1PUPPETCONF(5) Puppet manual PUPPETCONF(5)
2
3
4
6
8 • Each of these settings can be specified in puppet.conf or on the
9 command line.
10
11 • Puppet Enterprise (PE) and open source Puppet share the configura‐
12 tion settings documented here. However, PE defaults differ from
13 open source defaults for some settings, such as node_terminus,
14 storeconfigs, always_retry_plugins, disable18n, environment_timeout
15 (when Code Manager is enabled), and the Puppet Server JRuby max-ac‐
16 tive-instances setting. To verify PE configuration defaults, check
17 the puppet.conf or pe-puppet-server.conf file after installation.
18
19 • When using boolean settings on the command line, use --setting and
20 --no-setting instead of --setting (true|false). (Using --setting
21 false results in "Error: Could not parse application options: need‐
22 less argument".)
23
24 • Settings can be interpolated as $variables in other settings; $en‐
25 vironment is special, in that puppet master will interpolate each
26 agent node´s environment instead of its own.
27
28 • Multiple values should be specified as comma-separated lists; mul‐
29 tiple directories should be separated with the system path separa‐
30 tor (usually a colon).
31
32 • Settings that represent time intervals should be specified in dura‐
33 tion format: an integer immediately followed by one of the units
34 ´y´ (years of 365 days), ´d´ (days), ´h´ (hours), ´m´ (minutes), or
35 ´s´ (seconds). The unit cannot be combined with other units, and
36 defaults to seconds when omitted. Examples are ´3600´ which is
37 equivalent to ´1h´ (one hour), and ´1825d´ which is equivalent to
38 ´5y´ (5 years).
39
40 • If you use the splay setting, note that the period that it waits
41 changes each time the Puppet agent is restarted.
42
43 • Settings that take a single file or directory can optionally set
44 the owner, group, and mode for their value: rundir = $vardir/run {
45 owner = puppet, group = puppet, mode = 644 }
46
47 • The Puppet executables ignores any setting that isn´t relevant to
48 their function.
49
50
51
52 See the configuration guide https://puppet.com/docs/puppet/latest/con‐
53 fig_about_settings.html for more details.
54
55 agent_catalog_run_lockfile
56 A lock file to indicate that a puppet agent catalog run is currently in
57 progress. The file contains the pid of the process that holds the lock
58 on the catalog run.
59
60 • Default: $statedir/agent_catalog_run.lock
61
62
63
64 agent_disabled_lockfile
65 A lock file to indicate that puppet agent runs have been administra‐
66 tively disabled. File contains a JSON object with state information.
67
68 • Default: $statedir/agent_disabled.lock
69
70
71
72 allow_duplicate_certs
73 Whether to allow a new certificate request to overwrite an existing
74 certificate request. If true, then the old certificate must be cleaned
75 using puppetserver ca clean, and the new request signed using puppet‐
76 server ca sign.
77
78 • Default: false
79
80
81
82 allow_pson_serialization
83 Whether when unable to serialize to JSON or other formats, Puppet falls
84 back to PSON. This option affects both puppetserver´s configuration
85 management service responses and when the agent saves its cached cata‐
86 log. This option is useful in preventing the loss of data because rich
87 data cannot be serialized via PSON.
88
89 • Default: true
90
91
92
93 always_retry_plugins
94 Affects how we cache attempts to load Puppet resource types and fea‐
95 tures. If true, then calls to Puppet.type.<type>? Puppet.feature.<fea‐
96 ture>? will always attempt to load the type or feature (which can be an
97 expensive operation) unless it has already been loaded successfully.
98 This makes it possible for a single agent run to, e.g., install a pack‐
99 age that provides the underlying capabilities for a type or feature,
100 and then later load that type or feature during the same run (even if
101 the type or feature had been tested earlier and had not been avail‐
102 able).
103
104 If this setting is set to false, then types and features will only be
105 checked once, and if they are not available, the negative result is
106 cached and returned for all subsequent attempts to load the type or
107 feature. This behavior is almost always appropriate for the server, and
108 can result in a significant performance improvement for types and fea‐
109 tures that are checked frequently.
110
111 • Default: true
112
113
114
115 autoflush
116 Whether log files should always flush to disk.
117
118 • Default: true
119
120
121
122 autosign
123 Whether (and how) to autosign certificate requests. This setting is
124 only relevant on a Puppet Server acting as a certificate authority
125 (CA).
126
127 Valid values are true (autosigns all certificate requests; not recom‐
128 mended), false (disables autosigning certificates), or the absolute
129 path to a file.
130
131 The file specified in this setting may be either a configuration file
132 or a custom policy executable. Puppet will automatically determine what
133 it is: If the Puppet user (see the user setting) can execute the file,
134 it will be treated as a policy executable; otherwise, it will be
135 treated as a config file.
136
137 If a custom policy executable is configured, the CA Puppet Server will
138 run it every time it receives a CSR. The executable will be passed the
139 subject CN of the request as a command line argument, and the contents
140 of the CSR in PEM format on stdin. It should exit with a status of 0 if
141 the cert should be autosigned and non-zero if the cert should not be
142 autosigned.
143
144 If a certificate request is not autosigned, it will persist for review.
145 An admin user can use the puppetserver ca sign command to manually sign
146 it, or can delete the request.
147
148 For info on autosign configuration files, see the guide to Puppet´s
149 config files https://puppet.com/docs/puppet/latest/config_file_au‐
150 tosign.html.
151
152 • Default: $confdir/autosign.conf
153
154
155
156 basemodulepath
157 The search path for global modules. Should be specified as a list of
158 directories separated by the system path separator character. (The
159 POSIX path separator is ´:´, and the Windows path separator is ´;´.)
160
161 These are the modules that will be used by all environments. Note that
162 the modules directory of the active environment will have priority over
163 any global directories. For more info, see https://puppet.com/docs/pup‐
164 pet/latest/environments_about.html
165
166 • Default: $codedir/modules:/usr/share/puppet/modules
167
168
169
170 binder_config
171 The binder configuration file. Puppet reads this file on each request
172 to configure the bindings system. If set to nil (the default), a
173 $confdir/binder_config.yaml is optionally loaded. If it does not ex‐
174 ists, a default configuration is used. If the setting :binding_config
175 is specified, it must reference a valid and existing yaml file.
176
177 • Default: ``
178
179
180
181 bucketdir
182 Where FileBucket files are stored.
183
184 • Default: $vardir/bucket
185
186
187
188 ca_fingerprint
189 The expected fingerprint of the CA certificate. If specified, the agent
190 will compare the CA certificate fingerprint that it downloads against
191 this value and reject the CA certificate if the values do not match.
192 This only applies during the first download of the CA certificate.
193
194 • Default: ``
195
196
197
198 ca_name
199 The name to use the Certificate Authority certificate.
200
201 • Default: Puppet CA: $certname
202
203
204
205 ca_port
206 The port to use for the certificate authority.
207
208 • Default: $serverport
209
210
211
212 ca_server
213 The server to use for certificate authority requests. It´s a separate
214 server because it cannot and does not need to horizontally scale.
215
216 • Default: $server
217
218
219
220 ca_ttl
221 The default TTL for new certificates. This setting can be a time inter‐
222 val in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
223 years (5y).
224
225 • Default: 5y
226
227
228
229 cacert
230 The CA certificate.
231
232 • Default: $cadir/ca_crt.pem
233
234
235
236 cacrl
237 The certificate revocation list (CRL) for the CA.
238
239 • Default: $cadir/ca_crl.pem
240
241
242
243 cadir
244 The root directory for the certificate authority.
245
246 • Default: /etc/puppetserver/ca
247
248
249
250 cakey
251 The CA private key.
252
253 • Default: $cadir/ca_key.pem
254
255
256
257 capub
258 The CA public key.
259
260 • Default: $cadir/ca_pub.pem
261
262
263
264 catalog_cache_terminus
265 How to store cached catalogs. Valid values are ´json´, ´msgpack´ and
266 ´yaml´. The agent application defaults to ´json´.
267
268 • Default: ``
269
270
271
272 catalog_terminus
273 Where to get node catalogs. This is useful to change if, for instance,
274 you´d like to pre-compile catalogs and store them in memcached or some
275 other easily-accessed store.
276
277 • Default: compiler
278
279
280
281 cert_inventory
282 The inventory file. This is a text file to which the CA writes a com‐
283 plete listing of all certificates.
284
285 • Default: $cadir/inventory.txt
286
287
288
289 certdir
290 The certificate directory.
291
292 • Default: $ssldir/certs
293
294
295
296 certificate_revocation
297 Whether certificate revocation checking should be enabled, and what
298 level of checking should be performed.
299
300 When certificate revocation is enabled, Puppet expects the contents of
301 its CRL to be one or more PEM-encoded CRLs concatenated together. When
302 using a cert bundle, CRLs for all CAs in the chain of trust must be in‐
303 cluded in the crl file. The chain should be ordered from least to most
304 authoritative, with the first CRL listed being for the root of the
305 chain and the last being for the leaf CA.
306
307 When certificate_revocation is set to ´true´ or ´chain´, Puppet ensures
308 that each CA in the chain of trust has not been revoked by its issuing
309 CA.
310
311 When certificate_revocation is set to ´leaf´, Puppet verifies certs
312 against the issuing CA´s revocation list, but it does not verify the
313 revocation status of the issuing CA or any CA above it within the chain
314 of trust.
315
316 When certificate_revocation is set to ´false´, Puppet disables all cer‐
317 tificate revocation checking and does not attempt to download the CRL.
