1PUPPETCONF(5) Puppet manual PUPPETCONF(5)
2
3
4
6
8 • Each of these settings can be specified in puppet.conf or on the
9 command line.
10
11 • Puppet Enterprise (PE) and open source Puppet share the configura‐
12 tion settings documented here. However, PE defaults differ from
13 open source defaults for some settings, such as node_terminus,
14 storeconfigs, always_retry_plugins, disable18n, environment_timeout
15 (when Code Manager is enabled), and the Puppet Server JRuby max-ac‐
16 tive-instances setting. To verify PE configuration defaults, check
17 the puppet.conf or pe-puppet-server.conf file after installation.
18
19 • When using boolean settings on the command line, use --setting and
20 --no-setting instead of --setting (true|false). (Using --setting
21 false results in "Error: Could not parse application options: need‐
22 less argument".)
23
24 • Settings can be interpolated as $variables in other settings; $en‐
25 vironment is special, in that puppet master will interpolate each
26 agent node´s environment instead of its own.
27
28 • Multiple values should be specified as comma-separated lists; mul‐
29 tiple directories should be separated with the system path separa‐
30 tor (usually a colon).
31
32 • Settings that represent time intervals should be specified in dura‐
33 tion format: an integer immediately followed by one of the units
34 ´y´ (years of 365 days), ´d´ (days), ´h´ (hours), ´m´ (minutes), or
35 ´s´ (seconds). The unit cannot be combined with other units, and
36 defaults to seconds when omitted. Examples are ´3600´ which is
37 equivalent to ´1h´ (one hour), and ´1825d´ which is equivalent to
38 ´5y´ (5 years).
39
40 • If you use the splay setting, note that the period that it waits
41 changes each time the Puppet agent is restarted.
42
43 • Settings that take a single file or directory can optionally set
44 the owner, group, and mode for their value: rundir = $vardir/run {
45 owner = puppet, group = puppet, mode = 644 }
46
47 • The Puppet executables ignores any setting that isn´t relevant to
48 their function.
49
50
51
52 See the configuration guide https://puppet.com/docs/puppet/latest/con‐
53 fig_about_settings.html for more details.
54
55 agent_catalog_run_lockfile
56 A lock file to indicate that a puppet agent catalog run is currently in
57 progress. The file contains the pid of the process that holds the lock
58 on the catalog run.
59
60 • Default: $statedir/agent_catalog_run.lock
61
62
63
64 agent_disabled_lockfile
65 A lock file to indicate that puppet agent runs have been administra‐
66 tively disabled. File contains a JSON object with state information.
67
68 • Default: $statedir/agent_disabled.lock
69
70
71
72 allow_duplicate_certs
73 Whether to allow a new certificate request to overwrite an existing
74 certificate request. If true, then the old certificate must be cleaned
75 using puppetserver ca clean, and the new request signed using puppet‐
76 server ca sign.
77
78 • Default: false
79
80
81
82 always_retry_plugins
83 Affects how we cache attempts to load Puppet resource types and fea‐
84 tures. If true, then calls to Puppet.type.<type>? Puppet.feature.<fea‐
85 ture>? will always attempt to load the type or feature (which can be an
86 expensive operation) unless it has already been loaded successfully.
87 This makes it possible for a single agent run to, e.g., install a pack‐
88 age that provides the underlying capabilities for a type or feature,
89 and then later load that type or feature during the same run (even if
90 the type or feature had been tested earlier and had not been avail‐
91 able).
92
93 If this setting is set to false, then types and features will only be
94 checked once, and if they are not available, the negative result is
95 cached and returned for all subsequent attempts to load the type or
96 feature. This behavior is almost always appropriate for the server, and
97 can result in a significant performance improvement for types and fea‐
98 tures that are checked frequently.
99
100 • Default: true
101
102
103
104 autoflush
105 Whether log files should always flush to disk.
106
107 • Default: true
108
109
110
111 autosign
112 Whether (and how) to autosign certificate requests. This setting is
113 only relevant on a Puppet Server acting as a certificate authority
114 (CA).
115
116 Valid values are true (autosigns all certificate requests; not recom‐
117 mended), false (disables autosigning certificates), or the absolute
118 path to a file.
119
120 The file specified in this setting may be either a configuration file
121 or a custom policy executable. Puppet will automatically determine what
122 it is: If the Puppet user (see the user setting) can execute the file,
123 it will be treated as a policy executable; otherwise, it will be
124 treated as a config file.
125
126 If a custom policy executable is configured, the CA Puppet Server will
127 run it every time it receives a CSR. The executable will be passed the
128 subject CN of the request as a command line argument, and the contents
129 of the CSR in PEM format on stdin. It should exit with a status of 0 if
130 the cert should be autosigned and non-zero if the cert should not be
131 autosigned.
132
133 If a certificate request is not autosigned, it will persist for review.
134 An admin user can use the puppetserver ca sign command to manually sign
135 it, or can delete the request.
136
137 For info on autosign configuration files, see the guide to Puppet´s
138 config files https://puppet.com/docs/puppet/latest/config_file_au‐
139 tosign.html.
140
141 • Default: $confdir/autosign.conf
142
143
144
145 basemodulepath
146 The search path for global modules. Should be specified as a list of
147 directories separated by the system path separator character. (The
148 POSIX path separator is ´:´, and the Windows path separator is ´;´.)
149
150 These are the modules that will be used by all environments. Note that
151 the modules directory of the active environment will have priority over
152 any global directories. For more info, see https://puppet.com/docs/pup‐
153 pet/latest/environments_about.html
154
155 • Default: $codedir/modules:/usr/share/puppet/modules
156
157
158
159 binder_config
160 The binder configuration file. Puppet reads this file on each request
161 to configure the bindings system. If set to nil (the default), a
162 $confdir/binder_config.yaml is optionally loaded. If it does not ex‐
163 ists, a default configuration is used. If the setting :binding_config
164 is specified, it must reference a valid and existing yaml file.
165
166 • Default: ``
167
168
169
170 bucketdir
171 Where FileBucket files are stored.
172
173 • Default: $vardir/bucket
174
175
176
177 ca_fingerprint
178 The expected fingerprint of the CA certificate. If specified, the agent
179 will compare the CA certificate fingerprint that it downloads against
180 this value and reject the CA certificate if the values do not match.
181 This only applies during the first download of the CA certificate.
182
183 • Default: ``
184
185
186
187 ca_name
188 The name to use the Certificate Authority certificate.
189
190 • Default: Puppet CA: $certname
191
192
193
194 ca_port
195 The port to use for the certificate authority.
196
197 • Default: $serverport
198
199
200
201 ca_server
202 The server to use for certificate authority requests. It´s a separate
203 server because it cannot and does not need to horizontally scale.
204
205 • Default: $server
206
207
208
209 ca_ttl
210 The default TTL for new certificates. This setting can be a time inter‐
211 val in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
212 years (5y).
213
214 • Default: 5y
215
216
217
218 cacert
219 The CA certificate.
220
221 • Default: $cadir/ca_crt.pem
222
223
224
225 cacrl
226 The certificate revocation list (CRL) for the CA.
227
228 • Default: $cadir/ca_crl.pem
229
230
231
232 cadir
233 The root directory for the certificate authority.
234
235 • Default: /etc/puppetserver/ca
236
237
238
239 cakey
240 The CA private key.
241
242 • Default: $cadir/ca_key.pem
243
244
245
246 capub
247 The CA public key.
248
249 • Default: $cadir/ca_pub.pem
250
251
252
253 catalog_cache_terminus
254 How to store cached catalogs. Valid values are ´json´, ´msgpack´ and
255 ´yaml´. The agent application defaults to ´json´.
256
257 • Default: ``
258
259
260
261 catalog_terminus
262 Where to get node catalogs. This is useful to change if, for instance,
263 you´d like to pre-compile catalogs and store them in memcached or some
264 other easily-accessed store.
265
266 • Default: compiler
267
268
269
270 cert_inventory
271 The inventory file. This is a text file to which the CA writes a com‐
272 plete listing of all certificates.
273
274 • Default: $cadir/inventory.txt
275
276
277
278 certdir
279 The certificate directory.
280
281 • Default: $ssldir/certs
282
283
284
285 certificate_revocation
286 Whether certificate revocation checking should be enabled, and what
287 level of checking should be performed.
288
289 When certificate revocation is enabled, Puppet expects the contents of
290 its CRL to be one or more PEM-encoded CRLs concatenated together. When
291 using a cert bundle, CRLs for all CAs in the chain of trust must be in‐
292 cluded in the crl file. The chain should be ordered from least to most
293 authoritative, with the first CRL listed being for the root of the
294 chain and the last being for the leaf CA.
295
296 When certificate_revocation is set to ´true´ or ´chain´, Puppet ensures
297 that each CA in the chain of trust has not been revoked by its issuing
298 CA.
299
300 When certificate_revocation is set to ´leaf´, Puppet verifies certs
301 against the issuing CA´s revocation list, but it does not verify the
302 revocation status of the issuing CA or any CA above it within the chain
303 of trust.
304
305 When certificate_revocation is set to ´false´, Puppet disables all cer‐
306 tificate revocation checking and does not attempt to download the CRL.
