppet agent --test instead.

You will see a message that looks like:

Info: Creating a new RSA SSL key for <agent node>

On the primary server node, sign the certificate:

sudo puppetserver ca sign --certname <name>

Puppet | Set up Puppet | 73

On the agent node, run the agent again:

puppet ssl bootstrap

Manually verify packages

Puppet signs most of its packages, Ruby gems, and release tarballs with GNU Privacy Guard (GPG). This signature

proves that the packages originate from Puppet and have not been compromised. Security-conscious users can use

GPG to verify package signatures.

Tip:

Certain operating systems and installation methods automatically verify package signatures. In these cases, you don’t

need to do anything to verify the package signature.

• If you install from the Puppet Yum and Apt repositories, the release package that enables the repository also

installs our release signing key. The Yum and Apt tools automatically verify the integrity of packages as you

install them.

• If you install a Windows agent using an .msi package, the Windows installer automatically verifies the signature

before installing the package.

Verify a source tarball or gem

You can manually verify the signature for Puppet source tarballs or Ruby gems.

Import the public key: gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key

4528B6CD9E61EF26

Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration

file and keyring. You can run the command a second time to import the key into your newly created keyring.

The gpg tool imports the key:

gpg: /home/username/.gnupg/trustdb.gpg: trustdb created

gpg: key 4528B6CD9E61EF26: public key "Puppet, Inc. Release Key (Puppet,

Inc. Release Key) <[email protected]>" imported

gpg: Total number processed: 1

gpg: imported: 1

Verify the fingerprint: gpg --list-key --fingerprint 4528B6CD9E61EF26

The fingerprint of the Puppet release signing key is D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD

9E61 EF26. Ensure the fingerprint listed matches this value.

Download the tarball or gem and its corresponding .asc file from https://downloads.puppet.com/puppet/.

Verify the tarball or gem, replacing <VERSION> with the Puppet version number, and <FILE TYPE> with

tar.gz for a tarball or gem for a Ruby gem: gpg --verify puppet-<VERSION>.<FILE TYPE>.asc

puppet-<VERSION>.<FILE TYPE>

The output confirms that the signature matches:

gpg: Signature made Mon 09 Nov 2020 12:19:14 PM PST using RSA key ID

9E61EF26

gpg: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release

Key) <[email protected]>"

Tip: If you haven't set up a trust path to the key, you receive a warning that the key is not certified. If you’ve

verified the fingerprint of the key, GPG has verified the archive’s integrity; the warning simply means that GPG

can’t automatically prove the key’s ownership.

Puppet | Set up Puppet | 74

Verify an RPM package

RPM packages include an embedded signature, which you can verify after importing the Puppet public key.

Import the public key: gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-key

4528B6CD9E61EF26

Tip: If this is your first time running the gpg tool, it might fail to import the key after creating its configuration

file and keyring. You can run the command a second time to import the key into your newly created keyring.

The gpg tool imports the key:

gpg: /home/username/.gnupg/trustdb.gpg: trustdb created

gpg: key 4528B6CD9E61EF26: public key "Puppet, Inc. Release Key (Puppet,

Inc. Release Key) <[email protected]>" imported

gpg: Total number processed: 1

gpg: imported: 1

Verify the fingerprint: gpg --list-key --fingerprint 4528B6CD9E61EF26

The fingerprint of the Puppet release signing key is D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD

9E61 EF26. Ensure the fingerprint listed matches this value.

Retrieve the Puppet public key and place it in a file on your node.

Use the RPM tool to import the public key, replacing <PUBLIC KEY FILE> with the path to the file containing

the public key: sudo rpm --import <PUBLIC KEY FILE>

The RPM tool doesn’t output anything if the command is successful.

Use the RPM tool to check the signature of a downloaded RPM package: sudo rpm -vK

<RPM_FILE_NAME>

The embedded signature is verified and displays OK:

puppet-agent-1.5.1-1.el6.x86_64.rpm:

Header V4 RSA/SHA512 Signature, key ID EF8D349F: OK

Header SHA1 digest: OK (95b492a1fff452d029aaeb59598f1c78dbfee0c5)

V4 RSA/SHA512 Signature, key ID EF8D349F: OK

MD5 digest: OK (4878909ccdd0af24fa9909790dd63a12)

Verify a macOS puppet-agent package

puppet-agent packages for macOS are signed with a developer ID and certificate. You can verify the package

signature using the pkgutil tool or the installer.

Use one of these methods to verify the package signature:

• Download and mount the puppet-agent disk image, and then use the pkgutil tool to check the package's

signature:

/usr/bin/hdiutil attach puppet-agent-<AGENT-VERSION>-1.osx10.15.dmg

...

pkgutil --check-signature /Volumes/puppet-agent-<AGENT-

VERSION>-1.osx10.15/puppet-agent-<AGENT-VERSION>-1-installer.pkg

The tool confirms the signature and outputs fingerprints for each certificate in the chain:

Package "puppet-agent-<AGENT-VERSION>-1-installer.pkg":

Status: signed by a developer certificate issued by Apple for

distribution

Certificate Chain:

1. Developer ID Installer: PUPPET LABS, INC. (VKGLGN2B6Y)

SHA256 Fingerprint:

Puppet | Set up Puppet | 75

F9 6D CA EF 1B D8 FF 30 1D 25 67 54 90 CF 7F C3 BF 39 91 50 A6

65 FA B2 19 4B 1E 2A B6 D1 9E

------------------------------------------------------------------------

2. Developer ID Certification Authority

SHA256 Fingerprint:

7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D

F2 9C 88 CF B0 B1 BA 63 58 7F

------------------------------------------------------------------------

3. Apple Root CA

SHA256 Fingerprint:

B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E

68 C5 BE 91 B5 A1 10 01 F0 24

• When you install the package, click the lock icon in the top right corner of the installer.

The installer displays details about the package's certificate.

Tip: Puppet Labs® is a registered trademark that you might see during installation processes.

Managing Platform versions

To receive the most up-to-date software without introducing breaking changes, pin your infrastructure to known

versions, and update the pinned version manually when you’re ready to update.

For example, if you’re using the puppetlabs/puppet_agent module to manage the installed puppet-agent

package, use this resource to pin it to version 8.0.0:

class { '::puppet_agent':

collection => 'puppet8',

package_version => '8.0.0',

}

To upgrade to newer versions within the puppet7 collection, update the package_version. If you're

upgrading from an earlier collection, simply update the collection and package_version.

Configure Puppet settings

You can configure Puppet's commands and services extensively, and its settings are specified in a variety of places.

• Puppet settings on page 76

Customize Puppet settings in the main configuration file, called puppet.conf.

• Key configuration settings on page 79

Puppet has about 200 settings, all of which are listed in the configuration reference. Most of the time, you interact

with only a couple dozen of them. This page lists the most important ones, assuming that you're okay with default

values for things like the port Puppet uses for network traffic. See the configuration reference for more details on

each.

Puppet | Set up Puppet | 76

• Puppet's configuration files on page 82

Puppet settings can be configured in the main config file, called puppet.conf. There are several additional

configuration files, for new settings and ones that need to be in separate files with complex data structures.

• Adding file server mount points on page 93

Puppet Server includes a file server for transferring static file content to agents. If you need to serve large files that

you don't want to store in source control or distribute with a module, you can make a custom file server mount point

and let Puppet serve those files from another directory.

• Checking the values of settings on page 94

Puppet settings are highly dynamic, and their values can come from several different places. To see the actual settings

values that a Puppet service uses, run the puppet config print command.

• Editing settings on the command line on page 97

Puppet loads most of its settings from the puppet.conf config file. You can edit this file directly, or you can

change individual settings with the puppet config set command.

• Configuration Reference on page 98

Puppet settings

Customize Puppet settings in the main configuration file, called puppet.conf.

When Puppet documentation mentions “settings,” it usually means the main settings. These are the settings that are

listed in the configuration reference. They are valid in puppet.conf and available for use on the command line.

These settings configure nearly all of Puppet’s core features.

However, there are also several additional configuration files — such as auth.conf and puppetdb.conf. These

files exist for several reasons:

• The main settings support only a few types of values. Some things just can’t be configured without complex data

structures, so they needed separate files. (Authorization rules and custom CSR attributes are in this category.)

• Puppet doesn’t allow extensions to add new settings to puppet.conf. This means some settings that are

supposed to be main settings (such as the PuppetDB server) can’t be.

Puppet Server configuration

Puppet Server honors almost all settings in puppet.conf and picks them up automatically. However, for some

tasks, such as configuring the webserver or an external Certificate Authority, there are Puppet Server-specific

configuration files and settings.

For more information, see Puppet Server: Configuration.

Settings are loaded on startup

When a Puppet command or service starts up, it gets values for all of its settings. Any of these settings can change the

way that command or service behaves.

A command or service reads its settings only one time. If you need to reconfigured it, you must restart the service or

run the command again after changing the setting.

Settings on the command line

Settings specified on the command line have top priority and always override settings from the config file. When a

command or service is started, you can specify any setting as a command line option.

Settings require two hyphens and the name of the setting on the command line:

$ sudo puppet agent --test --noop --certname temporary-name.example.com

Basic settings

For most settings, you specify the option and follow it with a value. An equals sign between the two (=) is optional,

and you can optionally put values in quotes.

Puppet | Set up Puppet | 77

All three of these are equivalent to setting certname = temporary-name.example.com in puppet.conf.

--certname=temporary-name.example.com

--certname temporary-name.example.com

--certname "temporary-name.example.com"

Boolean settings

Settings whose only valid values are true and false, use a shorter format. Specifying the option alone sets the

setting to true. Prefixing the option with no- sets it to false.

This means:

• --noop is equivalent to setting noop = true in puppet.conf.

• --no-noop is equivalent to setting noop = false in puppet.conf.

Default values

If a setting isn’t specified on the command line or in puppet.conf, it falls back to a default value. Default values

for all settings are listed in the configuration reference.

Some default values are based on other settings — when this is the case, the default is shown using the other setting

as a variable (similar to $ssldir/certs).

Configuring locale settings

Puppet supports locale-specific strings in output, and it detects your locale from your system configuration. This

provides localized strings, report messages, and log messages for the locale’s language when available.

Upon startup, Puppet looks for a set of environment variables on *nix systems, or the code page setting on Windows.

When Puppet finds one that is set, it uses that locale whether it is run from the command line or as a service.

For help setting your operating system locale or adding new locales, consult its documentation. This section covers

setting the locale for Puppet services.

Checking your locale settings on *nix and macOS

To check your current locale settings, run the locale command. This outputs the settings used by your current shell.

$ locale

LANG="en_US.UTF-8"

LC_COLLATE="en_US.UTF-8"

LC_CTYPE="en_US.UTF-8"

LC_MESSAGES="en_US.UTF-8"

LC_MONETARY="en_US.UTF-8"

LC_NUMERIC="en_US.UTF-8"

LC_TIME="en_US.UTF-8"

LC_ALL=

To see which locales are supported by your system, run locale -a, which outputs a list of available locales. Note

that Puppet might not have localized strings for every available locale.

To check the current status of environment variables that might conflict with or override your locale settings, use

the set command. For example, this command lists the set environment variables and searches for those containing

LANG or LC_:

sudo set | egrep 'LANG|LC_'

Puppet | Set up Puppet | 78

Checking your locale settings on Windows

To check your current locale setting, run the Get-WinSystemLocale command from PowerShell.

PS C:\> Get-WinSystemLocale

LCID Name DisplayName

---- ---- -----------

1033 en-US English (United States)

To check your system’s current code page setting, run the chcp command.

Setting your locale on *nix with an environment variable

You can use environment variables to set your locale for processes started on the command line. For most Linux

distributions, set the LANG variable to your preferred locale, and the LANGUAGE variable to an empty string. On

SLES, also set the LC_ALL variable to an empty string.

For example, to set the locale to Japanese for a terminal session on SLES:

export LANG=ja_JP.UTF-8

export LANGUAGE=''

export LC_ALL=''

To set the locale for the Puppet agent service, you can add these export statements to:

• /etc/sysconfig/puppet on RHEL and its derivatives

• /etc/default/puppet on Debian, Ubuntu, and their derivatives

After updating the file, restart the Puppet service to apply the change.

Setting your locale for the Puppet agent service on macOS

To set the locale for the Puppet agent service on macOS, update the LANG setting in the /Library/

LaunchDaemons/com.puppetlabs.puppet.plist file.

<dict>

</dict>

After updating the file, restart the Puppet service to apply the change.

Setting your locale on Windows

On Windows, Puppet uses the LANG environment variable if it is set. If not, it uses the configured region, as set in the

Administrator tab of the Region control panel.

On Windows 10, you can use PowerShell to set the system locale:

Set-WinSystemLocale en-US

Disabling internationalized strings

Use the optional Boolean disable_i18n setting to disable the use of internationalized strings. You can configure

this setting in puppet.conf. If set to true, Puppet disables localized strings in log messages, reports, and parts

of the command line interface. This can improve performance when using Puppet modules, especially if environment

caching is disabled, and even if you don’t need localized strings or the modules aren’t localized. This setting is

false by default in open source Puppet.

Puppet | Set up Puppet | 79

If you’re experiencing performance issues, configure this setting in the [server] section of the primary Puppet

server's puppet.conf file. To force unlocalized messages, which are in English by default, configure this section

in a node’s [main] or [user] sections of puppet.conf.

Key configuration settings

Puppet has about 200 settings, all of which are listed in the configuration reference. Most of the time, you interact

with only a couple dozen of them. This page lists the most important ones, assuming that you're okay with default

values for things like the port Puppet uses for network traffic. See the configuration reference for more details on

each.

There are a lot of settings that are rarely useful but still make sense, but there are also at least a hundred that are not

configurable at all. This is a Puppet design choice. Because of the way Puppet code is arranged, the settings system is

the easiest way to publish global constants that are dynamically initialized on startup. This means a lot of things have

been introduced to Puppet as configurable settings regardless of whether they needed to be configurable.

For a full list of Puppet settings, see the configuration reference.

Settings for agents (all nodes)

The following settings for agents are listed approximately in order of importance. Most of these can go in either

[main] or [agent] sections, or be specified on the command line.

Basics

• server — The primary server to request configurations from. Defaults to puppet. Change it if that’s not your

server’s name.

• ca_server and report_server — If you’re using multiple Puppet primary servers, you’ll need to

centralize the CA. One of the ways to do this is by configuring ca_server on all agents. See Scaling Puppet

Server with compile servers for more details. The report_server setting works the same way, although

whether you need to use it depends on how you’re processing reports.

• certname — The node’s certificate name, and the unique identifier it uses when requesting catalogs. Defaults to

the fully qualified domain name.

• For best compatibility, limit the value of certname to only use lowercase letters, numbers, periods,

underscores, and dashes. That is, it matches /\A[a-z0-9._-]+\Z/.

• The special value ca is reserved, and can’t be used as the certname for a normal node.

• environment — The environment to request when contacting the primary server. It’s only a request, though;

the primary server’s ENC can override this if it chooses. Defaults to production.

• sourceaddress — The address on a multihomed host to use for the agent’s communication with the primary

server.

Note: Although it’s possible to set something other than the certname as the node name (using either the

node_name_fact or node_name_value setting), we don’t generally recommend it. It allows you to re-use one

node certificate for many nodes, but it reduces security, makes it harder to reliably identify nodes, and can interfere

with other features. Setting a non-certname node name is not officially supported in Puppet Enterprise.

Run behavior

These settings affect the way Puppet applies catalogs:

• noop — If enabled, the agent won’t make any changes to the node. Instead, it looks for changes that would be

made if the catalog were applied, and report to the primary server about what it would have done. This can be

overridden per-resource with the noop metaparameter.

• priority — Allows you to make the agent share CPU resources so that other applications have access to

processing power while agent is applying a catalog.

• report — Indicates whether to send reports. Defaults to true.

• tags — Lets you limit the Puppet run to include only those resources with certain tags.

Puppet | Set up Puppet | 80

• trace, profile, graph, and show_diff — Tools for debugging or learning more about an agent run.

Useful when combined with the --test and --debug command options.

• usecacheonfailure — Indicates whether to fall back to the last known good catalog if the primary server

fails to return a good catalog. The default behavior is usually what you want, but you might have a reason to

disable it.

• ignoreschedules — If you use schedules, this can be useful when doing an initial Puppet run to set up new

nodes.

• prerun_command and postrun_command — Commands to run on either side of a Puppet run.

• ignore_plugin_errors — If set to false, the agent aborts the run if pluginsync fails. Defaults to true.

Service behavior

These settings affect the way Puppet agent acts when running as a long-lived service:

• runinterval — How often to do a Puppet run, when running as a service.

• waitforcert — Whether to keep trying if the agent can’t initially get a certificate. The default behavior is

good, but you might have a reason to disable it.

Useful when running agent from cron

• splay and splaylimit — Together, these allow you to spread out agent runs. When running the agent as

a daemon, the services usually have been started far enough out of sync to make this a non-issue, but it’s useful

with cron agents. For example, if your agent cron job happens on the hour, you could set splay = true and

splaylimit = 60m to keep the primary server from getting briefly overworked and then left idle for the next

50 minutes.

• daemonize — Whether to daemonize. Set this to false when running the agent from cron.

• onetime — Whether to exit after finishing the current Puppet run. Set this to true when running the agent from

cron.

For more information on these settings, see the configuration reference.

Settings for primary servers

Many of these settings are also important for standalone Puppet apply nodes, because they act as their own primary

server. These settings go in the [server] section, unless you’re using Puppet apply in production, in which case

put them in the [main] section instead.

Basics

• dns_alt_names — A list of hostnames the server is allowed to use when acting as a primary server. The

hostname your agents use in their server setting must be included in either this setting or the primary server’s

certname setting. Note that this setting is only used when initially generating the primary server’s certificate —

if you need to change the DNS names, you must:

Run: sudo puppetserver ca clean --certname <SERVER'S CERTNAME>

Turn off the Puppet Server service.

Run: sudo puppetserver ca generate --certname <SERVER'S CERTNAME> --

subject-alt-names <ALT NAME 1>,<ALT NAME 2>,...

Re-start the Puppet Server service.

• environment_timeout — For better performance, you can set this to unlimited and make refreshing the

primary server a part of your standard code deployment process.

• environmentpath — Controls where Puppet finds directory environments. For more information on

environments, see Creating environments.

• basemodulepath — A list of directories containing Puppet modules that can be used in all environments. See

modulepath for details.

• reports — Which report handlers to use. For a list of available report handlers, see the report reference. You

can also write your own report handlers. Note that the report handlers might require settings of their own.

Puppet | Set up Puppet | 81

• digest_algorithm — To accept requests from older agents when using a remote filebucket, Puppet Server

needs to specify digest_algorithm=md5.

Puppet Server related settings

Puppet Server has its own configuration files; consequently, there are several settings in puppet.conf that Puppet

Server ignores.

• puppet-admin — Settings to control which authorized clients can use the admin interface.

• jruby-puppet — Provides details on tuning JRuby for better performance.

• JAVA_ARGS — Instructions on tuning the Puppet Server memory allocation.

Extensions

These features configure add-ons and optional features:

• node_terminus and external_nodes — The ENC settings. If you’re using an ENC, set these to exec

and the path to your ENC script, respectively.

• storeconfigs and storeconfigs_backend — Used for setting up PuppetDB. See the PuppetDB docs

for details.

• catalog_terminus — This can enable the optional static compiler. If you have lots of file resources in

your manifests, the static compiler lets you sacrifice some extra CPU work on your primary server to gain faster

configuration and reduced HTTPS traffic on your agents. See the indirection reference for details.

CA settings

• ca_ttl — How long newly signed certificates are valid. Deprecated.

• autosign — Whether and how to autosign certificates. See Autosigning for detailed information.

For more information on these settings, see the configuration reference.

Puppet | Set up Puppet | 82

Puppet's configuration files

Puppet settings can be configured in the main config file, called puppet.conf. There are several additional

configuration files, for new settings and ones that need to be in separate files with complex data structures.

• puppet.conf: The main config file on page 82

The puppet.conf file is Puppet’s main config file. It configures all of the Puppet commands and services,

including Puppet agent, the primary Puppet server, Puppet apply, and puppetserver ca. Nearly all of the settings

listed in the configuration reference can be set in puppet.conf.

• environment.conf: Per-environment settings on page 85

Environments are isolated groups of agent nodes. Any environment can contain an environment.conf file. This

file can override several settings whenever the primary server is serving nodes assigned to that environment.

• fileserver.conf: Custom fileserver mount points on page 87

The fileserver.conf file configures custom static mount points for Puppet’s file server. If custom mount points

are present, file resources can access them with their source attributes.

• puppetdb.conf: PuppetDB server locations on page 87

The puppetdb.conf file configures how Puppet connects to one or more servers. It is only used if you are using

PuppetDB and have connected your primary server to it.

• autosign.conf: Basic certificate autosigning on page 87

The autosign.conf file can allow certain certificate requests to be automatically signed. It is only valid on the

CA primary Puppet server; a primary server not serving as a CA does not use autosign.conf.

• csr_attributes.yaml: Certificate extensions on page 88

The csr_attributes.yaml file defines custom data for new certificate signing requests (CSRs).

• custom_trusted_oid_mapping.yaml: Short names for cert extension OIDs on page 90

The custom_trusted_oid_mapping.yaml file lets you set your own short names for certificate extension

object identifiers (OIDs), which can make the $trusted variable more useful.

• device.conf: Network hardware access on page 91

The puppet-device subcommand retrieves catalogs from the primary Puppet server and applies them to remote

devices. Devices to be managed by the puppet-device subcommand are configured in device.conf.

• routes.yaml: Advanced plugin routing on page 92

The routes.yaml file overrides configuration settings involving indirector termini, and allows termini to be set in

greater detail than puppet.conf allows.

puppet.conf: The main config file

The puppet.conf file is Puppet’s main config file. It configures all of the Puppet commands and services,

including Puppet agent, the primary Puppet server, Puppet apply, and puppetserver ca. Nearly all of the settings

listed in the configuration reference can be set in puppet.conf.

It resembles a standard INI file, with a few syntax extensions. Settings can go into application-specific sections, or

into a [main] section that affects all applications.

For a complete list of Puppet's settings, see the configuration reference.

Location

The puppet.conf file is always located at $confdir/puppet.conf.

Although its location is configurable with the config setting, it can be set only on the command line. For example:

puppet agent -t --config ./temporary_config.conf

The location of the confdir depends on your operating system. See the confdir documentation for details.

Examples

Example agent config:

[main]

certname = agent01.example.com

Puppet | Set up Puppet | 83

server = puppet

runinterval = 1h

Example server config:

[main]

certname = puppetserver01.example.com

server = puppet

runinterval = 1h

strict_variables = true

[server]

dns_alt_names =

primaryserver01,primaryserver01.example.com,puppet,puppet.example.com

reports = puppetdb

storeconfigs_backend = puppetdb

storeconfigs = true

Format

The puppet.conf file consists of one or more config sections, each of which can contain any number of settings.

The file can also include comment lines at any point.

Config sections

[main]

certname = primaryserver01.example.com

A config section is a group of settings. It consists of:

• Its name, enclosed in square brackets. The [name] of the config section must be on its own line, with no leading

space.

• Any number of setting lines, which can be indented for readability.

• Any number of empty lines or comment lines

As soon as a new config section [name] appears in the file, the former config section is closed and the new one

begins. A given config section only occurs one time in the file.

Puppet uses four config sections:

• main is the global section used by all commands and services. It can be overridden by the other sections.

• server is used by the primary Puppet server service and the Puppet Server ca command.

Important: Be sure to apply settings only in main unless there is a specific case where you have to override

a setting for the server run mode. For example, when Puppet Server is configured to use an external node

classifier, you must add these settings to the server section. If those settings are added to main, then the agent

tries and fails to run the server-only script /usr/local/bin/puppet_node_classifier during its run.

• agent is used by the Puppet agent service.

• user is used by the Puppet apply command, as well as many of the less common Puppet subcommands

Puppet prefers to use settings from one of the three application-specific sections (server, agent, or user). If it

doesn’t find a setting in the application section, it uses the value from main. (If main doesn’t set one, it falls back to

the default value.)

Note: Puppet Server ignores some config settings. It honors almost all settings in puppet.conf and picks them up

automatically. However, some Puppet Server settings differ from a Ruby primary server's puppet.conf settings.

Puppet | Set up Puppet | 84

Comment lines

# This is a comment.

Comment lines start with a hash sign (#). They can be indented with any amount of leading space.

Partial-line comments such as report = true # this enables reporting are not allowed, and the

intended comment is treated as part of the value of the setting. To be treated as a comment, the hash sign must be the

first non-space character on the line.

Setting lines

certname = primaryserver01.example.com

A setting line consists of:

• Any amount of leading space (optional).

• The name of a setting.

• An equals sign (=), which can optionally be surrounded by any number of spaces.

• A value for the setting.

Special types of values for settings

Generally, the value of a setting is a single word. However, listed below are a few special types of values.

List of words: Some settings (like reports) can accept multiple values, which are specified as a comma-separated list

(with optional spaces after commas). Example: report = http,puppetdb

Paths: Some settings (like environmentpath) take a list of directories. The directories are separated by the system

path separator character, which is colon (:) on *nix platforms and semicolon (;) on Windows.

# *nix version:

environmentpath = $codedir/special_environments:$codedir/environments

# Windows version:

environmentpath = $codedir/environments;C:\ProgramData\PuppetLabs\code

\environment

Path lists are ordered;Puppet always checks the first directory first, then moves on to the others if it doesn’t find what

it needs.