318
319 • Default: chain
320
321
322
323 certname
324 The name to use when handling certificates. When a node requests a cer‐
325 tificate from the CA Puppet Server, it uses the value of the certname
326 setting as its requested Subject CN.
327
328 This is the name used when managing a node´s permissions in Puppet
329 Server´s auth.conf https://puppet.com/docs/puppetserver/latest/con‐
330 fig_file_auth.html. In most cases, it is also used as the node´s name
331 when matching node definitions https://puppet.com/docs/puppet/lat‐
332 est/lang_node_definitions.html and requesting data from an ENC. (This
333 can be changed with the node_name_value and node_name_fact settings,
334 although you should only do so if you have a compelling reason.)
335
336 A node´s certname is available in Puppet manifests as $trusted[´cert‐
337 name´]. (See Facts and Built-In Variables https://puppet.com/docs/pup‐
338 pet/latest/lang_facts_and_builtin_vars.html for more details.)
339
340 • For best compatibility, you should limit the value of certname to
341 only use lowercase letters, numbers, periods, underscores, and
342 dashes. (That is, it should match /A[a-z0-9._-]+Z/.)
343
344 • The special value ca is reserved, and can´t be used as the certname
345 for a normal node.
346
347 Note: You must set the certname in the main section of the pup‐
348 pet.conf file. Setting it in a different section causes errors.
349
350
351
352 Defaults to the node´s fully qualified domain name.
353
354 • Default: the Host´s fully qualified domain name, as determined by
355 Facter
356
357
358
359 ciphers
360 The list of ciphersuites for TLS connections initiated by puppet. The
361 default value is chosen to support TLS 1.0 and up, but can be made more
362 restrictive if needed. The ciphersuites must be specified in OpenSSL
363 format, not IANA.
364
365 • Default:
366 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
367
368
369
370 classfile
371 The file in which puppet agent stores a list of the classes associated
372 with the retrieved configuration. Can be loaded in the separate puppet
373 executable using the --loadclasses option.
374
375 • Default: $statedir/classes.txt
376
377
378
379 client_datadir
380 The directory in which serialized data is stored on the client.
381
382 • Default: $vardir/client_data
383
384
385
386 clientbucketdir
387 Where FileBucket files are stored locally.
388
389 • Default: $vardir/clientbucket
390
391
392
393 clientyamldir
394 The directory in which client-side YAML data is stored.
395
396 • Default: $vardir/client_yaml
397
398
399
400 code
401 Code to parse directly. This is essentially only used by puppet, and
402 should only be set if you´re writing your own Puppet executable.
403
404 codedir
405 The main Puppet code directory. The default for this setting is calcu‐
406 lated based on the user. If the process is running as root or the user
407 that Puppet is supposed to run as, it defaults to a system directory,
408 but if it´s running as any other user, it defaults to being in the
409 user´s home directory.
410
411 • Default: Unix/Linux: /etc/puppet/code -- Windows: C:\Program‐
412 Data\PuppetLabs\code -- Non-root user: ~/.puppetlabs/etc/code
413
414
415
416 color
417 Whether to use colors when logging to the console. Valid values are
418 ansi (equivalent to true), html, and false, which produces no color.
419
420 • Default: ansi
421
422
423
424 confdir
425 The main Puppet configuration directory. The default for this setting
426 is calculated based on the user. If the process is running as root or
427 the user that Puppet is supposed to run as, it defaults to a system di‐
428 rectory, but if it´s running as any other user, it defaults to being in
429 the user´s home directory.
430
431 • Default: Unix/Linux: /etc/puppet -- Windows: C:\ProgramData\Puppet‐
432 Labs\puppet\etc -- Non-root user: ~/.puppetlabs/etc/puppet
433
434
435
436 config
437 The configuration file for the current puppet application.
438
439 • Default: $confdir/${config_file_name}
440
441
442
443 config_file_name
444 The name of the puppet config file.
445
446 • Default: puppet.conf
447
448
449
450 config_version
451 How to determine the configuration version. By default, it will be the
452 time that the configuration is parsed, but you can provide a shell
453 script to override how the version is determined. The output of this
454 script will be added to every log message in the reports, allowing you
455 to correlate changes on your hosts to the source version on the server.
456
457 Setting a global value for config_version in puppet.conf is not allowed
458 (but it can be overridden from the commandline). Please set a per-envi‐
459 ronment value in environment.conf instead. For more info, see
460 https://puppet.com/docs/puppet/latest/environments_about.html
461
462 configprint
463 Prints the value of a specific configuration setting. If the name of a
464 setting is provided for this, then the value is printed and puppet ex‐
465 its. Comma-separate multiple values. For a list of all values, specify
466 ´all´. This setting is deprecated, the ´puppet config´ command replaces
467 this functionality.
468
469 crl_refresh_interval
470 How often the Puppet agent refreshes its local CRL. By default the CRL
471 is only downloaded once, and never refreshed. If a duration is speci‐
472 fied, then the agent will refresh its CRL whenever it next runs and the
473 elapsed time since the CRL was last refreshed exceeds the duration.
474
475 In general, the duration should be greater than the runinterval. Set‐
476 ting it to an equal or lesser value will cause the CRL to be refreshed
477 on every run.
478
479 If the agent downloads a new CRL, the agent will use it for subsequent
480 network requests. If the refresh request fails or if the CRL is un‐
481 changed on the server, then the agent run will continue using the local
482 CRL it already has.This setting can be a time interval in seconds (30
483 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
484
485 • Default: ``
486
487
488
489 csr_attributes
490 An optional file containing custom attributes to add to certificate
491 signing requests (CSRs). You should ensure that this file does not ex‐
492 ist on your CA Puppet Server; if it does, unwanted certificate exten‐
493 sions may leak into certificates created with the puppetserver ca gen‐
494 erate command.
495
496 If present, this file must be a YAML hash containing a custom_at‐
497 tributes key and/or an extension_requests key. The value of each key
498 must be a hash, where each key is a valid OID and each value is an ob‐
499 ject that can be cast to a string.
500
501 Custom attributes can be used by the CA when deciding whether to sign
502 the certificate, but are then discarded. Attribute OIDs can be any OID
503 value except the standard CSR attributes (i.e. attributes described in
504 RFC 2985 section 5.4). This is useful for embedding a pre-shared key
505 for autosigning policy executables (see the autosign setting), often by
506 using the 1.2.840.113549.1.9.7 ("challenge password") OID.
507
508 Extension requests will be permanently embedded in the final certifi‐
509 cate. Extension OIDs must be in the "ppRegCertExt"
510 (1.3.6.1.4.1.34380.1.1), "ppPrivCertExt" (1.3.6.1.4.1.34380.1.2), or
511 "ppAuthCertExt" (1.3.6.1.4.1.34380.1.3) OID arcs. The ppRegCertExt arc
512 is reserved for four of the most common pieces of data to embed:
513 pp_uuid (.1), pp_instance_id (.2), pp_image_name (.3), and pp_pre‐
514 shared_key (.4) --- in the YAML file, these can be referred to by their
515 short descriptive names instead of their full OID. The ppPrivCertExt
516 arc is unregulated, and can be used for site-specific extensions. The
517 ppAuthCert arc is reserved for two pieces of data to embed: pp_autho‐
518 rization (.1) and pp_auth_role (.13). As with ppRegCertExt, in the YAML
519 file, these can be referred to by their short descriptive name instead
520 of their full OID.
521
522 • Default: $confdir/csr_attributes.yaml
523
524
525
526 csrdir
527 Where the CA stores certificate requests.
528
529 • Default: $cadir/requests
530
531
532
533 daemonize
534 Whether to send the process into the background. This defaults to true
535 on POSIX systems, and to false on Windows (where Puppet currently can‐
536 not daemonize).
537
538 • Default: true
539
540
541
542 data_binding_terminus
543 This setting has been deprecated. Use of any value other than ´hiera´
544 should instead be configured in a version 5 hiera.yaml. Until this set‐
545 ting is removed, it controls which data binding terminus to use for
546 global automatic data binding (across all environments). By default
547 this value is ´hiera´. A value of ´none´ turns off the global binding.
548
549 • Default: hiera
550
551
552
553 default_file_terminus
554 The default source for files if no server is given in a uri, e.g. pup‐
555 pet:///file. The default of rest causes the file to be retrieved using
556 the server setting. When running apply the default is file_server,
557 causing requests to be filled locally.
558
559 • Default: rest
560
561
562
563 default_manifest
564 The default main manifest for directory environments. Any environment
565 that doesn´t set the manifest setting in its environment.conf file will
566 use this manifest.
567
568 This setting´s value can be an absolute or relative path. An absolute
569 path will make all environments default to the same main manifest; a
570 relative path will allow each environment to use its own manifest, and
571 Puppet will resolve the path relative to each environment´s main direc‐
572 tory.
573
574 In either case, the path can point to a single file or to a directory
575 of manifests to be evaluated in alphabetical order.
576
577 • Default: ./manifests
578
579
580
581 default_schedules
582 Boolean; whether to generate the default schedule resources. Setting
583 this to false is useful for keeping external report processors clean of
584 skipped schedule resources.