307
308 • Default: chain
309
310
311
312 certname
313 The name to use when handling certificates. When a node requests a cer‐
314 tificate from the CA Puppet Server, it uses the value of the certname
315 setting as its requested Subject CN.
316
317 This is the name used when managing a node´s permissions in Puppet
318 Server´s auth.conf https://puppet.com/docs/puppetserver/latest/con‐
319 fig_file_auth.html. In most cases, it is also used as the node´s name
320 when matching node definitions https://puppet.com/docs/puppet/lat‐
321 est/lang_node_definitions.html and requesting data from an ENC. (This
322 can be changed with the node_name_value and node_name_fact settings,
323 although you should only do so if you have a compelling reason.)
324
325 A node´s certname is available in Puppet manifests as $trusted[´cert‐
326 name´]. (See Facts and Built-In Variables https://puppet.com/docs/pup‐
327 pet/latest/lang_facts_and_builtin_vars.html for more details.)
328
329 • For best compatibility, you should limit the value of certname to
330 only use lowercase letters, numbers, periods, underscores, and
331 dashes. (That is, it should match /A[a-z0-9._-]+Z/.)
332
333 • The special value ca is reserved, and can´t be used as the certname
334 for a normal node.
335
336 Note: You must set the certname in the main section of the pup‐
337 pet.conf file. Setting it in a different section causes errors.
338
339
340
341 Defaults to the node´s fully qualified domain name.
342
343 • Default: the Host´s fully qualified domain name, as determined by
344 Facter
345
346
347
348 ciphers
349 The list of ciphersuites for TLS connections initiated by puppet. The
350 default value is chosen to support TLS 1.0 and up, but can be made more
351 restrictive if needed. The ciphersuites must be specified in OpenSSL
352 format, not IANA.
353
354 • Default:
355 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
356
357
358
359 classfile
360 The file in which puppet agent stores a list of the classes associated
361 with the retrieved configuration. Can be loaded in the separate puppet
362 executable using the --loadclasses option.
363
364 • Default: $statedir/classes.txt
365
366
367
368 client_datadir
369 The directory in which serialized data is stored on the client.
370
371 • Default: $vardir/client_data
372
373
374
375 clientbucketdir
376 Where FileBucket files are stored locally.
377
378 • Default: $vardir/clientbucket
379
380
381
382 clientyamldir
383 The directory in which client-side YAML data is stored.
384
385 • Default: $vardir/client_yaml
386
387
388
389 code
390 Code to parse directly. This is essentially only used by puppet, and
391 should only be set if you´re writing your own Puppet executable.
392
393 codedir
394 The main Puppet code directory. The default for this setting is calcu‐
395 lated based on the user. If the process is running as root or the user
396 that Puppet is supposed to run as, it defaults to a system directory,
397 but if it´s running as any other user, it defaults to being in the
398 user´s home directory.
399
400 • Default: Unix/Linux: /etc/puppet/code -- Windows: C:\Program‐
401 Data\PuppetLabs\code -- Non-root user: ~/.puppetlabs/etc/code
402
403
404
405 color
406 Whether to use colors when logging to the console. Valid values are
407 ansi (equivalent to true), html, and false, which produces no color.
408
409 • Default: ansi
410
411
412
413 confdir
414 The main Puppet configuration directory. The default for this setting
415 is calculated based on the user. If the process is running as root or
416 the user that Puppet is supposed to run as, it defaults to a system di‐
417 rectory, but if it´s running as any other user, it defaults to being in
418 the user´s home directory.
419
420 • Default: Unix/Linux: /etc/puppet -- Windows: C:\ProgramData\Puppet‐
421 Labs\puppet\etc -- Non-root user: ~/.puppetlabs/etc/puppet
422
423
424
425 config
426 The configuration file for the current puppet application.
427
428 • Default: $confdir/${config_file_name}
429
430
431
432 config_file_name
433 The name of the puppet config file.
434
435 • Default: puppet.conf
436
437
438
439 config_version
440 How to determine the configuration version. By default, it will be the
441 time that the configuration is parsed, but you can provide a shell
442 script to override how the version is determined. The output of this
443 script will be added to every log message in the reports, allowing you
444 to correlate changes on your hosts to the source version on the server.
445
446 Setting a global value for config_version in puppet.conf is not allowed
447 (but it can be overridden from the commandline). Please set a per-envi‐
448 ronment value in environment.conf instead. For more info, see
449 https://puppet.com/docs/puppet/latest/environments_about.html
450
451 configprint
452 Prints the value of a specific configuration setting. If the name of a
453 setting is provided for this, then the value is printed and puppet ex‐
454 its. Comma-separate multiple values. For a list of all values, specify
455 ´all´. This setting is deprecated, the ´puppet config´ command replaces
456 this functionality.
457
458 crl_refresh_interval
459 How often the Puppet agent refreshes its local CRL. By default the CRL
460 is only downloaded once, and never refreshed. If a duration is speci‐
461 fied, then the agent will refresh its CRL whenever it next runs and the
462 elapsed time since the CRL was last refreshed exceeds the duration.
463
464 In general, the duration should be greater than the runinterval. Set‐
465 ting it to an equal or lesser value will cause the CRL to be refreshed
466 on every run.
467
468 If the agent downloads a new CRL, the agent will use it for subsequent
469 network requests. If the refresh request fails or if the CRL is un‐
470 changed on the server, then the agent run will continue using the local
471 CRL it already has.This setting can be a time interval in seconds (30
472 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
473
474 • Default: ``
475
476
477
478 csr_attributes
479 An optional file containing custom attributes to add to certificate
480 signing requests (CSRs). You should ensure that this file does not ex‐
481 ist on your CA Puppet Server; if it does, unwanted certificate exten‐
482 sions may leak into certificates created with the puppetserver ca gen‐
483 erate command.
484
485 If present, this file must be a YAML hash containing a custom_at‐
486 tributes key and/or an extension_requests key. The value of each key
487 must be a hash, where each key is a valid OID and each value is an ob‐
488 ject that can be cast to a string.
489
490 Custom attributes can be used by the CA when deciding whether to sign
491 the certificate, but are then discarded. Attribute OIDs can be any OID
492 value except the standard CSR attributes (i.e. attributes described in
493 RFC 2985 section 5.4). This is useful for embedding a pre-shared key
494 for autosigning policy executables (see the autosign setting), often by
495 using the 1.2.840.113549.1.9.7 ("challenge password") OID.
496
497 Extension requests will be permanently embedded in the final certifi‐
498 cate. Extension OIDs must be in the "ppRegCertExt"
499 (1.3.6.1.4.1.34380.1.1), "ppPrivCertExt" (1.3.6.1.4.1.34380.1.2), or
500 "ppAuthCertExt" (1.3.6.1.4.1.34380.1.3) OID arcs. The ppRegCertExt arc
501 is reserved for four of the most common pieces of data to embed:
502 pp_uuid (.1), pp_instance_id (.2), pp_image_name (.3), and pp_pre‐
503 shared_key (.4) --- in the YAML file, these can be referred to by their
504 short descriptive names instead of their full OID. The ppPrivCertExt
505 arc is unregulated, and can be used for site-specific extensions. The
506 ppAuthCert arc is reserved for two pieces of data to embed: pp_autho‐
507 rization (.1) and pp_auth_role (.13). As with ppRegCertExt, in the YAML
508 file, these can be referred to by their short descriptive name instead
509 of their full OID.
510
511 • Default: $confdir/csr_attributes.yaml
512
513
514
515 csrdir
516 Where the CA stores certificate requests.
517
518 • Default: $cadir/requests
519
520
521
522 daemonize
523 Whether to send the process into the background. This defaults to true
524 on POSIX systems, and to false on Windows (where Puppet currently can‐
525 not daemonize).
526
527 • Default: true
528
529
530
531 data_binding_terminus
532 This setting has been deprecated. Use of any value other than ´hiera´
533 should instead be configured in a version 5 hiera.yaml. Until this set‐
534 ting is removed, it controls which data binding terminus to use for
535 global automatic data binding (across all environments). By default
536 this value is ´hiera´. A value of ´none´ turns off the global binding.
537
538 • Default: hiera
539
540
541
542 default_file_terminus
543 The default source for files if no server is given in a uri, e.g. pup‐
544 pet:///file. The default of rest causes the file to be retrieved using
545 the server setting. When running apply the default is file_server,
546 causing requests to be filled locally.
547
548 • Default: rest
549
550
551
552 default_manifest
553 The default main manifest for directory environments. Any environment
554 that doesn´t set the manifest setting in its environment.conf file will
555 use this manifest.
556
557 This setting´s value can be an absolute or relative path. An absolute
558 path will make all environments default to the same main manifest; a
559 relative path will allow each environment to use its own manifest, and
560 Puppet will resolve the path relative to each environment´s main direc‐
561 tory.
562
563 In either case, the path can point to a single file or to a directory
564 of manifests to be evaluated in alphabetical order.
565
566 • Default: ./manifests
567
568
569
570 default_schedules
571 Boolean; whether to generate the default schedule resources. Setting
572 this to false is useful for keeping external report processors clean of
573 skipped schedule resources.