Files or directories: Settings that take a single file or directory (like ssldir) can accept an optional hash of

permissions. When starting up, Puppet enforces those permissions on the file or directory.

We do not recommend you do this because the defaults are good for most users. However, if you need to, you can

specify permissions by putting a hash like this after the path:

ssldir = $vardir/ssl {owner = service, mode = 0771}

The allowed keys in the hash areowner, group, and mode. There are only two valid values for the owner and

group keys:

• root — the root or Administrator user or group owns the file.

• service — the user or group that the Puppet service is running as owns the file. The service’s user and group

are specified by the user and group settings. On a primary server running open source Puppet, these default to

puppet; on Puppet Enterprise they default to pe-puppet.

Puppet | Set up Puppet | 85

Interpolating variables in settings

The values of settings are available as variables within puppet.conf, and you can insert them into the values of

other settings. To reference a setting as a variable, prefix its name with a dollar sign ($):

ssldir = $vardir/ssl

Not all settings are equally useful; there’s no real point in interpolating$ssldir into basemodulepath, for

example. We recommend that you use only the following variables:

• $codedir

• $confdir

• $vardir

environment.conf: Per-environment settings

Environments are isolated groups of agent nodes. Any environment can contain an environment.conf file. This

file can override several settings whenever the primary server is serving nodes assigned to that environment.

Location

Each environment.conf file is stored in an environment. It will be at the top level of its home environment, next

to the manifests and modules directories.

For example, if your environments are in the default directory ($codedir/environments), the test

environment’s config file is located at $codedir/environments/test/environment.conf.

Example

# /etc/puppetlabs/code/environments/test/environment.conf

# Puppet Enterprise requires $basemodulepath; see note below under

"modulepath".

modulepath = site:dist:modules:$basemodulepath

# Use our custom script to get a git commit for the current state of the

code:

config_version = get_environment_commit.sh

Format

The environment.conf file uses the same INI-like format as puppet.conf, with one exception: it cannot

contain config sections like [main]. All settings in environment.conf must be outside any config section.

Relative paths in values

Most of the allowed settings accept file paths or lists of paths as their values.

If any of these paths are relative paths — that is, they start without a leading slash or drive letter — they are resolved

relative to that environment’s main directory.

For example, if you set config_version = get_environment_commit.sh in the test

environment, Puppet uses the file at /etc/puppetlabs/code/environments/test/

get_environment_commit.sh.

Interpolation in values

The settings in environment.conf can use the values of other settings as variables (such as $codedir).

Additionally, the config_version setting can use the special $environment variable, which gets replaced

with the name of the active environment.

Puppet | Set up Puppet | 86

The most useful variables to interpolate into environment.conf settings are:

• $basemodulepath — useful for including the default module directories in the modulepath setting. We

recommend Puppet Enterprise (PE) users include this in the value of modulepath, because PE uses modules in

the basemodulepath to configure orchestration and other features.

• $environment — useful as a command line argument to your config_version script. You can interpolate

this variable only in the config_version setting.

• $codedir — useful for locating files.

Allowed settings

The environment.conf file can override these settings:

modulepath

The list of directories Puppet loads modules from.

If this setting isn’t set, the modulepath for the environment is:

<MODULES DIRECTORY FROM ENVIRONMENT>:$basemodulepath

That is, Puppet adds the environment’s modules directory to the value of the basemodulepath setting from

puppet.conf, with the environment’s modules getting priority. If the modules directory is empty of absent,

Puppet only uses modules from directories in the basemodulepath. A directory environment never uses the global

modulepath from puppet.conf.

manifest

The main manifest the primary server uses when compiling catalogs for this environment. This can be one file

or a directory of manifests to be evaluated in alphabetical order. Puppet manages this path as a directory if one

exists or if the path ends with a slash (/) or dot (.).

If this setting isn’t set, Puppet uses the environment’s manifests directory as the main manifest, even if it is

empty or absent. A directory environment never uses the global manifest from puppet.conf.

config_version

A script Puppet can run to determine the configuration version.

Puppet automatically adds a config version to every catalog it compiles, as well as to messages in reports. The

version is an arbitrary piece of data that can be used to identify catalogs and events.

You can specify an executable script that determines an environment’s config version by setting

config_version in its environment.conf file. Puppet runs this script when compiling a catalog for a node in

the environment, and use its output as the config version.

Note: If you’re using a system binary like git rev-parse, make sure to specify the absolute path to it. If

config_version is set to a relative path, Puppet looks for the binary in the environment, not in the system’s

PATH.

If this setting isn’t set, the config version is the time at which the catalog was compiled (as the number of

seconds since January 1, 1970). A directory environment never uses the global config_version from

puppet.conf.

environment_timeout

How long the primary server caches the data it loads from an environment. If present, this overrides the value of

environment_timeout from puppet.conf. Unless you have a specific reason, we recommend only setting

environment_timeout globally, in puppet.conf. We also don’t recommend using any value other than 0 or

unlimited.

For more information about configuring the environment timeout, see the timeout section of the Creating

Environments page.

Puppet | Set up Puppet | 87

fileserver.conf: Custom fileserver mount points

The fileserver.conf file configures custom static mount points for Puppet’s file server. If custom mount points

are present, file resources can access them with their source attributes.

When to use fileserver.conf

This file is necessary only if you are creating custom mount points.

Puppet automatically serves files from the files directory of every module, and most users find this sufficient. For

more information, see Modules fundamentals. However, custom mount points are useful for things that you don’t

store in version control with your modules, like very large files and sensitive credentials.

Location

The fileserver.conf file is located at $confdir/fileserver.conf by default. Its location is

configurable with the fileserverconfig setting.

The location of the confdir depends on your operating system. See the confdir documentation for details.

Example

# Files in the /path/to/files directory are served

# at puppet:///extra_files/.

[extra_files]

path /etc/puppetlabs/puppet/extra_files

This fileserver.conf file creates a new mount point named extra_files. Authorization to extra_files

is controlled by Puppet Server. See creating custom mount points for more information.

CAUTION: Always restrict write access to mounted directories. The file server follows any symlinks in a

file server mount, including links to files that agent nodes shouldn’t access (like SSL keys). When following

symlinks, the file server can access any files readable by Puppet Server’s user account.

Format

fileserver.conf uses a one-off format that resembles an INI file without the equals (=) signs. It is a series of

mount-point stanzas, where each stanza consists of:

• A [mount_point_name] surrounded by square brackets. This becomes the name used in puppet:///

URLs for files in this mount point.

• A path <PATH> directive, where <PATH> is an absolute path on disk. This is where the mount point’s files are

stored.

puppetdb.conf: PuppetDB server locations

The puppetdb.conf file configures how Puppet connects to one or more servers. It is only used if you are using

PuppetDB and have connected your primary server to it.

This configuration file is documented in the PuppetDB docs. See Configuring a Puppet/PuppetDB connection for

details.

autosign.conf: Basic certificate autosigning

The autosign.conf file can allow certain certificate requests to be automatically signed. It is only valid on the

CA primary Puppet server; a primary server not serving as a CA does not use autosign.conf.

CAUTION: Because any host can provide any certname when requesting a certificate, basic autosigning is

insecure. Use it only when you fully trust any computer capable of connecting to the primary server.

Puppet also provides a policy-based autosigning interface using custom policy executables, which can be more

flexible and secure than the autosign.conf allowlist but more complex to configure.

Puppet | Set up Puppet | 88

For more information, see the documentation about certificate autosigning.

Location

Puppet looks for autosign.conf at $confdir/autosign.conf by default. To change this path, configure

the autosign setting in the [server] section of puppet.conf.

The default confdir path depends on your operating system. See the confdir documentation for more information.

Note: The autosign.conf file must not be executable by the primary server user account. If the autosign

setting points to an executable file, Puppet instead treats it like a custom policy executable even if it contains a valid

autosign.conf allowlist.

Format

The autosign.conf file is a line-separated list of certnames or domain name globs. Each line represents a node

name or group of node names for which the CA primary server automatically signs certificate requests.

rebuilt.example.com

*.scratch.example.com

*.local

Domain name globs do not function as normal globs: an asterisk can only represent one or more subdomains at the

front of a certname that resembles a fully qualified domain name (FQDN). If your certnames don’t look like FQDNs,

the autosign.conf allowlist might not be effective.

Note: The autosign.conf file can safely be an empty file or not-existent, even if the autosign setting is

enabled. An empty or non-existent autosign.conf file is an empty allowlist, meaning that Puppet does not

autosign any requests. If you create autosign.conf as a non-executable file and add certnames to it, Puppet then

automatically uses the file to allow incoming requests without needing to modify puppet.conf.

To explicitly disable autosigning, set autosign = false in the [server] section of the CA primary server's

puppet.conf, which disables CA autosigning even if autosign.conf or a custom policy executable exists.

csr_attributes.yaml: Certificate extensions

The csr_attributes.yaml file defines custom data for new certificate signing requests (CSRs).

The csr_attributes.yaml file can set:

• CSR attributes (transient data used for pre-validating requests)

• Certificate extension requests (permanent data to be embedded in a signed certificate)

This file is only consulted when a new CSR is created, for example when an agent node is first attempting to join a

Puppet deployment. It cannot modify existing certificates.

For information about using this file, see CSR attributes and certificate extensions.

Location

The csr_attributes.yaml file is located at $confdir/csr_attributes.yaml by default. Its location is

configurable with the csr_attributes setting.

The location of the confdir depends on your operating system. See the confdir documentation for details.

Example

---

custom_attributes:

1.2.840.113549.1.9.7: 342thbjkt82094y0uthhor289jnqthpc2290

extension_requests:

Puppet | Set up Puppet | 89

pp_uuid: ED803750-E3C7-44F5-BB08-41A04433FE2E

pp_image_name: my_ami_image

pp_preshared_key: 342thbjkt82094y0uthhor289jnqthpc2290

Format

The csr_attributes file must be a YAML hash containing one or both of the following keys:

• custom_attributes

• extension_requests

The value of each key must also be a hash, where:

• Each key is a valid object identifier (OID). Note that Puppet-specific OIDs can optionally be referenced by short

name instead of by numeric ID. In the example above, pp_uuid is a short name for a Puppet-specific OID.

• Each value is an object that can be cast to a string. That is, numbers are allowed but arrays are not.

Allowed OIDs for custom attributes

Custom attributes can use any public or site-specific OID, with the exception of the OIDs used for core X.509

functionality. This means you can’t re-use existing OIDs for things like subject alternative names.

One useful OID is the “challengePassword” attribute — 1.2.840.113549.1.9.7. This is a rarely-used corner

of X.509 which can be repurposed to hold a pre-shared key. The benefit of using this instead of an arbitrary OID is

that it appears by name when using OpenSSL to dump the CSR to text; OIDs that openssl req can’t recognize are

displayed as numerical strings.

Also note that the Puppet-specific OIDs listed below can also be used in CSR attributes.

Allowed OIDs for extension requests

Extension request OIDs must be under the “ppRegCertExt” (1.3.6.1.4.1.34380.1.1) or

“ppPrivCertExt” (1.3.6.1.4.1.34380.1.2) OID arcs.

Puppet provides several registered OIDs (under “ppRegCertExt”) for the most common kinds of extension

information, as well as a private OID range (“ppPrivCertExt”) for site-specific extension information. The benefits of

using the registered OIDs are:

• They can be referenced in csr_attributes.yaml using their short names instead of their numeric IDs.

• When using Puppet tools to print certificate info, they appear using their descriptive names instead of their

numeric IDs.

The private range is available for any information you want to embed into a certificate that isn’t already in wide use

elsewhere. It is completely unregulated, and its contents are expected to be different in every Puppet deployment.

The “ppRegCertExt” OID range contains the following OIDs.

Numeric ID Short name Descriptive name

1.3.6.1.4.1.34380.1.1.1 pp_uuid Puppet node UUID

1.3.6.1.4.1.34380.1.1.2 pp_instance_id Puppet node instance ID

1.3.6.1.4.1.34380.1.1.3 pp_image_name Puppet node image name

1.3.6.1.4.1.34380.1.1.4 pp_preshared_key Puppet node preshared key

1.3.6.1.4.1.34380.1.1.5 pp_cost_center Puppet node cost center name

1.3.6.1.4.1.34380.1.1.6 pp_product Puppet node product name

1.3.6.1.4.1.34380.1.1.7 pp_project Puppet node project name

1.3.6.1.4.1.34380.1.1.8 pp_application Puppet node application name

Puppet | Set up Puppet | 90

Numeric ID Short name Descriptive name

1.3.6.1.4.1.34380.1.1.9 pp_service Puppet node service name

1.3.6.1.4.1.34380.1.1.10 pp_employee Puppet node employee name

1.3.6.1.4.1.34380.1.1.11 pp_created_by Puppet node created_by tag

1.3.6.1.4.1.34380.1.1.12 pp_environment Puppet node environment name

1.3.6.1.4.1.34380.1.1.13 pp_role Puppet node role name

1.3.6.1.4.1.34380.1.1.14 pp_software_version Puppet node software version

1.3.6.1.4.1.34380.1.1.15 pp_department Puppet node department name

1.3.6.1.4.1.34380.1.1.16 pp_cluster Puppet node cluster name

1.3.6.1.4.1.34380.1.1.17 pp_provisioner Puppet node provisioner name

1.3.6.1.4.1.34380.1.1.18 pp_region Puppet node region name

1.3.6.1.4.1.34380.1.1.19 pp_datacenter Puppet node datacenter name

1.3.6.1.4.1.34380.1.1.20 pp_zone Puppet node zone name

1.3.6.1.4.1.34380.1.1.21 pp_network Puppet node network name

1.3.6.1.4.1.34380.1.1.22 pp_securitypolicy Puppet node security policy name

1.3.6.1.4.1.34380.1.1.23 pp_cloudplatform Puppet node cloud platform name

1.3.6.1.4.1.34380.1.1.24 pp_apptier Puppet node application tier

1.3.6.1.4.1.34380.1.1.25 pp_hostname Puppet node hostname

The “ppAuthCertExt” OID range contains the following OIDs:

1.3.6.1.4.1.34380.1.3.1 pp_authorization Certificate extension authorization

1.3.6.1.4.1.34380.1.3.13 pp_auth_role Puppet node role name for

authorization. For PE internal use

only.

custom_trusted_oid_mapping.yaml: Short names for cert extension OIDs

The custom_trusted_oid_mapping.yaml file lets you set your own short names for certificate extension

object identifiers (OIDs), which can make the $trusted variable more useful.

The file must be present on each Puppet Server infrastructure node. The compiler does not add certificate extensions

to $trusted in a serverless approach such as puppet apply.

Certificate extensions

When a node requests a certificate, it can ask the CA to include some additional, permanent metadata in that cert.

Puppet agent uses the csr_attributes.yaml file to decide what extensions to request.

If the CA signs a certificate with extensions included, those extensions are available as trusted facts in the top-scope

$trusted variable. Your manifests or node classifier can then use those trusted facts to decide which nodes can

receive which configurations.

By default, the Puppet-specific registered OIDs appear as keys with convenient short names in the

$trusted[extensions] hash, and any other OIDs appear as raw numerical IDs. You can use the

custom_trusted_oid_mapping.yaml file to map other OIDs to short names, which replaces the numerical

OIDs in $trusted[extensions].

For more information, see CSR attributes and certificate extensions, Trusted facts, The csr_attributes.yaml

file.

Puppet | Set up Puppet | 91

Limitations of OID mapping

Mapping OIDs in this file only affects the keys in the $trusted[extensions] hash. It does not affect what an

agent can request in its csr_attributes.yaml file — anything but Puppet-specific registered extensions must

still be numerical OIDs.

After setting custom OID mapping values and restarting puppetserver, you can reference variables using only the

short name.

Location

The OID mapping file is located at $confdir/custom_trusted_oid_mapping.yaml by default. Its

location is configurable with the trusted_oid_mapping_file setting.

The location of the confdir depends on your OS. See the confdir documentation for details.

Example

---

oid_mapping:

1.3.6.1.4.1.34380.1.2.1.1:

shortname: 'myshortname'

longname: 'My Long Name'

1.3.6.1.4.1.34380.1.2.1.2:

shortname: 'myothershortname'

longname: 'My Other Long Name'

Format

The custom_trusted_oid_mapping.yaml must be a YAML hash containing a single key called

oid_mapping.

The value of the oid_mapping key must be a hash whose keys are numerical OIDs. The value for each OID must

be a hash with two keys:

• shortname for the case-sensitive one-word name that is used in the $trusted[extensions] hash.

• longname for a more descriptive name (not used elsewhere).

device.conf: Network hardware access

The puppet-device subcommand retrieves catalogs from the primary Puppet server and applies them to remote

devices. Devices to be managed by the puppet-device subcommand are configured in device.conf.

For more information on Puppet device, see the Puppet device documentation.

Location

The device.conf file is located at $confdir/device.conf by default, and its location is configurable with

the deviceconfig setting.

The location of confdir depends on your operating system. See the confdir documentation for details.

Format

The device.conf file is an INI-like file, with one section per device:

[device001.example.com]

type cisco

url ssh://admin:[email protected]

debug

The section name specifies the certname of the device.

Puppet | Set up Puppet | 92

The values for the type and url properties are specific to each type of device.

The the optional debug property specifies transport-level debugging, and is limited to telnet and ssh transports.

For Cisco devices, the url is in the following format:

scheme://user:password@hostname/query

With:

• Scheme: either ssh or telnet

• user: optional connection username, depending on the device configuration

• password: connection password

• query: optional ?enable= parameter whose value is the enable password

Note: Reserved non-alphanumeric characters in the url must be percent-encoded.

routes.yaml: Advanced plugin routing

The routes.yaml file overrides configuration settings involving indirector termini, and allows termini to be set in

greater detail than puppet.conf allows.

The routes.yaml file makes it possible to use certain extensions to Puppet, most notably PuppetDB. Usually

you edit this file only to make changes that are explicitly specified by the setup instructions for an extension you are

trying to install.

routes.yaml allows you to configure a terminus to have a cache. The cache is simply another terminus used for

quick retrieval of facts. When saving facts, Puppet always saves to the main terminus. When loading facts, Puppet

loads first from the cache. If the requested value is not present in the cache, Puppet instead loads from the main

terminus.

Location

The routes.yaml file is located at $confdir/routes.yaml by default. Its location is configurable with the

route_file setting.

The location of the confdir depends on your operating system. See the confdir documentation for details.

Example

---

server:

facts:

terminus: puppetdb

cache: yaml

Format

The routes.yaml file is a YAML hash.

Each top level key is the name of a run mode (server, agent, or user), and its value is another hash.

Each key of the second-level hash is the name of an indirection, and its value is another hash.

The only keys allowed in the third-level hash are terminus and cache. The value of each of these keys is the

name of a valid terminus for the indirection named above.

Puppet | Set up Puppet | 93

Adding file server mount points

Puppet Server includes a file server for transferring static file content to agents. If you need to serve large files that

you don't want to store in source control or distribute with a module, you can make a custom file server mount point

and let Puppet serve those files from another directory.

In Puppet code, you can tell the file server is being used when you see a file resource that has a source =>

puppet:///... attribute specified.

To set up a mount point:

Choose a directory on disk for the mount point, make sure Puppet Server can access it, and add your files to the

directory.

Edit fileserver.conf on your Puppet Server node, so Puppet knows which directory to associate with the

new mount point.

(Optional) Edit Puppet Server's auth.conf to allow access to the new mount point.

After the mount point is set up, Puppet code can reference the files you added to the directory at puppet:///

<MOUNT POINT>/<PATH>.

Mount points in the Puppet URI

Puppet URIs look like this: puppet://<SERVER>/<MOUNT POINT>/<PATH>.

The <SERVER> is optional, so it common practice to use puppet:/// URIs with three slashes. Usually, there is

no reason to specify the server. For Puppet agent, <SERVER> defaults to the value of the server setting. For Puppet

apply, <SERVER> defaults to a special mock server with a modules mount point.

<MOUNT POINT> is a unique identifier for some collection of files. There are different kinds of mount points:

• Custom mount points correspond to a directory that you specify.

• The task mount point works in a similar way to the modules mount point but for files that live under the

modules tasks directory, rather than the files directory.

• The special modules mount point serves files from the files directory of every module. It behaves as if

someone had copied the files directory from every module into one big directory, renaming each of them

with the name of their module. For example, the files in apache/files/... are available at puppet:///

modules/apache/....

• The special plugins mount point serves files from the lib directory of every module. It behaves as if someone

had copied the contents of every lib directory into one big directory, with no additional namespacing. Puppet

agent uses this mount point when syncing plugins before a run, but there’s no reason to use it in a file resource.

• The special pluginfacts mount point serves files from the facts.d directory of every module to support

external facts. It behaves like the plugins mount point, but with a different source directory.

• The special locales mount point serves files from the locales directory of every module to support

automatic downloading of module translations to agents. It also behaves like the plugins mount point, and also

has a different source directory.

<PATH> is the remainder of the path to the file, starting from the directory (or imaginary directory) that corresponds

to the mount point.

Creating a new mount point in fileserver.conf

The fileserver.conf file uses the following syntax to define mount points:

[<NAME OF MOUNT POINT>]

path <PATH TO DIRECTORY>

In the following example, a file at /etc/puppetlabs/puppet/installer_files/oracle.pkg would be

available in manifests as puppet:///installer_files/oracle.pkg:

[installer_files]

Puppet | Set up Puppet | 94

path /etc/puppetlabs/puppet/installer_files

Make sure that the puppet user has the right permissions to access that directory and its contents.

CAUTION: Always restrict write access to mounted directories. The file server follows any symlinks in a

file server mount, including links to files that agent nodes cannot access (such as SSL keys). When following

symlinks, the file server can access any files readable by Puppet Server’s user account.

Controlling access to a custom mount point in auth.conf

By default, any node with a valid certificate can access the files in your new mount point. If a node can fetch a

catalog, it can fetch files. If the node can’t fetch a catalog, it can’t fetch files. This is the same behavior as the

special modules and plugins mount points. If necessary, you can restrict access to a custom mount point in

auth.conf.

To add a new auth rule to Puppet Server’s HOCON-format auth.conf file, located at /etc/puppetlabs/

puppetserver/conf.d/auth.conf. , you must meet the following requirements:

• It must match requests to all four of these prefixes:

• /puppet/v3/file_metadata/<MOUNT POINT>

• /puppet/v3/file_metadatas/<MOUNT POINT>

• /puppet/v3/file_content/<MOUNT POINT>

• /puppet/v3/file_contents/<MOUNT POINT>

• Its sort-order must be lower than 500, so that it overrides the default rule for the file server.

For example:

{

# Allow limited access to files in /etc/puppetlabs/puppet/

installer_files:

match-request: {

path: "^/puppet/v3/file_(content|metadata)s?/installer_files"

type: regex

}

allow: "*.dev.example.com"

sort-order: 400

Related topics: Module fundamentals, fileserver.conf: Custom fileserver mount points, puppetserver.conf, auth.conf.

Checking the values of settings

Puppet settings are highly dynamic, and their values can come from several different places. To see the actual settings

values that a Puppet service uses, run the puppet config print command.

General usage

The puppet config print command loads and evaluates settings, and can imitate any of Puppet’s other

commands and services when doing so. The --section and --environment options let you control how

settings are loaded; for details, see the sections below on imitating different services.

Note: To ensure that you’re seeing the values Puppet use when running as a service, be sure to use sudo or run the

command as root or Administrator. If you run puppet config print as some other user, Puppet might

not use the system config file.

Puppet | Set up Puppet | 95

To see the value of one setting:

sudo puppet config print <SETTING NAME> [--section <CONFIG SECTION>] [--

environment <ENVIRONMENT>]

This displays just the value of <SETTING NAME>.

To see the value of multiple settings:

sudo puppet config print <SETTING 1> <SETTING 2> [...] [--section <CONFIG

SECTION>] [--environment <ENVIRONMENT>]

This displays name = value pairs for all requested settings.

To see the value of all settings:

sudo puppet config print [--section <CONFIG SECTION>] [--environment

<ENVIRONMENT>]

This displays name = value pairs for all settings.

Config sections

The --section option specifies which section of puppet.conf to use when finding settings. It is optional, and

defaults to main. Valid sections are:

• main (default) — used by all commands and services

• server — used by the primary Puppet server service and the puppetserver ca command

• agent — used by the Puppet agent service

• user — used by the Puppet apply command and most other commands

As usual, the other sections override the main section if they contain a setting; if they don’t, the value from main is

used, or a default value if the setting isn’t present there.

Environments

The --environment option specifies which environment to use when finding settings. It is optional and defaults

to the value of the environment setting in the user section (usually production, because it’s rare to specify an

environment in user).

You can only specify environments that exist.

This option is primarily useful when looking up settings used by the primary server service, because it’s rare to use

environment config sections for Puppet apply and Puppet agent.

Imitating Puppet server and puppetserver ca

To see the settings the Puppet server service and the puppetserver ca command would use:

• Specify --section server.

• Use the --environment option to specify the environment you want settings for, or let it default to

production.

• Remember to use sudo.

• If your primary Puppet server is managed as a Rack application (for example, with Passenger), check the

config.ru file to make sure it’s using the confdir and vardir that you expect. If it’s using non-standard ones,

you need to specify them on the command line with the --confdir and --vardir options; otherwise you

might not see the correct values for settings.