585
586 • Default: true
587
588
589
590 deviceconfdir
591 The root directory of devices´ $confdir.
592
593 • Default: $confdir/devices
594
595
596
597 deviceconfig
598 Path to the device config file for puppet device.
599
600 • Default: $confdir/device.conf
601
602
603
604 devicedir
605 The root directory of devices´ $vardir.
606
607 • Default: $vardir/devices
608
609
610
611 diff
612 Which diff command to use when printing differences between files. This
613 setting has no default value on Windows, as standard diff is not avail‐
614 able, but Puppet can use many third-party diff tools.
615
616 • Default: diff
617
618
619
620 diff_args
621 Which arguments to pass to the diff command when printing differences
622 between files. The command to use can be chosen with the diff setting.
623
624 • Default: -u
625
626
627
628 digest_algorithm
629 Which digest algorithm to use for file resources and the filebucket.
630 Valid values are sha256, sha384, sha512, sha224, md5. Default is
631 sha256.
632
633 • Default: sha256
634
635
636
637 disable_i18n
638 If true, turns off all translations of Puppet and module log messages,
639 which affects error, warning, and info log messages, as well as any
640 translations in the report and CLI.
641
642 • Default: true
643
644
645
646 disable_per_environment_manifest
647 Whether to disallow an environment-specific main manifest. When set to
648 true, Puppet will use the manifest specified in the default_manifest
649 setting for all environments. If an environment specifies a different
650 main manifest in its environment.conf file, catalog requests for that
651 environment will fail with an error.
652
653 This setting requires default_manifest to be set to an absolute path.
654
655 • Default: false
656
657
658
659 disable_warnings
660 A comma-separated list of warning types to suppress. If large numbers
661 of warnings are making Puppet´s logs too large or difficult to use, you
662 can temporarily silence them with this setting.
663
664 If you are preparing to upgrade Puppet to a new major version, you
665 should re-enable all warnings for a while.
666
667 Valid values for this setting are:
668
669 • deprecations --- disables deprecation warnings.
670
671 • undefined_variables --- disables warnings about non existing vari‐
672 ables.
673
674 • undefined_resources --- disables warnings about non existing re‐
675 sources.
676
677 • Default: []
678
679
680
681 dns_alt_names
682 A comma-separated list of alternate DNS names for Puppet Server. These
683 are extra hostnames (in addition to its certname) that the server is
684 allowed to use when serving agents. Puppet checks this setting when au‐
685 tomatically creating a certificate for Puppet agent or Puppet Server.
686 These can be either IP or DNS, and the type should be specified and
687 followed with a colon. Untyped inputs will default to DNS.
688
689 In order to handle agent requests at a given hostname (like "puppet.ex‐
690 ample.com"), Puppet Server needs a certificate that proves it´s allowed
691 to use that name; if a server shows a certificate that doesn´t include
692 its hostname, Puppet agents will refuse to trust it. If you use a sin‐
693 gle hostname for Puppet traffic but load-balance it to multiple Puppet
694 Servers, each of those servers needs to include the official hostname
695 in its list of extra names.
696
697 Note: The list of alternate names is locked in when the server´s cer‐
698 tificate is signed. If you need to change the list later, you can´t
699 just change this setting; you also need to regenerate the certificate.
700 For more information on that process, see the cert regen docs
701 https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html.
702
703 To see all the alternate names your servers are using, log into your CA
704 server and run puppetserver ca list --all, then check the output for
705 (alt names: ...). Most agent nodes should NOT have alternate names; the
706 only certs that should have them are Puppet Server nodes that you want
707 other agents to trust.
708
709 document_all
710 Whether to document all resources when using puppet doc to generate
711 manifest documentation.
712
713 • Default: false
714
715
716
717 environment
718 The environment in which Puppet is running. For clients, such as puppet
719 agent, this determines the environment itself, which Puppet uses to
720 find modules and much more. For servers, such as puppet server, this
721 provides the default environment for nodes that Puppet knows nothing
722 about.
723
724 When defining an environment in the [agent] section, this refers to the
725 environment that the agent requests from the primary server. The envi‐
726 ronment doesn´t have to exist on the local filesystem because the agent
727 fetches it from the primary server. This definition is used when run‐
728 ning puppet agent.
729
730 When defined in the [user] section, the environment refers to the path
731 that Puppet uses to search for code and modules related to its execu‐
732 tion. This requires the environment to exist locally on the filesystem
733 where puppet is being executed. Puppet subcommands, including puppet
734 module and puppet apply, use this definition.
735
736 Given that the context and effects vary depending on the config section
737 https://puppet.com/docs/puppet/latest/config_file_main.html#config-sec‐
738 tions in which the environment setting is defined, do not set it glob‐
739 ally.
740
741 • Default: production
742
743
744
745 environment_data_provider
746 The name of a registered environment data provider used when obtaining
747 environment specific data. The three built in and registered providers
748 are ´none´ (no data), ´function´ (data obtained by calling the function
749 ´environment::data()´) and ´hiera´ (data obtained using a data provider
750 configured using a hiera.yaml file in root of the environment). Other
751 environment data providers may be registered in modules on the module
752 path. For such custom data providers see the respective module documen‐
753 tation. This setting is deprecated.
754
755 • Default: ``
756
757
758
759 environment_timeout
760 How long the Puppet server should cache data it loads from an environ‐
761 ment.
762
763 A value of 0 will disable caching. This setting can also be set to un‐
764 limited, which will cache environments until the server is restarted or
765 told to refresh the cache. All other values will result in Puppet
766 server evicting environments that haven´t been used within the last en‐
767 vironment_timeout seconds.
768
769 You should change this setting once your Puppet deployment is doing
770 non-trivial work. We chose the default value of 0 because it lets new
771 users update their code without any extra steps, but it lowers the per‐
772 formance of your Puppet server. We recommend either:
773
774 • Setting this to unlimited and explicitly refreshing your Puppet
775 server as part of your code deployment process.
776
777 • Setting this to a number that will keep your most actively used en‐
778 vironments cached, but allow testing environments to fall out of
779 the cache and reduce memory usage. A value of 3 minutes (3m) is a
780 reasonable value.
781
782
783
784 Once you set environment_timeout to a non-zero value, you need to tell
785 Puppet server to read new code from disk using the environment-cache
786 API endpoint after you deploy new code. See the docs for the Puppet
787 Server administrative API https://puppet.com/docs/puppetserver/lat‐
788 est/admin-api/v1/environment-cache.html.
789
790 • Default: 0
791
792
793
794 environmentpath
795 A search path for directory environments, as a list of directories sep‐
796 arated by the system path separator character. (The POSIX path separa‐
797 tor is ´:´, and the Windows path separator is ´;´.)
798
799 This setting must have a value set to enable directory environments.
800 The recommended value is $codedir/environments. For more details, see
801 https://puppet.com/docs/puppet/latest/environments_about.html
802
803 • Default: $codedir/environments
804
805
806
807 evaltrace
808 Whether each resource should log when it is being evaluated. This al‐
809 lows you to interactively see exactly what is being done.
810
811 • Default: false
812
813
814
815 exclude_unchanged_resources
816 When set to true, resources that have had no changes after catalog ap‐
817 plication will not have corresponding unchanged resource status updates
818 listed in the report.
819
820 • Default: false
821
822
823
824 external_nodes
825 The external node classifier (ENC) script to use for node data. Puppet
826 combines this data with the main manifest to produce node catalogs.
827
828 To enable this setting, set the node_terminus setting to exec.
829
830 This setting´s value must be the path to an executable command that can
831 produce node information. The command must:
832
833 • Take the name of a node as a command-line argument.
834
835 •
836
837 • classes --- A list of classes, as an array or hash.
838
839 • environment --- A string.
840
841 • parameters --- A list of top-scope variables to set, as a hash.
842
843
844
845
846 • For unknown nodes, exit with a non-zero exit code.
847
848
849
850 Generally, an ENC script makes requests to an external data source.
851
852 For more info, see the ENC documentation https://puppet.com/docs/pup‐
853 pet/latest/nodes_external.html.
854
855 • Default: none
856
857
858
859 fact_name_length_soft_limit
860 The soft limit for the length of a fact name.
861
862 • Default: 2560
863
864
865
866 fact_value_length_soft_limit
867 The soft limit for the length of a fact value.
868
869 • Default: 4096
870
871
872
873 factpath
874 Where Puppet should look for facts. Multiple directories should be sep‐
875 arated by the system path separator character. (The POSIX path separa‐
876 tor is ´:´, and the Windows path separator is ´;´.)
877
878 • Default: $vardir/lib/facter:$vardir/facts
879
880
881
882 facts_terminus
883 The node facts terminus.
884
885 • Default: facter
886
887
888
889 fileserverconfig
890 Where the fileserver configuration is stored.
891
892 • Default: $confdir/fileserver.conf
893
894
895
896 filetimeout
897 The minimum time to wait between checking for updates in configuration
898 files. This timeout determines how quickly Puppet checks whether a file
899 (such as manifests or puppet.conf) has changed on disk. The default
900 will change in a future release to be ´unlimited´, requiring a reload
901 of the Puppet service to pick up changes to its internal configuration.
902 Currently we do not accept a value of ´unlimited´. To reparse files
903 within an environment in Puppet Server please use the environment_cache
904 endpoint
905
906 • Default: 15s
907
908
909
910 forge_authorization
911 The authorization key to connect to the Puppet Forge. Leave blank for
912 unauthorized or license based connections
913
914 • Default: ``
915
916
917
918 freeze_main
919 Freezes the ´main´ class, disallowing any code to be added to it. This
920 essentially means that you can´t have any code outside of a node,
921 class, or definition other than in the site manifest.