574
575 • Default: true
576
577
578
579 deviceconfdir
580 The root directory of devices´ $confdir.
581
582 • Default: $confdir/devices
583
584
585
586 deviceconfig
587 Path to the device config file for puppet device.
588
589 • Default: $confdir/device.conf
590
591
592
593 devicedir
594 The root directory of devices´ $vardir.
595
596 • Default: $vardir/devices
597
598
599
600 diff
601 Which diff command to use when printing differences between files. This
602 setting has no default value on Windows, as standard diff is not avail‐
603 able, but Puppet can use many third-party diff tools.
604
605 • Default: diff
606
607
608
609 diff_args
610 Which arguments to pass to the diff command when printing differences
611 between files. The command to use can be chosen with the diff setting.
612
613 • Default: -u
614
615
616
617 digest_algorithm
618 Which digest algorithm to use for file resources and the filebucket.
619 Valid values are sha256, sha384, sha512, sha224, md5. Default is
620 sha256.
621
622 • Default: sha256
623
624
625
626 disable_i18n
627 If true, turns off all translations of Puppet and module log messages,
628 which affects error, warning, and info log messages, as well as any
629 translations in the report and CLI.
630
631 • Default: true
632
633
634
635 disable_per_environment_manifest
636 Whether to disallow an environment-specific main manifest. When set to
637 true, Puppet will use the manifest specified in the default_manifest
638 setting for all environments. If an environment specifies a different
639 main manifest in its environment.conf file, catalog requests for that
640 environment will fail with an error.
641
642 This setting requires default_manifest to be set to an absolute path.
643
644 • Default: false
645
646
647
648 disable_warnings
649 A comma-separated list of warning types to suppress. If large numbers
650 of warnings are making Puppet´s logs too large or difficult to use, you
651 can temporarily silence them with this setting.
652
653 If you are preparing to upgrade Puppet to a new major version, you
654 should re-enable all warnings for a while.
655
656 Valid values for this setting are:
657
658 • deprecations --- disables deprecation warnings.
659
660 • undefined_variables --- disables warnings about non existing vari‐
661 ables.
662
663 • undefined_resources --- disables warnings about non existing re‐
664 sources.
665
666 • Default: []
667
668
669
670 dns_alt_names
671 A comma-separated list of alternate DNS names for Puppet Server. These
672 are extra hostnames (in addition to its certname) that the server is
673 allowed to use when serving agents. Puppet checks this setting when au‐
674 tomatically creating a certificate for Puppet agent or Puppet Server.
675 These can be either IP or DNS, and the type should be specified and
676 followed with a colon. Untyped inputs will default to DNS.
677
678 In order to handle agent requests at a given hostname (like "puppet.ex‐
679 ample.com"), Puppet Server needs a certificate that proves it´s allowed
680 to use that name; if a server shows a certificate that doesn´t include
681 its hostname, Puppet agents will refuse to trust it. If you use a sin‐
682 gle hostname for Puppet traffic but load-balance it to multiple Puppet
683 Servers, each of those servers needs to include the official hostname
684 in its list of extra names.
685
686 Note: The list of alternate names is locked in when the server´s cer‐
687 tificate is signed. If you need to change the list later, you can´t
688 just change this setting; you also need to regenerate the certificate.
689 For more information on that process, see the cert regen docs
690 https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html.
691
692 To see all the alternate names your servers are using, log into your CA
693 server and run puppetserver ca list --all, then check the output for
694 (alt names: ...). Most agent nodes should NOT have alternate names; the
695 only certs that should have them are Puppet Server nodes that you want
696 other agents to trust.
697
698 document_all
699 Whether to document all resources when using puppet doc to generate
700 manifest documentation.
701
702 • Default: false
703
704
705
706 environment
707 The environment in which Puppet is running. For clients, such as puppet
708 agent, this determines the environment itself, which Puppet uses to
709 find modules and much more. For servers, such as puppet server, this
710 provides the default environment for nodes that Puppet knows nothing
711 about.
712
713 When defining an environment in the [agent] section, this refers to the
714 environment that the agent requests from the primary server. The envi‐
715 ronment doesn´t have to exist on the local filesystem because the agent
716 fetches it from the primary server. This definition is used when run‐
717 ning puppet agent.
718
719 When defined in the [user] section, the environment refers to the path
720 that Puppet uses to search for code and modules related to its execu‐
721 tion. This requires the environment to exist locally on the filesystem
722 where puppet is being executed. Puppet subcommands, including puppet
723 module and puppet apply, use this definition.
724
725 Given that the context and effects vary depending on the config section
726 https://puppet.com/docs/puppet/latest/config_file_main.html#config-sec‐
727 tions in which the environment setting is defined, do not set it glob‐
728 ally.
729
730 • Default: production
731
732
733
734 environment_data_provider
735 The name of a registered environment data provider used when obtaining
736 environment specific data. The three built in and registered providers
737 are ´none´ (no data), ´function´ (data obtained by calling the function
738 ´environment::data()´) and ´hiera´ (data obtained using a data provider
739 configured using a hiera.yaml file in root of the environment). Other
740 environment data providers may be registered in modules on the module
741 path. For such custom data providers see the respective module documen‐
742 tation. This setting is deprecated.
743
744 • Default: ``
745
746
747
748 environment_timeout
749 How long the Puppet server should cache data it loads from an environ‐
750 ment.
751
752 A value of 0 will disable caching. This setting can also be set to un‐
753 limited, which will cache environments until the server is restarted or
754 told to refresh the cache. All other values will result in Puppet
755 server evicting environments that haven´t been used within the last en‐
756 vironment_timeout seconds.
757
758 You should change this setting once your Puppet deployment is doing
759 non-trivial work. We chose the default value of 0 because it lets new
760 users update their code without any extra steps, but it lowers the per‐
761 formance of your Puppet server. We recommend either:
762
763 • Setting this to unlimited and explicitly refreshing your Puppet
764 server as part of your code deployment process.
765
766 • Setting this to a number that will keep your most actively used en‐
767 vironments cached, but allow testing environments to fall out of
768 the cache and reduce memory usage. A value of 3 minutes (3m) is a
769 reasonable value.
770
771
772
773 Once you set environment_timeout to a non-zero value, you need to tell
774 Puppet server to read new code from disk using the environment-cache
775 API endpoint after you deploy new code. See the docs for the Puppet
776 Server administrative API https://puppet.com/docs/puppetserver/lat‐
777 est/admin-api/v1/environment-cache.html.
778
779 • Default: 0
780
781
782
783 environmentpath
784 A search path for directory environments, as a list of directories sep‐
785 arated by the system path separator character. (The POSIX path separa‐
786 tor is ´:´, and the Windows path separator is ´;´.)
787
788 This setting must have a value set to enable directory environments.
789 The recommended value is $codedir/environments. For more details, see
790 https://puppet.com/docs/puppet/latest/environments_about.html
791
792 • Default: $codedir/environments
793
794
795
796 evaltrace
797 Whether each resource should log when it is being evaluated. This al‐
798 lows you to interactively see exactly what is being done.
799
800 • Default: false
801
802
803
804 external_nodes
805 The external node classifier (ENC) script to use for node data. Puppet
806 combines this data with the main manifest to produce node catalogs.
807
808 To enable this setting, set the node_terminus setting to exec.
809
810 This setting´s value must be the path to an executable command that can
811 produce node information. The command must:
812
813 • Take the name of a node as a command-line argument.
814
815 •
816
817 • classes --- A list of classes, as an array or hash.
818
819 • environment --- A string.
820
821 • parameters --- A list of top-scope variables to set, as a hash.
822
823
824
825
826 • For unknown nodes, exit with a non-zero exit code.
827
828
829
830 Generally, an ENC script makes requests to an external data source.
831
832 For more info, see the ENC documentation https://puppet.com/docs/pup‐
833 pet/latest/nodes_external.html.
834
835 • Default: none
836
837
838
839 fact_name_length_soft_limit
840 The soft limit for the length of a fact name.
841
842 • Default: 2560
843
844
845
846 fact_value_length_soft_limit
847 The soft limit for the length of a fact value.
848
849 • Default: 4096
850
851
852
853 factpath
854 Where Puppet should look for facts. Multiple directories should be sep‐
855 arated by the system path separator character. (The POSIX path separa‐
856 tor is ´:´, and the Windows path separator is ´;´.)
857
858 • Default: $vardir/lib/facter:$vardir/facts
859
860
861
862 facts_terminus
863 The node facts terminus.
864
865 • Default: facter
866
867
868
869 fileserverconfig
870 Where the fileserver configuration is stored.
871
872 • Default: $confdir/fileserver.conf
873
874
875
876 filetimeout
877 The minimum time to wait between checking for updates in configuration
878 files. This timeout determines how quickly Puppet checks whether a file
879 (such as manifests or puppet.conf) has changed on disk. The default
880 will change in a future release to be ´unlimited´, requiring a reload
881 of the Puppet service to pick up changes to its internal configuration.