Puppet | Set up Puppet | 96

To see the effective modulepath used in the dev environment:

sudo puppet config print modulepath --section server --environment dev

This returns something like:

/etc/puppetlabs/code/environments/dev/modules:/etc/puppetlabs/code/modules:/

opt/puppetlabs/puppet/modules

To see whether PuppetDB is configured for exported resources:

sudo puppet config print storeconfigs storeconfigs_backend --section server

This returns something like:

storeconfigs = true

storeconfigs_backend = puppetdb

Imitating Puppet agent

To see the settings the Puppet agent service would use:

• Specify --section agent.

• Remember to use sudo.

• If you are seeing something unexpected, check your Puppet agent init script or cron job to make sure it is using the

standard confdir and vardir, is running as root, and isn’t overriding other settings with command line options. If

it’s doing anything unusual, you might have to set more options for the config print command.

To see whether the agent is configured to use manifest ordering when applying the catalog:

sudo puppet config print ordering --section agent

This returns something like:

manifest

Imitating puppet apply

To see the settings the Puppet apply command would use:

• Specify --section user.

• Remember to use sudo.

• If you are seeing something unexpected, check the cron job or script that is responsible for configuring the

machine with Puppet apply. Make sure it is using the standard confdir and vardir, is running as root, and isn’t

overriding other settings with command line options. If it’s doing anything unusual, you might have to set more

options for the config print command.

To see whether Puppet apply is configured to use reports:

sudo puppet config print report reports --section user

This returns something like:

report = true

reports = store,http

Puppet | Set up Puppet | 97

Editing settings on the command line

Puppet loads most of its settings from the puppet.conf config file. You can edit this file directly, or you can

change individual settings with the puppet config set command.

Use puppet config set for:

• Fast one-off config changes,

• Scriptable config changes in provisioning tools,

If you find yourself changing many settings, edit the puppet.conf file instead, or manage it with a template.

Usage

To assign a new value to a setting, run:

sudo puppet config set <SETTING NAME> <VALUE> --section <CONFIG SECTION>

This declaratively sets the value of <SETTING NAME> to <VALUE> in the specified config section, regardless of

whether the setting already had a value.

Config sections

The --section option specifies which section of puppet.conf to modify. It is optional, and defaults to main.

Valid sections are:

• main (default) — used by all commands and services

• server — used by the primary Puppet server service and the puppetserver ca command

• agent — used by the Puppet agent service

• user — used by the puppet apply command and most other commands

When modifying the system config file, use sudo or run the command as root or Administrator.

Example

Consider the following puppet.conf file:

[main]

certname = agent01.example.com

server = server.example.com

vardir = /var/opt/lib/pe-puppet

[agent]

report = true

graph = true

pluginsync = true

[server]

dns_alt_names = server,server.example.com,puppet,puppet.example.com

If you run the following commands:

sudo puppet config set reports puppetdb --section server

sudo puppet config set ordering manifest

The puppet.conf file now looks like this:

[main]

certname = agent01.example.com

server = server.example.com

vardir = /var/opt/lib/pe-puppet

ordering = manifest

Puppet | Set up Puppet | 98

[agent]

report = true

graph = true

pluginsync = true

[server]

dns_alt_names = server,server.example.com,server,server.example.com

reports = puppetdb

Configuration Reference

NOTE: This page was generated from the Puppet source code on 2024-08-01 18:15:53 -0700

This page is autogenerated; any changes will get overwritten

Configuration settings

• Each of these settings can be specified in puppet.conf or on the command line.

• Puppet Enterprise (PE) and open source Puppet share the configuration settings documented here. However,

PE defaults differ from open source defaults for some settings, such as node_terminus, storeconfigs,

always_retry_plugins, disable18n, environment_timeout (when Code Manager is enabled),

and the Puppet Server JRuby max-active-instances setting. To verify PE configuration defaults, check the

puppet.conf or pe-puppet-server.conf file after installation.

• When using boolean settings on the command line, use --setting and --no-setting instead of --

setting (true|false). (Using --setting false results in "Error: Could not parse application

options: needless argument".)

• Settings can be interpolated as $variables in other settings; $environment is special, in that puppet master

will interpolate each agent node's environment instead of its own.

• Multiple values should be specified as comma-separated lists; multiple directories should be separated with the

system path separator (usually a colon).

• Settings that represent time intervals should be specified in duration format: an integer immediately followed

by one of the units 'y' (years of 365 days), 'd' (days), 'h' (hours), 'm' (minutes), or 's' (seconds). The unit cannot

be combined with other units, and defaults to seconds when omitted. Examples are '3600' which is equivalent to

'1h' (one hour), and '1825d' which is equivalent to '5y' (5 years).

• If you use the splay setting, note that the period that it waits changes each time the Puppet agent is restarted.

• Settings that take a single file or directory can optionally set the owner, group, and mode for their value: rundir

= $vardir/run { owner = puppet, group = puppet, mode = 644 }

• The Puppet executables ignores any setting that isn't relevant to their function.

See the configuration guide for more details.

agent_catalog_run_lockfile

A lock file to indicate that a puppet agent catalog run is currently in progress. The file contains the pid of the process

that holds the lock on the catalog run.

• Default: $statedir/agent_catalog_run.lock

agent_disabled_lockfile

A lock file to indicate that puppet agent runs have been administratively disabled. File contains a JSON object with

state information.

• Default: $statedir/agent_disabled.lock

allow_duplicate_certs

Whether to allow a new certificate request to overwrite an existing certificate request. If true, then the old certificate

must be cleaned using puppetserver ca clean, and the new request signed using puppetserver ca

sign.

Puppet | Set up Puppet | 99

• Default: false

allow_pson_serialization

Whether to allow PSON serialization. When unable to serialize to JSON or other formats, Puppet falls back to PSON.

This option affects the configuration management service responses of Puppet Server and the process by which the

agent saves its cached catalog. With a default value of false, this option is useful in preventing the loss of data

because rich data cannot be serialized via PSON.

• Default: false

always_retry_plugins

Affects how we cache attempts to load Puppet resource types and features. If true, then calls to

Puppet.type.<type>? Puppet.feature.<feature>? will always attempt to load the type or feature

(which can be an expensive operation) unless it has already been loaded successfully. This makes it possible for a

single agent run to, e.g., install a package that provides the underlying capabilities for a type or feature, and then

later load that type or feature during the same run (even if the type or feature had been tested earlier and had not been

available).

If this setting is set to false, then types and features will only be checked once, and if they are not available, the

negative result is cached and returned for all subsequent attempts to load the type or feature. This behavior is almost

always appropriate for the server, and can result in a significant performance improvement for types and features that

are checked frequently.

• Default: true

autoflush

Whether log files should always flush to disk.

• Default: true

autosign

Whether (and how) to autosign certificate requests. This setting is only relevant on a Puppet Server acting as a

certificate authority (CA).

Valid values are true (autosigns all certificate requests; not recommended), false (disables autosigning certificates), or

the absolute path to a file.

The file specified in this setting may be either a configuration file or a custom policy executable. Puppet will

automatically determine what it is: If the Puppet user (see the user setting) can execute the file, it will be treated as a

policy executable; otherwise, it will be treated as a config file.

If a custom policy executable is configured, the CA Puppet Server will run it every time it receives a CSR. The

executable will be passed the subject CN of the request as a command line argument, and the contents of the CSR in

PEM format on stdin. It should exit with a status of 0 if the cert should be autosigned and non-zero if the cert should

not be autosigned.

If a certificate request is not autosigned, it will persist for review. An admin user can use the puppetserver ca

sign command to manually sign it, or can delete the request.

For info on autosign configuration files, see the guide to Puppet's config files.

• Default: $confdir/autosign.conf

basemodulepath

The search path for global modules. Should be specified as a list of directories separated by the system path separator

character. (The POSIX path separator is ':', and the Windows path separator is ';'.)

These are the modules that will be used by all environments. Note that the modules directory of the active

environment will have priority over any global directories. For more info, see https://puppet.com/docs/puppet/latest/

environments_about.html

• Default: $codedir/modules:/opt/puppetlabs/puppet/modules

Puppet | Set up Puppet | 100

binder_config

The binder configuration file. Puppet reads this file on each request to configure the bindings system. If set to nil (the

default), a $confdir/binder_config.yaml is optionally loaded. If it does not exists, a default configuration is used. If the

setting :binding_config is specified, it must reference a valid and existing yaml file.

• Default: ``

bucketdir

Where FileBucket files are stored.

• Default: $vardir/bucket

ca_fingerprint

The expected fingerprint of the CA certificate. If specified, the agent will compare the CA certificate fingerprint that

it downloads against this value and reject the CA certificate if the values do not match. This only applies during the

first download of the CA certificate.

• Default: ``

ca_name

The name to use the Certificate Authority certificate.

• Default: Puppet CA: $certname

ca_port

The port to use for the certificate authority.

• Default: $serverport

ca_refresh_interval

How often the Puppet agent refreshes its local CA certificates. By default, CA certificates are refreshed every 24

hours. If a different interval is specified, the agent refreshes its CA certificates during the next agent run if the elapsed

time since the certificates were last refreshed exceeds the specified duration.

In general, the interval should be greater than the runinterval value. Setting the ca_refresh_interval

value to 0 or an equal or lesser value than runinterval causes the CA certificates to be refreshed on every run.

If the agent downloads new CA certs, the agent uses those for subsequent network requests. If the refresh request fails

or if the CA certs are unchanged on the server, then the agent run will continue using the local CA certs it already has.

This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

• Default: 1d

ca_server

The server to use for certificate authority requests. It's a separate server because it cannot and does not need to

horizontally scale.

• Default: $server

ca_ttl

The default TTL for new certificates. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours

(6h), days (2d), or years (5y).

• Default: 5y

cacert

The CA certificate.

• Default: $cadir/ca_crt.pem

Puppet | Set up Puppet | 101

cacrl

The certificate revocation list (CRL) for the CA.

• Default: $cadir/ca_crl.pem

cadir

The root directory for the certificate authority.

• Default: /etc/puppetlabs/puppetserver/ca

cakey

The CA private key.

• Default: $cadir/ca_key.pem

capub

The CA public key.

• Default: $cadir/ca_pub.pem

catalog_cache_terminus

How to store cached catalogs. Valid values are 'json', 'msgpack' and 'yaml'. The agent application defaults to 'json'.

• Default: ``

catalog_terminus

Where to get node catalogs. This is useful to change if, for instance, you'd like to pre-compile catalogs and store them

in memcached or some other easily-accessed store.

• Default: compiler

cert_inventory

The inventory file. This is a text file to which the CA writes a complete listing of all certificates.

• Default: $cadir/inventory.txt

certdir

The certificate directory.

• Default: $ssldir/certs

certificate_revocation

Whether certificate revocation checking should be enabled, and what level of checking should be performed.

When certificate revocation is enabled, Puppet expects the contents of its CRL to be one or more PEM-encoded CRLs

concatenated together. When using a cert bundle, CRLs for all CAs in the chain of trust must be included in the crl

file. The chain should be ordered from least to most authoritative, with the first CRL listed being for the root of the

chain and the last being for the leaf CA.

When certificate_revocation is set to 'true' or 'chain', Puppet ensures that each CA in the chain of trust has not been

revoked by its issuing CA.

When certificate_revocation is set to 'leaf', Puppet verifies certs against the issuing CA's revocation list, but it does

not verify the revocation status of the issuing CA or any CA above it within the chain of trust.

When certificate_revocation is set to 'false', Puppet disables all certificate revocation checking and does not attempt to

download the CRL.

• Default: chain

Puppet | Set up Puppet | 102

certname

The name to use when handling certificates. When a node requests a certificate from the CA Puppet Server, it uses the

value of the certname setting as its requested Subject CN.

This is the name used when managing a node's permissions in Puppet Server's auth.conf. In most cases, it is also used

as the node's name when matching node definitions and requesting data from an ENC. (This can be changed with the

node_name_value and node_name_fact settings, although you should only do so if you have a compelling

reason.)

A node's certname is available in Puppet manifests as $trusted['certname']. (See Facts and Built-In

Variables for more details.)

• For best compatibility, you should limit the value of certname to only use lowercase letters, numbers, periods,

underscores, and dashes. (That is, it should match /A[a-z0-9._-]+Z/.)

• The special value ca is reserved, and can't be used as the certname for a normal node.

Note: You must set the certname in the main section of the puppet.conf file. Setting it in a different section causes

errors.

Defaults to the node's fully qualified domain name.

• Default: the Host's fully qualified domain name, as determined by Facter

ciphers

The list of ciphersuites for TLS connections initiated by puppet. The default value is chosen to support TLS 1.0 and

up, but can be made more restrictive if needed. The ciphersuites must be specified in OpenSSL format, not IANA.

• Default: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-

ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-

POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-

AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-

RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-

ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-

RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-

SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256

classfile

The file in which puppet agent stores a list of the classes associated with the retrieved configuration. Can be loaded in

the separate puppet executable using the --loadclasses option.

• Default: $statedir/classes.txt

client_datadir

The directory in which serialized data is stored on the client.

• Default: $vardir/client_data

clientbucketdir

Where FileBucket files are stored locally.

• Default: $vardir/clientbucket

clientyamldir

The directory in which client-side YAML data is stored.

• Default: $vardir/client_yaml

code

Code to parse directly. This is essentially only used by puppet, and should only be set if you're writing your own

Puppet executable.

Puppet | Set up Puppet | 103

codedir

The main Puppet code directory. The default for this setting is calculated based on the user. If the process is running

as root or the user that Puppet is supposed to run as, it defaults to a system directory, but if it's running as any other

user, it defaults to being in the user's home directory.

• Default: Unix/Linux: /etc/puppetlabs/code -- Windows: C:\ProgramData\PuppetLabs

\code -- Non-root user: ~/.puppetlabs/etc/code

color

Whether to use colors when logging to the console. Valid values are ansi (equivalent to true), html, and false,

which produces no color.

• Default: ansi

confdir

The main Puppet configuration directory. The default for this setting is calculated based on the user. If the process is

running as root or the user that Puppet is supposed to run as, it defaults to a system directory, but if it's running as any

other user, it defaults to being in the user's home directory.

• Default: Unix/Linux: /etc/puppetlabs/puppet -- Windows: C:\ProgramData

\PuppetLabs\puppet\etc -- Non-root user: ~/.puppetlabs/etc/puppet

config

The configuration file for the current puppet application.

• Default: $confdir/${config_file_name}

config_file_name

The name of the puppet config file.

• Default: puppet.conf

config_version

How to determine the configuration version. By default, it will be the time that the configuration is parsed, but you

can provide a shell script to override how the version is determined. The output of this script will be added to every

log message in the reports, allowing you to correlate changes on your hosts to the source version on the server.

Setting a global value for config_version in puppet.conf is not allowed (but it can be overridden from the

commandline). Please set a per-environment value in environment.conf instead. For more info, see https://

puppet.com/docs/puppet/latest/environments_about.html

configprint

Prints the value of a specific configuration setting. If the name of a setting is provided for this, then the value is

printed and puppet exits. Comma-separate multiple values. For a list of all values, specify 'all'. This setting is

deprecated, the 'puppet config' command replaces this functionality.

crl_refresh_interval

How often the Puppet agent refreshes its local Certificate Revocation List (CRL). By default, the CRL is refreshed

every 24 hours. If a different interval is specified, the agent refreshes its CRL on the next Puppet agent run if the

elapsed time since the CRL was last refreshed exceeds the specified interval.

In general, the interval should be greater than the runinterval value. Setting the crl_refresh_interval

value to 0 or an equal or lesser value than runinterval causes the CRL to be refreshed on every run.

If the agent downloads a new CRL, the agent will use it for subsequent network requests. If the refresh request fails or

if the CRL is unchanged on the server, then the agent run will continue using the local CRL it already has.This setting

can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

• Default: 1d

Puppet | Set up Puppet | 104

csr_attributes

An optional file containing custom attributes to add to certificate signing requests (CSRs). You should ensure that

this file does not exist on your CA Puppet Server; if it does, unwanted certificate extensions may leak into certificates

created with the puppetserver ca generate command.

If present, this file must be a YAML hash containing a custom_attributes key and/or an

extension_requests key. The value of each key must be a hash, where each key is a valid OID and each value

is an object that can be cast to a string.

Custom attributes can be used by the CA when deciding whether to sign the certificate, but are then discarded.

Attribute OIDs can be any OID value except the standard CSR attributes (i.e. attributes described in RFC 2985

section 5.4). This is useful for embedding a pre-shared key for autosigning policy executables (see the autosign

setting), often by using the 1.2.840.113549.1.9.7 ("challenge password") OID.

Extension requests will be permanently embedded in the final certificate. Extension OIDs must be in the

"ppRegCertExt" (1.3.6.1.4.1.34380.1.1), "ppPrivCertExt" (1.3.6.1.4.1.34380.1.2), or

"ppAuthCertExt" (1.3.6.1.4.1.34380.1.3) OID arcs. The ppRegCertExt arc is reserved for four of the

most common pieces of data to embed: pp_uuid (.1), pp_instance_id (.2), pp_image_name (.3), and

pp_preshared_key (.4) --- in the YAML file, these can be referred to by their short descriptive names instead

of their full OID. The ppPrivCertExt arc is unregulated, and can be used for site-specific extensions. The ppAuthCert

arc is reserved for two pieces of data to embed: pp_authorization (.1) and pp_auth_role (.13). As with

ppRegCertExt, in the YAML file, these can be referred to by their short descriptive name instead of their full OID.

• Default: $confdir/csr_attributes.yaml

csrdir

Where the CA stores certificate requests.

• Default: $cadir/requests

daemonize

Whether to send the process into the background. This defaults to true on POSIX systems, and to false on Windows

(where Puppet currently cannot daemonize).

• Default: true

data_binding_terminus

This setting has been deprecated. Use of any value other than 'hiera' should instead be configured in a version 5

hiera.yaml. Until this setting is removed, it controls which data binding terminus to use for global automatic data

binding (across all environments). By default this value is 'hiera'. A value of 'none' turns off the global binding.

• Default: hiera

default_file_terminus

The default source for files if no server is given in a uri, e.g. puppet:///file. The default of rest causes the file to be

retrieved using the server setting. When running apply the default is file_server, causing requests to be

filled locally.

• Default: rest

default_manifest

The default main manifest for directory environments. Any environment that doesn't set the manifest setting in its

environment.conf file will use this manifest.

This setting's value can be an absolute or relative path. An absolute path will make all environments default to the

same main manifest; a relative path will allow each environment to use its own manifest, and Puppet will resolve the

path relative to each environment's main directory.

In either case, the path can point to a single file or to a directory of manifests to be evaluated in alphabetical order.

• Default: ./manifests

Puppet | Set up Puppet | 105

default_schedules

Boolean; whether to generate the default schedule resources. Setting this to false is useful for keeping external report

processors clean of skipped schedule resources.

• Default: true

deviceconfdir

The root directory of devices' $confdir.

• Default: $confdir/devices

deviceconfig

Path to the device config file for puppet device.

• Default: $confdir/device.conf

devicedir

The root directory of devices' $vardir.

• Default: $vardir/devices

diff

Which diff command to use when printing differences between files. This setting has no default value on Windows,

as standard diff is not available, but Puppet can use many third-party diff tools.

• Default: diff

diff_args

Which arguments to pass to the diff command when printing differences between files. The command to use can be

chosen with the diff setting.

• Default: -u

digest_algorithm

Which digest algorithm to use for file resources and the filebucket. Valid values are sha256, sha384, sha512, sha224,

md5. Default is sha256.

• Default: sha256

disable_i18n

If true, turns off all translations of Puppet and module log messages, which affects error, warning, and info log

messages, as well as any translations in the report and CLI.

• Default: true

disable_per_environment_manifest

Whether to disallow an environment-specific main manifest. When set to true, Puppet will use the manifest

specified in the default_manifest setting for all environments. If an environment specifies a different main

manifest in its environment.conf file, catalog requests for that environment will fail with an error.

This setting requires default_manifest to be set to an absolute path.

• Default: false

disable_warnings

A comma-separated list of warning types to suppress. If large numbers of warnings are making Puppet's logs too large

or difficult to use, you can temporarily silence them with this setting.

If you are preparing to upgrade Puppet to a new major version, you should re-enable all warnings for a while.

Valid values for this setting are:

Puppet | Set up Puppet | 106

• deprecations --- disables deprecation warnings.

• undefined_variables --- disables warnings about non existing variables.

• undefined_resources --- disables warnings about non existing resources.

• Default: []

dns_alt_names

A comma-separated list of alternate DNS names for Puppet Server. These are extra hostnames (in addition to its

certname) that the server is allowed to use when serving agents. Puppet checks this setting when automatically

creating a certificate for Puppet agent or Puppet Server. These can be either IP or DNS, and the type should be

specified and followed with a colon. Untyped inputs will default to DNS.

In order to handle agent requests at a given hostname (like "puppet.example.com"), Puppet Server needs a certificate

that proves it's allowed to use that name; if a server shows a certificate that doesn't include its hostname, Puppet

agents will refuse to trust it. If you use a single hostname for Puppet traffic but load-balance it to multiple Puppet

Servers, each of those servers needs to include the official hostname in its list of extra names.

Note: The list of alternate names is locked in when the server's certificate is signed. If you need to change the list

later, you can't just change this setting; you also need to regenerate the certificate. For more information on that

process, see the cert regen docs.

To see all the alternate names your servers are using, log into your CA server and run puppetserver ca list

--all, then check the output for (alt names: ...). Most agent nodes should NOT have alternate names; the

only certs that should have them are Puppet Server nodes that you want other agents to trust.

document_all

Whether to document all resources when using puppet doc to generate manifest documentation.

• Default: false

environment

The environment in which Puppet is running. For clients, such as puppet agent, this determines the environment

itself, which Puppet uses to find modules and much more. For servers, such as puppet server, this provides the

default environment for nodes that Puppet knows nothing about.

When defining an environment in the [agent] section, this refers to the environment that the agent requests from

the primary server. The environment doesn't have to exist on the local filesystem because the agent fetches it from the

primary server. This definition is used when running puppet agent.

When defined in the [user] section, the environment refers to the path that Puppet uses to search for code and

modules related to its execution. This requires the environment to exist locally on the filesystem where puppet is

being executed. Puppet subcommands, including puppet module and puppet apply, use this definition.

Given that the context and effects vary depending on the config section in which the environment setting is

defined, do not set it globally.

• Default: production

environment_data_provider

The name of a registered environment data provider used when obtaining environment specific data. The three built

in and registered providers are 'none' (no data), 'function' (data obtained by calling the function 'environment::data()')

and 'hiera' (data obtained using a data provider configured using a hiera.yaml file in root of the environment). Other

environment data providers may be registered in modules on the module path. For such custom data providers see the

respective module documentation. This setting is deprecated.

• Default: ``

environment_timeout

How long the Puppet server should cache data it loads from an environment.

Puppet | Set up Puppet | 107

A value of 0 will disable caching. This setting can also be set to unlimited, which will cache environments until

the server is restarted or told to refresh the cache. All other values will result in Puppet server evicting environments

that haven't been used within the last environment_timeout seconds.

You should change this setting once your Puppet deployment is doing non-trivial work. We chose the default value

of 0 because it lets new users update their code without any extra steps, but it lowers the performance of your Puppet

server. We recommend either:

• Setting this to unlimited and explicitly refreshing your Puppet server as part of your code deployment process.

• Setting this to a number that will keep your most actively used environments cached, but allow testing

environments to fall out of the cache and reduce memory usage. A value of 3 minutes (3m) is a reasonable value.

Once you set environment_timeout to a non-zero value, you need to tell Puppet server to read new code from

disk using the environment-cache API endpoint after you deploy new code. See the docs for the Puppet Server

administrative API.

• Default: 0

environmentpath

A search path for directory environments, as a list of directories separated by the system path separator character.

(The POSIX path separator is ':', and the Windows path separator is ';'.)

This setting must have a value set to enable directory environments. The recommended value is $codedir/

environments. For more details, see https://puppet.com/docs/puppet/latest/environments_about.html

• Default: $codedir/environments

evaltrace

Whether each resource should log when it is being evaluated. This allows you to interactively see exactly what is

being done.

• Default: false

exclude_unchanged_resources

Specifies how unchanged resources are listed in reports. When set to true, resources that have had no changes after

catalog application will not have corresponding unchanged resource status updates listed in a report.

• Default: true

external_nodes

The external node classifier (ENC) script to use for node data. Puppet combines this data with the main manifest to

produce node catalogs.

To enable this setting, set the node_terminus setting to exec.

This setting's value must be the path to an executable command that can produce node information. The command

must:

• Take the name of a node as a command-line argument.

• Return a YAML hash with up to three keys:

• classes --- A list of classes, as an array or hash.

• environment --- A string.

• parameters --- A list of top-scope variables to set, as a hash.

• For unknown nodes, exit with a non-zero exit code.

Generally, an ENC script makes requests to an external data source.

For more info, see the ENC documentation.

• Default: none

Puppet | Set up Puppet | 108

fact_name_length_soft_limit

The soft limit for the length of a fact name.

• Default: 2560

fact_value_length_soft_limit

The soft limit for the length of a fact value.

• Default: 4096

factpath

Where Puppet should look for facts. Multiple directories should be separated by the system path separator character.

(The POSIX path separator is ':', and the Windows path separator is ';'.)

• Default: $vardir/lib/facter:$vardir/facts

facts_terminus

The node facts terminus.

• Default: facter

fileserverconfig

Where the fileserver configuration is stored.

