Want to improve your security posture? The 2019 State of DevOps Report tells you how.
Get the report

Configuring and tuning the console

Puppet Enterprise 2017.2

Expand menu Collapse menu
Open menu Close menu
  1. Configure the PE console and console-services
  2. Change password reset and lockout settings
  3. Disable HTTPS redirect
  4. Tuning the PostgreSQL buffer pool size

After installing PE, you can change product settings to customize the console behavior, adjust to your team’s needs, and improve performance.

Configure the PE console and console-services

There are several parameters you can add to configure the behavior of the PE console and console-services.

  1. In the console, click Classification, and in the PE Infrastructure group, select the PE Console group.

  2. On the Classes tab, locate the puppet_enterprise class indicated and add any of the following parameters and values as needed.

    Parameter Value
    puppet_enterprise::profile::console::classifier_synchronization_period Must be an integer. Classifier synchronization period.
    Controls how long it takes the node classifier (NC) to retrieve classes
    from the Puppet master. Default is "600" seconds (10 minutes).
    puppet_enterprise::api_port The SSL port PE serves the node classifier on. Defaults to "[4433]".
    puppet_enterprise::profile::console::rbac_session_timeout Must be an integer. Specifies how long a user's session should last, in minutes. This session is the same across node classification, RBAC, and the console. The default value is "60".
    puppet_enterprise::profile::console::session_maximum_lifetime Must be an integer. Specifies the maximum allowable period that a console session can be valid for. Supported units are "s" (seconds), "m" (minutes), "h" (hours), "d" (days), "y" (years). May be set to "0" to not expire before the maximum token lifetime.
    Units are specified as a single letter following an integer, for example "1d" (1 day). If no units are specified, the integer is treated as seconds.
    puppet_enterprise::profile::console::console_ssl_listen_port Must be an integer. The port the console is available on.
    Default is "[443]".
    puppet_enterprise::profile::console::ssl_listen_address PE's nginx listen address for the PE console.
    Defaults to "0.0.0.0".
    puppet_enterprise::profile::console::classifier_prune_threshold Must be an integer. The number of days to wait before pruning the size of the classifier database.
    If you set the value to "0", the node classifier service will never prune the database.
    puppet_enterprise::profile::console::display_local_time By default, the console displays timestamps in UTC format (also known as Zulu time). If you prefer, you can change your console settings to display all timestamps in local time, with UTC time shown on hover. Set to true to display timestamps in local time, with hover text showing UTC time or false (default) to show timestamps in UTC time.
    puppet_enterprise::profile::console::classifier_node_check_in_storage The node classifier service can store a check-in for each node when its classification is requested that includes an explanation of how it matched the rule of every group it was classified into. This is disabled by default. Default is false. Set to trueto enable.
    puppet_enterprise::console_services::no_longer_reporting_cutoff Determines the amount of time that should pass after sending its last report before a node is considered unresponsive. Set an integer to specify the value in seconds. Default is 3600 seconds.
  3. Click Add parameter as needed, and commit changes.
  4. On the nodes hosting the Puppet master and PE console, run Puppet.

Change password reset and lockout settings

You can change the default settings for how long new password change tokens last, and how many failed login attempts are permitted.

When a user doesn’t remember their current password, an administrator can generate a token for them to change their password. The duration, in hours, that this generated token is valid can be changed with the password-reset-expiration parameter. The default value is 24.

The failed-attempts-lockout parameter takes a positive integer that specifies how many failed login attempts are allowed on an account before that account is revoked. The default value is 10.

  1. On the node hosting the PE console, navigate to /etc/puppetlabs/console-services/conf.d and create a new file.

    Note: The file name is arbitrary, but the file format is HOCON.

  2. In the file, add the following lines with the values you want:

    rbac: {
 password-reset-expiration: 24
 failed-attempts-lockout: 10
}

  3. Reload pe-console-services:

    sudo service pe-console-services reload

Disable HTTPS redirect

The console redirects to HTTPS when you attempt to connect over HTTP. The pe-nginx webserver now listens on port 80 by default.

To disable the HTTPS redirect, edit your Hiera .yaml file to add the following setting:

puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false

The Hiera .yaml default location is /etc/puppetlabs/code/environments/%{environment}/hieradata (for *nix) and %CommonAppData%\PuppetLabs\code\environments\%{environment}\hieradata (for Windows).

Tuning the PostgreSQL buffer pool size

If you are experiencing performance issues or instability with the console, you may need to adjust the buffer memory settings for PostgreSQL. The most important PostgreSQL memory settings for PE are shared_buffers and work_mem.

  1. Open the PE PostgreSQL configuration file: /opt/puppetlabs/server/data/postgresql/9.4/data/postgresql.conf.
  2. Change the shared_buffers setting so that it is about 25 percent of your hardware’s RAM.
  3. If you have a large or complex deployment, increase the work_mem value from the default of 1MB.
  4. Restart the PostgreSQL server by running: sudo /etc/init.d/pe-postgresql restart

For more detail, see the PostgreSQL documentation.

Related Links

  • Disable update checking

    You can disable automatic update checks via the pe-puppetserver service.

  • Tune Java args for the PE console

    You can increase the JVM (Java Virtual Machine) memory that is allocated to Java services running on the PE console. This memory allocation is known as the Java heap size.

    Instructions for using the PE console to increase the Jave heap size are detailed on on the Configuring Java Arguments for PE page.

  • Increase the ulimit for console services

    The various services in PE require up to one file handle per connected client. On most OS configurations, the defaults will not be high enough for more than a couple hundred clients. To support more clients, you need to increate the number of allowed file handles.

    Instructions for increasing the number of file handles are detailed on the Increasing the ulimit for PE services page.

Back to top
The page rank or the 1 our of 5 rating a user has given the page.
The email address of the user submitting feedback.
The URL of the page being ranked/rated.