882 Currently we do not accept a value of ´unlimited´. To reparse files
883 within an environment in Puppet Server please use the environment_cache
884 endpoint
885
886 • Default: 15s
887
888
889
890 forge_authorization
891 The authorization key to connect to the Puppet Forge. Leave blank for
892 unauthorized or license based connections
893
894 • Default: ``
895
896
897
898 freeze_main
899 Freezes the ´main´ class, disallowing any code to be added to it. This
900 essentially means that you can´t have any code outside of a node,
901 class, or definition other than in the site manifest.
902
903 • Default: false
904
905
906
907 genconfig
908 When true, causes Puppet applications to print an example config file
909 to stdout and exit. The example will include descriptions of each set‐
910 ting, and the current (or default) value of each setting, incorporating
911 any settings overridden on the CLI (with the exception of genconfig it‐
912 self). This setting only makes sense when specified on the command line
913 as --genconfig.
914
915 • Default: false
916
917
918
919 genmanifest
920 Whether to just print a manifest to stdout and exit. Only makes sense
921 when specified on the command line as --genmanifest. Takes into account
922 arguments specified on the CLI.
923
924 • Default: false
925
926
927
928 graph
929 Whether to create .dot graph files, which let you visualize the depen‐
930 dency and containment relationships in Puppet´s catalog. You can load
931 and view these files with tools like OmniGraffle http://www.omni‐
932 group.com/applications/omnigraffle/ (OS X) or graphviz
933 http://www.graphviz.org/ (multi-platform).
934
935 Graph files are created when applying a catalog, so this setting should
936 be used on nodes running puppet agent or puppet apply.
937
938 The graphdir setting determines where Puppet will save graphs. Note
939 that we don´t save graphs for historical runs; Puppet will replace the
940 previous .dot files with new ones every time it applies a catalog.
941
942 See your graphing software´s documentation for details on opening .dot
943 files. If you´re using GraphViz´s dot command, you can do a quick PNG
944 render with dot -Tpng <DOT FILE> -o <OUTPUT FILE>.
945
946 • Default: false
947
948
949
950 graphdir
951 Where to save .dot-format graphs (when the graph setting is enabled).
952
953 • Default: $statedir/graphs
954
955
956
957 group
958 The group Puppet Server will run as. Used to ensure the agent side pro‐
959 cesses (agent, apply, etc) create files and directories readable by
960 Puppet Server when necessary.
961
962 • Default: puppet
963
964
965
966 hiera_config
967 The hiera configuration file. Puppet only reads this file on startup,
968 so you must restart the puppet server every time you edit it.
969
970 • Default: $confdir/hiera.yaml. However, for backwards compatibility,
971 if a file exists at $codedir/hiera.yaml, Puppet uses that instead.
972
973
974
975 hostcert
976 Where individual hosts store and look for their certificates.
977
978 • Default: $certdir/$certname.pem
979
980
981
982 hostcrl
983 Where the host´s certificate revocation list can be found. This is dis‐
984 tinct from the certificate authority´s CRL.
985
986 • Default: $ssldir/crl.pem
987
988
989
990 hostcsr
991 Where individual hosts store their certificate request (CSR) while
992 waiting for the CA to issue their certificate.
993
994 • Default: $requestdir/$certname.pem
995
996
997
998 hostprivkey
999 Where individual hosts store and look for their private key.
1000
1001 • Default: $privatekeydir/$certname.pem
1002
1003
1004
1005 hostpubkey
1006 Where individual hosts store and look for their public key.
1007
1008 • Default: $publickeydir/$certname.pem
1009
1010
1011
1012 http_connect_timeout
1013 The maximum amount of time to wait when establishing an HTTP connec‐
1014 tion. The default value is 2 minutes. This setting can be a time inter‐
1015 val in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
1016 years (5y).
1017
1018 • Default: 2m
1019
1020
1021
1022 http_debug
1023 Whether to write HTTP request and responses to stderr. This should
1024 never be used in a production environment.
1025
1026 • Default: false
1027
1028
1029
1030 http_extra_headers
1031 The list of extra headers that will be sent with http requests to the
1032 primary server. The header definition consists of a name and a value
1033 separated by a colon.
1034
1035 • Default: []
1036
1037
1038
1039 http_keepalive_timeout
1040 The maximum amount of time a persistent HTTP connection can remain idle
1041 in the connection pool, before it is closed. This timeout should be
1042 shorter than the keepalive timeout used on the HTTP server, e.g. Apache
1043 KeepAliveTimeout directive. This setting can be a time interval in sec‐
1044 onds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
1045
1046 • Default: 4s
1047
1048
1049
1050 http_proxy_host
1051 The HTTP proxy host to use for outgoing connections. The proxy will be
1052 bypassed if the server´s hostname matches the NO_PROXY environment
1053 variable or no_proxy setting. Note: You may need to use a FQDN for the
1054 server hostname when using a proxy. Environment variable http_proxy or
1055 HTTP_PROXY will override this value.
1056
1057 • Default: none
1058
1059
1060
1061 http_proxy_password
1062 The password for the user of an authenticated HTTP proxy. Requires the
1063 http_proxy_user setting.
1064
1065 Note that passwords must be valid when used as part of a URL. If a
1066 password contains any characters with special meanings in URLs (as
1067 specified by RFC 3986 section 2.2), they must be URL-encoded. (For ex‐
1068 ample, # would become %23.)
1069
1070 • Default: none
1071
1072
1073
1074 http_proxy_port
1075 The HTTP proxy port to use for outgoing connections
1076
1077 • Default: 3128
1078
1079
1080
1081 http_proxy_user
1082 The user name for an authenticated HTTP proxy. Requires the
1083 http_proxy_host setting.
1084
1085 • Default: none
1086
1087
1088
1089 http_read_timeout
1090 The time to wait for data to be read from an HTTP connection. If noth‐
1091 ing is read after the elapsed interval then the connection will be
1092 closed. The default value is 10 minutes. This setting can be a time in‐
1093 terval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
1094 years (5y).
1095
1096 • Default: 10m
1097
1098
1099
1100 http_user_agent
1101 The HTTP User-Agent string to send when making network requests.
1102
1103 • Default: Puppet/7.12.1 Ruby/2.5.1-p57 (x86_64-linux)
1104
1105
1106
1107 ignore_plugin_errors
1108 Whether the puppet run should ignore errors during pluginsync. If the
1109 setting is false and there are errors during pluginsync, then the agent
1110 will abort the run and submit a report containing information about the
1111 failed run.
1112
1113 • Default: false
1114
1115
1116
1117 ignoremissingtypes
1118 Skip searching for classes and definitions that were missing during a
1119 prior compilation. The list of missing objects is maintained per-envi‐
1120 ronment and persists until the environment is cleared or the primary
1121 server is restarted.
1122
1123 • Default: false
1124
1125
1126
1127 ignoreschedules
1128 Boolean; whether puppet agent should ignore schedules. This is useful
1129 for initial puppet agent runs.
1130
1131 • Default: false
1132
1133
1134
1135 key_type
1136 The type of private key. Valid values are rsa and ec. Default is rsa.
1137
1138 • Default: rsa
1139
1140
1141
1142 keylength
1143 The bit length of keys.
1144
1145 • Default: 4096
1146
1147
1148
1149 lastrunfile
1150 Where puppet agent stores the last run report summary in yaml format.
1151
1152 • Default: $publicdir/last_run_summary.yaml
1153
1154
1155
1156 lastrunreport
1157 Where Puppet Agent stores the last run report, by default, in yaml for‐
1158 mat. The format of the report can be changed by setting the cache key
1159 of the report terminus in the routes.yaml https://puppet.com/docs/pup‐
1160 pet/latest/config_file_routes.html file. To avoid mismatches between
1161 content and file extension, this setting needs to be manually updated
1162 to reflect the terminus changes.
1163
1164 • Default: $statedir/last_run_report.yaml
1165
1166
1167
1168 ldapattrs
1169 The LDAP attributes to include when querying LDAP for nodes. All re‐
1170 turned attributes are set as variables in the top-level scope. Multiple
1171 values should be comma-separated. The value ´all´ returns all at‐
1172 tributes.
1173
1174 • Default: all
1175
1176
1177
1178 ldapbase
1179 The search base for LDAP searches. It´s impossible to provide a mean‐
1180 ingful default here, although the LDAP libraries might have one already
1181 set. Generally, it should be the ´ou=Hosts´ branch under your main di‐
1182 rectory.
1183
1184 ldapclassattrs
1185 The LDAP attributes to use to define Puppet classes. Values should be
1186 comma-separated.
1187
1188 • Default: puppetclass
1189
1190
1191
1192 ldapparentattr
1193 The attribute to use to define the parent node.
1194
1195 • Default: parentnode
1196
1197
1198
1199 ldappassword
1200 The password to use to connect to LDAP.
1201
1202 ldapport
1203 The LDAP port.
1204
1205 • Default: 389
1206
1207
1208
1209 ldapserver
1210 The LDAP server.
1211
1212 • Default: ldap
1213
1214
1215
1216 ldapssl
1217 Whether SSL should be used when searching for nodes. Defaults to false
1218 because SSL usually requires certificates to be set up on the client
1219 side.
1220
1221 • Default: false
1222
1223
1224
1225 ldapstackedattrs
1226 The LDAP attributes that should be stacked to arrays by adding the val‐
1227 ues in all hierarchy elements of the tree. Values should be comma-sepa‐
1228 rated.