• Default: $confdir/fileserver.conf

filetimeout

The minimum time to wait between checking for updates in configuration files. This timeout determines how

quickly Puppet checks whether a file (such as manifests or puppet.conf) has changed on disk. The default will

change in a future release to be 'unlimited', requiring a reload of the Puppet service to pick up changes to its internal

configuration. Currently we do not accept a value of 'unlimited'. To reparse files within an environment in Puppet

Server please use the environment_cache endpoint

• Default: 15s

forge_authorization

The authorization key to connect to the Puppet Forge. Leave blank for unauthorized or license based connections

• Default: ``

freeze_main

Freezes the 'main' class, disallowing any code to be added to it. This essentially means that you can't have any code

outside of a node, class, or definition other than in the site manifest.

• Default: false

genconfig

When true, causes Puppet applications to print an example config file to stdout and exit. The example will include

descriptions of each setting, and the current (or default) value of each setting, incorporating any settings overridden

on the CLI (with the exception of genconfig itself). This setting only makes sense when specified on the command

line as --genconfig.

• Default: false

genmanifest

Whether to just print a manifest to stdout and exit. Only makes sense when specified on the command line as --

genmanifest. Takes into account arguments specified on the CLI.

• Default: false

Puppet | Set up Puppet | 109

graph

Whether to create .dot graph files, which let you visualize the dependency and containment relationships in Puppet's

catalog. You can load and view these files with tools like OmniGraffle (OS X) or graphviz (multi-platform).

Graph files are created when applying a catalog, so this setting should be used on nodes running puppet agent or

puppet apply.

The graphdir setting determines where Puppet will save graphs. Note that we don't save graphs for historical runs;

Puppet will replace the previous .dot files with new ones every time it applies a catalog.

See your graphing software's documentation for details on opening .dot files. If you're using GraphViz's dot

command, you can do a quick PNG render with dot -Tpng <DOT FILE> -o <OUTPUT FILE>.

• Default: false

graphdir

Where to save .dot-format graphs (when the graph setting is enabled).

• Default: $statedir/graphs

group

The group Puppet Server will run as. Used to ensure the agent side processes (agent, apply, etc) create files and

directories readable by Puppet Server when necessary.

• Default: puppet

hiera_config

The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet server every time

you edit it.

• Default: $confdir/hiera.yaml. However, for backwards compatibility, if a file

exists at $codedir/hiera.yaml, Puppet uses that instead.

hostcert

Where individual hosts store and look for their certificates.

• Default: $certdir/$certname.pem

hostcert_renewal_interval

How often the Puppet agent renews its client certificate. By default, the client certificate is renewed 30 days before

the certificate expires. If a different interval is specified, the agent renews its client certificate during the next agent

run, assuming that the client certificate has expired within the specified duration.

In general, the hostcert_renewal_interval value should be greater than the runinterval value. Setting

the hostcert_renewal_interval value to 0 disables automatic renewal.

If the agent downloads a new certificate, the agent will use it for subsequent network requests. If the refresh request

fails, the agent run continues to use its existing certificate. This setting can be a time interval in seconds (30 or 30s),

minutes (30m), hours (6h), days (2d), or years (5y).

• Default: 30d

hostcrl

Where the host's certificate revocation list can be found. This is distinct from the certificate authority's CRL.

• Default: $ssldir/crl.pem

hostcsr

Where individual hosts store their certificate request (CSR) while waiting for the CA to issue their certificate.

• Default: $requestdir/$certname.pem

Puppet | Set up Puppet | 110

hostprivkey

Where individual hosts store and look for their private key.

• Default: $privatekeydir/$certname.pem

hostpubkey

Where individual hosts store and look for their public key.

• Default: $publickeydir/$certname.pem

http_connect_timeout

The maximum amount of time to wait when establishing an HTTP connection. The default value is 2 minutes. This

setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

• Default: 2m

http_debug

Whether to write HTTP request and responses to stderr. This should never be used in a production environment.

• Default: false

http_extra_headers

The list of extra headers that will be sent with http requests to the primary server. The header definition consists of a

name and a value separated by a colon.

• Default: []

http_keepalive_timeout

The maximum amount of time a persistent HTTP connection can remain idle in the connection pool, before

it is closed. This timeout should be shorter than the keepalive timeout used on the HTTP server, e.g. Apache

KeepAliveTimeout directive. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h),

days (2d), or years (5y).

• Default: 4s

http_proxy_host

The HTTP proxy host to use for outgoing connections. The proxy will be bypassed if the server's hostname matches

the NO_PROXY environment variable or no_proxy setting. Note: You may need to use a FQDN for the server

hostname when using a proxy. Environment variable http_proxy or HTTP_PROXY will override this value.

• Default: none

http_proxy_password

The password for the user of an authenticated HTTP proxy. Requires the http_proxy_user setting.

Note that passwords must be valid when used as part of a URL. If a password contains any characters with special

meanings in URLs (as specified by RFC 3986 section 2.2), they must be URL-encoded. (For example, # would

become %23.)

• Default: none

http_proxy_port

The HTTP proxy port to use for outgoing connections

• Default: 3128

http_proxy_user

The user name for an authenticated HTTP proxy. Requires the http_proxy_host setting.

• Default: none

Puppet | Set up Puppet | 111

http_read_timeout

The time to wait for data to be read from an HTTP connection. If nothing is read after the elapsed interval then the

connection will be closed. The default value is 10 minutes. This setting can be a time interval in seconds (30 or 30s),

minutes (30m), hours (6h), days (2d), or years (5y).

• Default: 10m

http_user_agent

The HTTP User-Agent string to send when making network requests.

• Default: Puppet/8.9.0 Ruby/3.1.1-p18 (x86_64-linux)

ignore_plugin_errors

Whether the puppet run should ignore errors during pluginsync. If the setting is false and there are errors during

pluginsync, then the agent will abort the run and submit a report containing information about the failed run.

• Default: false

ignoremissingtypes

Skip searching for classes and definitions that were missing during a prior compilation. The list of missing objects is

maintained per-environment and persists until the environment is cleared or the primary server is restarted.

• Default: false

ignoreschedules

Boolean; whether puppet agent should ignore schedules. This is useful for initial puppet agent runs.

• Default: false

include_legacy_facts

Whether to include legacy facts when requesting a catalog. This option can be set to false if all puppet manifests,

hiera.yaml, and hiera configuration layers no longer access legacy facts, such as $osfamily, and instead access

structured facts, such as $facts['os']['family'].

• Default: false

key_type

The type of private key. Valid values are rsa and ec. Default is rsa.

• Default: rsa

keylength

The bit length of keys.

• Default: 4096

lastrunfile

Where puppet agent stores the last run report summary in yaml format.

• Default: $publicdir/last_run_summary.yaml

lastrunreport

Where Puppet Agent stores the last run report, by default, in yaml format. The format of the report can be changed

by setting the cache key of the report terminus in the routes.yaml file. To avoid mismatches between content and

file extension, this setting needs to be manually updated to reflect the terminus changes.

• Default: $statedir/last_run_report.yaml

ldapattrs

The LDAP attributes to include when querying LDAP for nodes. All returned attributes are set as variables in the top-

level scope. Multiple values should be comma-separated. The value 'all' returns all attributes.

Puppet | Set up Puppet | 112

• Default: all

ldapbase

The search base for LDAP searches. It's impossible to provide a meaningful default here, although the LDAP libraries

might have one already set. Generally, it should be the 'ou=Hosts' branch under your main directory.

ldapclassattrs

The LDAP attributes to use to define Puppet classes. Values should be comma-separated.

• Default: puppetclass

ldapparentattr

The attribute to use to define the parent node.

• Default: parentnode

ldappassword

The password to use to connect to LDAP.

ldapport

The LDAP port.

• Default: 389

ldapserver

The LDAP server.

• Default: ldap

ldapssl

Whether SSL should be used when searching for nodes. Defaults to false because SSL usually requires certificates to

be set up on the client side.

• Default: false

ldapstackedattrs

The LDAP attributes that should be stacked to arrays by adding the values in all hierarchy elements of the tree.

Values should be comma-separated.

• Default: puppetvar

ldapstring

The search string used to find an LDAP node.

• Default: (&(objectclass=puppetClient)(cn=%s))

ldaptls

Whether TLS should be used when searching for nodes. Defaults to false because TLS usually requires certificates to

be set up on the client side.

• Default: false

ldapuser

The user to use to connect to LDAP. Must be specified as a full DN.

libdir

An extra search path for Puppet. This is only useful for those files that Puppet will load on demand, and is only

guaranteed to work for those cases. In fact, the autoload mechanism is responsible for making sure this directory is in

Ruby's search path

• Default: $vardir/lib

Puppet | Set up Puppet | 113

localcacert

Where each client stores the CA certificate.

• Default: $certdir/ca.pem

localedest

Where Puppet should store translation files that it pulls down from the central server.

• Default: $vardir/locales

localesource

From where to retrieve translation files. The standard Puppet file type is used for retrieval, so anything that is a

valid file source can be used here.

• Default: puppet:///locales

location_trusted

This will allow sending the name + password and the cookie header to all hosts that puppet may redirect to. This may

or may not introduce a security breach if puppet redirects you to a site to which you'll send your authentication info

and cookies.

• Default: false

log_level

Default logging level for messages from Puppet. Allowed values are:

• debug

• info

• notice

• warning

• err

• alert

• emerg

• crit

• Default: notice

logdest

Where to send log messages. Choose between 'syslog' (the POSIX syslog service), 'eventlog' (the Windows Event

Log), 'console', or the path to a log file. Multiple destinations can be set using a comma separated list (eg: /path/

file1,console,/path/file2)

• Default: ``

logdir

The directory in which to store log files

• Default: Unix/Linux: /var/log/puppetlabs/puppet -- Windows: C:\ProgramData

\PuppetLabs\puppet\var\log -- Non-root user: ~/.puppetlabs/var/log

manage_internal_file_permissions

Whether Puppet should manage the owner, group, and mode of files it uses internally. Note: For Windows agents, the

default is false for versions 4.10.13 and greater, versions 5.5.6 and greater, and versions 6.0 and greater.

• Default: true

manifest

The entry-point manifest for the primary server. This can be one file or a directory of manifests to be evaluated in

alphabetical order. Puppet manages this path as a directory if one exists or if the path ends with a / or .

Puppet | Set up Puppet | 114

Setting a global value for manifest in puppet.conf is not allowed (but it can be overridden from the commandline).

Please use directory environments instead. If you need to use something other than the environment's manifests

directory as the main manifest, you can set manifest in environment.conf. For more info, see https://puppet.com/

docs/puppet/latest/environments_about.html

• Default: ``

masterport

The default port puppet subcommands use to communicate with Puppet Server. (eg puppet facts upload,

puppet agent). May be overridden by more specific settings (see ca_port, report_port).

• Default: 8140

max_deprecations

Sets the max number of logged/displayed parser validation deprecation warnings in case multiple deprecation

warnings have been detected. A value of 0 blocks the logging of deprecation warnings. The count is per manifest.

• Default: 10

max_errors

Sets the max number of logged/displayed parser validation errors in case multiple errors have been detected. A value

of 0 is the same as a value of 1; a minimum of one error is always raised. The count is per manifest.

• Default: 10

max_warnings

Sets the max number of logged/displayed parser validation warnings in case multiple warnings have been detected. A

value of 0 blocks logging of warnings. The count is per manifest.

• Default: 10

maximum_uid

The maximum allowed UID. Some platforms use negative UIDs but then ship with tools that do not know how to

handle signed ints, so the UIDs show up as huge numbers that can then not be fed back into the system. This is a

hackish way to fail in a slightly more useful way when that happens.

• Default: 4294967290

maxwaitforcert

The maximum amount of time the Puppet agent should wait for its certificate request to be signed. A value of

unlimited will cause puppet agent to ask for a signed certificate indefinitely. This setting can be a time interval in

seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

• Default: unlimited

maxwaitforlock

The maximum amount of time the puppet agent should wait for an already running puppet agent to finish before

starting a new one. This is set by default to 1 minute. A value of unlimited will cause puppet agent to wait

indefinitely. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years

(5y).

• Default: 1m

merge_dependency_warnings

Whether to merge class-level dependency failure warnings.

When a class has a failed dependency, every resource in the class generates a notice level message about the

dependency failure, and a warning level message about skipping the resource.

If true, all messages caused by a class dependency failure are merged into one message associated with the class.

• Default: false

Puppet | Set up Puppet | 115

mkusers

Whether to create the necessary user and group that puppet agent will run as.

• Default: false

module_groups

Extra module groups to request from the Puppet Forge. This is an internal setting, and users should never change it.

• Default: ``

module_repository

The module repository

• Default: https://forgeapi.puppet.com

module_working_dir

The directory into which module tool data is stored

• Default: $vardir/puppet-module

modulepath

The search path for modules, as a list of directories separated by the system path separator character. (The POSIX

path separator is ':', and the Windows path separator is ';'.)

Setting a global value for modulepath in puppet.conf is not allowed (but it can be overridden from the

commandline). Please use directory environments instead. If you need to use something other than the default

modulepath of <ACTIVE ENVIRONMENT'S MODULES DIR>:$basemodulepath, you can set modulepath

in environment.conf. For more info, see https://puppet.com/docs/puppet/latest/environments_about.html

name

The name of the application, if we are running as one. The default is essentially $0 without the path or .rb.

• Default: ``

named_curve

The short name for the EC curve used to generate the EC private key. Valid values must be one of the curves in

OpenSSL::PKey::EC.builtin_curves. Default is prime256v1.

• Default: prime256v1

no_proxy

List of host or domain names that should not go through http_proxy_host. Environment variable no_proxy

or NO_PROXY will override this value. Names can be specified as an FQDN host.example.com, wildcard

*.example.com, dotted domain .example.com, or suffix example.com.

• Default: localhost, 127.0.0.1

node_cache_terminus

How to store cached nodes. Valid values are (none), 'json', 'msgpack', or 'yaml'.

• Default: ``

node_name_fact

The fact name used to determine the node name used for all requests the agent makes to the primary server.

WARNING: This setting is mutually exclusive with node_name_value. Changing this setting also requires changes to

Puppet Server's default auth.conf.

Puppet | Set up Puppet | 116

node_name_value

The explicit value used for the node name for all requests the agent makes to the primary server. WARNING: This

setting is mutually exclusive with node_name_fact. Changing this setting also requires changes to Puppet Server's

default auth.conf.

• Default: $certname

node_terminus

Which node data plugin to use when compiling node catalogs.

When Puppet compiles a catalog, it combines two primary sources of info: the main manifest, and a node data plugin

(often called a "node terminus," for historical reasons). Node data plugins provide three things for a given node name:

A list of classes to add to that node's catalog (and, optionally, values for their parameters).

Which Puppet environment the node should use.

A list of additional top-scope variables to set.

The three main node data plugins are:

• plain --- Returns no data, so that the main manifest controls all node configuration.

• exec --- Uses an external node classifier (ENC), configured by the external_nodes setting. This lets you

pull a list of Puppet classes from any external system, using a small glue script to perform the request and format

the result as YAML.

• classifier (formerly console) --- Specific to Puppet Enterprise. Uses the PE console for node data."

• Default: plain

noop

Whether to apply catalogs in noop mode, which allows Puppet to partially simulate a normal run. This setting affects

puppet agent and puppet apply.

When running in noop mode, Puppet will check whether each resource is in sync, like it does when running normally.

However, if a resource attribute is not in the desired state (as declared in the catalog), Puppet will take no action,

and will instead report the changes it would have made. These simulated changes will appear in the report sent to the

primary Puppet server, or be shown on the console if running puppet agent or puppet apply in the foreground. The

simulated changes will not send refresh events to any subscribing or notified resources, although Puppet will log that

a refresh event would have been sent.

Important note: The noop metaparameter allows you to apply individual resources in noop mode, and will override

the global value of the noop setting. This means a resource with noop => false will be changed if necessary,

even when running puppet agent with noop = true or --noop. (Conversely, a resource with noop => true

will only be simulated, even when noop mode is globally disabled.)

• Default: false

number_of_facts_soft_limit

The soft limit for the total number of facts.

• Default: 2048

onetime

Perform one configuration run and exit, rather than spawning a long-running daemon. This is useful for interactively

running puppet agent, or running puppet agent from cron.

• Default: false

passfile

Where puppet agent stores the password for its private key. Generally unused.

• Default: $privatedir/password

Puppet | Set up Puppet | 117

path

The shell search path. Defaults to whatever is inherited from the parent process.

This setting can only be set in the [main] section of puppet.conf; it cannot be set in [server], [agent], or an

environment config section.

• Default: none

payload_soft_limit

The soft limit for the size of the payload.

• Default: 16777216

pidfile

The file containing the PID of a running process. This file is intended to be used by service management frameworks

and monitoring systems to determine if a puppet process is still in the process table.

• Default: $rundir/${run_mode}.pid

plugindest

Where Puppet should store plugins that it pulls down from the central server.

• Default: $libdir

pluginfactdest

Where Puppet should store external facts that are being handled by pluginsync

• Default: $vardir/facts.d

pluginfactsource

Where to retrieve external facts for pluginsync

• Default: puppet:///pluginfacts

pluginsignore

What files to ignore when pulling down plugins.

• Default: .svn CVS .git .hg

pluginsource

From where to retrieve plugins. The standard Puppet file type is used for retrieval, so anything that is a valid file

source can be used here.

• Default: puppet:///plugins

pluginsync

Whether plugins should be synced with the central server. This setting is deprecated.

• Default: true

postrun_command

A command to run after every agent run. If this command returns a non-zero return code, the entire Puppet run will be

considered to have failed, even though it might have performed work during the normal run.

preferred_serialization_format

The preferred means of serializing ruby instances for passing over the wire. This won't guarantee that all instances

will be serialized using this method, since not all classes can be guaranteed to support this format, but it will be used

for all classes that support it.

• Default: json

Puppet | Set up Puppet | 118

preprocess_deferred

Whether Puppet should call deferred functions before applying the catalog. If set to true, all prerequisites required

for the deferred function must be satisfied before the Puppet run. If set to false, deferred functions follow Puppet

relationships and ordering. In this way, Puppet can install the prerequisites required for a deferred function and call

the deferred function in the same run.

• Default: false

prerun_command

A command to run before every agent run. If this command returns a non-zero return code, the entire Puppet run will

fail.

preview_outputdir

The directory where catalog previews per node are generated.

• Default: $vardir/preview

priority

The scheduling priority of the process. Valid values are 'high', 'normal', 'low', or 'idle', which are mapped to platform-

specific values. The priority can also be specified as an integer value and will be passed as is, e.g. -5. Puppet must be

running as a privileged user in order to increase scheduling priority.

• Default: ``

privatedir

Where the client stores private certificate information.

• Default: $ssldir/private

privatekeydir

The private key directory.

• Default: $ssldir/private_keys

profile

Whether to enable experimental performance profiling

• Default: false

publicdir

Where Puppet stores public files.

• Default: Unix/Linux: /opt/puppetlabs/puppet/public -- Windows: C:\ProgramData

\PuppetLabs\puppet\public -- Non-root user: ~/.puppetlabs/opt/puppet/public

publickeydir

The public key directory.

• Default: $ssldir/public_keys

puppet_trace

Whether to print the Puppet stack trace on some errors. This is a noop if trace is also set.

• Default: false

puppetdlog

The fallback log file. This is only used when the --logdest option is not specified AND Puppet is running on an

operating system where both the POSIX syslog service and the Windows Event Log are unavailable. (Currently, no

supported operating systems match that description.)

Despite the name, both puppet agent and puppet server will use this file as the fallback logging destination.

Puppet | Set up Puppet | 119

For control over logging destinations, see the --logdest command line option in the manual pages for puppet

server, puppet agent, and puppet apply. You can see man pages by running puppet <SUBCOMMAND> --help, or

read them online at https://puppet.com/docs/puppet/latest/man/.

• Default: $logdir/puppetd.log

report

Whether to send reports after every transaction.

• Default: true

report_configured_environmentpath

Specifies how environment paths are reported. When the value of versioned_environment_dirs is true,

Puppet applies the readlink function to the environmentpath setting when constructing the environment's

modulepath. The full readlinked path is referred to as the "resolved path," and the configured path potentially

containing symlinks is the "configured path." When reporting where resources come from, users may choose between

the configured and resolved path.

When set to false, the resolved paths are reported instead of the configured paths.

• Default: true

report_include_system_store

Whether the 'http' report processor should include the system certificate store when submitting reports to HTTPS

URLs. If false, then the 'http' processor will only trust HTTPS report servers whose certificates are issued by the

puppet CA or one of its intermediate CAs. If true, the processor will additionally trust CA certificates in the system's

certificate store.

• Default: false

report_port

The port to communicate with the report_server.

• Default: $serverport

report_server

The server to send transaction reports to.

• Default: $server

reportdir

The directory in which to store reports. Each node gets a separate subdirectory in this directory. This setting is only

used when the store report processor is enabled (see the reports setting).

• Default: $vardir/reports

reports

The list of report handlers to use. When using multiple report handlers, their names should be comma-separated, with

whitespace allowed. (For example, reports = http, store.)

This setting is relevant to puppet server and puppet apply. The primary Puppet server will call these report handlers

with the reports it receives from agent nodes, and puppet apply will call them with its own report. (In all cases, the

node applying the catalog must have report = true.)

See the report reference for information on the built-in report handlers; custom report handlers can also be loaded

from modules. (Report handlers are loaded from the lib directory, at puppet/reports/NAME.rb.)

To turn off reports entirely, set this to none

• Default: store

Puppet | Set up Puppet | 120

reporturl

The URL that reports should be forwarded to. This setting is only used when the http report processor is enabled

(see the reports setting).

• Default: http://localhost:3000/reports/upload

requestdir

Where host certificate requests are stored.

• Default: $ssldir/certificate_requests

resourcefile

The file in which puppet agent stores a list of the resources associated with the retrieved configuration.

• Default: $statedir/resources.txt

resubmit_facts

Whether to send updated facts after every transaction. By default puppet only submits facts at the beginning of the

transaction before applying a catalog. Since puppet can modify the state of the system, the value of the facts may

change after puppet finishes. Therefore, any facts stored in puppetdb may not be consistent until the agent next runs,

typically in 30 minutes. If this feature is enabled, puppet will resubmit facts after applying its catalog, ensuring facts

for the node stored in puppetdb are current. However, this will double the fact submission load on puppetdb, so it is

disabled by default.

• Default: false

rich_data

Enables having extended data in the catalog by storing them as a hash with the special key __ptype. When enabled,

resource containing values of the data types Binary, Regexp, SemVer, SemVerRange, Timespan and

Timestamp, as well as instances of types derived from Object retain their data type.

• Default: true

route_file

The YAML file containing indirector route configuration.

• Default: $confdir/routes.yaml

rundir

Where Puppet PID files are kept.

• Default: Unix/Linux: /var/run/puppetlabs -- Windows: C:\ProgramData\PuppetLabs

\puppet\var\run -- Non-root user: ~/.puppetlabs/var/run

runinterval

How often puppet agent applies the catalog. Note that a runinterval of 0 means "run continuously" rather than "never

run." This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

• Default: 30m

runtimeout

The maximum amount of time an agent run is allowed to take. A Puppet agent run that exceeds this timeout will be

aborted. A value of 0 disables the timeout. Defaults to 1 hour. This setting can be a time interval in seconds (30 or

30s), minutes (30m), hours (6h), days (2d), or years (5y).

• Default: 1h

serial

Where the serial number for certificates is stored.

• Default: $cadir/serial

Puppet | Set up Puppet | 121

server

The primary Puppet server to which the Puppet agent should connect.

• Default: puppet

server_datadir

The directory in which serialized data is stored, usually in a subdirectory.

• Default: $vardir/server_data

server_list

The list of primary Puppet servers to which the Puppet agent should connect, in the order that they will be tried.

Each value should be a fully qualified domain name, followed by an optional ':' and port number. If a port is omitted,

Puppet uses masterport for that host.

• Default: []

serverport

The default port puppet subcommands use to communicate with Puppet Server. (eg puppet facts upload,

puppet agent). May be overridden by more specific settings (see ca_port, report_port).

• Default: 8140

settings_catalog

Whether to compile and apply the settings catalog

• Default: true

show_diff

Whether to log and report a contextual diff when files are being replaced. This causes partial file contents to pass

through Puppet's normal logging and reporting system, so this setting should be used with caution if you are sending

Puppet's reports to an insecure destination. This feature currently requires the diff/lcs Ruby library.

• Default: false

signeddir

Where the CA stores signed certificates.

• Default: $cadir/signed

skip_logging_catalog_request_destination

Specifies whether to suppress the notice of which compiler supplied the catalog. A value of true suppresses the

notice.

• Default: false

skip_tags

Tags to use to filter resources. If this is set, then only resources not tagged with the specified tags will be applied.

Values must be comma-separated.

sourceaddress

The address the agent should use to initiate requests.

• Default: ``

splay

Whether to sleep for a random amount of time, ranging from immediately up to its $splaylimit, before

performing its first agent run after a service restart. After this period, the agent runs periodically on its

$runinterval.

Puppet | Set up Puppet | 122

For example, assume a default 30-minute $runinterval, splay set to its default of false, and an agent starting

at :00 past the hour. The agent would check in every 30 minutes at :01 and :31 past the hour.

With splay enabled, it waits any amount of time up to its $splaylimit before its first run. For example, it might

randomly wait 8 minutes, then start its first run at :08 past the hour. With the $runinterval at its default 30

minutes, its next run will be at :38 past the hour.

If you restart an agent's puppet service with splay enabled, it recalculates its splay period and delays its first agent

run after restarting for this new period. If you simultaneously restart a group of puppet agents with splay enabled,

their checkins to your primary servers can be distributed more evenly.