922
923 • Default: false
924
925
926
927 genconfig
928 When true, causes Puppet applications to print an example config file
929 to stdout and exit. The example will include descriptions of each set‐
930 ting, and the current (or default) value of each setting, incorporating
931 any settings overridden on the CLI (with the exception of genconfig it‐
932 self). This setting only makes sense when specified on the command line
933 as --genconfig.
934
935 • Default: false
936
937
938
939 genmanifest
940 Whether to just print a manifest to stdout and exit. Only makes sense
941 when specified on the command line as --genmanifest. Takes into account
942 arguments specified on the CLI.
943
944 • Default: false
945
946
947
948 graph
949 Whether to create .dot graph files, which let you visualize the depen‐
950 dency and containment relationships in Puppet´s catalog. You can load
951 and view these files with tools like OmniGraffle http://www.omni‐
952 group.com/applications/omnigraffle/ (OS X) or graphviz
953 http://www.graphviz.org/ (multi-platform).
954
955 Graph files are created when applying a catalog, so this setting should
956 be used on nodes running puppet agent or puppet apply.
957
958 The graphdir setting determines where Puppet will save graphs. Note
959 that we don´t save graphs for historical runs; Puppet will replace the
960 previous .dot files with new ones every time it applies a catalog.
961
962 See your graphing software´s documentation for details on opening .dot
963 files. If you´re using GraphViz´s dot command, you can do a quick PNG
964 render with dot -Tpng <DOT FILE> -o <OUTPUT FILE>.
965
966 • Default: false
967
968
969
970 graphdir
971 Where to save .dot-format graphs (when the graph setting is enabled).
972
973 • Default: $statedir/graphs
974
975
976
977 group
978 The group Puppet Server will run as. Used to ensure the agent side pro‐
979 cesses (agent, apply, etc) create files and directories readable by
980 Puppet Server when necessary.
981
982 • Default: puppet
983
984
985
986 hiera_config
987 The hiera configuration file. Puppet only reads this file on startup,
988 so you must restart the puppet server every time you edit it.
989
990 • Default: $confdir/hiera.yaml. However, for backwards compatibility,
991 if a file exists at $codedir/hiera.yaml, Puppet uses that instead.
992
993
994
995 hostcert
996 Where individual hosts store and look for their certificates.
997
998 • Default: $certdir/$certname.pem
999
1000
1001
1002 hostcrl
1003 Where the host´s certificate revocation list can be found. This is dis‐
1004 tinct from the certificate authority´s CRL.
1005
1006 • Default: $ssldir/crl.pem
1007
1008
1009
1010 hostcsr
1011 Where individual hosts store their certificate request (CSR) while
1012 waiting for the CA to issue their certificate.
1013
1014 • Default: $requestdir/$certname.pem
1015
1016
1017
1018 hostprivkey
1019 Where individual hosts store and look for their private key.
1020
1021 • Default: $privatekeydir/$certname.pem
1022
1023
1024
1025 hostpubkey
1026 Where individual hosts store and look for their public key.
1027
1028 • Default: $publickeydir/$certname.pem
1029
1030
1031
1032 http_connect_timeout
1033 The maximum amount of time to wait when establishing an HTTP connec‐
1034 tion. The default value is 2 minutes. This setting can be a time inter‐
1035 val in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
1036 years (5y).
1037
1038 • Default: 2m
1039
1040
1041
1042 http_debug
1043 Whether to write HTTP request and responses to stderr. This should
1044 never be used in a production environment.
1045
1046 • Default: false
1047
1048
1049
1050 http_extra_headers
1051 The list of extra headers that will be sent with http requests to the
1052 primary server. The header definition consists of a name and a value
1053 separated by a colon.
1054
1055 • Default: []
1056
1057
1058
1059 http_keepalive_timeout
1060 The maximum amount of time a persistent HTTP connection can remain idle
1061 in the connection pool, before it is closed. This timeout should be
1062 shorter than the keepalive timeout used on the HTTP server, e.g. Apache
1063 KeepAliveTimeout directive. This setting can be a time interval in sec‐
1064 onds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
1065
1066 • Default: 4s
1067
1068
1069
1070 http_proxy_host
1071 The HTTP proxy host to use for outgoing connections. The proxy will be
1072 bypassed if the server´s hostname matches the NO_PROXY environment
1073 variable or no_proxy setting. Note: You may need to use a FQDN for the
1074 server hostname when using a proxy. Environment variable http_proxy or
1075 HTTP_PROXY will override this value.
1076
1077 • Default: none
1078
1079
1080
1081 http_proxy_password
1082 The password for the user of an authenticated HTTP proxy. Requires the
1083 http_proxy_user setting.
1084
1085 Note that passwords must be valid when used as part of a URL. If a
1086 password contains any characters with special meanings in URLs (as
1087 specified by RFC 3986 section 2.2), they must be URL-encoded. (For ex‐
1088 ample, # would become %23.)
1089
1090 • Default: none
1091
1092
1093
1094 http_proxy_port
1095 The HTTP proxy port to use for outgoing connections
1096
1097 • Default: 3128
1098
1099
1100
1101 http_proxy_user
1102 The user name for an authenticated HTTP proxy. Requires the
1103 http_proxy_host setting.
1104
1105 • Default: none
1106
1107
1108
1109 http_read_timeout
1110 The time to wait for data to be read from an HTTP connection. If noth‐
1111 ing is read after the elapsed interval then the connection will be
1112 closed. The default value is 10 minutes. This setting can be a time in‐
1113 terval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
1114 years (5y).
1115
1116 • Default: 10m
1117
1118
1119
1120 http_user_agent
1121 The HTTP User-Agent string to send when making network requests.
1122
1123 • Default: Puppet/7.27.0 Ruby/2.7.5-p203 (x86_64-linux)
1124
1125
1126
1127 ignore_plugin_errors
1128 Whether the puppet run should ignore errors during pluginsync. If the
1129 setting is false and there are errors during pluginsync, then the agent
1130 will abort the run and submit a report containing information about the
1131 failed run.
1132
1133 • Default: false
1134
1135
1136
1137 ignoremissingtypes
1138 Skip searching for classes and definitions that were missing during a
1139 prior compilation. The list of missing objects is maintained per-envi‐
1140 ronment and persists until the environment is cleared or the primary
1141 server is restarted.
1142
1143 • Default: false
1144
1145
1146
1147 ignoreschedules
1148 Boolean; whether puppet agent should ignore schedules. This is useful
1149 for initial puppet agent runs.
1150
1151 • Default: false
1152
1153
1154
1155 include_legacy_facts
1156 Whether to include legacy facts when requesting a catalog. This option
1157 can be set to false provided all puppet manifests, hiera.yaml and hiera
1158 configuration layers no longer access legacy facts, such as $osfamily,
1159 and instead access structured facts, such as $facts[´os´][´family´].
1160
1161 • Default: true
1162
1163
1164
1165 key_type
1166 The type of private key. Valid values are rsa and ec. Default is rsa.
1167
1168 • Default: rsa
1169
1170
1171
1172 keylength
1173 The bit length of keys.
1174
1175 • Default: 4096
1176
1177
1178
1179 lastrunfile
1180 Where puppet agent stores the last run report summary in yaml format.
1181
1182 • Default: $publicdir/last_run_summary.yaml
1183
1184
1185
1186 lastrunreport
1187 Where Puppet Agent stores the last run report, by default, in yaml for‐
1188 mat. The format of the report can be changed by setting the cache key
1189 of the report terminus in the routes.yaml https://puppet.com/docs/pup‐
1190 pet/latest/config_file_routes.html file. To avoid mismatches between
1191 content and file extension, this setting needs to be manually updated
1192 to reflect the terminus changes.
1193
1194 • Default: $statedir/last_run_report.yaml
1195
1196
1197
1198 ldapattrs
1199 The LDAP attributes to include when querying LDAP for nodes. All re‐
1200 turned attributes are set as variables in the top-level scope. Multiple
1201 values should be comma-separated. The value ´all´ returns all at‐
1202 tributes.
1203
1204 • Default: all
1205
1206
1207
1208 ldapbase
1209 The search base for LDAP searches. It´s impossible to provide a mean‐
1210 ingful default here, although the LDAP libraries might have one already
1211 set. Generally, it should be the ´ou=Hosts´ branch under your main di‐
1212 rectory.
1213
1214 ldapclassattrs
1215 The LDAP attributes to use to define Puppet classes. Values should be
1216 comma-separated.
1217
1218 • Default: puppetclass
1219
1220
1221
1222 ldapparentattr
1223 The attribute to use to define the parent node.
1224
1225 • Default: parentnode
1226
1227
1228
1229 ldappassword
1230 The password to use to connect to LDAP.
1231
1232 ldapport
1233 The LDAP port.
1234
1235 • Default: 389
1236
1237
1238
1239 ldapserver
1240 The LDAP server.
1241
1242 • Default: ldap
1243
1244
1245
1246 ldapssl
1247 Whether SSL should be used when searching for nodes. Defaults to false
1248 because SSL usually requires certificates to be set up on the client
1249 side.
1250
1251 • Default: false
1252
1253
1254
1255 ldapstackedattrs
1256 The LDAP attributes that should be stacked to arrays by adding the val‐
1257 ues in all hierarchy elements of the tree. Values should be comma-sepa‐
1258 rated.
1259
1260 • Default: puppetvar
1261
1262
1263
1264 ldapstring
1265 The search string used to find an LDAP node.
1266
1267 • Default: (&(objectclass=puppetClient)(cn=%s))
1268
1269
1270
1271 ldaptls
1272 Whether TLS should be used when searching for nodes. Defaults to false
1273 because TLS usually requires certificates to be set up on the client
1274 side.