1229
1230 • Default: puppetvar
1231
1232
1233
1234 ldapstring
1235 The search string used to find an LDAP node.
1236
1237 • Default: (&(objectclass=puppetClient)(cn=%s))
1238
1239
1240
1241 ldaptls
1242 Whether TLS should be used when searching for nodes. Defaults to false
1243 because TLS usually requires certificates to be set up on the client
1244 side.
1245
1246 • Default: false
1247
1248
1249
1250 ldapuser
1251 The user to use to connect to LDAP. Must be specified as a full DN.
1252
1253 libdir
1254 An extra search path for Puppet. This is only useful for those files
1255 that Puppet will load on demand, and is only guaranteed to work for
1256 those cases. In fact, the autoload mechanism is responsible for making
1257 sure this directory is in Ruby´s search path
1258
1259 • Default: $vardir/lib
1260
1261
1262
1263 localcacert
1264 Where each client stores the CA certificate.
1265
1266 • Default: $certdir/ca.pem
1267
1268
1269
1270 localedest
1271 Where Puppet should store translation files that it pulls down from the
1272 central server.
1273
1274 • Default: $vardir/locales
1275
1276
1277
1278 localesource
1279 From where to retrieve translation files. The standard Puppet file type
1280 is used for retrieval, so anything that is a valid file source can be
1281 used here.
1282
1283 • Default: puppet:///locales
1284
1285
1286
1287 log_level
1288 Default logging level for messages from Puppet. Allowed values are:
1289
1290 • debug
1291
1292 • info
1293
1294 • notice
1295
1296 • warning
1297
1298 • err
1299
1300 • alert
1301
1302 • emerg
1303
1304 • crit
1305
1306 • Default: notice
1307
1308
1309
1310 logdest
1311 Where to send log messages. Choose between ´syslog´ (the POSIX syslog
1312 service), ´eventlog´ (the Windows Event Log), ´console´, or the path to
1313 a log file. Multiple destinations can be set using a comma separated
1314 list (eg: /path/file1,console,/path/file2)
1315
1316 • Default: ``
1317
1318
1319
1320 logdir
1321 The directory in which to store log files
1322
1323 • Default: Unix/Linux: /var/log/puppet -- Windows: C:\Program‐
1324 Data\PuppetLabs\puppet\var\log -- Non-root user: ~/.puppet‐
1325 labs/var/log
1326
1327
1328
1329 manage_internal_file_permissions
1330 Whether Puppet should manage the owner, group, and mode of files it
1331 uses internally. Note: For Windows agents, the default is false for
1332 versions 4.10.13 and greater, versions 5.5.6 and greater, and versions
1333 6.0 and greater.
1334
1335 • Default: true
1336
1337
1338
1339 manifest
1340 The entry-point manifest for the primary server. This can be one file
1341 or a directory of manifests to be evaluated in alphabetical order. Pup‐
1342 pet manages this path as a directory if one exists or if the path ends
1343 with a / or .
1344
1345 Setting a global value for manifest in puppet.conf is not allowed (but
1346 it can be overridden from the commandline). Please use directory envi‐
1347 ronments instead. If you need to use something other than the environ‐
1348 ment´s manifests directory as the main manifest, you can set manifest
1349 in environment.conf. For more info, see https://puppet.com/docs/pup‐
1350 pet/latest/environments_about.html
1351
1352 • Default: ``
1353
1354
1355
1356 masterport
1357 The default port puppet subcommands use to communicate with Puppet
1358 Server. (eg puppet facts upload, puppet agent). May be overridden by
1359 more specific settings (see ca_port, report_port).
1360
1361 • Default: 8140
1362
1363
1364
1365 max_deprecations
1366 Sets the max number of logged/displayed parser validation deprecation
1367 warnings in case multiple deprecation warnings have been detected. A
1368 value of 0 blocks the logging of deprecation warnings. The count is per
1369 manifest.
1370
1371 • Default: 10
1372
1373
1374
1375 max_errors
1376 Sets the max number of logged/displayed parser validation errors in
1377 case multiple errors have been detected. A value of 0 is the same as a
1378 value of 1; a minimum of one error is always raised. The count is per
1379 manifest.
1380
1381 • Default: 10
1382
1383
1384
1385 max_warnings
1386 Sets the max number of logged/displayed parser validation warnings in
1387 case multiple warnings have been detected. A value of 0 blocks logging
1388 of warnings. The count is per manifest.
1389
1390 • Default: 10
1391
1392
1393
1394 maximum_uid
1395 The maximum allowed UID. Some platforms use negative UIDs but then ship
1396 with tools that do not know how to handle signed ints, so the UIDs show
1397 up as huge numbers that can then not be fed back into the system. This
1398 is a hackish way to fail in a slightly more useful way when that hap‐
1399 pens.
1400
1401 • Default: 4294967290
1402
1403
1404
1405 maxwaitforcert
1406 The maximum amount of time the Puppet agent should wait for its cer‐
1407 tificate request to be signed. A value of unlimited will cause puppet
1408 agent to ask for a signed certificate indefinitely. This setting can be
1409 a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days
1410 (2d), or years (5y).
1411
1412 • Default: unlimited
1413
1414
1415
1416 maxwaitforlock
1417 The maximum amount of time the puppet agent should wait for an already
1418 running puppet agent to finish before starting a new one. This is set
1419 by default to 1 minute. A value of unlimited will cause puppet agent to
1420 wait indefinitely. This setting can be a time interval in seconds (30
1421 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
1422
1423 • Default: 1m
1424
1425
1426
1427 merge_dependency_warnings
1428 Whether to merge class-level dependency failure warnings.
1429
1430 When a class has a failed dependency, every resource in the class gen‐
1431 erates a notice level message about the dependency failure, and a warn‐
1432 ing level message about skipping the resource.
1433
1434 If true, all messages caused by a class dependency failure are merged
1435 into one message associated with the class.
1436
1437 • Default: false
1438
1439
1440
1441 mkusers
1442 Whether to create the necessary user and group that puppet agent will
1443 run as.
1444
1445 • Default: false
1446
1447
1448
1449 module_groups
1450 Extra module groups to request from the Puppet Forge. This is an inter‐
1451 nal setting, and users should never change it.
1452
1453 • Default: ``
1454
1455
1456
1457 module_repository
1458 The module repository
1459
1460 • Default: https://forgeapi.puppet.com
1461
1462
1463
1464 module_working_dir
1465 The directory into which module tool data is stored
1466
1467 • Default: $vardir/puppet-module
1468
1469
1470
1471 modulepath
1472 The search path for modules, as a list of directories separated by the
1473 system path separator character. (The POSIX path separator is ´:´, and
1474 the Windows path separator is ´;´.)
1475
1476 Setting a global value for modulepath in puppet.conf is not allowed
1477 (but it can be overridden from the commandline). Please use directory
1478 environments instead. If you need to use something other than the de‐
1479 fault modulepath of <ACTIVE ENVIRONMENT´S MODULES DIR>:$basemodulepath,
1480 you can set modulepath in environment.conf. For more info, see
1481 https://puppet.com/docs/puppet/latest/environments_about.html
1482
1483 name
1484 The name of the application, if we are running as one. The default is
1485 essentially $0 without the path or .rb.
1486
1487 • Default: ``
1488
1489
1490
1491 named_curve
1492 The short name for the EC curve used to generate the EC private key.
1493 Valid values must be one of the curves in
1494 OpenSSL::PKey::EC.builtin_curves. Default is prime256v1.
1495
1496 • Default: prime256v1
1497
1498
1499
1500 no_proxy
1501 List of host or domain names that should not go through
1502 http_proxy_host. Environment variable no_proxy or NO_PROXY will over‐
1503 ride this value. Names can be specified as an FQDN host.example.com,
1504 wildcard *.example.com, dotted domain .example.com, or suffix exam‐
1505 ple.com.
1506
1507 • Default: localhost, 127.0.0.1
1508
1509
1510
1511 node_cache_terminus
1512 How to store cached nodes. Valid values are (none), ´json´, ´msgpack´,
1513 or ´yaml´.
1514
1515 • Default: ``
1516
1517
1518
1519 node_name_fact
1520 The fact name used to determine the node name used for all requests the
1521 agent makes to the primary server. WARNING: This setting is mutually
1522 exclusive with node_name_value. Changing this setting also requires
1523 changes to Puppet Server´s default auth.conf https://pup‐
1524 pet.com/docs/puppetserver/latest/config_file_auth.html.
1525
1526 node_name_value
1527 The explicit value used for the node name for all requests the agent
1528 makes to the primary server. WARNING: This setting is mutually exclu‐
1529 sive with node_name_fact. Changing this setting also requires changes
1530 to Puppet Server´s default auth.conf https://puppet.com/docs/puppet‐
1531 server/latest/config_file_auth.html.
1532
1533 • Default: $certname
1534
1535
1536
1537 node_terminus
1538 Which node data plugin to use when compiling node catalogs.
1539
1540 When Puppet compiles a catalog, it combines two primary sources of
1541 info: the main manifest, and a node data plugin (often called a "node
1542 terminus," for historical reasons). Node data plugins provide three
1543 things for a given node name:
1544
1545 1. A list of classes to add to that node´s catalog (and, optionally,
1546 values for their parameters).