• Default: false

splaylimit

The maximum time to delay before an agent's first run when splay is enabled. Defaults to the agent's

$runinterval. The splay interval is random and recalculated each time the agent is started or restarted. This

setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

• Default: $runinterval

srv_domain

The domain which will be queried to find the SRV records of servers to use.

• Default: example.com

ssl_client_header

The header containing an authenticated client's SSL DN. This header must be set by the proxy to the authenticated

client's SSL DN (e.g., /CN=puppet.puppetlabs.com). Puppet will parse out the Common Name (CN) from the

Distinguished Name (DN) and use the value of the CN field for authorization.

Note that the name of the HTTP header gets munged by the web server common gateway interface: an HTTP_ prefix

is added, dashes are converted to underscores, and all letters are uppercased. Thus, to use the X-Client-DN header,

this setting should be HTTP_X_CLIENT_DN.

• Default: HTTP_X_CLIENT_DN

ssl_client_verify_header

The header containing the status message of the client verification. This header must be set by the proxy to

'SUCCESS' if the client successfully authenticated, and anything else otherwise.

Note that the name of the HTTP header gets munged by the web server common gateway interface: an HTTP_ prefix

is added, dashes are converted to underscores, and all letters are uppercased. Thus, to use the X-Client-Verify

header, this setting should be HTTP_X_CLIENT_VERIFY.

• Default: HTTP_X_CLIENT_VERIFY

ssl_lockfile

A lock file to indicate that the ssl bootstrap process is currently in progress.

• Default: $ssldir/ssl.lock

ssl_trust_store

A file containing CA certificates in PEM format that puppet should trust when making HTTPS requests. This only

applies to https requests to non-puppet infrastructure, such as retrieving file metadata and content from https file

sources, puppet module tool and the 'http' report processor. This setting is ignored when making requests to puppet://

URLs such as catalog and report requests.

• Default: ``

ssldir

Where SSL certificates are kept.

Puppet | Set up Puppet | 123

• Default: $confdir/ssl

statedir

The directory where Puppet state is stored. Generally, this directory can be removed without causing harm (although

it might result in spurious service restarts).

• Default: $vardir/state

statefile

Where Puppet agent and Puppet Server store state associated with the running configuration. In the case of Puppet

Server, this file reflects the state discovered through interacting with clients.

• Default: $statedir/state.yaml

statettl

How long the Puppet agent should cache when a resource was last checked or synced. This setting can be a time

interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y). A value of 0 or unlimited will

disable cache pruning.

This setting affects the usage of schedule resources, as the information about when a resource was last checked

(and therefore when it needs to be checked again) is stored in the statefile. The statettl needs to be large

enough to ensure that a resource will not trigger multiple times during a schedule due to its entry expiring from the

cache.

• Default: 32d

static_catalogs

Whether to compile a static catalog, which occurs only on Puppet Server when the code-id-command and code-

content-command settings are configured in its puppetserver.conf file.

• Default: true

storeconfigs

Whether to store each client's configuration, including catalogs, facts, and related data. This also enables the import

and export of resources in the Puppet language - a mechanism for exchange resources between nodes.

By default this uses the 'puppetdb' backend.

You can adjust the backend using the storeconfigs_backend setting.

• Default: false

storeconfigs_backend

Configure the backend terminus used for StoreConfigs. By default, this uses the PuppetDB store, which must be

installed and configured before turning on StoreConfigs.

• Default: puppetdb

strict

The strictness level of puppet. Allowed values are:

• off - do not perform extra validation, do not report

• warning - perform extra validation, report as warning

• error - perform extra validation, fail with error (default)

The strictness level is for both language semantics and runtime evaluation validation. In addition to controlling the

behavior with this primary server switch some individual warnings may also be controlled by the disable_warnings

setting.

No new validations will be added to a micro (x.y.z) release, but may be added in minor releases (x.y.0). In major

releases it expected that most (if not all) strictness validation become standard behavior.

Puppet | Set up Puppet | 124

• Default: error

strict_environment_mode

Whether the agent specified environment should be considered authoritative, causing the run to fail if the retrieved

catalog does not match it.

• Default: false

strict_variables

Causes an evaluation error when referencing unknown variables. (This does not affect referencing variables that are

explicitly set to undef).

• Default: true

summarize

Whether to print a transaction summary.

• Default: false

supported_checksum_types

Checksum types supported by this agent for use in file resources of a static catalog. Values must be comma-separated.

Valid types are sha256, sha256lite, sha384, sha512, sha224, sha1, sha1lite, md5, md5lite, mtime, ctime. Default is

sha256, sha384, sha512, sha224, md5.

• Default: ["sha256", "sha384", "sha512", "sha224", "md5"]

syslogfacility

What syslog facility to use when logging to syslog. Syslog has a fixed list of valid facilities, and you must choose one

of those; you cannot just make one up.

• Default: daemon

Related topics: modulepath.

environment_timeout

The environment_timeout setting sets how often the primary server refreshes information about environments.

It can be overridden per-environment.

This setting defaults to 0 (caching disabled), which lowers the performance of your primary server but makes it easy

for new users to deploy updated Puppet code. After your code deployment process is mature, change this setting to

unlimited.

All code in Ruby and Puppet loaded from the environment is cached. Inputs to compilation (for example, facts and

looked up values) and the resulting catalog, are not cached.

disable_per_environment_manifest

The disable_per_environment_manifest setting lets you specify that all environments use a shared main

manifest.

When disable_per_environment_manifest is set to true, Puppet uses the same global manifest for every

environment. If an environment specifies a different manifest in environment.conf, Puppet does not compile

catalogs nodes in that environment, to avoid serving catalogs with potentially wrong contents.

If this setting is set to true, the default_manifest value must be an absolute path.

default_manifest

The default_manifest setting specifies the main manifest for any environment that doesn’t set a manifest value

in environment.conf. The default value of default_manifest is ./manifests — the environment’s

own manifests directory.

The value of this setting can be:

• An absolute path to one manifest that all environments share.

• A relative path to a file or directory inside each environment’s directory.

Related topics: default_manifest setting.

Configure the environment timeout setting

The enviroment_timeout setting determines how often the primary Puppet server caches the data it loads from

an environment. For best performance, change the settings after you have a mature code deployment process.

Set environment_timeout = unlimited in puppet.conf.

Change your code deployment process to refresh the primary server whenever you deploy updated code. For

example, set a postrun command in your r10k config or add a step to your continuous integration job.

• With Puppet Server, refresh environments by calling the environment-cache API endpoint. Ensure you

have write access to the puppet-admin section of the puppetserver.conf file.

• With a Rack primary server, restart the web server or the application server. Passenger lets you touch a

restart.txt file to refresh an application without restarting Apache. See the Passenger docs for details.

The environment-timeout setting can be overridden per-environment in environment.conf.

Puppet | Set up Puppet | 136

Note: Only use the value 0 or unlimited. Most primary servers use a pool of Ruby interpreters, which all have their

own cache timers. When these timers are out of sync, agents can be served inconsistent catalogs. To avoid that

inconsistency, refresh the primary server when deploying.

Environment isolation

Environment isolation prevents resource types from leaking between your various environments.

If you use multiple environments with Puppet, you might encounter issues with multiple versions of the same

resource type leaking between your various environments on the primary server. This doesn’t happen with built-in

resource types, but it can happen with any other resource types.

This problem occurs because Ruby resource type bindings are global in the Ruby runtime. The first loaded version

of a Ruby resource type takes priority, and then subsequent requests to compile in other environments get that first-

loaded version. Environment isolation solves this issue by generating and using metadata that describes the resource

type implementation, instead of using the Ruby resource type implementation, when compiling catalogs.

Note: Other environment isolation problems, such as external helper logic issues or varying versions of required

gems, are not solved by the generated metadata approach. This fixes only resource type leaking. Resource type

leaking is a problem that affects only primary servers, not agents.

Enable environment isolation with Puppet

To use environment isolation, generate metadata files that Puppet can use instead of the default Ruby resource type

implementations.

On the command line, run puppet generate types --environment <ENV_NAME> for each of your

environments. For example, to generate metadata for your production environment, run: puppet generate

types --environment production

Whenever you deploy a new version of Puppet, overwrite previously generated metadata by running puppet

generate types --environment <ENV_NAME> --force

Enable environment isolation with r10k

To use environment isolation with r10k, generate types for each environment every time r10k deploys new code.

To generate types with r10k, use one of the following methods:

• Modify your existing r10k hook to run the generate types command after code deployment.

• Create and use a script that first runs r10k for an environment, and then runs generate types as a post run

command.

If you have enabled environment-level purging in r10k, allow the resource_types folder so that r10k does

not purge it.

Note: In Puppet Enterprise (PE), environment isolation is provided by Code Manager. Environment isolation is not

supported for r10k with PE.

Troubleshoot environment isolation

If the generate types command cannot generate certain types, if the type generated has missing or inaccurate

information, or if the generation itself has errors or fails, you get a catalog compilation error of “type not

found” or “attribute not found.”

To fix catalog compilation errors:

a) Ensure that your Puppet resource types are correctly implemented. In addition to implementation errors, check

for types with title patterns that contain a proc or a lambda, as these types cannot be generated. Refactor any

problem resource types.

b) Regenerate the metadata by removing the environment’s .resource_types directory and running the

generate types command again.

c) If you continue to get catalog compilation errors, disable environment isolation to help you isolate the error.

Puppet | Set up Puppet | 137

To disable environment isolation in open source Puppet:

a) Remove the generate types command from any r10k hooks.

b) Remove the .resource_types directory.

To disable environment isolation in Puppet Enterprise (PE):

a) In /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf, remove the pre-

commit-hook-commands setting.

b) In Hiera, set

puppet_enterprise::server::puppetserver::pre_commit_hook_commands: []

c) On the command line, run service pe-puppetserver reload

d) Delete the .resource_types directories from your staging code directory, /etc/puppetlabs/code-

staging

e) Deploy the environments.

The generate types command

When you run the generate types command, it scans the entire environment for resource type implementations,

excluding core Puppet resource types.

The generate types command accepts the following options:

• --environment <ENV_NAME>: The environment for which to generate metadata. If you do not specify this

argument, the metadata is generated for the default environment (production).

• --force: Use this flag to overwrite all previously generated metadata.

For each resource type implementation it finds, the command generates a corresponding metadata file, named

after the resource type, in the <env-root>/.resource_types directory. It also syncs the files in the

.resource_types directory so that:

• Types that have been removed in modules are removed from resource_types.

• Types that have been added are added to resource_types.

• Types that have not changed (based on timestamp) are kept as is.

• Types that have changed (based on timestamp) are overwritten with freshly generated metadata.

The generated metadata files, which have a .pp extension, exist in the code directory. If you are using Puppet

Enterprise with Code Manager and file sync, these files appear in both the staging and live code directories. The

generated files are read-only. Do not delete them, modify them, or use expressions from them in manifests.

Directories and files

Puppet consists of a number of directories and files, and each one has an important role ranging from Puppet code

storage and configuration files to manifests and module paths.

Puppet | Set up Puppet | 138

• Code and data directory (codedir) on page 138

The codedir is the main directory for Puppet code and data. It is used by the primary Puppet server and Puppet apply,

but not by Puppet agent. It contains environments (which contain your manifests and modules) and a global modules

directory for all environments.

• Config directory (confdir) on page 139

Puppet’s confdir is the main directory for the Puppet configuration. It contains configuration files and the SSL

data.

• Main manifest directory on page 140

Puppet starts compiling a catalog either with a single manifest file or with a directory of manifests that are treated like

a single file. This starting point is called the main manifest or site manifest.

• The modulepath on page 141

The primary server service and the puppet apply command load most of their content from modules found in one

or more directories. The list of directories where Puppet looks for modules is called the modulepath. The modulepath

is set by the current node's environment.

• SSL directory (ssldir) on page 143

Puppet stores its certificate infrastructure in the SSL directory (ssldir) which has a similar structure on all Puppet

nodes, whether they are agent nodes, primary Puppet servers, or the certificate authority (CA) server.

• Cache directory (vardir) on page 144

As part of its normal operations, Puppet generates data which is stored in a cache directory called vardir. You can

mine the data in vardir for analysis, or use it to integrate other tools with Puppet.

Code and data directory (codedir)

The codedir is the main directory for Puppet code and data. It is used by the primary Puppet server and Puppet apply,

but not by Puppet agent. It contains environments (which contain your manifests and modules) and a global modules

directory for all environments.

Location

The codedir is located in one of the following locations:

• *nix: /etc/puppetlabs/code

• *nix non-root users: ~/.puppetlabs/etc/code

• Windows: %PROGRAMDATA%\PuppetLabs\code (usually C:\ProgramData\PuppetLabs\code)

When Puppet is running as root, as a Windows user with administrator privileges, or as the puppet user, it uses a

system-wide codedir. When running as a non-root user, it uses a codedir in that user's home directory.

When running Puppet commands and services as root or puppet, use the system codedir. To use the same codedir

as the Puppet agent, or the primary server, run admin commands such as puppet module with sudo.

To configure the location of the codedir, set the codedir setting in your puppet.conf file, such as:

codedir = /etc/puppetlabs/code

Important: Puppet Server doesn't use the codedir setting in puppet.conf, and instead uses the jruby-

puppet.master-code-dir setting in puppetserver.conf . When using a non-default codedir, you must

change both settings.

Interpolation of $codedir

The value of the codedir is discovered before other settings, so you can refer to it in other puppet.conf settings by

using the $codedir variable in the value. For example, the $codedir variable is used as part of the value for the

environmentpath setting:

[server]

environmentpath = $codedir/override_environments:$codedir/environments

Puppet | Set up Puppet | 139

This allows you to avoid absolute paths in your settings and keep your Puppet-related files together.

Contents

The codedir contains environments, including manifests and modules, and a global modules directory for all

environments.

The code and data directories are:

• environments : Contains alternate versions of the modules and manifests directories, to enable code

changes to be tested on smaller sets of nodes before entering production.

• modules : The main directory for modules.

Config directory (confdir)

Puppet’s confdir is the main directory for the Puppet configuration. It contains configuration files and the SSL

data.

Location

The confdir is located in one of the following locations:

• *nix root users: /etc/puppetlabs/puppet

• Non-root users: ~/.puppetlabs/etc/puppet

• Windows: %PROGRAMDATA%\PuppetLabs\puppet\etc (usually C:\ProgramData\PuppetLabs

\puppet\etc)

When Puppet is running as root, a Windows user with administrator privileges, or the puppet user, it uses a

system-wide confdir. When running as a non-root user, it uses a confdir in that user's home directory.

When running Puppet commands and services as root or puppet, usually you want to use the system codedir. To

use the same codedir as the Puppet agent or the primary Puppet server, run admin commands with sudo.

Puppet’s confdir can’t be set in the puppet.conf, because Puppet needs the confdir to locate that config file.

Instead, run commands with the --confdir parameter to specify the confdir. If --confdir isn’t specified when a

Puppet application is started, the command uses the default confdir location.

Puppet Server uses the jruby-puppet.server-conf-dir setting in puppetserver.conf to configure its

confdir. If you are using a non-default confdir, you must specify --confdir when you run commands like puppet

module to ensure they use the same directories as Puppet Server.

Interpolation of $confdir

The value of the confdir is discovered before other settings, so you can reference it, using the $confdir variable, in

the value of any other setting in puppet.conf.

If you need to set nonstandard values for some settings, using the $confdir variable allows you to avoid absolute

paths and keep your Puppet-related files together.

Contents

The confdir contains several config files and the SSL data. You can change their locations, but unless you have

a technical reason that prevents it, use the default structure. Click the links to see documentation for the files and

directories in the codedir.

On all nodes, agent and primary server, the confdir contains the following directories and config files:

• ssl directory: contains each node’s certificate infrastructure.

• puppet.conf: Puppet’s main config file.

• csr_attributes.yaml: Optional data to be inserted into new certificate requests.

On primary server nodes, and sometimes standalone nodes that run Puppet apply, the confdir also contains:

Puppet | Set up Puppet | 140

• auth.conf: Access control rules for the primary server's network services.

• fileserver.conf: Configuration for additional fileserver mount points.

• hiera.yaml: The global configuration for Hiera data lookup. Environments and modules can also have their

own hiera.yaml files.

Note: To provide backward compatibility for some existing Puppet 4 installations, if a hiera.yaml file

exists in the codedir, it takes precedence over hiera.yaml in the confdir. To ensure that Puppet honors the

configuration in the confdir, remove any hiera.yaml file that is present in the codedir.

• routes.yaml : Advanced configuration of indirector behavior.

On certificate authority servers, the confdir also contains:

• autosign.conf : List of pre-approved certificate requests.

On nodes that are acting as a proxy for configuring network devices, the confdir also contains:

• device.conf: Configuration for network devices managed by the puppet device command.

Main manifest directory

Puppet starts compiling a catalog either with a single manifest file or with a directory of manifests that are treated like

a single file. This starting point is called the main manifest or site manifest.

For more information about how the site manifest is used in catalog compilation, see Catalog compilation.

Specifying the manifest for Puppet apply

The puppet apply command uses the manifest you pass to it as an argument on the command line:

puppet apply /etc/puppetlabs/code/environments/production/manifests/site.pp

You can pass Puppet apply either a single .pp file or a directory of .pp files. Puppet apply uses the manifest you

pass it, not an environment's manifest.

Specifying the manifest for primary Puppet server

The primary Puppet server uses the main manifest set by the current node's environment, whether that manifest is a

single file or a directory of .pp files.

By default, the main manifest for an environment is <ENVIRONMENTS DIRECTORY>/<ENVIRONMENT>/

manifests, for example /etc/puppetlabs/code/environments/production/manifests. You can

configure the manifest per-environment, and you can also configure the default for all environments.

To determine its main manifest, an environment uses the manifest setting in environment.conf. This can be

an absolute path or a path relative to the environment’s main directory.

If the environment.confmanifest setting is absent, it uses the value of the default_manifest setting

from the puppet.conf file. The default_manifest setting defaults to ./manifests. Similar to the

environment's manifest setting, the value of default_manifest can be an absolute path or a path relative to

the environment’s main directory.

To force all environments to ignore their own manifest setting and use the default_manifest setting instead,

set disable_per_environment_manifest = true in puppet.conf.

To check which manifest your primary server uses for a given environment, run:

puppet config print manifest --section server --environment <ENVIRONMENT>

For more information, see Creating environments, and Checking values of configuration settings.

Puppet | Set up Puppet | 141

Manifest directory behavior

When the main manifest is a directory, Puppet parses every .pp file in the directory in alphabetical order and

evaluates the combined manifest. It descends into all subdirectories of the manifest directory and loads files in depth-

first order. For example, if the manifest directory contains a directory named 01, and a file named 02.pp, it parses

the files in 01 before it parses 02.pp.

Puppet treats the directory as one manifest, so, for example, a variable assigned in the file 01_all_nodes.pp is

accessible in node_web01.pp.

Note: Puppet does not follow symlinks when the manifest setting refers to a directory.

The modulepath

The primary server service and the puppet apply command load most of their content from modules found in one

or more directories. The list of directories where Puppet looks for modules is called the modulepath. The modulepath

is set by the current node's environment.

The modulepath is an ordered list of directories, with earlier directories having priority over later ones. Use the

system path separator character to separate the directories in the modulepath list. On *nix systems, use a colon (:); on

Windows use a semi-colon (;).

For example, on *nix:

/etc/puppetlabs/code/environments/production/modules:/etc/puppetlabs/code/

modules:/opt/puppetlabs/puppet/modules

On Windows:

C:/ProgramData/PuppetLabs/code/environments/production/modules;C:/

ProgramData/PuppetLabs/code/modules

Each directory in the modulepath must contain only valid Puppet modules, and the names of those modules must

follow the modules naming rules. Dashes and periods in module names cause errors. For more information, see

Modules fundamentals.

By default, the modulepath is set by the current node's environment in environment.conf. For example, using

*nix paths:

modulepath = site:dist:modules:$basemodulepath

To see what the modulepath is for an environment, run:

sudo puppet config print modulepath --section server --environment

<ENVIRONMENT_NAME>

For more information about environments, see Environments.

Setting the modulepath and base modulepath

Each environment sets its full modulepath in the environment.conf file with the modulepath setting.

The modulepath setting can only be set in environment.conf. It configures the entire modulepath for that

environment.

The modulepath can include relative paths, such as ./modules or ./site. Puppet looks for these paths inside the

environment’s directory.

The default modulepath value for an environment is the environment’s modules directory, plus the base modulepath.

On *nix, this is ./modules:$basemodulepath.

Puppet | Set up Puppet | 142

The base modulepath is a list of global module directories for use with all environments. You can configure it with

the basemodulepath setting in the puppet.conf file, but its default value is probably suitable. The default on

*nix:

$codedir/modules:/opt/puppetlabs/puppet/modules

On Windows:

$codedir\modules

If you want an environment to have access to the global module directories, include $basemodulepath in the

environment's modulepath setting:

modulepath = site:dist:modules:$basemodulepath

Using the --modulepath option with Puppet apply

When running Puppet apply on the command line, you can optionally specify a modulepath with the --

modulepath option, which overrides the modulepath from the current environment.

Absent, duplicate, and conflicting content from modules

Puppet uses modules it finds in every directory in the modulepath. Directories in the modulepath can be empty or

absent. This is not an error; Puppet does not attempt to load modules from those directories. If no modules are present

across the entire modulepath, or if modules are present but none of them contains a lib directory, the agent logs an

error when attempting to sync plugins from the primary server. This error is benign and doesn't prevent the rest of the

run.

If the modulepath contains multiple modules with the same name, Puppet uses the version from the directory that

comes earliest in the modulepath. Modules in directories earlier in the modulepath override those in later directories.

For most content, this earliest-module-wins behavior is on an all-or-nothing, per-module basis — all of the

manifests, files, and templates in the first-encountered version are available for use, and none of the content from any

subsequent versions is available. This behavior covers:

• Puppet code (from manifests).

• Files (from files).

• Templates (from templates).

• External facts (from facts.d).

• Ruby plugins synced to agent nodes (from lib).

CAUTION: Puppet sometimes displays unexpected behavior with Ruby plugins that are loaded directly

from modules. This includes:

• Plugins used by the primary server (custom resource types, custom functions).

• Plugins used by puppet apply.

• Plugins present in the agent’s modulepath (which is usually empty but night not be when running an agent

on a node that is also a primary server).

In this case, the plugins are handled on a per-file basis instead of per-module. If a duplicate module in an later

directory has additional plugin files that don’t exist in the first instance of the module, those extra files are

loaded, and Puppet uses a a mixture of files from both versions of the module.

If you refactor a module’s Ruby plugins, and maintain two versions of that module in your modulepath, it can

have unexpected results.

This is a byproduct of how Ruby works and is not intentional or controllable by Puppet; a fix is not expected.

Puppet | Set up Puppet | 143

SSL directory (ssldir)

Puppet stores its certificate infrastructure in the SSL directory (ssldir) which has a similar structure on all Puppet

nodes, whether they are agent nodes, primary Puppet servers, or the certificate authority (CA) server.

Location

By default, the ssldir is a subdirectory of the confdir.

You can change its location using the ssldir setting in the puppet.conf file. See the Configuration reference for

more information.

Note: The content of the ssldir is generated, grows over time, and is relatively difficult to replace. Some third-

party Puppet packages for Linux place the ssldir in the cache directory (vardir) instead of the confdir. When a distro

changes the ssldir location, it sets ssldir in the $confdir/puppet.conf file, usually in the [main] section.

To see the location of the ssldir on one of your nodes, run: puppet config print ssldir

Contents

The ssldir contains Puppet certificates, private keys, certificate signing requests (CSRs), and other cryptographic

documents.

The ssldir on an agent or primary server contains:

• A private key: private_keys/<certname>.pem

• A signed certificate: certs/<certname>.pem

• A copy of the CA certificate: certs/ca.pem

• A copy of the certificate revocation list (CRL): crl.pem

• A copy of its sent CSR: certificate_requests/<certname>.pem

Tip: Puppet does not save its public key to disk, because the public key is derivable from its private key and is

contained in its certificate. If you need to extract the public key, use $ openssl rsa -in $(puppet config

print hostprivkey) -pubout

If these files don’t exist on a node, it's because they are generated locally or requested from the CA server.

Agent and primary server credentials are identified by certname, so an agent process and a primary server process

running on the same server can use the same credentials.

The ssldir for the Puppet CA, which runs on the CA server, contains similar credentials: private and public keys, a

certificate, and a primary server copy of the CRL. It maintains a list of all signed certificates in the deployment, a

copy of each signed certificate, and an incrementing serial number for new certificates. To keep it separated from

general Puppet credentials on the same server, all of the CA’s data is stored in the ca subdirectory.

The ssldir directory structure

All of the files and directories in the ssldir directory have corresponding Puppet settings, which can be used to

change their locations. Generally, though, don't change the default values unless you have a specific problem to work

around.

Ensure the permissions mode of the ssldir is 0771. The directory and each file in it is owned by the user that Puppet

runs as: root or Administrator on agents, and defaulting to puppet or pe-puppet on a primary server. Set up

automated management for ownership and permissions on the ssldir.

The ssldir has the following structure. See the Configuration reference for details about each puppet.conf setting

listed:

Puppet | Set up Puppet | 144

• ca directory (on the CA server only): Contains the files used by Puppet’s certificate authority. Mode: 0755.

Setting: cadir.

• ca_crl.pem: The primary server copy of the certificate revocation list (CRL) managed by the CA. Mode:

0644. Setting: cacrl.

• ca_crt.pem: The CA’s self-signed certificate. This cannot be used as a primary server or agent certificate; it

can only be used to sign certificates. Mode: 0644. Setting: cacert.