1275
1276 • Default: false
1277
1278
1279
1280 ldapuser
1281 The user to use to connect to LDAP. Must be specified as a full DN.
1282
1283 libdir
1284 An extra search path for Puppet. This is only useful for those files
1285 that Puppet will load on demand, and is only guaranteed to work for
1286 those cases. In fact, the autoload mechanism is responsible for making
1287 sure this directory is in Ruby´s search path
1288
1289 • Default: $vardir/lib
1290
1291
1292
1293 localcacert
1294 Where each client stores the CA certificate.
1295
1296 • Default: $certdir/ca.pem
1297
1298
1299
1300 localedest
1301 Where Puppet should store translation files that it pulls down from the
1302 central server.
1303
1304 • Default: $vardir/locales
1305
1306
1307
1308 localesource
1309 From where to retrieve translation files. The standard Puppet file type
1310 is used for retrieval, so anything that is a valid file source can be
1311 used here.
1312
1313 • Default: puppet:///locales
1314
1315
1316
1317 location_trusted
1318 This will allow sending the name + password and the cookie header to
1319 all hosts that puppet may redirect to. This may or may not introduce a
1320 security breach if puppet redirects you to a site to which you´ll send
1321 your authentication info and cookies.
1322
1323 • Default: false
1324
1325
1326
1327 log_level
1328 Default logging level for messages from Puppet. Allowed values are:
1329
1330 • debug
1331
1332 • info
1333
1334 • notice
1335
1336 • warning
1337
1338 • err
1339
1340 • alert
1341
1342 • emerg
1343
1344 • crit
1345
1346 • Default: notice
1347
1348
1349
1350 logdest
1351 Where to send log messages. Choose between ´syslog´ (the POSIX syslog
1352 service), ´eventlog´ (the Windows Event Log), ´console´, or the path to
1353 a log file. Multiple destinations can be set using a comma separated
1354 list (eg: /path/file1,console,/path/file2)
1355
1356 • Default: ``
1357
1358
1359
1360 logdir
1361 The directory in which to store log files
1362
1363 • Default: Unix/Linux: /var/log/puppet -- Windows: C:\Program‐
1364 Data\PuppetLabs\puppet\var\log -- Non-root user: ~/.puppet‐
1365 labs/var/log
1366
1367
1368
1369 manage_internal_file_permissions
1370 Whether Puppet should manage the owner, group, and mode of files it
1371 uses internally. Note: For Windows agents, the default is false for
1372 versions 4.10.13 and greater, versions 5.5.6 and greater, and versions
1373 6.0 and greater.
1374
1375 • Default: true
1376
1377
1378
1379 manifest
1380 The entry-point manifest for the primary server. This can be one file
1381 or a directory of manifests to be evaluated in alphabetical order. Pup‐
1382 pet manages this path as a directory if one exists or if the path ends
1383 with a / or .
1384
1385 Setting a global value for manifest in puppet.conf is not allowed (but
1386 it can be overridden from the commandline). Please use directory envi‐
1387 ronments instead. If you need to use something other than the environ‐
1388 ment´s manifests directory as the main manifest, you can set manifest
1389 in environment.conf. For more info, see https://puppet.com/docs/pup‐
1390 pet/latest/environments_about.html
1391
1392 • Default: ``
1393
1394
1395
1396 masterport
1397 The default port puppet subcommands use to communicate with Puppet
1398 Server. (eg puppet facts upload, puppet agent). May be overridden by
1399 more specific settings (see ca_port, report_port).
1400
1401 • Default: 8140
1402
1403
1404
1405 max_deprecations
1406 Sets the max number of logged/displayed parser validation deprecation
1407 warnings in case multiple deprecation warnings have been detected. A
1408 value of 0 blocks the logging of deprecation warnings. The count is per
1409 manifest.
1410
1411 • Default: 10
1412
1413
1414
1415 max_errors
1416 Sets the max number of logged/displayed parser validation errors in
1417 case multiple errors have been detected. A value of 0 is the same as a
1418 value of 1; a minimum of one error is always raised. The count is per
1419 manifest.
1420
1421 • Default: 10
1422
1423
1424
1425 max_warnings
1426 Sets the max number of logged/displayed parser validation warnings in
1427 case multiple warnings have been detected. A value of 0 blocks logging
1428 of warnings. The count is per manifest.
1429
1430 • Default: 10
1431
1432
1433
1434 maximum_uid
1435 The maximum allowed UID. Some platforms use negative UIDs but then ship
1436 with tools that do not know how to handle signed ints, so the UIDs show
1437 up as huge numbers that can then not be fed back into the system. This
1438 is a hackish way to fail in a slightly more useful way when that hap‐
1439 pens.
1440
1441 • Default: 4294967290
1442
1443
1444
1445 maxwaitforcert
1446 The maximum amount of time the Puppet agent should wait for its cer‐
1447 tificate request to be signed. A value of unlimited will cause puppet
1448 agent to ask for a signed certificate indefinitely. This setting can be
1449 a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days
1450 (2d), or years (5y).
1451
1452 • Default: unlimited
1453
1454
1455
1456 maxwaitforlock
1457 The maximum amount of time the puppet agent should wait for an already
1458 running puppet agent to finish before starting a new one. This is set
1459 by default to 1 minute. A value of unlimited will cause puppet agent to
1460 wait indefinitely. This setting can be a time interval in seconds (30
1461 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
1462
1463 • Default: 1m
1464
1465
1466
1467 merge_dependency_warnings
1468 Whether to merge class-level dependency failure warnings.
1469
1470 When a class has a failed dependency, every resource in the class gen‐
1471 erates a notice level message about the dependency failure, and a warn‐
1472 ing level message about skipping the resource.
1473
1474 If true, all messages caused by a class dependency failure are merged
1475 into one message associated with the class.
1476
1477 • Default: false
1478
1479
1480
1481 mkusers
1482 Whether to create the necessary user and group that puppet agent will
1483 run as.
1484
1485 • Default: false
1486
1487
1488
1489 module_groups
1490 Extra module groups to request from the Puppet Forge. This is an inter‐
1491 nal setting, and users should never change it.
1492
1493 • Default: ``
1494
1495
1496
1497 module_repository
1498 The module repository
1499
1500 • Default: https://forgeapi.puppet.com
1501
1502
1503
1504 module_working_dir
1505 The directory into which module tool data is stored
1506
1507 • Default: $vardir/puppet-module
1508
1509
1510
1511 modulepath
1512 The search path for modules, as a list of directories separated by the
1513 system path separator character. (The POSIX path separator is ´:´, and
1514 the Windows path separator is ´;´.)
1515
1516 Setting a global value for modulepath in puppet.conf is not allowed
1517 (but it can be overridden from the commandline). Please use directory
1518 environments instead. If you need to use something other than the de‐
1519 fault modulepath of <ACTIVE ENVIRONMENT´S MODULES DIR>:$basemodulepath,
1520 you can set modulepath in environment.conf. For more info, see
1521 https://puppet.com/docs/puppet/latest/environments_about.html
1522
1523 name
1524 The name of the application, if we are running as one. The default is
1525 essentially $0 without the path or .rb.
1526
1527 • Default: ``
1528
1529
1530
1531 named_curve
1532 The short name for the EC curve used to generate the EC private key.
1533 Valid values must be one of the curves in
1534 OpenSSL::PKey::EC.builtin_curves. Default is prime256v1.
1535
1536 • Default: prime256v1
1537
1538
1539
1540 no_proxy
1541 List of host or domain names that should not go through
1542 http_proxy_host. Environment variable no_proxy or NO_PROXY will over‐
1543 ride this value. Names can be specified as an FQDN host.example.com,
1544 wildcard *.example.com, dotted domain .example.com, or suffix exam‐
1545 ple.com.
1546
1547 • Default: localhost, 127.0.0.1
1548
1549
1550
1551 node_cache_terminus
1552 How to store cached nodes. Valid values are (none), ´json´, ´msgpack´,
1553 or ´yaml´.
1554
1555 • Default: ``
1556
1557
1558
1559 node_name_fact
1560 The fact name used to determine the node name used for all requests the
1561 agent makes to the primary server. WARNING: This setting is mutually
1562 exclusive with node_name_value. Changing this setting also requires
1563 changes to Puppet Server´s default auth.conf https://pup‐
1564 pet.com/docs/puppetserver/latest/config_file_auth.html.
1565
1566 node_name_value
1567 The explicit value used for the node name for all requests the agent
1568 makes to the primary server. WARNING: This setting is mutually exclu‐
1569 sive with node_name_fact. Changing this setting also requires changes
1570 to Puppet Server´s default auth.conf https://puppet.com/docs/puppet‐
1571 server/latest/config_file_auth.html.
1572
1573 • Default: $certname
1574
1575
1576
1577 node_terminus
1578 Which node data plugin to use when compiling node catalogs.
1579
1580 When Puppet compiles a catalog, it combines two primary sources of
1581 info: the main manifest, and a node data plugin (often called a "node
1582 terminus," for historical reasons). Node data plugins provide three
1583 things for a given node name:
1584
1585 1. A list of classes to add to that node´s catalog (and, optionally,
1586 values for their parameters).
1587
1588 2. Which Puppet environment the node should use.
1589
1590 3. A list of additional top-scope variables to set.