1547
1548 2. Which Puppet environment the node should use.
1549
1550 3. A list of additional top-scope variables to set.
1551
1552
1553
1554 The three main node data plugins are:
1555
1556 • plain --- Returns no data, so that the main manifest controls all
1557 node configuration.
1558
1559 • exec --- Uses an external node classifier (ENC) https://pup‐
1560 pet.com/docs/puppet/latest/nodes_external.html, configured by the
1561 external_nodes setting. This lets you pull a list of Puppet classes
1562 from any external system, using a small glue script to perform the
1563 request and format the result as YAML.
1564
1565 • classifier (formerly console) --- Specific to Puppet Enterprise.
1566 Uses the PE console for node data."
1567
1568 • Default: plain
1569
1570
1571
1572 noop
1573 Whether to apply catalogs in noop mode, which allows Puppet to par‐
1574 tially simulate a normal run. This setting affects puppet agent and
1575 puppet apply.
1576
1577 When running in noop mode, Puppet will check whether each resource is
1578 in sync, like it does when running normally. However, if a resource at‐
1579 tribute is not in the desired state (as declared in the catalog), Pup‐
1580 pet will take no action, and will instead report the changes it would
1581 have made. These simulated changes will appear in the report sent to
1582 the primary Puppet server, or be shown on the console if running puppet
1583 agent or puppet apply in the foreground. The simulated changes will not
1584 send refresh events to any subscribing or notified resources, although
1585 Puppet will log that a refresh event would have been sent.
1586
1587 Important note: The noop metaparameter https://puppet.com/docs/pup‐
1588 pet/latest/metaparameter.html#noop allows you to apply individual re‐
1589 sources in noop mode, and will override the global value of the noop
1590 setting. This means a resource with noop => false will be changed if
1591 necessary, even when running puppet agent with noop = true or --noop.
1592 (Conversely, a resource with noop => true will only be simulated, even
1593 when noop mode is globally disabled.)
1594
1595 • Default: false
1596
1597
1598
1599 number_of_facts_soft_limit
1600 The soft limit for the total number of facts.
1601
1602 • Default: 2048
1603
1604
1605
1606 onetime
1607 Perform one configuration run and exit, rather than spawning a
1608 long-running daemon. This is useful for interactively running puppet
1609 agent, or running puppet agent from cron.
1610
1611 • Default: false
1612
1613
1614
1615 passfile
1616 Where puppet agent stores the password for its private key. Generally
1617 unused.
1618
1619 • Default: $privatedir/password
1620
1621
1622
1623 path
1624 The shell search path. Defaults to whatever is inherited from the par‐
1625 ent process.
1626
1627 This setting can only be set in the [main] section of puppet.conf; it
1628 cannot be set in [server], [agent], or an environment config section.
1629
1630 • Default: none
1631
1632
1633
1634 payload_soft_limit
1635 The soft limit for the size of the payload.
1636
1637 • Default: 16777216
1638
1639
1640
1641 pidfile
1642 The file containing the PID of a running process. This file is intended
1643 to be used by service management frameworks and monitoring systems to
1644 determine if a puppet process is still in the process table.
1645
1646 • Default: $rundir/${run_mode}.pid
1647
1648
1649
1650 plugindest
1651 Where Puppet should store plugins that it pulls down from the central
1652 server.
1653
1654 • Default: $libdir
1655
1656
1657
1658 pluginfactdest
1659 Where Puppet should store external facts that are being handled by plu‐
1660 ginsync
1661
1662 • Default: $vardir/facts.d
1663
1664
1665
1666 pluginfactsource
1667 Where to retrieve external facts for pluginsync
1668
1669 • Default: puppet:///pluginfacts
1670
1671
1672
1673 pluginsignore
1674 What files to ignore when pulling down plugins.
1675
1676 • Default: .svn CVS .git .hg
1677
1678
1679
1680 pluginsource
1681 From where to retrieve plugins. The standard Puppet file type is used
1682 for retrieval, so anything that is a valid file source can be used
1683 here.
1684
1685 • Default: puppet:///plugins
1686
1687
1688
1689 pluginsync
1690 Whether plugins should be synced with the central server. This setting
1691 is deprecated.
1692
1693 • Default: true
1694
1695
1696
1697 postrun_command
1698 A command to run after every agent run. If this command returns a
1699 non-zero return code, the entire Puppet run will be considered to have
1700 failed, even though it might have performed work during the normal run.
1701
1702 preferred_serialization_format
1703 The preferred means of serializing ruby instances for passing over the
1704 wire. This won´t guarantee that all instances will be serialized using
1705 this method, since not all classes can be guaranteed to support this
1706 format, but it will be used for all classes that support it.
1707
1708 • Default: json
1709
1710
1711
1712 prerun_command
1713 A command to run before every agent run. If this command returns a
1714 non-zero return code, the entire Puppet run will fail.
1715
1716 preview_outputdir
1717 The directory where catalog previews per node are generated.
1718
1719 • Default: $vardir/preview
1720
1721
1722
1723 priority
1724 The scheduling priority of the process. Valid values are ´high´, ´nor‐
1725 mal´, ´low´, or ´idle´, which are mapped to platform-specific values.
1726 The priority can also be specified as an integer value and will be
1727 passed as is, e.g. -5. Puppet must be running as a privileged user in
1728 order to increase scheduling priority.
1729
1730 • Default: ``
1731
1732
1733
1734 privatedir
1735 Where the client stores private certificate information.
1736
1737 • Default: $ssldir/private
1738
1739
1740
1741 privatekeydir
1742 The private key directory.
1743
1744 • Default: $ssldir/private_keys
1745
1746
1747
1748 profile
1749 Whether to enable experimental performance profiling
1750
1751 • Default: false
1752
1753
1754
1755 publicdir
1756 Where Puppet stores public files.
1757
1758 • Default: Unix/Linux: /var/lib/puppet/public -- Windows: C:\Program‐
1759 Data\PuppetLabs\puppet\public -- Non-root user: ~/.puppet‐
1760 labs/opt/puppet/public
1761
1762
1763
1764 publickeydir
1765 The public key directory.
1766
1767 • Default: $ssldir/public_keys
1768
1769
1770
1771 puppet_trace
1772 Whether to print the Puppet stack trace on some errors. This is a noop
1773 if trace is also set.
1774
1775 • Default: false
1776
1777
1778
1779 puppetdlog
1780 The fallback log file. This is only used when the --logdest option is
1781 not specified AND Puppet is running on an operating system where both
1782 the POSIX syslog service and the Windows Event Log are unavailable.
1783 (Currently, no supported operating systems match that description.)
1784
1785 Despite the name, both puppet agent and puppet server will use this
1786 file as the fallback logging destination.
1787
1788 For control over logging destinations, see the --logdest command line
1789 option in the manual pages for puppet server, puppet agent, and puppet
1790 apply. You can see man pages by running puppet <SUBCOMMAND> --help, or
1791 read them online at https://puppet.com/docs/puppet/latest/man/.
1792
1793 • Default: $logdir/puppetd.log
1794
1795
1796
1797 report
1798 Whether to send reports after every transaction.
1799
1800 • Default: true
1801
1802
1803
1804 report_include_system_store
1805 Whether the ´http´ report processor should include the system certifi‐
1806 cate store when submitting reports to HTTPS URLs. If false, then the
1807 ´http´ processor will only trust HTTPS report servers whose certifi‐
1808 cates are issued by the puppet CA or one of its intermediate CAs. If
1809 true, the processor will additionally trust CA certificates in the sys‐
1810 tem´s certificate store.
1811
1812 • Default: false
1813
1814
1815
1816 report_port
1817 The port to communicate with the report_server.
1818
1819 • Default: $serverport
1820
1821
1822
1823 report_server
1824 The server to send transaction reports to.
1825
1826 • Default: $server
1827
1828
1829
1830 reportdir
1831 The directory in which to store reports. Each node gets a separate sub‐
1832 directory in this directory. This setting is only used when the store
1833 report processor is enabled (see the reports setting).
1834
1835 • Default: $vardir/reports
1836
1837
1838
1839 reports
1840 The list of report handlers to use. When using multiple report han‐
1841 dlers, their names should be comma-separated, with whitespace allowed.
1842 (For example, reports = http, store.)
1843
1844 This setting is relevant to puppet server and puppet apply. The primary
1845 Puppet server will call these report handlers with the reports it re‐
1846 ceives from agent nodes, and puppet apply will call them with its own
1847 report. (In all cases, the node applying the catalog must have report =
1848 true.)
1849
1850 See the report reference for information on the built-in report han‐
1851 dlers; custom report handlers can also be loaded from modules. (Report
1852 handlers are loaded from the lib directory, at puppet/reports/NAME.rb.)
1853
1854 To turn off reports entirely, set this to none
1855
1856 • Default: store
1857
1858
1859
1860 reporturl
1861 The URL that reports should be forwarded to. This setting is only used
1862 when the http report processor is enabled (see the reports setting).