• ca_key.pem: The CA’s private key, and one of the most security-critical files in the Puppet certificate

infrastructure. Mode: 0640. Setting: cakey.

• ca_pub.pem: The CA’s public key. Mode: 0644. Setting: capub.

• inventory.txt: A list of the certificates the CA signed, along with their serial numbers and validity

periods. Mode: 0644. Setting: cert_inventory.

• requests (directory): Contains the certificate signing requests (CSRs) that have been received but not yet

signed. The CA deletes CSRs from this directory after signing them. Mode: 0755. Setting: csrdir.

• <name>.pem: CSR files awaiting signing.

• serial: A file containing the serial number for the next certificate the CA signs. This is incremented with

each new certificate signed. Mode: 0644. Setting: serial.

• signed (directory): Contains copies of all certificates the CA has signed. Mode: 0755. Setting: signeddir.

• <name>.pem: Signed certificate files.

• certificate_requests (directory): Contains CSRs generated by this node in preparation for submission

to the CA. CSRs stay in this directory even after they have been submitted and signed. Mode: 0755. Setting:

requestdir.

• <certname>.pem: This node’s CSR. Mode: 0644. Setting: hostcsr.

• certs (directory): Contains signed certificates present on the node. This includes the node’s own certificate, and

a copy of the CA certificate for validating certificates presented by other nodes. Mode: 0755. Setting: certdir.

• <certname>.pem: This node’s certificate. Mode: 0644. Setting: hostcert.

• ca.pem: A local copy of the CA certificate. Mode: 0644. Setting: localcacert.

• crl.pem: A copy of the certificate revocation list (CRL) retrieved from the CA, for use by agents or primary

servers. Mode: 0644. Setting: hostcrl.

• private (directory): Usually, does not contain any files. Mode: 0750. Setting: privatedir.

• password: The password to a node’s private key. Usually not present. The conditions in which this file

would exist are not defined. Mode: 0640. Setting: passfile.

• private_keys (directory): Contains the node's private key and, on the CA, private keys created by the

puppetserver ca generate command. It never contains the private key for the CA certificate. Mode:

0750. Setting: privatekeydir.

• <certname>.pem: This node’s private key. Mode: 0600. Setting: hostprivkey.

• public_keys (directory): Contains public keys generated by this node in preparation for generating a CSR.

Mode: 0755. Setting: publickeydir.

• <certname>.pem: This node’s public key. Mode: 0644. Setting: hostpubkey.

Cache directory (vardir)

As part of its normal operations, Puppet generates data which is stored in a cache directory called vardir. You can

mine the data in vardir for analysis, or use it to integrate other tools with Puppet.

Location

The cache directory for Puppet Server defaults to /opt/puppetlabs/server/data/puppetserver.

The cache directory for the Puppet agent and Puppet apply can be found at one of the following locations:

• *nix systems: /opt/puppetlabs/puppet/cache.

• Non-root users: ~/.puppetlabs/opt/puppet/cache.

Puppet | Set up Puppet | 145

• Windows: %PROGRAMDATA%\PuppetLabs\puppet\cache (usually C:\Program Data\PuppetLabs

\puppet\cache).

When Puppet is running as root, a Windows user with administrator privileges, or the puppet user, uses a system-

wide cache directory. When running as a non-root user, it uses a cache directory in the user’s home directory.

Because you usually run Puppet’s commands and services as root or puppet, the system cache directory is what you

usually want to use.

Important: To use the same directories as the agent or primary server, admin commands like puppetserver ca,

must run with sudo.

Note: When the primary server is running as a Rack application, the config.ru file must explicitly set --

vardir to the system cache directory. The example config.ru file provided with the Puppet source does this.

You can specify Puppet’s cache directory on the command line by using the --vardir option, but you can’t set it in

puppet.conf. If --vardir isn’t specified when a Puppet application is started, it uses the default cache directory

location.

To configure the Puppet Server cache directory, use the jruby-puppet.server-var-dir setting in

puppetserver.conf .

Interpolation of $vardir

The value of the vardir is discovered before other settings, so you can reference it using the $vardir variable in the

value of any other setting in puppet.conf or on the command line.

For example:

[main]

ssldir = $vardir/ssl

If you need to set nonstandard values for some settings, using the $vardir variable allows you to avoid absolute

paths and keep your Puppet-related files together.

Contents

The vardir contains several subdirectories. Most of these subdirectories contain a variable amount of generated data,

some contain notable individual files, and some directories are used only by agent or primary server processes.

To change the locations of specific vardir files and directories, edit the settings in puppet.conf. For more

information about each item below, see the Configuration reference.

Directory name Config setting Notes

bucket bucketdir

client_data client_datadir

clientbucket clientbucketdir

client_yaml clientyamldir

devices devicedir

lib/facter factpath

facts factpath

facts.d pluginfactdest

Puppet | Set up Puppet | 146

Directory name Config setting Notes

lib libdir, plugindest Puppet uses this as a cache for

plugins (custom facts, types and

providers, functions) synced from

a primary server. Do not change its

contents. If you delete it, the plugins

are restored on the next Puppet run.

puppet-module module_working_dir

puppet-module/skeleton module_skeleton_dir

reports reportdir When the option to store reports

is enabled, a primary server stores

reports received from agents as

YAML files in this directory. You

can mine these reports for analysis.

server_data serverdatadir

state statedir See table below for more details

about the state directory contents.

yaml yamldir

The state directory contains the following files and directories:

File or directory name Config setting Notes

agent_catalog_run.lock agent_catalog_run_lockfile

agent_disabled.lock agent_disabled_lockfile

classes.txt classfile This file is useful for external

integration. It lists all of the classes

assigned to this agent node.

graphs directory graphdir When graphing is enabled, agent

nodes write a set of .dot graph

files to this directory. Use these

graphs to diagnose problems with the

catalog application, or visualizing the

configuration catalog.

last_run_summary.yaml lastrunfile

This file is stored in a public

directory and is visible to external

monitoring tools — making sure the

Puppet agent is running every 30

minutes.

last_run_report.yaml lastrunreport

resources.txt resourcefile

state.yaml statefile

Puppet | Set up Puppet | 147

Report reference

Puppet has a set of built-in report processors, which you can configure.

By default, after applying a catalog, Puppet generates a report that includes information about the run: events, log

messages, resource statuses, metrics, and metadata. Each host sends its report as a YAML dump.

The agent sends its report to the primary server for processing, whereas agents running puppet apply process

their own reports. Either way, Puppet handles every report with a set of report processors, which are specified in the

reports setting in the agent's puppet.conf file.

By default, Puppet uses the store report processor. You can enable other report processors or disable reporting in

the reports setting.

http

Sends reports via HTTP or HTTPS. This report processor submits reports as POST requests to the address in

the reporturl setting. When you specify an HTTPS URL, the remote server must present a certificate issued

by the Puppet CA or the connection fails validation. The body of each POST request is the YAML dump of a

Puppet::Transaction::Report object, and the content type is set as application/x-yaml.

log

Sends all received logs to the local log destinations. The usual log destination is syslog.

store

Stores the yaml report in the configured reportdir. By default, this is the report processor Puppet uses. These

files collect quickly — one every half hour — so be sure to perform maintenance on them if you use this report.

Puppet | Platform components | 148

Platform components

Puppet is made up of several packages. Together these are called the Puppet platform, which is what you use to

manage, store and run your Puppet code. These packages include puppetserver, puppetdb, and puppet-

agent — which includes Facter.

• Facter on page 296

Facter is Puppet’s cross-platform system profiling library. It discovers and reports per-node facts, which are available

in your Puppet manifests as variables.

• PuppetDB on page 342

All of the data generated by Puppet (for example facts, catalogs, reports) is stored in PuppetDB.

• Puppet services and tools on page 342

Puppet provides a number of core services and administrative tools to manage systems with or without a primary

Puppet server, and to compile configurations for Puppet agents.

• Puppet reports on page 366

Puppet creates a report about its actions and your infrastructure each time it applies a catalog during a Puppet run.

You can create and use report processors to generate insightful information or alerts from those reports.

• Life cycle of a Puppet run on page 374

Learn the details of Puppet's internals, including how primary servers and agents communicate via host-verified

HTTPS, and about the process of catalog compilation.

Puppet Server

About Puppet Server

Puppet is configured in an agent-server architecture, in which a primary server node manages the configuration

information for a fleet of agent nodes. Puppet Server acts as the primary server node. Puppet Server is a Ruby and

Clojure application that runs on the Java Virtual Machine (JVM). Puppet Server runs Ruby code for compiling Puppet

catalogs and for serving files in several JRuby interpreters. It also provides a certificate authority through Clojure.

This page describes the general requirements and the run environment for Puppet Server.

Puppet Server releases

Puppet Server and Puppet share the same major release (Puppet Server 6.x and Puppet 6.x). However, they are

versioned separately and might have different minor or patch versions (Puppet Server 6.5 versus Puppet 6.8). For a

list of the maintained versions of Puppet and Puppet Server, visit Puppet releases and lifecycles.

Controlling the Service

The Puppet Server service name is puppetserver. To start and stop the service, use commands such as service

puppetserver restart, service puppetserver status for your OS.

Puppet Server's Run Environment

Puppet Server consists of several related services. These services share state and route requests among themselves.

The services run inside a single JVM process, using the Trapperkeeper service framework.

Embedded Web Server

Puppet Server uses a Jetty-based web server embedded in the service's JVM process. No additional or unique actions

are required to configure and enable the web server. You can modify the web server's settings in webserver.conf on

page 171. You might need to edit this file if you use an external CA or run Puppet on a non-standard port.

Puppet | Platform components | 149

Puppet API Service

Puppet Server provides APIs that are used by the Puppet agent to manage the configuration of your nodes. Visit

Puppet V3 HTTP API on page 220 for more information on the basic APIs.

Certificate Authority Service

Puppet Server includes a certificate authority (CA) service that:

• Accepts certificate signing requests (CSRs) from nodes.

• Serves certificates and a certificate revocation list (CRL) to nodes.

• Optionally accepts commands to sign or revoke certificates.

Signing and revoking certificates over the network is disabled by default. You can use the auth.conf file to allow

specific certificate owners the ability to issue commands.

The CA service uses .pem files to stores credentials. You can use the puppetserver ca command to interact

with these credentials, including listing, signing, and revoking certificates. See CA V1 HTTP API on page 222 for

more information on these APIs.

Admin API Service

Puppet Server includes an administrative API for triggering maintenance tasks. The most common task refreshes

Puppet’s environment cache, which causes all of your Puppet code to reload without the requirement to restart the

service. Consequently, you can deploy new code to long-timeout environments without executing a full restart of the

service.

For API docs, visit:

• Environment cache on page 264.

• JRuby pool on page 265.

For details about environment caching, visit:

• About environments.

JRuby Interpreters

Most of Puppet Server's work is done by Ruby code running in JRuby. JRuby is an implementation of the Ruby

interpreter that runs on the JVM. Note that you can’t use the system gem command to install Ruby Gems for the

Puppet primary server. Instead, Puppet Server includes a separate puppetserver gem command for installing any

libraries your Puppet extensions might require. Visit Using Ruby gems on page 187 for details.

If you want to test or debug code to be used by the Puppet Server, you can use the puppetserver ruby and

puppetserver irb commands to execute Ruby code in a JRuby environment.

To handle parallel requests from agent nodes, Puppet Server maintains separate JRuby interpreters. These JRuby

interpreters individually run Puppet's application code, and distribute agent requests among them. You can configure

the JRuby interpreters in the jruby-puppet section of puppetserver.conf on page 167.

Tuning Guide

You can maximize Puppet Server's performance by tuning your JRuby configuration. To learn more, visit the Puppet

Server Tuning guide on page 203.

User

If you are running Puppet Enterprise:

• Puppet Server user runs as pe-puppet.

• You must specify the user in /etc/sysconfig/pe-puppetserver.

If you are running open source Puppet:

• Puppet Server needs to run as the user puppet.

• You must specify the user in /etc/sysconfig/puppetserver.

Puppet | Platform components | 150

All of the Puppet Server's files and directories must be readable and writable by this user. Note that Puppet Server

ignores the user and group settings from puppet.conf.

Ports

By default, Puppet's HTTPS traffic uses port 8140. The OS and firewall must allow Puppet Server's JVM process to

accept incoming connections on port 8140. If necessary, you can change the port in webserver.conf. See the

webserver.conf on page 171 page for details.

Logging

All of Puppet Server's logging is routed through the JVM Logback library. By default, it logs to /var/log/

puppetlabs/puppetserver/puppetserver.log. The default log level is 'INFO'. By default, Puppet

Server sends nothing to syslog. All log messages follow the same path, including HTTP traffic, catalog

compilation, certificate processing, and all other parts of Puppet Server's work.

Puppet Server also relies on Logback to manage, rotate, and archive Server log files. Logback archives Server logs

when they exceed 200MB. Also, when the total size of all Server logs exceeds 1GB, Logback automatically deletes

the oldest logs. Logback is heavily configurable. If you need something more specialized than a unified log file, it

may be possible to obtain. Visit Logging on page 159 for more details.

Finally, any errors that cause the logging system to die or occur before logging is set up, display in journalctl.

SSL Termination

By default, Puppet Server handles SSL termination automatically. For network configurations that require external

SSL termination (e.g. with a hardware load balancer), additional configuration is required. See the External SSL

termination on page 192 page for details. In summary, you must:

• Configure Puppet Server to use HTTP instead of HTTPS.

• Configure Puppet Server to accept SSL information via insecure HTTP headers.

• Secure your network so that Puppet Server cannot be directly reached by any untrusted clients.

• Configure your SSL terminating proxy to set the following HTTP headers:

• X-Client-Verify (mandatory).

• X-Client-DN (mandatory for client-verified requests).

• X-Client-Cert (optional; required for trusted facts).

Configuring Puppet Server

Puppet Server uses a combination of Puppet's configuration files along with its own separate configuration files,

which are located in the conf.d directory. Refer to the Config directory for a list of Puppet's configuration files. For

detailed information about Puppet Server settings and the conf.d directory, refer to the Configuring Puppet Server

on page 157 page.

Deprecated features

The following features and configuration settings are deprecated and will be removed in a future major release of

Puppet Server.

certificate-status settings

Now

If the certificate-authority.certificate-status.authorization-required setting is

false, all requests that are successfully validated by SSL (if applicable for the port settings on the server) are

permitted to use the Certificate Status HTTP API endpoints. This includes requests which do not provide an SSL

client certificate.

If the certificate-authority.certificate-status.authorization-required setting is true

or not specified and the puppet-admin.client-whitelist setting has one or more entries, only the requests

whose Common Name in the SSL client certificate subject matches one of the client-whitelist entries are

permitted to use the certificate status HTTP API endpoints.

Puppet | Platform components | 151

For any other configuration, requests are only permitted to access the certificate status HTTP API endpoints if

allowed per the rule definitions in the trapperkeeper-authorization "auth.conf" file. See the auth.conf on

page 160 page for more information.

In a Future Major Release

The certificate-status settings will be ignored completely by Puppet Server. Requests made to the

certificate-status HTTP API will only be allowed per the trapperkeeper-authorization

"auth.conf" configuration.

Detecting and Updating

Look at the certificate-status settings in your configuration. If authorization-required is set to

false or client-whitelist has one or more entries, these settings would be used to authorize access to the

certificate status HTTP API instead of trapperkeeper-authorization.

If authorization-required is set to true or is not specified and if the client-whitelist was empty,

you could just remove the certificate-authority section from your configuration. The only behavior that

would change in Puppet Server from doing this would be that a warning message would no longer be written to the

"puppetserver.log" file at startup.

If authorization-required is set to false, you would need to create a corresponding rule in the

trapperkeeper-authorization file which would allow unauthenticated client access to the certificate status

API.

For example:

authorization: {

version: 1

rules: [

{

match-request: {

path: "/certificate_status/"

type: path

method: [ get, put, delete ]

}

allow-unauthenticated: true

sort-order: 200

{

match-request: {

path: "/certificate_statuses/"

type: path

method: get

}

allow-unauthenticated: true

sort-order: 200

...

]

}

If authorization-required is set to true or not set but the client-whitelist has one or more custom

entries in it, you would need to create a corresponding rule in the trapperkeeper-authorization "auth.conf"

file which would allow only specific clients access to the certificate status API.

For example, the current certificate status configuration could have:

certificate-authority:

certificate-status: {

client-whitelist: [ admin1, admin2 ]

}

Puppet | Platform components | 152

}

Corresponding trapperkeeper-authorization rules could have:

authorization: {

version: 1

rules: [

{

match-request: {

path: "/certificate_status/"

type: path

method: [ get, put, delete ]

}

allow: [ admin1, admin2 ]

sort-order: 200

{

match-request: {

path: "/certificate_statuses/"

type: path

method: get

}

allow: [ admin1, admin2 ]

sort-order: 200

...

]

}

After adding the desired rules to the trapperkeeper-authorization "auth.conf" file, remove the

certificate-authority section from the "puppetserver.conf" file and restart the puppetserver service.

Context

In previous Puppet Server releases, there was no unified mechanism for controlling access to the various endpoints

that Puppet Server hosts. Puppet Server used core Puppet "auth.conf" to authorize requests handled via Ruby Puppet

and custom client whitelists for the CA and Admin endpoints. The custom client whitelists do not provide granular

enough control to meet some use cases.

trapperkeeper-authorization unifies authorization configuration across all of these endpoints into a single

file and provides more granular control.

puppet-admin Settings

Now

If the puppet-admin.authorization-required setting is false, all requests that are successfully

validated by SSL (if applicable for the port settings on the server) are permitted to use the puppet-admin HTTP

API endpoints. This includes requests which do not provide an SSL client certificate.

If the puppet-admin.authorization-required setting is true or not specified and the puppet-

admin.client-whitelist setting has one or more entries, only the requests whose Common Name in the SSL

client certificate subject matches one of the client-whitelist entries are permitted to use the puppet-admin

HTTP API endpoints.

For any other configuration, requests are only permitted to access the puppet-admin HTTP API endpoints if

allowed per the rule definitions in the trapperkeeper-authorization "auth.conf" file. See the auth.conf on

page 160 page for more information.

Puppet | Platform components | 153

In a Future Major Release

The puppet-admin settings will be ignored completely by Puppet Server. Requests made to the puppet-admin

HTTP API will only be allowed per the trapperkeeper-authorization "auth.conf" configuration.

Detecting and Updating

Look at the puppet-admin settings in your configuration. If authorization-required is set to false or

client-whitelist has one or more entries, these settings would be used to authorize access to the puppet-

admin HTTP API instead of trapperkeeper-authorization.

If authorization-required is set to true or is not specified and if the client-whitelist was empty,

you could just remove the puppet-admin section from your configuration and restart your puppetserver service in

order for Puppet Server to start using the trapperkeeper-authorization "auth.conf" file. The only behavior

that would change in Puppet Server from doing this would be that a warning message would no longer be written to

the puppetserver.log file.

If authorization-required is set to false, you would need to create corresponding rules in the

trapperkeeper-authorization file which would allow unauthenticated client access to the "puppet-admin"

API endpoints.

For example:

authorization: {

version: 1

rules: [

{

match-request: {

path: "/puppet-admin-api/v1/environment-cache"

type: path

method: delete

}

allow-unauthenticated: true

sort-order: 200

{

match-request: {

path: "/puppet-admin-api/v1/jruby-pool"

type: path

method: delete

}

allow-unauthenticated: true

sort-order: 200

...

]

}

If authorization-required is set to true or not set but the client-whitelist has one or more custom

entries in it, you would need to create corresponding rules in the trapperkeeper-authorization "auth.conf"

file which would allow only specific clients access to the "puppet-admin" API endpoints.

For example, the current "puppet-admin" configuration could have:

puppet-admin: {

client-whitelist: [ admin1, admin2 ]

}

Corresponding trapperkeeper-authorization rules could have:

authorization: {

Puppet | Platform components | 154

version: 1

rules: [

{

match-request: {

path: "/puppet-admin-api/v1/environment-cache"

type: path

method: delete

}

allow: [ admin1, admin2 ]

sort-order: 200

{

match-request: {

path: "/puppet-admin-api/v1/jruby-pool"

type: path

method: delete

}

allow: [ admin1, admin2 ]

sort-order: 200

...

]

}

After adding the desired rules to the trapperkeeper-authorization "auth.conf" file, remove the puppet-

admin section from the "puppetserver.conf" file and restart the puppetserver service.

Context

In previous Puppet Server releases, there was no unified mechanism for controlling access to the various endpoints

that Puppet Server hosts. Puppet Server used core Puppet "auth.conf" to authorize requests handled by Ruby Puppet

and custom client whitelists for the CA and Admin endpoints. The custom client allowlists do not provide granular

enough control to meet some use cases.

trapperkeeper-authorization unifies authorization configuration across all of these endpoints into a single

file and provides more granular control.

Puppet's "resource_types" API endpoint

Now

The resource_type and resource_types HTTP APIs were removed in Puppet Server 5.0.

Previously

The resource_type and resource_types Puppet HTTP API endpoints return information about classes,

defined types, and node definitions.

The Environment classes on page 266 serves as a replacement for the Puppet resource type API for classes.

Detecting and Updating

If your application calls the resource_type or resource_types HTTP API endpoints for information about

classes, point those calls to the environment_classes endpoint. The environment_classes endpoint has

different features and returns different values than resource_type; see the Environment classes on page 266

for details.

The environment_classes endpoint ignores Puppet's Ruby-based authorization methods and configuration in

favor of Puppet Server's Trapperkeeper authorization. For more information, see the Environment classes on page

266 of the environment classes API documentation.

Puppet | Platform components | 155

Context

Users often rely on the resource_types endpoint for lists of classes and associated parameters in an

environment. For such requests, the resource_types endpoint is inefficient and can trigger problematic events,

such as manifests being parsed during a catalog request.

To fulfill these requests more efficiently and safely, Puppet Server 2.3.0 introduced the narrowly defined

environment_classes endpoint.

Puppet's node cache terminus

Now

Puppet 5.0 (and by extension, Puppet Server 5.0) no longer writes node YAML files to its cache by default.

Previously

Puppet wrote YAML to its node cache.

Detecting and Updating

To retain the Puppet 4.x behavior, add the Configuring Puppet Server on page 157 setting

node_cache_terminus = write_only_yaml. The write_only_yaml option is deprecated.

Context

This cache was used in workflows where external tooling needs a list of nodes. PuppetDB is the preferred source of

node information.

JRuby's "compat-version" setting

Now

Puppet Server 5.0 removes the jruby-puppet.compat-version setting in puppetserver.conf on page 167,

and exits the puppetserver service with an error if you start the service with that setting.

Previously

Puppet Server 2.7.x allowed you to set compat-version to 1.9 or 2.0 to choose a preferred Ruby interpreter

version.

Detecting and Updating

Launching the puppetserver service with this setting enabled will cause it to exit with an error message. The

error includes information on Configuring Puppet Server on page 157.

For Ruby language 2.x support in Puppet Server, configure Puppet Server to use JRuby 9k instead of JRuby 1.7.27.

See the "Configuring the JRuby Version" section of Configuring Puppet Server on page 157 for details.

Context

Puppet Server 5.0 updated JRuby v1.7 to v1.7.27, which in turn updated the jruby-openssl gem to v0.9.19 and

bouncycastle libraries to v1.55. JRuby 1.7.27 breaks setting jruby-puppet.compat-version to 2.0.

Server 5.0 also added optional, experimental support for JRuby 9k, which includes Ruby 2.x language support.

Server and agent compatibility

Use this table to verify that you're using a compatible version of the agent for your PE or Puppet Server.

Restriction: Puppet Server 6.x is no longer developed or tested.

ServerAgent

Puppet 6.x

PE 2019.1 through 2019.8

Puppet 7.x

PE 2021.0 through 2023.2

Puppet 8.x

PE 2023.4 and later

6.x # # #

Puppet | Platform components | 156

ServerAgent

Puppet 6.x

PE 2019.1 through 2019.8

Puppet 7.x

PE 2021.0 through 2023.2

Puppet 8.x

PE 2023.4 and later

7.x # #

8.x #

Installing Puppet Server

Puppet Server is a required application that runs on the Java Virtual Machine (JVM). It controls the configuration

information for one or more managed agent nodes.

Before you begin

Review the supported operating systems and make sure you have a supported version of Java. Note that, unlike

Puppet Agent, Puppet Server is not supported on MacOS. If you encounter any issues with the steps below, submit

them to our Bug Tracker.

Supported operating systems

Puppet provides official packages that install Puppet Server and all of its prerequisites for the following platforms:

Operating Systems Version

Red Hat Enterprise Linux 7, 8, 9

Debian 9 (Stretch), 10 (Buster), 11 (Bullseye)

Ubuntu 16.04 (Xenial, amd64 only), 18.04 (Bionic), 20.04

(Focal), 22.04

SLES 12 SP1, 15 (x86_64)

If we don't provide a package for your system, you can run Puppet Server from source on any x86_64 Linux server

with JDK 1.8 or 11. For more details, visit Running from source on page 214.

Note: For help with non-supported operating systems, architectures, or JRE versions, join our Community

Slack.

Important: If you implement Linux hardening techniques, consider customizing your settings, including

but not limited to the following:

• SELinux: Grant exceptions for Puppet and the PXP agent to allow these services to run effectively.

• File Access Policy Daemon (fapolicyd): Grant exceptions for PE services to prevent potential

restrictions.

• umask: Ensure your operating system's default umask is set to 022 or less restrictive. A more restrictive

setting can lead to unintended failures, as Puppet users might be denied access to necessary files.