1591
1592
1593
1594 The three main node data plugins are:
1595
1596 • plain --- Returns no data, so that the main manifest controls all
1597 node configuration.
1598
1599 • exec --- Uses an external node classifier (ENC) https://pup‐
1600 pet.com/docs/puppet/latest/nodes_external.html, configured by the
1601 external_nodes setting. This lets you pull a list of Puppet classes
1602 from any external system, using a small glue script to perform the
1603 request and format the result as YAML.
1604
1605 • classifier (formerly console) --- Specific to Puppet Enterprise.
1606 Uses the PE console for node data."
1607
1608 • Default: plain
1609
1610
1611
1612 noop
1613 Whether to apply catalogs in noop mode, which allows Puppet to par‐
1614 tially simulate a normal run. This setting affects puppet agent and
1615 puppet apply.
1616
1617 When running in noop mode, Puppet will check whether each resource is
1618 in sync, like it does when running normally. However, if a resource at‐
1619 tribute is not in the desired state (as declared in the catalog), Pup‐
1620 pet will take no action, and will instead report the changes it would
1621 have made. These simulated changes will appear in the report sent to
1622 the primary Puppet server, or be shown on the console if running puppet
1623 agent or puppet apply in the foreground. The simulated changes will not
1624 send refresh events to any subscribing or notified resources, although
1625 Puppet will log that a refresh event would have been sent.
1626
1627 Important note: The noop metaparameter https://puppet.com/docs/pup‐
1628 pet/latest/metaparameter.html#noop allows you to apply individual re‐
1629 sources in noop mode, and will override the global value of the noop
1630 setting. This means a resource with noop => false will be changed if
1631 necessary, even when running puppet agent with noop = true or --noop.
1632 (Conversely, a resource with noop => true will only be simulated, even
1633 when noop mode is globally disabled.)
1634
1635 • Default: false
1636
1637
1638
1639 number_of_facts_soft_limit
1640 The soft limit for the total number of facts.
1641
1642 • Default: 2048
1643
1644
1645
1646 onetime
1647 Perform one configuration run and exit, rather than spawning a
1648 long-running daemon. This is useful for interactively running puppet
1649 agent, or running puppet agent from cron.
1650
1651 • Default: false
1652
1653
1654
1655 passfile
1656 Where puppet agent stores the password for its private key. Generally
1657 unused.
1658
1659 • Default: $privatedir/password
1660
1661
1662
1663 path
1664 The shell search path. Defaults to whatever is inherited from the par‐
1665 ent process.
1666
1667 This setting can only be set in the [main] section of puppet.conf; it
1668 cannot be set in [server], [agent], or an environment config section.
1669
1670 • Default: none
1671
1672
1673
1674 payload_soft_limit
1675 The soft limit for the size of the payload.
1676
1677 • Default: 16777216
1678
1679
1680
1681 pidfile
1682 The file containing the PID of a running process. This file is intended
1683 to be used by service management frameworks and monitoring systems to
1684 determine if a puppet process is still in the process table.
1685
1686 • Default: $rundir/${run_mode}.pid
1687
1688
1689
1690 plugindest
1691 Where Puppet should store plugins that it pulls down from the central
1692 server.
1693
1694 • Default: $libdir
1695
1696
1697
1698 pluginfactdest
1699 Where Puppet should store external facts that are being handled by plu‐
1700 ginsync
1701
1702 • Default: $vardir/facts.d
1703
1704
1705
1706 pluginfactsource
1707 Where to retrieve external facts for pluginsync
1708
1709 • Default: puppet:///pluginfacts
1710
1711
1712
1713 pluginsignore
1714 What files to ignore when pulling down plugins.
1715
1716 • Default: .svn CVS .git .hg
1717
1718
1719
1720 pluginsource
1721 From where to retrieve plugins. The standard Puppet file type is used
1722 for retrieval, so anything that is a valid file source can be used
1723 here.
1724
1725 • Default: puppet:///plugins
1726
1727
1728
1729 pluginsync
1730 Whether plugins should be synced with the central server. This setting
1731 is deprecated.
1732
1733 • Default: true
1734
1735
1736
1737 postrun_command
1738 A command to run after every agent run. If this command returns a
1739 non-zero return code, the entire Puppet run will be considered to have
1740 failed, even though it might have performed work during the normal run.
1741
1742 preferred_serialization_format
1743 The preferred means of serializing ruby instances for passing over the
1744 wire. This won´t guarantee that all instances will be serialized using
1745 this method, since not all classes can be guaranteed to support this
1746 format, but it will be used for all classes that support it.
1747
1748 • Default: json
1749
1750
1751
1752 preprocess_deferred
1753 Whether puppet should call deferred functions before applying the cata‐
1754 log. If set to true, then all prerequisites needed for the deferred
1755 function must be satified prior to puppet running. If set to false,
1756 then deferred functions will follow puppet relationships and ordering.
1757 This allows puppet to install prerequisites needed for a deferred func‐
1758 tion and call the deferred function in the same run.
1759
1760 • Default: true
1761
1762
1763
1764 prerun_command
1765 A command to run before every agent run. If this command returns a
1766 non-zero return code, the entire Puppet run will fail.
1767
1768 preview_outputdir
1769 The directory where catalog previews per node are generated.
1770
1771 • Default: $vardir/preview
1772
1773
1774
1775 priority
1776 The scheduling priority of the process. Valid values are ´high´, ´nor‐
1777 mal´, ´low´, or ´idle´, which are mapped to platform-specific values.
1778 The priority can also be specified as an integer value and will be
1779 passed as is, e.g. -5. Puppet must be running as a privileged user in
1780 order to increase scheduling priority.
1781
1782 • Default: ``
1783
1784
1785
1786 privatedir
1787 Where the client stores private certificate information.
1788
1789 • Default: $ssldir/private
1790
1791
1792
1793 privatekeydir
1794 The private key directory.
1795
1796 • Default: $ssldir/private_keys
1797
1798
1799
1800 profile
1801 Whether to enable experimental performance profiling
1802
1803 • Default: false
1804
1805
1806
1807 publicdir
1808 Where Puppet stores public files.
1809
1810 • Default: Unix/Linux: /var/lib/puppet/public -- Windows: C:\Program‐
1811 Data\PuppetLabs\puppet\public -- Non-root user: ~/.puppet‐
1812 labs/opt/puppet/public
1813
1814
1815
1816 publickeydir
1817 The public key directory.
1818
1819 • Default: $ssldir/public_keys
1820
1821
1822
1823 puppet_trace
1824 Whether to print the Puppet stack trace on some errors. This is a noop
1825 if trace is also set.
1826
1827 • Default: false
1828
1829
1830
1831 puppetdlog
1832 The fallback log file. This is only used when the --logdest option is
1833 not specified AND Puppet is running on an operating system where both
1834 the POSIX syslog service and the Windows Event Log are unavailable.
1835 (Currently, no supported operating systems match that description.)
1836
1837 Despite the name, both puppet agent and puppet server will use this
1838 file as the fallback logging destination.
1839
1840 For control over logging destinations, see the --logdest command line
1841 option in the manual pages for puppet server, puppet agent, and puppet
1842 apply. You can see man pages by running puppet <SUBCOMMAND> --help, or
1843 read them online at https://puppet.com/docs/puppet/latest/man/.
1844
1845 • Default: $logdir/puppetd.log
1846
1847
1848
1849 report
1850 Whether to send reports after every transaction.
1851
1852 • Default: true
1853
1854
1855
1856 report_configured_environmentpath
1857 When versioned_environment_dirs is true Puppet will readlink the envi‐
1858 ronmentpath when constructing the environment´s modulepath. The full
1859 readlinked path is referred to as the "resolved path" and the config‐
1860 ured path potentially containing symlinks is the "configured path".
1861 When reporting where resources come from users may choose between the
1862 configured or resolved path.
1863
1864 When set to false, the resolved paths are reported instead of the con‐
1865 figured paths.
1866
1867 • Default: true
1868
1869
1870
1871 report_include_system_store
1872 Whether the ´http´ report processor should include the system certifi‐
1873 cate store when submitting reports to HTTPS URLs. If false, then the
1874 ´http´ processor will only trust HTTPS report servers whose certifi‐
1875 cates are issued by the puppet CA or one of its intermediate CAs. If
1876 true, the processor will additionally trust CA certificates in the sys‐
1877 tem´s certificate store.
1878
1879 • Default: false
1880
1881
1882
1883 report_port
1884 The port to communicate with the report_server.
1885
1886 • Default: $serverport
1887
1888
1889
1890 report_server
1891 The server to send transaction reports to.
1892
1893 • Default: $server
1894
1895
1896
1897 reportdir
1898 The directory in which to store reports. Each node gets a separate sub‐
1899 directory in this directory. This setting is only used when the store
1900 report processor is enabled (see the reports setting).
1901
1902 • Default: $vardir/reports
1903
1904
1905
1906 reports
1907 The list of report handlers to use. When using multiple report han‐
1908 dlers, their names should be comma-separated, with whitespace allowed.
1909 (For example, reports = http, store.)
1910
1911 This setting is relevant to puppet server and puppet apply. The primary
1912 Puppet server will call these report handlers with the reports it re‐
1913 ceives from agent nodes, and puppet apply will call them with its own
1914 report. (In all cases, the node applying the catalog must have report =
1915 true.)
1916
1917 See the report reference for information on the built-in report han‐
1918 dlers; custom report handlers can also be loaded from modules. (Report
1919 handlers are loaded from the lib directory, at puppet/reports/NAME.rb.)