1863
1864 • Default: http://localhost:3000/reports/upload
1865
1866
1867
1868 requestdir
1869 Where host certificate requests are stored.
1870
1871 • Default: $ssldir/certificate_requests
1872
1873
1874
1875 resourcefile
1876 The file in which puppet agent stores a list of the resources associ‐
1877 ated with the retrieved configuration.
1878
1879 • Default: $statedir/resources.txt
1880
1881
1882
1883 resubmit_facts
1884 Whether to send updated facts after every transaction. By default pup‐
1885 pet only submits facts at the beginning of the transaction before ap‐
1886 plying a catalog. Since puppet can modify the state of the system, the
1887 value of the facts may change after puppet finishes. Therefore, any
1888 facts stored in puppetdb may not be consistent until the agent next
1889 runs, typically in 30 minutes. If this feature is enabled, puppet will
1890 resubmit facts after applying its catalog, ensuring facts for the node
1891 stored in puppetdb are current. However, this will double the fact sub‐
1892 mission load on puppetdb, so it is disabled by default.
1893
1894 • Default: false
1895
1896
1897
1898 rich_data
1899 Enables having extended data in the catalog by storing them as a hash
1900 with the special key __ptype. When enabled, resource containing values
1901 of the data types Binary, Regexp, SemVer, SemVerRange, Timespan and
1902 Timestamp, as well as instances of types derived from Object retain
1903 their data type.
1904
1905 • Default: true
1906
1907
1908
1909 route_file
1910 The YAML file containing indirector route configuration.
1911
1912 • Default: $confdir/routes.yaml
1913
1914
1915
1916 rundir
1917 Where Puppet PID files are kept.
1918
1919 • Default: Unix/Linux: /var/run/puppetlabs -- Windows: C:\Program‐
1920 Data\PuppetLabs\puppet\var\run -- Non-root user: ~/.puppet‐
1921 labs/var/run
1922
1923
1924
1925 runinterval
1926 How often puppet agent applies the catalog. Note that a runinterval of
1927 0 means "run continuously" rather than "never run." This setting can be
1928 a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days
1929 (2d), or years (5y).
1930
1931 • Default: 30m
1932
1933
1934
1935 runtimeout
1936 The maximum amount of time an agent run is allowed to take. A Puppet
1937 agent run that exceeds this timeout will be aborted. A value of 0 dis‐
1938 ables the timeout. Defaults to 1 hour. This setting can be a time in‐
1939 terval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or
1940 years (5y).
1941
1942 • Default: 1h
1943
1944
1945
1946 serial
1947 Where the serial number for certificates is stored.
1948
1949 • Default: $cadir/serial
1950
1951
1952
1953 server
1954 The primary Puppet server to which the Puppet agent should connect.
1955
1956 • Default: puppet
1957
1958
1959
1960 server_datadir
1961 The directory in which serialized data is stored, usually in a subdi‐
1962 rectory.
1963
1964 • Default: $vardir/server_data
1965
1966
1967
1968 server_list
1969 The list of primary Puppet servers to which the Puppet agent should
1970 connect, in the order that they will be tried. Each value should be a
1971 fully qualified domain name, followed by an optional ´:´ and port num‐
1972 ber. If a port is omitted, Puppet uses masterport for that host.
1973
1974 • Default: []
1975
1976
1977
1978 serverport
1979 The default port puppet subcommands use to communicate with Puppet
1980 Server. (eg puppet facts upload, puppet agent). May be overridden by
1981 more specific settings (see ca_port, report_port).
1982
1983 • Default: 8140
1984
1985
1986
1987 settings_catalog
1988 Whether to compile and apply the settings catalog
1989
1990 • Default: true
1991
1992
1993
1994 show_diff
1995 Whether to log and report a contextual diff when files are being re‐
1996 placed. This causes partial file contents to pass through Puppet´s nor‐
1997 mal logging and reporting system, so this setting should be used with
1998 caution if you are sending Puppet´s reports to an insecure destination.
1999 This feature currently requires the diff/lcs Ruby library.
2000
2001 • Default: false
2002
2003
2004
2005 signeddir
2006 Where the CA stores signed certificates.
2007
2008 • Default: $cadir/signed
2009
2010
2011
2012 skip_tags
2013 Tags to use to filter resources. If this is set, then only resources
2014 not tagged with the specified tags will be applied. Values must be
2015 comma-separated.
2016
2017 sourceaddress
2018 The address the agent should use to initiate requests.
2019
2020 • Default: ``
2021
2022
2023
2024 splay
2025 Whether to sleep for a random amount of time, ranging from immediately
2026 up to its $splaylimit, before performing its first agent run after a
2027 service restart. After this period, the agent runs periodically on its
2028 $runinterval.
2029
2030 For example, assume a default 30-minute $runinterval, splay set to its
2031 default of false, and an agent starting at :00 past the hour. The agent
2032 would check in every 30 minutes at :01 and :31 past the hour.
2033
2034 With splay enabled, it waits any amount of time up to its $splaylimit
2035 before its first run. For example, it might randomly wait 8 minutes,
2036 then start its first run at :08 past the hour. With the $runinterval at
2037 its default 30 minutes, its next run will be at :38 past the hour.
2038
2039 If you restart an agent´s puppet service with splay enabled, it recal‐
2040 culates its splay period and delays its first agent run after restart‐
2041 ing for this new period. If you simultaneously restart a group of pup‐
2042 pet agents with splay enabled, their checkins to your primary servers
2043 can be distributed more evenly.
2044
2045 • Default: false
2046
2047
2048
2049 splaylimit
2050 The maximum time to delay before an agent´s first run when splay is en‐
2051 abled. Defaults to the agent´s $runinterval. The splay interval is ran‐
2052 dom and recalculated each time the agent is started or restarted. This
2053 setting can be a time interval in seconds (30 or 30s), minutes (30m),
2054 hours (6h), days (2d), or years (5y).
2055
2056 • Default: $runinterval
2057
2058
2059
2060 srv_domain
2061 The domain which will be queried to find the SRV records of servers to
2062 use.
2063
2064 • Default: ci-jenkins-setup-platform.svc.cluster.local
2065
2066
2067
2068 ssl_client_header
2069 The header containing an authenticated client´s SSL DN. This header
2070 must be set by the proxy to the authenticated client´s SSL DN (e.g.,
2071 /CN=puppet.puppetlabs.com). Puppet will parse out the Common Name (CN)
2072 from the Distinguished Name (DN) and use the value of the CN field for
2073 authorization.
2074
2075 Note that the name of the HTTP header gets munged by the web server
2076 common gateway interface: an HTTP_ prefix is added, dashes are con‐
2077 verted to underscores, and all letters are uppercased. Thus, to use the
2078 X-Client-DN header, this setting should be HTTP_X_CLIENT_DN.
2079
2080 • Default: HTTP_X_CLIENT_DN
2081
2082
2083
2084 ssl_client_verify_header
2085 The header containing the status message of the client verification.
2086 This header must be set by the proxy to ´SUCCESS´ if the client suc‐
2087 cessfully authenticated, and anything else otherwise.
2088
2089 Note that the name of the HTTP header gets munged by the web server
2090 common gateway interface: an HTTP_ prefix is added, dashes are con‐
2091 verted to underscores, and all letters are uppercased. Thus, to use the
2092 X-Client-Verify header, this setting should be HTTP_X_CLIENT_VERIFY.
2093
2094 • Default: HTTP_X_CLIENT_VERIFY
2095
2096
2097
2098 ssl_lockfile
2099 A lock file to indicate that the ssl bootstrap process is currently in
2100 progress.
2101
2102 • Default: $ssldir/ssl.lock
2103
2104
2105
2106 ssl_trust_store
2107 A file containing CA certificates in PEM format that puppet should
2108 trust when making HTTPS requests. This only applies to https requests
2109 to non-puppet infrastructure, such as retrieving file metadata and con‐
2110 tent from https file sources, puppet module tool and the ´http´ report
2111 processor. This setting is ignored when making requests to puppet://
2112 URLs such as catalog and report requests.
2113
2114 • Default: ``
2115
2116
2117
2118 ssldir
2119 Where SSL certificates are kept.
2120
2121 • Default: $confdir/ssl
2122
2123
2124
2125 statedir
2126 The directory where Puppet state is stored. Generally, this directory
2127 can be removed without causing harm (although it might result in spuri‐
2128 ous service restarts).
2129
2130 • Default: $vardir/state
2131
2132
2133
2134 statefile
2135 Where Puppet agent and Puppet Server store state associated with the
2136 running configuration. In the case of Puppet Server, this file reflects
2137 the state discovered through interacting with clients.
2138
2139 • Default: $statedir/state.yaml
2140
2141
2142
2143 statettl
2144 How long the Puppet agent should cache when a resource was last checked
2145 or synced. This setting can be a time interval in seconds (30 or 30s),
2146 minutes (30m), hours (6h), days (2d), or years (5y). A value of 0 or
2147 unlimited will disable cache pruning.
2148
2149 This setting affects the usage of schedule resources, as the informa‐
2150 tion about when a resource was last checked (and therefore when it
2151 needs to be checked again) is stored in the statefile. The statettl
2152 needs to be large enough to ensure that a resource will not trigger
2153 multiple times during a schedule due to its entry expiring from the
2154 cache.