Java support

Puppet Server versions are tested against the following versions of Java:

Puppet Server Java

7.y and later 8, 11, 17

8.y and later 11, 17

The preferred version of Java is version 17. Some Java versions may work with other Puppet Server versions, but we

do not test or support those cases. Both Java 8 and 11 are considered long-term support versions and are planned to be

supported by upstream maintainers until 2022 or later.

Puppet | Platform components | 157

Install Puppet Server

Puppet Server is configured to use 2 GB of RAM by default. If you're simply testing an installation on a Virtual

Machine, this amount of memory is not necessary. To change the memory allocation, see Running Puppet Server on a

VM.

Important: If you're upgrading, stop any existing puppetserver service by running service

<service_name> stop or systemctl stop <service_name>.

Enable the Puppet package repositories, if you haven't already done so.

Install the Puppet Server package by running one of the following commands:

• Red Hat operating systems: yum install puppetserver

• Debian and Ubuntu operating systems: apt-get install puppetserver

Start the Puppet Server service: sudo systemctl start puppetserver

Open a new shell, or use exec bash to update your PATH.

Tip: If you're installing Puppet Server on Ubuntu, use bash -l instead of exec bash.

To check if you installed the Puppet Server correctly, run: puppetserver -v

Step Result: If you correctly installed Puppet Server, the command displays the correct version.

Install a Puppet Agent

After you successfully install Puppet Server, next install the following:

Install a Puppet agent

(Optional) Install PuppetDB, if you want to enable extra features, including enhanced queries and reports about

your infrastructure.

Running Puppet Server on a VM

By default, Puppet Server is configured to use 2GB of RAM. However, if you want to experiment with Puppet Server

on a VM, you can safely allocate as little as 512MB of memory. To change the Puppet Server memory allocation, you

can edit the init config file.

Open the applicable file:

• For RHEL or CentOS, open: /etc/sysconfig/puppetserver

• For Debian or Ubuntu, open: /etc/default/puppetserver

Update the following line to display the amount of memory you want to allocate to Puppet Server:

# Modify this if you'd like to change the memory allocation, enable JMX,

etc

JAVA_ARGS="-Xms2g -Xmx2g"

For example, to allocate 1GB of memory, use JAVA_ARGS="-Xms1g -Xmx1g"; for 512MB, use

JAVA_ARGS="-Xms512m -Xmx512m".

Restart the puppetserver service.

Note: For more information about the recommended settings for the JVM, visit Oracle's docs on JVM Tuning.

Configuring Puppet Server

Puppet Server uses a combination of Puppet's configuration files along with its own configuration files. You can refer

to a complete list of Puppet’s configuration files in the Config directory.

Puppet Server and puppet.conf settings

Puppet Server uses Puppet's configuration files, including most of the settings in puppet.conf. However, Puppet

Server treats some puppet.conf settings differently. You must be aware of these differences. You can visit

Puppet | Platform components | 158

a complete list of these differences at Differing behavior in puppet.conf. Puppet Server automatically loads the

puppet.conf settings in the configuration file’s main and server sections. Puppet Server uses the values in the

server section but if they are not present, it uses the values in the main section.

Puppet Server honors the following puppet.conf settings:

• allow_duplicate_certs

• autosign

• cacert

• cacrl

• cakey

• ca_name

• capub

• ca_ttl

• certdir

• certname

• cert_inventory

• codedir (PE only)

• csrdir

• csr_attributes

• dns_alt_names

• hostcert

• hostcrl

• hostprivkey

• hostpubkey

• keylength

• localcacert

• manage_internal_file_permissions

• privatekeydir

• requestdir

• serial

• signeddir

• ssl_client_header

• ssl_client_verify_header

• trusted_oid_mapping_file

Configuration Files

Most of Puppet Server's configuration files and settings (with the exception of the logging config file) are in the

conf.d directory. The conf.d directory is located at /etc/puppetlabs/puppetserver/conf.d by

default. These configuration files are in the HOCON format, which retains the basic structure of JSON but is more

readable. For more information, visit the HOCON documentation.

At startup, Puppet Server reads all the .conf files in the conf.d directory. You must restart Puppet Server to

implement your changes to these files. The conf.d directory contains the following files and settings:

• global.conf on page 164

• webserver.conf on page 171

• web-routes.conf on page 171

• puppetserver.conf on page 167

• auth.conf on page 160

• ca.conf on page 163

Puppet | Platform components | 159

Note: The product.conf file is optional and is not included by default. You can create product.conf in

the conf.d directory to configure product-related settings (such as automatic update checking and analytics data

collection).

Logging

There is a Logback configuration file that controls how Puppet Server logs. Its default location is at /etc/

puppetlabs/puppetserver/logback.xml. If you want to place it elsewhere, visit the documentation on

global.conf.

For additional information on the logback.xml file, visit Logback.xm or Logback documentation. For tips on

configuring Logstash or outputting logs in JSON, visit Advanced logging configuration

HTTP Traffic

Puppet Server logs HTTP traffic in a format similar to Apache and to a separate file that isn’t the main log file.

By default, the access log is located at /var/log/puppetlabs/puppetserver/puppetserver-

access.log.

The following information is logged for each HTTP request by default:

• remote host

• remote log name

• remote user

• date of the logging event

• URL requested

• status code of the request

• response content length

• remote IP address

• local port

• elapsed time to serve the request, in milliseconds

There is a Logback configuration file that controls Puppet Server’s logging behavior. Its default location is at /

etc/puppetlabs/puppetserver/request-logging.xml. If you want to place it elsewhere, visit the

documentation on webserver.conf

Authorization

To enable additional logging related to auth.conf, edit Puppet Server's logback.xml file. By default, only a

single message is logged when a request is denied.

To enable a one-time logging of the parsed and transformed auth.conf file, add the following to Puppet Server's

logback.xml file:

<logger name="puppetlabs.trapperkeeper.services.authorization.authorization-

service" level="DEBUG"/>

To enable rule-by-rule logging for each request as it's checked for authorization, add the following to Puppet Server's

logback.xml file:

Service Bootstrapping

Puppet Server is built on top of our open-source Clojure application framework, Trapperkeeper.

One of the features that Trapperkeeper provides is the ability to enable or disable individual services that an

application provides. In Puppet Server, you can use this feature to enable or disable the CA service. The CA service

is enabled by default, but if you're running a multi-server environment or using an external CA, you might want to

disable the CA service on some nodes.

The service bootstrap configuration files are in two locations:

Puppet | Platform components | 160

• /etc/puppetlabs/puppetserver/services.d/: For services that users are expected to manually

configure if necessary, such as CA-related services.

• /opt/puppetlabs/server/apps/puppetserver/config/services.d/: For services users

shouldn’t need to configure.

Any files with a .cfg extension in either of these locations are combined to form the final set of services Puppet

Server will use.

The CA-related configuration settings are set in /etc/puppetlabs/puppetserver/services.d/ca.cfg.

If services added in future versions have user-configurable settings, the configuration files will also be in this

directory. When upgrading Puppet Server with a package manager, it should not overwrite files already in this

directory.

In the ca.cfg file, find and modify these lines as directed to enable or disable the service:

# To enable the CA service, leave the following line uncommented

puppetlabs.services.ca.certificate-authority-service/certificate-authority-

service

# To disable the CA service, comment out the above line and uncomment the

line below

#puppetlabs.services.ca.certificate-authority-disabled-service/certificate-

authority-disabled-service

Adding Java JARs

Puppet Server can load any provided Java Jars upon its initial startup. When launched, Puppet Server automatically

loads any JARs placed in /opt/puppetlabs/server/data/puppetserver/jars into the classpath.

JARs placed here are not modified or removed when upgrading Puppet Server.

Puppet Server configuration files

auth.conf

Puppet Server's auth.conf file contains rules for authorizing access to Puppet Server's HTTP API endpoints. For

an overview, see Configuring Puppet Server on page 157.

The rules are defined in a file named auth.conf, and Puppet Server applies the settings when a request's endpoint

matches a rule.

Note: You can also use the puppetlabs-puppet_authorization module to manage the new

auth.conf file's authorization rules in the new HOCON format, and the puppetlabs-hocon

module to use Puppet to manage HOCON-formatted settings in general.

To configure how Puppet Server authenticates requests, use the supported HOCON auth.conf file and

authorization methods, and see the parameters and rule definitions in the HOCON Parameters section.

You can find the Puppet Server auth.conf file here.

HOCON example

Here is an example authorization section using the HOCON configuration format:

authorization: {

version: 1

rules: [

{

match-request: {

path: "^/my_path/([^/]+)$"

type: regex

method: get

}

allow: [ node1, node2, node3, {extensions:{ext_shortname1:

value1, ext_shortname2: value2}} ]

sort-order: 1

Puppet | Platform components | 161

{

match-request: {

path: "/my_other_path"

type: path

}

allow-unauthenticated: true

sort-order: 2

]

}

For a more detailed example of how to use the HOCON configuration format, see Configuring The Authorization

Service.

For descriptions of each setting, see the following sections.

HOCON parameters

Use the following parameters when writing or migrating custom authorization rules using the new HOCON format.

version

The version parameter is required. In this initial release, the only supported value is 1.

allow-header-cert-info

Note: Puppet Server ignores the setting of the same name in puppetserver.conf on page 167 in favor of

this setting in the auth.conf file.

This optional authorization section parameter determines whether to enable External SSL termination on page

192 on all HTTP endpoints that Puppet Server handles, including the Puppet API, the certificate authority API, and

the Puppet Admin API. It also controls how Puppet Server derives the user's identity for authorization purposes. The

default value is false.

If this setting is true, Puppet Server ignores any presented certificate and relies completely on header data to

authorize requests.

Warning! This is very insecure; do not enable this parameter unless you've secured your network to

prevent any untrusted access to Puppet Server.

You cannot rename any of the X-Client headers when this setting is enabled, and you must specify identity

through the X-Client-Verify, X-Client-DN, and X-Client-Cert headers.

For more information, see Disable HTTPS for Puppet Server on page 192 in the Puppet Server documentation and

Configuring the Authorization Service in the trapperkeeper-authorization documentation.

rules

The required rules array of a Puppet Server's HOCON auth.conf file determines how Puppet Server responds

to a request. Each element is a map of settings pertaining to a rule, and when Puppet Server receives a request, it

evaluates that request against each rule looking for a match.

You define each rule by adding parameters to the rule's match-request section. A rules array can contain as

many rules as you need, each with a single match-request section.

If a request matches a rule in a match-request section, Puppet Server determines whether to allow or deny the

request using the rules parameters that follow the rule's match-request section:

• At least one of:

• allow

• allow-unauthenticated

• deny

• sort-order (required)

Puppet | Platform components | 162

• name (required)

If no rule matches, Puppet Server denies the request by default and returns an HTTP 403/Forbidden response.

match-request

A match-request can take the following parameters, some of which are required:

• path and type (required): A match-request rule must have a path parameter, which returns a match

when a request's endpoint URL starts with or contains the path parameter's value. The parameter can be a literal

string or regular expression as defined in the required type parameter.

# Regular expression to match a path in a URL.

path: "^/puppet/v3/report/([^/]+)$"

type: regex

# Literal string to match the start of a URL's path.

path: "/puppet/v3/report/"

type: path

Note: While the HOCON format doesn't require you to wrap all string values with double quotation

marks, some special characters commonly used in regular expressions --- such as * --- break HOCON

parsing unless the entire value is enclosed in double quotes.

• method: If a rule contains the optional method parameter, Puppet Server applies that rule only to requests that

use its value's listed HTTP methods. This parameter's valid values are get, post, put, delete, and head,

provided either as a single value or array of values.

# Use GET and POST.

method: [get, post]

# Use PUT.

method: put

Note: While the new HOCON format does not provide a direct equivalent to the Deprecated features

on page 150 method parameter's search indirector, you can create the equivalent rule by passing

GET and POST to method and specifying endpoint paths using the path parameter.

• query-params: Use the optional query-params setting to provide the list of query parameters. Each entry is a

hash of the param name followed by a list of its values.

For example, this rule would match a request URL containing the environment=production or

environment=test query parameters:

``` hocon

query-params: {

environment: [ production, test ]

}

```

allow, allow-unauthenticated, and deny

After each rule's match-request section, it must also have an allow, allow-unauthenticated, or deny

parameter. (You can set both allow and deny parameters for a rule, though Puppet Server always prioritizes deny

over allow when a request matches both.)

If a request matches the rule, Puppet Server checks the request's authenticated "name" (see allow-header-cert-

info) against these parameters to determine what to do with the request.

• allow-unauthenticated: If this Boolean parameter is set to true, Puppet Server allows the request ---

even if it can't determine an authenticated name. This is a potentially insecure configuration --- be careful when

enabling it. A rule with this parameter set to true can't also contain the allow or deny parameters.

Puppet | Platform components | 163

• allow: This parameter can take a single string value, an array of string values, a single map value with either an

extensions or certname key, or an array of string and map values.

The string values can contain:

• An exact domain name, such as www.example.com.

• A glob of names containing a * in the first segment, such as *.example.com or simply *.

• A regular expression surrounded by / characters, such as /example/.

• A backreference to a regular expression's capture group in the path value, if the rule also contains a type

value of regex. For example, if the path for the rule were "^/example/([^/]+)$", you can make a

backreference to the first capture group using a value like $1.domain.org.

The map values can contain:

• An extensions key that specifies an array of matching X.509 extensions. Puppet Server authenticates the

request only if each key in the map appears in the request, and each key's value exactly matches.

• A certname key equivalent to a bare string.

If the request's authenticated name matches the parameter's value, Puppet Server allows it.

Note: If you are using Puppet Server with the CA disabled, you must use OID values for the extensions.

Puppet Server will not be able to resolve short names in this mode.

• deny: This parameter can take the same types of values as the allow parameter, but refuses the request if the

authenticated name matches --- even if the rule contains an allow value that also matches.

Also, in the HOCON Puppet Server authentication method, there is no directly equivalent behavior to the

Deprecated features on page 150 auth parameter's on value.

sort-order

After each rule's match-request section, the required sort-order parameter sets the order in which Puppet

Server evaluates the rule by prioritizing it on a numeric value between 1 and 399 (to be evaluated before default

Puppet rules) or 601 to 998 (to be evaluated after Puppet), with lower-numbered values evaluated first. Puppet Server

secondarily sorts rules lexicographically by the name string value's Unicode code points.

sort-order: 1

name

After each rule's match-request section, this required parameter's unique string value identifies the rule to Puppet

Server. The name value is also written to server logs and error responses returned to unauthorized clients.

Note: If multiple rules have the same name value, Puppet Server will fail to launch.

ca.conf

The ca.conf file configures settings for the Puppet Server Certificate Authority (CA) service. For an overview, see

Configuring Puppet Server on page 157.

Signing settings

The allow-subject-alt-names setting in the certificate-authority section enables you to sign

certificates with subject alternative names. It is false by default for security reasons but can be enabled if you need

to sign certificates with subject alternative names. Be aware that enabling the setting could allow agent nodes

to impersonate other nodes (including the nodes that already have signed certificates). Consequently, you must

carefully inspect any CSRs with SANs attached. puppet cert sign previously allowed this via a flag, but

puppetserver ca sign requires it to be configured in the config file.

The allow-authorization-extensions setting in the certificate-authority section also enables

you to sign certs with authorization extensions. It is false by default for security reasons, but can be enabled

Puppet | Platform components | 164

if you know you need to sign certificates this way. puppet cert sign used to allow this via a flag, but

puppetserver ca sign requires it to be configued in the config file.

Infrastructure CRL settings

Puppet Server is able to create a separate CRL file containing only revocations of Puppet infrastructure nodes. This

behavior is turned off by default. To enable it, set certificate-authority.enable-infra-crl to true.

global.conf

The global.conf file contains global configuration settings for Puppet Server. For an overview, see Configuring

Puppet Server on page 157.

You shouldn't typically need to make changes to this file. However, you can change the logging-config path

for the logback logging configuration file if necessary. For more information about the logback file, see http://

logback.qos.ch/manual/configuration.html.

Example

global: {

logging-config: /etc/puppetlabs/puppetserver/logback.xml

}

logback.xml

Puppet Server’s logging is routed through the Java Virtual Machine's Logback library and configured in an XML file

typically named logback.xml.

Note: This document covers basic, commonly modified options for Puppet Server logs. Logback is a

powerful library with many options. For detailed information on configuring Logback, see the Logback

Configuration Manual.

For advanced logging configuration tips specific to Puppet Server, such as configuring Logstash or

outputting logs in JSON format, see Advanced logging configuration on page 177.

Puppet Server logging

By default, Puppet Server logs messages and errors to /var/log/puppetlabs/puppetserver/

puppetserver.log. The default log level is ‘INFO’, and Puppet Server sends nothing to syslog. You can

change Puppet Server's logging behavior by editing /etc/puppetlabs/puppetserver/logback.xml, and

you can specify a different Logback config file in global.conf.

You can restart the puppetserver service for changes to take effect, or enable configuration scanning to allow

changes to be recognized at runtime.

Puppet Server also relies on Logback to manage, rotate, and archive Server log files. Logback archives Server logs

when they exceed 10MB, and when the total size of all Server logs exceeds 1GB, it automatically deletes the oldest

logs.

Settings

level

To modify Puppet Server's logging level, change the level attribute of the root element. By default, the logging

level is set to info:

Supported logging levels, in order from most to least information logged, are trace, debug, info, warn, and

error. For instance, to enable debug logging for Puppet Server, change info to debug:

Puppet Server profiling data is included at the debug logging level.

Puppet | Platform components | 165

You can also change the logging level for JRuby logging from its defaults of error and info by setting the level

attribute of the jruby element. For example, to enable debug logging for JRuby, set the attribute to debug:

Logging location

You can change the file to which Puppet Server writes its logs in the appender section named F1. By default, the

location is set to /var/log/puppetlabs/puppetserver/puppetserver.log:

...

<file>/var/log/puppetlabs/puppetserver/puppetserver.log</file>

...

To change this to /var/log/puppetserver.log, modify the contents of the file element:

<file>/var/log/puppetserver.log</file>

The user account that owns the Puppet Server process must have write permissions to the destination path.

scan and scanPeriod

Logback supports noticing and reloading configuration changes without requiring a restart, a feature Logback

calls scanning. To enable this, set the scan and scanPeriod attributes in the <configuration> element of

logback.xml:

Due to a bug in Logback, the scanPeriod must be set to a value; setting only scan="true" will not enable

configuration scanning. Scanning is enabled by default in the logback.xml configuration packaged with Puppet

Server.

Note: The HTTP request log does not currently support the scan feature. Adding the scan or scanPeriod settings

to request-logging.xml will have no effect.

HTTP request logging

Puppet Server logs HTTP traffic separately, and this logging is configured in a different Logback configuration file

located at /etc/puppetlabs/puppetserver/request-logging.xml. To specify a different Logback

configuration file, change the access-log-config setting in Puppet Server's webserver.conf on page 171 file.

The HTTP request log uses the same Logback configuration format and settings as the Puppet Server log. It also lets

you configure what it logs using patterns, which follow Logback's PatternLayout format.

metrics.conf

The metrics.conf file configures Puppet Server's Monitoring Puppet Server metrics on page 193 and v2

(Jolokia) metrics on page 259.

Settings

All settings in the file are contained in a HOCON metrics section.

• server-id: A unique identifier to be used as part of the namespace for metrics that this server produces.

• registries: A section that contains settings to control which metrics are reported, and how they're reported.

• <REGISTRY NAME>: A section named for a registry that contains its settings. In Puppet Server's case, this

section should be puppetserver.

• metrics-allowed: An array of metrics to report. See the Monitoring Puppet Server metrics on page

193 for details about individual metrics.

• reporters: Can contain jmx and graphite sections with a single Boolean enabled setting to

enable or disable each reporter type.

Puppet | Platform components | 166

• reporters: Configures reporters that distribute metrics to external services or viewers.

• graphite: Contains settings for the Graphite reporter.

• host: A string containing the Graphite server's hostname or IP address.

• port: Contains the Graphite service's port number.

• update-interval-seconds: Sets the interval on which Puppet Server will send metrics to the

Graphite server.

Example

Puppet Server ships with a default metrics.conf file in Puppet Server's conf.d directory, similar to the below

example with additional comments.

metrics: {

server-id: localhost

registries: {

puppetserver: {

# specify metrics to allow in addition to those in the default

list

#metrics-allowed: ["compiler.compile.production"]

reporters: {

jmx: {

enabled: true

}

# enable or disable Graphite metrics reporter

#graphite: {

# enabled: true

}

reporters: {

#graphite: {

# # graphite host

# host: "127.0.0.1"

# # graphite metrics port

# port: 2003

# # how often to send metrics to graphite

# update-interval-seconds: 5

}

product.conf

The product.conf file contains settings that determine how Puppet Server interacts with Puppet, Inc., such as

automatic update checking and analytics data collection.

Settings

The product.conf file doesn't exist in a default Puppet Server installation; to configure its settings, you must

create it in Puppet Server's conf.d directory (located by default at /etc/puppetlabs/puppetserver/

conf.d). This file is a HOCON-formatted configuration file with the following settings:

Puppet | Platform components | 167

• Settings in the product section configure update checking and analytics data collection:

• check-for-updates: If set to false, Puppet Server will not automatically check for updates, and will

not send analytics data to Puppet.

If this setting is unspecified (default) or set to true, Puppet Server checks for updates upon start or restart,

and every 24 hours thereafter, by sending the following data to Puppet:

• Product name

• Puppet Server version

• IP address

• Data collection timestamp

Puppet requests this data as one of the many ways we learn about and work with our community. The more we

know about how you use Puppet, the better we can address your needs. No personally identifiable information

is collected, and the data we collect is never used or shared outside of Puppet.

Example

# Disabling automatic update checks and corresponding analytic data

collection

product: {

check-for-updates: false

}

puppetserver.conf

The puppetserver.conf file contains settings for the Puppet Server application. For an overview, see

Configuring Puppet Server on page 157.

Settings

Note: Under most conditions, you won't change the default settings for server-conf-dir or

server-code-dir. However, if you do, also change the equivalent Puppet settings (confdir or

codedir) to ensure that commands like puppetserver ca and puppet module use the same

directories as Puppet Server. You must also specify the non-default confdir when running commands,

because that setting must be set before Puppet tries to find its config file.

• The jruby-puppet settings configure the interpreter.

Deprecation Note: Puppet Server 5.0 removed the compat-version setting, which is incompatible

with JRuby 1.7.27, and the service won't start if compat-version is set. Puppet Server 6.0 uses

JRuby 9.1 which supports Ruby 2.3.

• ruby-load-path: The location where Puppet Server expects to find Puppet, Facter, and other components.

• gem-home: The location where JRuby looks for gems. It is also used by the puppetserver gem

command line tool. If nothing is specified, JRuby uses the Puppet default:

• /opt/puppetlabs/server/data/puppetserver/jruby-gems

• gem-path: The complete "GEM_PATH" for jruby. If set, it should include the gem-home directory, as well

as any other directories that gems can be loaded from (including the vendored gems directory for gems that

ship with puppetserver). The default value is: ["/opt/puppetlabs/server/data/puppetserver/

jruby-gems", "/opt/puppetlabs/server/data/puppetserver/vendored-jruby-

gems", "/opt/puppetlabs/puppet/lib/ruby/vendor_gems"]

• instance-creation-concurrency: Optional. Specifies the number of JRuby instances that are

created concurrently when Puppet Server is started. The default value is 3, which means that a single JRuby

instance is created when Puppet Server is started, and then additional instances are created up to three at a

time. Concurrent creation helps to accelerate the Puppet Server startup process. You can set a value of 1 to

Puppet | Platform components | 168

revert to the previous behavior of creating one JRuby instance at a time. Valid values are 1 up to the max-

active-instances value minus 1.

• environment-vars: Optional. A map of environment variables which are made visible to Ruby code

running within JRuby, for example, via the Ruby ENV class.

By default, the only environment variables whose values are set into JRuby from the shell are HOME and

PATH.

The default value for the GEM_HOME environment variable in JRuby is set from the value provided for the

jruby-puppet.gem-home key.

Any variable set from the map for the environment-vars key overrides these defaults. Avoid overriding

HOME, PATH, or GEM_HOME here because these values are already configurable via the shell or jruby-

puppet.gem-home.

• server-conf-dir: Optional. The path to the Puppet configuration directory. The default is /etc/

puppetlabs/puppet.

• server-code-dir: Optional. The path to the Puppet code directory. The default is /etc/puppetlabs/

code.

• server-var-dir: Optional. The path to the Puppet cache directory. The default is /opt/puppetlabs/

server/data/puppetserver.

• server-run-dir: Optional. The path to the run directory, where the service's PID file is stored. The

default is /var/run/puppetlabs/puppetserver.

• server-log-dir: Optional. The path to the log directory. If nothing is specified, it uses the Puppet default

/var/log/puppetlabs/puppetserver.

• max-active-instances: Optional. The maximum number of JRuby instances allowed. The default is

'num-cpus - 1', with a minimum value of 1 and a maximum value of 4. In multithreaded mode, this controls the

number of threads allowed to run concurrently through the single JRuby instance.

• max-requests-per-instance: Optional. The number of HTTP requests a given JRuby instance will

handle in its lifetime. When a JRuby instance reaches this limit, it is flushed from memory and replaced with a

fresh one. The default is 0, which disables automatic JRuby flushing.

JRuby flushing can be useful for working around buggy module code that would otherwise cause memory

leaks, but it slightly reduces performance whenever a new JRuby instance reloads all of the Puppet Ruby code.