1920
1921 To turn off reports entirely, set this to none
1922
1923 • Default: store
1924
1925
1926
1927 reporturl
1928 The URL that reports should be forwarded to. This setting is only used
1929 when the http report processor is enabled (see the reports setting).
1930
1931 • Default: http://localhost:3000/reports/upload
1932
1933
1934
1935 requestdir
1936 Where host certificate requests are stored.
1937
1938 • Default: $ssldir/certificate_requests
1939
1940
1941
1942 resourcefile
1943 The file in which puppet agent stores a list of the resources associ‐
1944 ated with the retrieved configuration.
1945
1946 • Default: $statedir/resources.txt
1947
1948
1949
1950 resubmit_facts
1951 Whether to send updated facts after every transaction. By default pup‐
1952 pet only submits facts at the beginning of the transaction before ap‐
1953 plying a catalog. Since puppet can modify the state of the system, the
1954 value of the facts may change after puppet finishes. Therefore, any
1955 facts stored in puppetdb may not be consistent until the agent next
1956 runs, typically in 30 minutes. If this feature is enabled, puppet will
1957 resubmit facts after applying its catalog, ensuring facts for the node
1958 stored in puppetdb are current. However, this will double the fact sub‐
1959 mission load on puppetdb, so it is disabled by default.
1960
1961 • Default: false
1962
1963
1964
1965 rich_data
1966 Enables having extended data in the catalog by storing them as a hash
1967 with the special key __ptype. When enabled, resource containing values
1968 of the data types Binary, Regexp, SemVer, SemVerRange, Timespan and
1969 Timestamp, as well as instances of types derived from Object retain
1970 their data type.
1971
1972 • Default: true
1973
1974
1975
1976 route_file
1977 The YAML file containing indirector route configuration.
1978
1979 • Default: $confdir/routes.yaml
1980
1981
1982
1983 rundir
1984 Where Puppet PID files are kept.
1985
1986 • Default: Unix/Linux: /var/run/puppetlabs -- Windows: C:\Program‐
1987 Data\PuppetLabs\puppet\var\run -- Non-root user: ~/.puppet‐
1988 labs/var/run
1989
1990
1991
1992 runinterval
1993 How often puppet agent applies the catalog. Note that a runinterval of
1994 0 means "run continuously" rather than "never run." This setting can be
1995 a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days
1996 (2d), or years (5y).
1997
1998 • Default: 30m
1999
2000
2001
2002 runtimeout
2003 The maximum amount of time an agent run is allowed to take. A Puppet
2004 agent run that exceeds this timeout will be aborted. A value of 0 dis‐
2005 ables the timeout. Defaults to 1 hour. This setting can be a time in‐
2006 terval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
2007 years (5y).
2008
2009 • Default: 1h
2010
2011
2012
2013 serial
2014 Where the serial number for certificates is stored.
2015
2016 • Default: $cadir/serial
2017
2018
2019
2020 server
2021 The primary Puppet server to which the Puppet agent should connect.
2022
2023 • Default: puppet
2024
2025
2026
2027 server_datadir
2028 The directory in which serialized data is stored, usually in a subdi‐
2029 rectory.
2030
2031 • Default: $vardir/server_data
2032
2033
2034
2035 server_list
2036 The list of primary Puppet servers to which the Puppet agent should
2037 connect, in the order that they will be tried. Each value should be a
2038 fully qualified domain name, followed by an optional ´:´ and port num‐
2039 ber. If a port is omitted, Puppet uses masterport for that host.
2040
2041 • Default: []
2042
2043
2044
2045 serverport
2046 The default port puppet subcommands use to communicate with Puppet
2047 Server. (eg puppet facts upload, puppet agent). May be overridden by
2048 more specific settings (see ca_port, report_port).
2049
2050 • Default: 8140
2051
2052
2053
2054 settings_catalog
2055 Whether to compile and apply the settings catalog
2056
2057 • Default: true
2058
2059
2060
2061 show_diff
2062 Whether to log and report a contextual diff when files are being re‐
2063 placed. This causes partial file contents to pass through Puppet´s nor‐
2064 mal logging and reporting system, so this setting should be used with
2065 caution if you are sending Puppet´s reports to an insecure destination.
2066 This feature currently requires the diff/lcs Ruby library.
2067
2068 • Default: false
2069
2070
2071
2072 signeddir
2073 Where the CA stores signed certificates.
2074
2075 • Default: $cadir/signed
2076
2077
2078
2079 skip_tags
2080 Tags to use to filter resources. If this is set, then only resources
2081 not tagged with the specified tags will be applied. Values must be
2082 comma-separated.
2083
2084 sourceaddress
2085 The address the agent should use to initiate requests.
2086
2087 • Default: ``
2088
2089
2090
2091 splay
2092 Whether to sleep for a random amount of time, ranging from immediately
2093 up to its $splaylimit, before performing its first agent run after a
2094 service restart. After this period, the agent runs periodically on its
2095 $runinterval.
2096
2097 For example, assume a default 30-minute $runinterval, splay set to its
2098 default of false, and an agent starting at :00 past the hour. The agent
2099 would check in every 30 minutes at :01 and :31 past the hour.
2100
2101 With splay enabled, it waits any amount of time up to its $splaylimit
2102 before its first run. For example, it might randomly wait 8 minutes,
2103 then start its first run at :08 past the hour. With the $runinterval at
2104 its default 30 minutes, its next run will be at :38 past the hour.
2105
2106 If you restart an agent´s puppet service with splay enabled, it recal‐
2107 culates its splay period and delays its first agent run after restart‐
2108 ing for this new period. If you simultaneously restart a group of pup‐
2109 pet agents with splay enabled, their checkins to your primary servers
2110 can be distributed more evenly.
2111
2112 • Default: false
2113
2114
2115
2116 splaylimit
2117 The maximum time to delay before an agent´s first run when splay is en‐
2118 abled. Defaults to the agent´s $runinterval. The splay interval is ran‐
2119 dom and recalculated each time the agent is started or restarted. This
2120 setting can be a time interval in seconds (30 or 30s), minutes (30m),
2121 hours (6h), days (2d), or years (5y).
2122
2123 • Default: $runinterval
2124
2125
2126
2127 srv_domain
2128 The domain which will be queried to find the SRV records of servers to
2129 use.
2130
2131 • Default: example.com
2132
2133
2134
2135 ssl_client_header
2136 The header containing an authenticated client´s SSL DN. This header
2137 must be set by the proxy to the authenticated client´s SSL DN (e.g.,
2138 /CN=puppet.puppetlabs.com). Puppet will parse out the Common Name (CN)
2139 from the Distinguished Name (DN) and use the value of the CN field for
2140 authorization.
2141
2142 Note that the name of the HTTP header gets munged by the web server
2143 common gateway interface: an HTTP_ prefix is added, dashes are con‐
2144 verted to underscores, and all letters are uppercased. Thus, to use the
2145 X-Client-DN header, this setting should be HTTP_X_CLIENT_DN.
2146
2147 • Default: HTTP_X_CLIENT_DN
2148
2149
2150
2151 ssl_client_verify_header
2152 The header containing the status message of the client verification.
2153 This header must be set by the proxy to ´SUCCESS´ if the client suc‐
2154 cessfully authenticated, and anything else otherwise.
2155
2156 Note that the name of the HTTP header gets munged by the web server
2157 common gateway interface: an HTTP_ prefix is added, dashes are con‐
2158 verted to underscores, and all letters are uppercased. Thus, to use the
2159 X-Client-Verify header, this setting should be HTTP_X_CLIENT_VERIFY.
2160
2161 • Default: HTTP_X_CLIENT_VERIFY
2162
2163
2164
2165 ssl_lockfile
2166 A lock file to indicate that the ssl bootstrap process is currently in
2167 progress.
2168
2169 • Default: $ssldir/ssl.lock
2170
2171
2172
2173 ssl_trust_store
2174 A file containing CA certificates in PEM format that puppet should
2175 trust when making HTTPS requests. This only applies to https requests
2176 to non-puppet infrastructure, such as retrieving file metadata and con‐
2177 tent from https file sources, puppet module tool and the ´http´ report
2178 processor. This setting is ignored when making requests to puppet://
2179 URLs such as catalog and report requests.
2180
2181 • Default: ``
2182
2183
2184
2185 ssldir
2186 Where SSL certificates are kept.
2187
2188 • Default: $confdir/ssl
2189
2190
2191
2192 statedir
2193 The directory where Puppet state is stored. Generally, this directory
2194 can be removed without causing harm (although it might result in spuri‐
2195 ous service restarts).
2196
2197 • Default: $vardir/state
2198
2199
2200
2201 statefile
2202 Where Puppet agent and Puppet Server store state associated with the
2203 running configuration. In the case of Puppet Server, this file reflects
2204 the state discovered through interacting with clients.
2205
2206 • Default: $statedir/state.yaml
2207
2208
2209
2210 statettl
2211 How long the Puppet agent should cache when a resource was last checked
2212 or synced. This setting can be a time interval in seconds (30 or 30s),
2213 minutes (30m), hours (6h), days (2d), or years (5y). A value of 0 or
2214 unlimited will disable cache pruning.
2215
2216 This setting affects the usage of schedule resources, as the informa‐
2217 tion about when a resource was last checked (and therefore when it
2218 needs to be checked again) is stored in the statefile. The statettl
2219 needs to be large enough to ensure that a resource will not trigger
2220 multiple times during a schedule due to its entry expiring from the
2221 cache.