2155
2156 • Default: 32d
2157
2158
2159
2160 static_catalogs
2161 Whether to compile a static catalog https://puppet.com/docs/puppet/lat‐
2162 est/static_catalogs.html#enabling-or-disabling-static-catalogs, which
2163 occurs only on Puppet Server when the code-id-command and code-con‐
2164 tent-command settings are configured in its puppetserver.conf file.
2165
2166 • Default: true
2167
2168
2169
2170 storeconfigs
2171 Whether to store each client´s configuration, including catalogs,
2172 facts, and related data. This also enables the import and export of re‐
2173 sources in the Puppet language - a mechanism for exchange resources be‐
2174 tween nodes.
2175
2176 By default this uses the ´puppetdb´ backend.
2177
2178 You can adjust the backend using the storeconfigs_backend setting.
2179
2180 • Default: false
2181
2182
2183
2184 storeconfigs_backend
2185 Configure the backend terminus used for StoreConfigs. By default, this
2186 uses the PuppetDB store, which must be installed and configured before
2187 turning on StoreConfigs.
2188
2189 • Default: puppetdb
2190
2191
2192
2193 strict
2194 The strictness level of puppet. Allowed values are:
2195
2196 • off - do not perform extra validation, do not report
2197
2198 • warning - perform extra validation, report as warning (default)
2199
2200 • error - perform extra validation, fail with error
2201
2202
2203
2204 The strictness level is for both language semantics and runtime evalua‐
2205 tion validation. In addition to controlling the behavior with this pri‐
2206 mary server switch some individual warnings may also be controlled by
2207 the disable_warnings setting.
2208
2209 No new validations will be added to a micro (x.y.z) release, but may be
2210 added in minor releases (x.y.0). In major releases it expected that
2211 most (if not all) strictness validation become standard behavior.
2212
2213 • Default: warning
2214
2215
2216
2217 strict_environment_mode
2218 Whether the agent specified environment should be considered authorita‐
2219 tive, causing the run to fail if the retrieved catalog does not match
2220 it.
2221
2222 • Default: false
2223
2224
2225
2226 strict_variables
2227 Causes an evaluation error when referencing unknown variables. (This
2228 does not affect referencing variables that are explicitly set to un‐
2229 def).
2230
2231 • Default: false
2232
2233
2234
2235 summarize
2236 Whether to print a transaction summary.
2237
2238 • Default: false
2239
2240
2241
2242 supported_checksum_types
2243 Checksum types supported by this agent for use in file resources of a
2244 static catalog. Values must be comma-separated. Valid types are sha256,
2245 sha256lite, sha384, sha512, sha224, sha1, sha1lite, md5, md5lite,
2246 mtime, ctime. Default is sha256, sha384, sha512, sha224, md5.
2247
2248 • Default: ["sha256", "sha384", "sha512", "sha224", "md5"]
2249
2250
2251
2252 syslogfacility
2253 What syslog facility to use when logging to syslog. Syslog has a fixed
2254 list of valid facilities, and you must choose one of those; you cannot
2255 just make one up.
2256
2257 • Default: daemon
2258
2259
2260
2261 tags
2262 Tags to use to find resources. If this is set, then only resources
2263 tagged with the specified tags will be applied. Values must be
2264 comma-separated.
2265
2266 tasks
2267 Turns on experimental support for tasks and plans in the puppet lan‐
2268 guage. This is for internal API use only. Do not change this setting.
2269
2270 • Default: false
2271
2272
2273
2274 top_level_facts_soft_limit
2275 The soft limit for the number of top level facts.
2276
2277 • Default: 512
2278
2279
2280
2281 trace
2282 Whether to print stack traces on some errors. Will print internal Ruby
2283 stack trace interleaved with Puppet function frames.
2284
2285 • Default: false
2286
2287
2288
2289 transactionstorefile
2290 Transactional storage file for persisting data between transactions for
2291 the purposes of infering information (such as corrective_change) on new
2292 data received.
2293
2294 • Default: $statedir/transactionstore.yaml
2295
2296
2297
2298 trusted_external_command
2299 The external trusted facts script or directory to use. This setting´s
2300 value can be set to the path to an executable command that can produce
2301 external trusted facts or to a directory containing those executable
2302 commands. The command(s) must:
2303
2304 • Take the name of a node as a command-line argument.
2305
2306 • Return a JSON hash with the external trusted facts for this node.
2307
2308 • For unknown or invalid nodes, exit with a non-zero exit code.
2309
2310
2311
2312 If the setting points to an executable command, then the external
2313 trusted facts will be stored in the ´external´ key of the trusted facts
2314 hash. Otherwise for each executable file in the directory, the external
2315 trusted facts will be stored in the <basename> key of the trusted[´ex‐
2316 ternal´] hash. For example, if the files foo.rb and bar.sh are in the
2317 directory, then trusted[´external´] will be the hash { ´foo´ => <foo.rb
2318 output>, ´bar´ => <bar.sh output> }.
2319
2320 • Default: ``
2321
2322
2323
2324 trusted_oid_mapping_file
2325 File that provides mapping between custom SSL oids and user-friendly
2326 names
2327
2328 • Default: $confdir/custom_trusted_oid_mapping.yaml
2329
2330
2331
2332 use_cached_catalog
2333 Whether to only use the cached catalog rather than compiling a new cat‐
2334 alog on every run. Puppet can be run with this enabled by default and
2335 then selectively disabled when a recompile is desired. Because a Puppet
2336 agent using cached catalogs does not contact the primary server for a
2337 new catalog, it also does not upload facts at the beginning of the Pup‐
2338 pet run.
2339
2340 • Default: false
2341
2342
2343
2344 use_srv_records
2345 Whether the server will search for SRV records in DNS for the current
2346 domain.
2347
2348 • Default: false
2349
2350
2351
2352 usecacheonfailure
2353 Whether to use the cached configuration when the remote configuration
2354 will not compile. This option is useful for testing new configurations,
2355 where you want to fix the broken configuration rather than reverting to
2356 a known-good one.
2357
2358 • Default: true
2359
2360
2361
2362 user
2363 The user Puppet Server will run as. Used to ensure the agent side pro‐
2364 cesses (agent, apply, etc) create files and directories readable by
2365 Puppet Server when necessary.
2366
2367 • Default: puppet
2368
2369
2370
2371 vardir
2372 Where Puppet stores dynamic and growing data. The default for this set‐
2373 ting is calculated specially, like confdir_.
2374
2375 • Default: Unix/Linux: /var/lib/puppet -- Windows: C:\Program‐
2376 Data\PuppetLabs\puppet\cache -- Non-root user: ~/.puppet‐
2377 labs/opt/puppet/cache
2378
2379
2380
2381 vendormoduledir
2382 The directory containing vendored modules. These modules will be used
2383 by all environments like those in the basemodulepath. The only differ‐
2384 ence is that modules in the basemodulepath are pluginsynced, while ven‐
2385 dored modules are not
2386
2387 • Default: /usr/share/puppet/vendor_modules
2388
2389
2390
2391 versioned_environment_dirs
2392 Whether or not to look for versioned environment directories, symlinked
2393 from $environmentpath/<environment>. This is an experimental feature
2394 and should be used with caution.
2395
2396 • Default: false
2397
2398
2399
2400 waitforcert
2401 How frequently puppet agent should ask for a signed certificate.
2402
2403 When starting for the first time, puppet agent will submit a certifi‐
2404 cate signing request (CSR) to the server named in the ca_server setting
2405 (usually the primary Puppet server); this may be autosigned, or may
2406 need to be approved by a human, depending on the CA server´s configura‐
2407 tion.
2408
2409 Puppet agent cannot apply configurations until its approved certificate
2410 is available. Since the certificate may or may not be available immedi‐
2411 ately, puppet agent will repeatedly try to fetch it at this interval.
2412 You can turn off waiting for certificates by specifying a time of 0, or
2413 a maximum amount of time to wait in the maxwaitforcert setting, in
2414 which case puppet agent will exit if it cannot get a cert. This setting
2415 can be a time interval in seconds (30 or 30s), minutes (30m), hours
2416 (6h), days (2d), or years (5y).
2417
2418 • Default: 2m
2419
2420
2421
2422 waitforlock
2423 How frequently puppet agent should try running when there is an already
2424 ongoing puppet agent instance.
2425
2426 This argument is by default disabled (value set to 0). In this case
2427 puppet agent will immediately exit if it cannot run at that moment.
2428 When a value other than 0 is set, this can also be used in combination
2429 with the maxwaitforlock argument. This setting can be a time interval
2430 in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years
2431 (5y).
2432
2433 • Default: 0
2434
2435
2436
2437 write_catalog_summary
2438 Whether to write the classfile and resourcefile after applying the cat‐
2439 alog. It is enabled by default, except when running puppet apply.
2440
2441 • Default: true
2442
2443
2444
2445 yamldir
2446 The directory in which YAML data is stored, usually in a subdirectory.
2447
2448 • Default: $vardir/yaml
2449
2450
2451
2452
2453
2454
2455Puppet, Inc. October 2021 PUPPETCONF(5)