If memory leaks from module code are not an issue in your deployment, the default value of 0 performs best.

• multithreaded: Optional, false by default. Configures Puppet Server to use a single JRuby instance to

process requests that require a JRuby, processing a number of threads up to max-active-instances at a

time. Reduces the memory footprint of the server by only requiring a single JRuby.

Note: Multithreaded mode is an experimental feature which might experience breaking changes in

future releases. Test the feature in a non-production environment before enabling it in production.

• max-queued-requests: Optional. The maximum number of requests that may be queued waiting to

borrow a JRuby from the pool. When this limit is exceeded, a 503 "Service Unavailable" response will be

returned for all new requests until the queue drops below the limit. If max-retry-delay is set to a positive

value, then the 503 responses will include a Retry-After header indicating a random sleep time after

which the client may retry the request. The default is 0, which disables the queue limit.

• max-retry-delay: Optional. Sets the upper limit for the random sleep set as a Retry-After header

on 503 responses returned when max-queued-requests is enabled. A value of 0 will cause the Retry-

After header to be omitted. Default is 1800 seconds which corresponds to the default run interval of the

Puppet daemon.

• borrow-timeout: Optional. The timeout in milliseconds, when attempting to borrow an instance from the

JRuby pool. The default is 1200000.

• environment-class-cache-enabled: Optional. Used to control whether the master service maintains

a cache in conjunction with the use of the Environment classes on page 266.

If this setting is set to true, Puppet Server maintains the cache. It also returns an Etag header for each GET

request to the API. For subsequent GET requests that use the prior Etag value in an If-None-Match header,

Puppet | Platform components | 169

when the class information available for an environment has not changed, Puppet Server returns an HTTP 304

(Not Modified) response with no body.

If this setting is set to false or is not specified, Puppet Server doesn't maintain a cache, an Etag header is

not returned for GET requests, and the If-None-Match header for an incoming request is ignored. It therefore

parses the latest available code for an environment from disk on every incoming request.

For more information, see the Environment classes on page 266.

• compile-mode: The default value depends on JRuby versions, for 1.7 it is off, for 9k it is jit. Used to

control JRuby's "CompileMode", which may improve performance. A value of jit enables JRuby's "just-in-

time" compilation of Ruby code. A value of force causes JRuby to attempt to pre-compile all Ruby code.

• profiling-mode: Optional. Used to enable JRuby's profiler for service startup and set it to one of the

supported modes. The default value is off, but it can be set to one of api, flat, graph, html, json,

off, and service. See ruby-prof for details on what the various modes do.

• profiler-output-file: Optional. Used to set the output file to direct JRuby profiler output. Should be

a fully qualified path writable by the service user. If not set will default to a random name inside the service

working directory.

• The profiler settings configure profiling:

• enabled: If this is set to true, Puppet Server enables profiling for the Puppet Ruby code. The default is

true.

• The versioned-code settings configure commands required to use static catalogs:

• code-id-command: the path to an executable script that Puppet Server invokes to generate a code_id.

When compiling a static catalog, Puppet Server uses the output of this script as the catalog's code_id. The

code_id associates the catalog with the compile-time version of any file on page 536 that has a source

attribute with a puppet:/// URI value.

• code-content-command contains the path to an executable script that Puppet Server invokes when an

agent makes a Static file content on page 274 API request for the contents of a file on page 536 that has a

source attribute with a puppet:/// URI value.

• The dropsonde settings configure whether and how often Puppet Server submits usage telemetry:

• enabled: If this is set to true, Puppet Server submits public content usage data to Puppet development.

Defaults to false.

• interval: how long, in seconds, Puppet Server waits between telemetry submissions if enabled. Defaults to

604800 (one week).

Note: The Puppet Server process must be able to execute the code-id-command and code-

content-command scripts, and the scripts must return valid content to standard output and an

error code of 0. For more information, see the static catalogs and Static file content on page 274

documentation.

If you're using static catalogs, you must set and use both code-id-command and code-content-

command. If only one of those settings are specified, Puppet Server fails to start. If neither setting is

specified, Puppet Server defaults to generating catalogs without static features even when an agent

requests a static catalog, which the agent will process as a normal catalog.

Examples

# Configuration for the JRuby interpreters.

jruby-puppet: {

ruby-load-path: [/opt/puppetlabs/puppet/lib/ruby/vendor_ruby]

gem-home: /opt/puppetlabs/server/data/puppetserver/jruby-gems

gem-path: [/opt/puppetlabs/server/data/puppetserver/jruby-gems, /opt/

puppetlabs/server/data/puppetserver/vendored-jruby-gems]

environment-vars: { "FOO" : ${FOO}

"LANG" : "de_DE.UTF-8" }

server-conf-dir: /etc/puppetlabs/puppet

server-code-dir: /etc/puppetlabs/code

Puppet | Platform components | 170

server-var-dir: /opt/puppetlabs/server/data/puppetserver

server-run-dir: /var/run/puppetlabs/puppetserver

server-log-dir: /var/log/puppetlabs/puppetserver

max-active-instances: 1

max-requests-per-instance: 0

}

# Settings related to HTTP client requests made by Puppet Server.

# These settings only apply to client connections using the

Puppet::Network::HttpPool

# classes. Client connections using net/http or net/https directly will not

# configured with these settings automatically.

http-client: {

# A list of acceptable protocols for making HTTP requests

#ssl-protocols: [TLSv1, TLSv1.1, TLSv1.2]

# A list of acceptable cipher suites for making HTTP requests. For more

info on available cipher suites, see:

# http://docs.oracle.com/javase/7/docs/technotes/guides/security/

SunProviders.html#SunJSSEProvider

#cipher-suites: [TLS_RSA_WITH_AES_256_CBC_SHA256,

# TLS_RSA_WITH_AES_256_CBC_SHA,

# TLS_RSA_WITH_AES_128_CBC_SHA256,

# TLS_RSA_WITH_AES_128_CBC_SHA]

# The amount of time, in milliseconds, that an outbound HTTP connection

# will wait for data to be available before closing the socket. If not

# defined, defaults to 20 minutes. If 0, the timeout is infinite and if

# negative, the value is undefined by the application and governed by

the

# system default behavior.

#idle-timeout-milliseconds: 1200000

# The amount of time, in milliseconds, that an outbound HTTP connection

will

# wait to connect before giving up. Defaults to 2 minutes if not set. If

# the timeout is infinite and if negative, the value is undefined in the

# application and governed by the system default behavior.

#connect-timeout-milliseconds: 120000

# Whether to enable http-client metrics; defaults to 'true'.

#metrics-enabled: true

}

# Settings related to profiling the puppet Ruby code.

profiler: {

enabled: true

}

# Settings related to static catalogs. These paths are examples. There are

no default

# scripts provided with Puppet Server, and no default path for the scripts.

To use static catalog features, you must set

# the paths and provide your own scripts.

versioned-code: {

code-id-command: /opt/puppetlabs/server/apps/puppetserver/code-id-

command_script.sh

code-content-command: /opt/puppetlabs/server/apps/puppetserver/code-

content-command_script.sh

}

Puppet | Platform components | 171

web-routes.conf

The web-routes.conf file configures the Puppet Server web-router-service, which sets mount points for

Puppet Server's web applications. You should not modify these mount points, because Puppet agents rely on Puppet

Server mounting them to specific URLs.

For an overview, see Configuring Puppet Server on page 157. To configure the webserver service, see the

webserver.conf on page 171.

Example

Here is an example of a web-routes.conf file:

# Configure the mount points for the web apps.

web-router-service: {

# These two should not be modified because the Puppet 4 agent expects

them to

# be mounted at these specific paths.

"puppetlabs.services.ca.certificate-authority-service/certificate-

authority-service": "/puppet-ca"

"puppetlabs.services.master.master-service/master-service": "/puppet"

# This controls the mount point for the Puppet administration API.

"puppetlabs.services.puppet-admin.puppet-admin-service/puppet-admin-

service": "/puppet-admin-api"

# This controls the mount point for the status API

"puppetlabs.trapperkeeper.services.status.status-service/status-

service": "/status"

# This controls the mount point for the metrics API

"puppetlabs.trapperkeeper.services.metrics.metrics-service/metrics-

webservice": "/metrics"

}

webserver.conf

The webserver.conf file configures the Puppet Server webserver service. For an overview, see Configuring

Puppet Server on page 157. To configure the mount points for the Puppet administrative API web applications, see

the web-routes.conf on page 171.

Examples

The webserver.conf file looks something like this:

# Configure the webserver.

webserver: {

# Log webserver access to a specific file.

access-log-config: /etc/puppetlabs/puppetserver/request-logging.xml

# Require a valid certificate from the client.

client-auth: need

# Listen for HTTPS traffic on all available hostnames.

ssl-host: 0.0.0.0

# Listen for HTTPS traffic on port 8140.

ssl-port: 8140

}

These are the main values for managing a Puppet Server installation. For further documentation, including a complete

list of available settings and values, see Configuring the Webserver Service.

Puppet | Platform components | 172

By default, Puppet Server is configured to use the correct Puppet primary server and certificate authority (CA)

certificates. If you're using an external CA and providing your own certificates and keys, make sure the SSL-related

parameters in webserver.conf point to the correct file.

webserver: {

...

ssl-cert : /path/to/server.pem

ssl-key : /path/to/server.key

ssl-ca-cert : /path/to/ca_bundle.pem

ssl-cert-chain : /path/to/ca_bundle.pem

ssl-crl-path : /etc/puppetlabs/puppet/ssl/crl.pem

}

Migrating to the HOCON auth.conf format

Puppet Server 2.2.0 introduced a significant change in how it manages authentication to API endpoints. The older

Puppet auth.conf file and whitelist-based authorization method were deprecated in the same release and are

now removed in Puppet Server 7. Puppet Server's current auth.conf file format (which is different than the old

auth.conf) is illustrated below in examples.

Use the following examples and methods to convert your authorization rules when upgrading to Puppet Server 2.2.0

and newer. For detailed information about using auth.conf rules with Puppet Server, see the auth.conf on page

160.

Note: To support both Puppet 3 and Puppet 4 agents connecting to Puppet Server, see Backward

Compatibility with Puppet 3 Agents.

Managing rules with Puppet modules

You can reimplement and manage your authorization rules in the new HOCON format and auth.conf file by using

the puppetlabs-puppet_authorization Puppet module. See the module's documentation for details.

Converting rules directly

Most of the deprecated authorization rules and settings are available in the new format.

Unavailable rules, settings, or values

The following rules, settings, and values have no direct equivalent in the new HOCON format. If you require them,

you must reimplement them differently in the new format.

• on value of auth: The deprecated auth parameter's on value results in a match only when a request provides a

client certificate. There is no equivalent behavior in the HOCON format.

• allow_ip or deny_ip parameters

• method parameter's search indirector: While there is no direct equivalent to the deprecated search indirector,

you can create an equivalent HOCON rule. See below for an example.

Note: Puppet Server considers the state of a request's authentication differently depending on whether

the authorization rules use the older Puppet auth.conf or newer HOCON formats. An authorization

rule that uses the deprecated format evaluates the auth parameter as part of rule-matching process.

A HOCON authorization rule first determines whether the request matches other parameters of the

rule, and then considers the request's authentication state (using the rule's allow, deny, or allow-

authenticated values) after a successful match only.

Basic HOCON structure

The HOCON auth.conf file has some fundamental structural requirements:

Puppet | Platform components | 173

• An authorization section, which contains:

• A version on page 161 setting.

• A rules on page 161 array of map values, each representing an authorization rule. Each rule must contain:

• A match-request on page 162 section.

• Each match-request section must contain at least one path and type.

• A numeric sort-order on page 163 value.

• If the value is between 1 and 399, the rule supersedes Puppet Server's default authorization rules.

• If the value is between 601 and 998, the rule can be overridden by Puppet Server's default authorization

rules.

• A string name on page 163 value.

• At least one of the following:

• An allow, allow-unauthenticated, and deny on page 162. The allow or deny values can contain:

• A single string, representing the request's "name" derived from the Common Name (CN) attribute

within an X.509 certificate's Subject Distinguished Name (DN). This string can be an exact name, a

glob, or a regular expression.

• A single map value containing an extension key.

• A single map value containing a certname key.

• An array of values, including string and map values.

• An allow, allow-unauthenticated, and deny on page 162 value, but if present, there cannot also be an

allow value.

For an full example of a HOCON auth.conf file, see the HOCON example on page 160.

Converting a simple rule

Let's convert this simple deprecated auth.conf authorization rule:

path /puppet/v3/environments

method find

allow *

We'll start with a skeletal, incomplete HOCON auth.conf file:

authorization: {

version: 1

rules: [

{

match-request: {

path:

type:

}

allow:

sort-order: 1

name:

]

}

Next, let's convert each component of the deprecated rule to the new HOCON format.

Add the path to the new rule's match-request on page 162 setting in its match-request section.

...

match-request: {

path: /puppet/v3/environments

type:

Puppet | Platform components | 174

}

allow:

sort-order: 1

name:

...

Next, add its type to the section's match-request on page 162 setting. Because this is a literal string path, the

type is path.

...

match-request: {

path: /puppet/v3/environments

type: path

}

allow:

sort-order: 1

name:

...

The legacy rule has a method setting, with an indirector value of find that's equivalent to the GET and POST

HTTP methods. We can implement these by adding an optional HOCON match-request on page 162 setting in

the rule's match-request section and specifying GET and POST as an array.

...

match-request: {

path: /puppet/v3/environments

type: path

method: [get, post]

}

allow:

sort-order: 1

name:

...

Next, set the allow setting. The legacy rule used a * glob, which is also supported in HOCON.

...

match-request: {

path: /puppet/v3/environments

type: path

method: [get, post]

}

allow: "*"

sort-order: 1

name:

...

Finally, give the rule a unique name value. Remember that the rule will appear in logs and in the body of error

responses to unauthorized clients.

...

match-request: {

path: /puppet/v3/environments

type: path

method: [get, post]

}

allow: "*"

sort-order: 1

Puppet | Platform components | 175

...

Our HOCON auth.conf file should now allow all authenticated clients to make GET and POST requests to the /

puppet/v3/environments endpoint, and should look like this:

authorization: {

version: 1

rules: [

{

match-request: {

path: /puppet/v3/environments

type: path

method: [get, post]

}

allow: "*"

sort-order: 1

]

}

Converting more complex rules

Paths set by regular expressions

To convert a regular expression path, enclose it in double quotation marks and slash characters (/), and set the type

to regex.

Note: You must escape regular expressions to conform to HOCON standards, which are the same as

JSON's and differ from the deprecated format's regular expressions. For instance, the digit-matching

regular expression \d must be escaped with a second backslash, as \d.

Deprecated:

path ~ ^/puppet/v3/catalog/([^/]+)$

HOCON:

authorization: {

version: 1

rules: [

{

match-request: {

path: "^/puppet/v3/catalog/([^/]+)$"

type: regex

...

Note: You must escape regular expressions to conform to HOCON standards, which are the same as

JSON's and differ from the deprecated format's regular expressions. For instance, the digit-matching

regular expression \d must be escaped with a second backslash, as \d.

Backreferencing works the same way it does in the deprecated format.

Deprecated:

path ~ ^/puppet/v3/catalog/([^/]+)$

allow $1

HOCON:

authorization: {

version: 1

Puppet | Platform components | 176

rules: [

{

match-request: {

path: "^/puppet/v3/catalog/([^/]+)$"

type: regex

}

allow: "$1"

...

Allowing unauthenticated requests

To have a rule match any request regardless of its authentication state, including unauthenticated requests,

a deprecated rule would assign the any value to the auth parameter. In a HOCON rule, set the allow-

unauthenticated parameter to true. This overrides the allow and deny parameters and is an insecure

configuration that should be used with caution.

Deprecated:

auth: any

HOCON:

authorization: {

version: 1

rules: [

{

match-request: {

...

}

allow-unauthenticated: true

...

Multiple method indirectors

If a deprecated rule has multiple method indirectors, combine all of the related HTTP methods to the HOCON

method array.

Deprecated:

method find, save

The deprecated find indirector corresponds to the GET and POST methods, and the save indirector corresponds to the

PUT method. In the HOCON format, simply combine these methods in an array.

HOCON:

authorization: {

version: 1

rules: [

{

match-request: {

...

method: [get, post, put]

}

...

Environment URL parameters

In deprecated rules, the environment parameter adds a comma-separated list of query parameters as a suffix to

the base URL. HOCON rules allow you to pass them as an array environment value inside the query-params

setting. Rules in both the deprecated and HOCON formats match any environment value.

Puppet | Platform components | 177

Deprecated:

environment: production,test

HOCON:

authorization: {

version: 1

rules: [

{

match-request: {

...

query-params: {

environment: [ production, test ]

}

...

Note: The query-params approach above replaces environment-specific rules for both Puppet 3 and

Puppet 4. If you're supporting agents running both Puppet 3 and Puppet 4, see Backward Compatibility

with Puppet 3 Agents for more information.

Search indirector for method

There's no direct equivalent to the search indirector for the deprecated method setting. Create the equivalent rule by

passing GET and POST to method and specifying endpoint paths using the path parameter.

Deprecated:

path ~ ^/puppet/v3/file_metadata/user_files/

method search

HOCON:

authorization: {

version: 1

rules: [

{

match-request: {

path: "^/puppet/v3/file_metadatas?/user_files/"

type: regex

method: [get, post]

}

...

Advanced logging configuration

Puppet Server uses the Logback library to handle all of its logging. Logback configuration settings are stored in the

logback.xml on page 164 file, which is located at /etc/puppetlabs/puppetserver/logback.xml by

default.

You can configure Logback to log messages in JSON format, which makes it easy to send them to other logging

backends, such as Logstash.

Configuring Puppet Server for use with Logstash

There are a few steps necessary to setup your Puppet Server logging for use with Logstash. The first step is to modify

your logging configuration so that Puppet Server is logging in a JSON format. After that, you'll configure an external

tool to monitor these JSON files and send the data to Logstash (or another remote logging system).

Configuring Puppet Server to log to JSON

Before you configure Puppet Server to log to JSON, consider the following:

Puppet | Platform components | 178

• Do you want to configure Puppet Server to only log to JSON, instead of the default plain-text logging? Or do you

want to have JSON logging in addition to the default plain-text logging?

• Do you want to set up JSON logging only for the main Puppet Server logs (puppetserver.log), or also for

the HTTP access logs (puppetserver-access.log)?

• What kind of log rotation strategy do you want to use for the new JSON log files?

The following examples show how to configure Logback for:

• logging to both JSON and plain-text

• JSON logging both the main logs and the HTTP access logs

• log rotation on the JSON log files

Adjust the example configuration settings to suit your needs.

Note: Puppet Server also relies on Logback to manage, rotate, and archive Server log files. Logback

archives Server logs when they exceed 200MB, and when the total size of all Server logs exceeds 1GB, it

automatically deletes the oldest logs.

Adding a JSON version of the main Puppet Server logs

Logback writes logs using components called appenders. The example code below uses RollingFileAppender

to rotate the log files and avoid consuming all of your storage.

To configure Puppet Server to log its main logs to a second log file in JSON format, add an appender section like

the following example to your logback.xml file, at the same level in the XML as existing appenders. The order

of the appenders does not matter.

<appender name="JSON"

class="ch.qos.logback.core.rolling.RollingFileAppender">

<file>/var/log/puppetlabs/puppetserver/puppetserver.log.json</file>

<rollingPolicy

class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">

<fileNamePattern>/var/log/puppetlabs/puppetserver/

puppetserver.log.json.%d{yyyy-MM-dd}</fileNamePattern>

</rollingPolicy>

</appender>

Activate the appended by adding an appender-ref entry to the <root> section of logback.xml:

<appender-ref ref="FILE"/>

<appender-ref ref="JSON"/>

</root>

If you decide you want to log only the JSON format, comment out the other appender-ref entries.

LogstashEncoder has many configuration options, including the ability to modify the list of fields that you want

to include, or give them different field names. For more information, see the Logstash Logback Encoder Docs.

Adding a JSON version of the Puppet Server HTTP Access logs

To add JSON logging for HTTP requests:

Add the following Logback appender section to the request-logging.xml file:

{% raw %}

<appender name="JSON"

class="ch.qos.logback.core.rolling.RollingFileAppender">

<file>/var/log/puppetlabs/puppetserver/puppetserver-access.log.json</

file>

Puppet | Platform components | 179

<rollingPolicy

class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">

<fileNamePattern>/var/log/puppetlabs/puppetserver/puppetserver-

access.log.json.%d{yyyy-MM-dd}</fileNamePattern>

</rollingPolicy>

<encoder

class="net.logstash.logback.encoder.AccessEventCompositeJsonEncoder">

{

"@timestamp":"%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}",

"clientip":"%remoteIP",

"auth":"%user",

"verb":"%requestMethod",

"requestprotocol":"%protocol",

"rawrequest":"%requestURL",

"response":"#asLong{%statusCode}",

"bytes":"#asLong{%bytesSent}",

"total_service_time":"#asLong{%elapsedTime}",

"request":"http://%header{Host}%requestURI",

"referrer":"%header{Referer}",

"agent":"%header{User-agent}",

"request.host":"%header{Host}",

"request.accept":"%header{Accept}",

"request.accept-encoding":"%header{Accept-

Encoding}",

"request.connection":"%header{Connection}",

"puppet.client-verify":"%header{X-Client-Verify}",

"puppet.client-dn":"%header{X-Client-DN}",

"puppet.client-cert":"%header{X-Client-Cert}",

"response.content-type":"%responseHeader{Content-

Type}",

"response.content-length":"%responseHeader{Content-

Length}",

"response.server":"%responseHeader{Server}",

"response.connection":"%responseHeader{Connection}"

}

</pattern>

</providers>

</encoder>

</appender>

{% endraw %}

Add a corresponding appender-ref in the configuration section:

<appender-ref ref="JSON"/>

For more information about options available for the pattern section, see the Logback Logstash Encoder Docs.

Sending the JSON data to Logstash

After configuring Puppet Server to log messages in JSON format, you must also configure it to send the logs to

Logstash (or another external logging system). There are several different ways to approach this:

Puppet | Platform components | 180

• Configure Logback to send the data to Logstash directly, from within Puppet Server. See the Logstash-Logback

encoder docs on how to send the logs by TCP or UDP. Note that TCP comes with the risk of bottlenecking Puppet

Server if your Logstash system is busy, and UDP might silently drop log messages.

• Filebeat is a tool from Elastic for shipping log data to Logstash.

• Logstash Forwarder is an earlier tool from Elastic with similar capabilities.

Differing behavior in puppet.conf

Puppet Server honors almost all settings in puppet.conf and should pick them up automatically. For more complete

information on puppet.conf settings, see our Configuration Reference on page 98 page.

Settings that differ

autoflush on page 99

Puppet Server does not use this setting. For more information on the logging implementation for Puppet Server, see

the Logging on page 159.

bindaddress

Puppet Server does not use this setting. To set the address on which the primary server listens, use either host

(unencrypted) or ssl-host (SSL encrypted) in the webserver.conf file.

Puppet Server does not use this setting. Instead, Puppet Server acts as a certificate authority based on the certificate

authority service configuration in the ca.cfg file. See Service Bootstrapping on page 159 for more details.

ca_ttl

Puppet Server enforces a max ttl of 50 standard years (up to 1576800000 seconds).

cacert on page 100

If you enable Puppet Server's certificate authority service, it uses the cacert setting in puppet.conf to determine the

location of the CA certificate for such tasks as generating the CA certificate or using the CA to sign client certificates.

This is true regardless of the configuration of the ssl- settings in webserver.conf.

cacrl on page 101

If you define ssl-cert, ssl-key, ssl-ca-cert, or ssl-crl-path in webserver.conf, Puppet Server uses

the file at ssl-crl-path as the CRL for authenticating clients via SSL. If at least one of the ssl- settings in

webserver.conf is set but ssl-crl-path is not set, Puppet Server will not use a CRL to validate clients via SSL.

If none of the ssl- settings in webserver.conf are set, Puppet Server uses the CRL file defined for the hostcrl

setting---and not the file defined for the cacrl setting--in puppet.conf. At start time, Puppet Server copies the file for

the cacrl setting, if one exists, over to the location in the hostcrl setting.

Any CRL file updates from the Puppet Server certificate authority---such as revocations performed via the

certificate_status HTTP endpoint---use the cacrl setting in puppet.conf to determine the location of the

CRL. This is true regardless of the ssl- settings in webserver.conf.

capass

Puppet Server does not use this setting. Puppet Server's certificate authority does not create a capass password file

when the CA certificate and key are generated.

caprivatedir

Puppet Server does not use this setting. Puppet Server's certificate authority does not create this directory.

daemonize on page 104

Puppet Server does not use this setting.

Puppet | Platform components | 181

hostcert on page 109

If you define ssl-cert, ssl-key, ssl-ca-cert, or ssl-crl-path in webserver.conf, Puppet Server

presents the file at ssl-cert to clients as the server certificate via SSL.

If at least one of the ssl- settings in webserver.conf is set but ssl-cert is not set, Puppet Server gives an error

and shuts down at startup. If none of the ssl- settings in webserver.conf are set, Puppet Server uses the file for the

hostcert setting in puppet.conf as the server certificate during SSL negotiation.

Regardless of the configuration of the ssl- "webserver.conf" settings, Puppet Server's certificate authority service, if

enabled, uses the hostcert "puppet.conf" setting, and not the ssl-cert setting, to determine the location of the

server host certificate to generate.

hostcrl on page 109