2222
2223 • Default: 32d
2224
2225
2226
2227 static_catalogs
2228 Whether to compile a static catalog https://puppet.com/docs/puppet/lat‐
2229 est/static_catalogs.html#enabling-or-disabling-static-catalogs, which
2230 occurs only on Puppet Server when the code-id-command and code-con‐
2231 tent-command settings are configured in its puppetserver.conf file.
2232
2233 • Default: true
2234
2235
2236
2237 storeconfigs
2238 Whether to store each client´s configuration, including catalogs,
2239 facts, and related data. This also enables the import and export of re‐
2240 sources in the Puppet language - a mechanism for exchange resources be‐
2241 tween nodes.
2242
2243 By default this uses the ´puppetdb´ backend.
2244
2245 You can adjust the backend using the storeconfigs_backend setting.
2246
2247 • Default: false
2248
2249
2250
2251 storeconfigs_backend
2252 Configure the backend terminus used for StoreConfigs. By default, this
2253 uses the PuppetDB store, which must be installed and configured before
2254 turning on StoreConfigs.
2255
2256 • Default: puppetdb
2257
2258
2259
2260 strict
2261 The strictness level of puppet. Allowed values are:
2262
2263 • off - do not perform extra validation, do not report
2264
2265 • warning - perform extra validation, report as warning (default)
2266
2267 • error - perform extra validation, fail with error
2268
2269
2270
2271 The strictness level is for both language semantics and runtime evalua‐
2272 tion validation. In addition to controlling the behavior with this pri‐
2273 mary server switch some individual warnings may also be controlled by
2274 the disable_warnings setting.
2275
2276 No new validations will be added to a micro (x.y.z) release, but may be
2277 added in minor releases (x.y.0). In major releases it expected that
2278 most (if not all) strictness validation become standard behavior.
2279
2280 • Default: warning
2281
2282
2283
2284 strict_environment_mode
2285 Whether the agent specified environment should be considered authorita‐
2286 tive, causing the run to fail if the retrieved catalog does not match
2287 it.
2288
2289 • Default: false
2290
2291
2292
2293 strict_variables
2294 Causes an evaluation error when referencing unknown variables. (This
2295 does not affect referencing variables that are explicitly set to un‐
2296 def).
2297
2298 • Default: false
2299
2300
2301
2302 summarize
2303 Whether to print a transaction summary.
2304
2305 • Default: false
2306
2307
2308
2309 supported_checksum_types
2310 Checksum types supported by this agent for use in file resources of a
2311 static catalog. Values must be comma-separated. Valid types are sha256,
2312 sha256lite, sha384, sha512, sha224, sha1, sha1lite, md5, md5lite,
2313 mtime, ctime. Default is sha256, sha384, sha512, sha224, md5.
2314
2315 • Default: ["sha256", "sha384", "sha512", "sha224", "md5"]
2316
2317
2318
2319 syslogfacility
2320 What syslog facility to use when logging to syslog. Syslog has a fixed
2321 list of valid facilities, and you must choose one of those; you cannot
2322 just make one up.
2323
2324 • Default: daemon
2325
2326
2327
2328 tags
2329 Tags to use to find resources. If this is set, then only resources
2330 tagged with the specified tags will be applied. Values must be
2331 comma-separated.
2332
2333 tasks
2334 Turns on experimental support for tasks and plans in the puppet lan‐
2335 guage. This is for internal API use only. Do not change this setting.
2336
2337 • Default: false
2338
2339
2340
2341 top_level_facts_soft_limit
2342 The soft limit for the number of top level facts.
2343
2344 • Default: 512
2345
2346
2347
2348 trace
2349 Whether to print stack traces on some errors. Will print internal Ruby
2350 stack trace interleaved with Puppet function frames.
2351
2352 • Default: false
2353
2354
2355
2356 transactionstorefile
2357 Transactional storage file for persisting data between transactions for
2358 the purposes of inferring information (such as corrective_change) on
2359 new data received.
2360
2361 • Default: $statedir/transactionstore.yaml
2362
2363
2364
2365 trusted_external_command
2366 The external trusted facts script or directory to use. This setting´s
2367 value can be set to the path to an executable command that can produce
2368 external trusted facts or to a directory containing those executable
2369 commands. The command(s) must:
2370
2371 • Take the name of a node as a command-line argument.
2372
2373 • Return a JSON hash with the external trusted facts for this node.
2374
2375 • For unknown or invalid nodes, exit with a non-zero exit code.
2376
2377
2378
2379 If the setting points to an executable command, then the external
2380 trusted facts will be stored in the ´external´ key of the trusted facts
2381 hash. Otherwise for each executable file in the directory, the external
2382 trusted facts will be stored in the <basename> key of the trusted[´ex‐
2383 ternal´] hash. For example, if the files foo.rb and bar.sh are in the
2384 directory, then trusted[´external´] will be the hash { ´foo´ => <foo.rb
2385 output>, ´bar´ => <bar.sh output> }.
2386
2387 • Default: ``
2388
2389
2390
2391 trusted_oid_mapping_file
2392 File that provides mapping between custom SSL oids and user-friendly
2393 names
2394
2395 • Default: $confdir/custom_trusted_oid_mapping.yaml
2396
2397
2398
2399 use_cached_catalog
2400 Whether to only use the cached catalog rather than compiling a new cat‐
2401 alog on every run. Puppet can be run with this enabled by default and
2402 then selectively disabled when a recompile is desired. Because a Puppet
2403 agent using cached catalogs does not contact the primary server for a
2404 new catalog, it also does not upload facts at the beginning of the Pup‐
2405 pet run.
2406
2407 • Default: false
2408
2409
2410
2411 use_last_environment
2412 Puppet saves both the initial and converged environment in the
2413 last_run_summary file. If they differ, and this setting is set to true,
2414 we will use the last converged environment and skip the node request.
2415
2416 When set to false, we will do the node request and ignore the environ‐
2417 ment data from the last_run_summary file.
2418
2419 • Default: true
2420
2421
2422
2423 use_srv_records
2424 Whether the server will search for SRV records in DNS for the current
2425 domain.
2426
2427 • Default: false
2428
2429
2430
2431 usecacheonfailure
2432 Whether to use the cached configuration when the remote configuration
2433 will not compile. This option is useful for testing new configurations,
2434 where you want to fix the broken configuration rather than reverting to
2435 a known-good one.
2436
2437 • Default: true
2438
2439
2440
2441 user
2442 The user Puppet Server will run as. Used to ensure the agent side pro‐
2443 cesses (agent, apply, etc) create files and directories readable by
2444 Puppet Server when necessary.
2445
2446 • Default: puppet
2447
2448
2449
2450 vardir
2451 Where Puppet stores dynamic and growing data. The default for this set‐
2452 ting is calculated specially, like confdir_.
2453
2454 • Default: Unix/Linux: /var/lib/puppet -- Windows: C:\Program‐
2455 Data\PuppetLabs\puppet\cache -- Non-root user: ~/.puppet‐
2456 labs/opt/puppet/cache
2457
2458
2459
2460 vendormoduledir
2461 The directory containing vendored modules. These modules will be used
2462 by all environments like those in the basemodulepath. The only differ‐
2463 ence is that modules in the basemodulepath are pluginsynced, while ven‐
2464 dored modules are not
2465
2466 • Default: /usr/share/puppet/vendor_modules
2467
2468
2469
2470 versioned_environment_dirs
2471 Whether or not to look for versioned environment directories, symlinked
2472 from $environmentpath/<environment>. This is an experimental feature
2473 and should be used with caution.
2474
2475 • Default: false
2476
2477
2478
2479 waitforcert
2480 How frequently puppet agent should ask for a signed certificate.
2481
2482 When starting for the first time, puppet agent will submit a certifi‐
2483 cate signing request (CSR) to the server named in the ca_server setting
2484 (usually the primary Puppet server); this may be autosigned, or may
2485 need to be approved by a human, depending on the CA server´s configura‐
2486 tion.
2487
2488 Puppet agent cannot apply configurations until its approved certificate
2489 is available. Since the certificate may or may not be available immedi‐
2490 ately, puppet agent will repeatedly try to fetch it at this interval.
2491 You can turn off waiting for certificates by specifying a time of 0, or
2492 a maximum amount of time to wait in the maxwaitforcert setting, in
2493 which case puppet agent will exit if it cannot get a cert. This setting
2494 can be a time interval in seconds (30 or 30s), minutes (30m), hours
2495 (6h), days (2d), or years (5y).
2496
2497 • Default: 2m
2498
2499
2500
2501 waitforlock
2502 How frequently puppet agent should try running when there is an already
2503 ongoing puppet agent instance.
2504
2505 This argument is by default disabled (value set to 0). In this case
2506 puppet agent will immediately exit if it cannot run at that moment.
2507 When a value other than 0 is set, this can also be used in combination
2508 with the maxwaitforlock argument. This setting can be a time interval
2509 in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years
2510 (5y).
2511
2512 • Default: 0
2513
2514
2515
2516 write_catalog_summary
2517 Whether to write the classfile and resourcefile after applying the cat‐
2518 alog. It is enabled by default, except when running puppet apply.
2519
2520 • Default: true
2521
2522
2523
2524 yamldir
2525 The directory in which YAML data is stored, usually in a subdirectory.
2526
2527 • Default: $vardir/yaml
2528
2529
2530
2531
2532
2533
2534Puppet, Inc. October 2023 PUPPETCONF(5)