Puppet Enterprise (PE) installs several software components, configuration files, databases, services and users, and log files. It’s useful to know the locations of these should you ever need to troubleshoot or manage your PE infrastructure.
PE installs several software components and dependencies.
The functional components of PE are separated between those packaged with the puppet-agent and those packaged on the server side (which also includes the puppet-agent).
PE 2017.2 includes the following major software components.
|PE Version||Puppet Agent||Puppet||Facter||Hiera||MCollective||Ruby||OpenSSL|
Note: Beginning with the Puppet 4.9.0 release, Hiera is fully integrated into Puppet.
|PE Version||Puppet Server||PuppetDB||r10k||Razor Server||Razor Libs||PostgreSQL||Java||ActiveMQ||Nginx|
Note: PE also installs other dependencies, as documented in the system requirements.
PE installs several binaries, modules, and plugins for normal operations and for interacting with its tools and services.
PE installs executable binaries for interacting with tools and services.
On *nix nodes, all PE software is installed under
On Windows nodes, all PE software is installed in
Program Files at
Executable binaries on *nix are in
To make essential Puppet tools available to all users, the installer automatically creates symlinks in
/usr/local/bin for the
mco binaries. Note that the symlinks will only be created if
/usr/local/bin is writeable.
AIX and Solaris 10/11 users need to add
/usr/local/bin to their default path.
If you’re running Mac OS X agents, note that symlinks are not created until the first successful Puppet run that applies the agents’ catalogs.
Binaries provided by other PE components, such as those for interacting with PE’s installed PostgreSQL server, PuppetDB, or Ruby packages do not have symlinks created.
For instructions on enabling binaries or disabling symlinks, refer to the following:
PE installs some modules and plugins for normal operations.
/opt/puppetlabs/puppet/modules. Don’t modify anything in this directory or add modules of your own. Instead, install them in
/opt/puppetlabs/mcollective/plugins/on *nix and in
\PuppetLabs\mcollective\etc\plugins\mcollectiveon Windows. If you are adding new plugins to your PE agent nodes, you should distribute them via Puppet as described in the “Adding actions” page of this manual.
PE installs configuration files, which, from time to time, you may need to interact with.
On *nix nodes, Puppet Enterprise’s configuration files all live under
On Windows nodes, Puppet Enterprise’s configuration files all live under
<COMMON_APPDATA>\PuppetLabs. The location of this folder varies by Windows version; in 2008 and 2012, its default location is
confdir is in the
puppet subdirectory. This directory contains the
auth.conf, and the SSL directory.
PE installs several suites of tools to help you work with the major components of the software.
These tools include:
puppet cert.See the Tools section of the Puppet Manual for more information.
puppet app. See the Puppet Orchestrator documentation for more information. See the Code Manager documentation for more information.
puppet-codecommand allows you to trigger Code Manager from the command line to deploy your environments.
mcocommand. See the PE MCollective documentation for more information.
PE installs several default databases, all of which use PostgreSQL as a database backend.
The PE PostgreSQL database includes the following databases:
|pe-activity||Activity data from the Classifier, including who, what and when|
|pe-classifier||Classification data, all Node Group information|
|pe-puppetdb||PuppetDB’s data, including exported resources, catalogs, facts, and reports|
|pe-rbac||RBAC data, including users, permissions, and AD/LDAP info|
|pe-orchestrator||orchestrator data, including details about job runs (users, nodes, and run results)|
Use PostgreSQL’s native tools to perform database exports and imports. At a minimum, you should perform nightly backups to a remote system, or as dictated by your company policy.
PE installs several services, users, and group accounts for interacting with the software it contains.
PE installs several services you’ll use to interact with it in normal operations.
|pe-activemq||The ActiveMQ message server, which passes messages to the MCollective servers on agent nodes. Runs on servers with the Puppet master component.|
|pe-console-services||Manages and serves the PE console.|
|pe-puppetserver||The Puppet master server, which manages the Puppet master component.|
|pe-nginx||Nginx, serves as a reverse-proxy to the PE console.|
|mcollective||The MCollective daemon, which listens for messages and invokes actions. Runs on every agent node.|
|puppet||(on EL and Debian-based platforms) --- The Puppet agent daemon. Runs on every agent node.|
|pe-puppetdb, pe-postgresql||Daemons that manage and serve the database components. Note that pe-postgresql is only created if we install and manage PostgreSQL for you.|
|pxp-agent||Runs the Puppet agent PXP process.|
|pe-orchestration-services||Runs the Puppet orchestration process.|
PE creates several user accounts.
|peadmin||An administrative account which can invoke MCollective-related actions. This is the only PE user account intended for use in a login shell. See <a href=https://docs.puppetlabs.com/pe/latest/orchestration_invoke_cli.html>Invoking Actions</a> for more about this user. This user exists on servers with the Puppet master component.|
|pe-puppet||A system user that runs the Puppet master processes spawned by pe-puppetserver.|
|pe-webserver||A system user that runs Nginx (pe-nginx).|
|pe-activemq||A system user that runs the ActiveMQ message bus used by MCollective.|
|pe-puppetdb||A system user with root access to the database.|
|pe-postgres||A system user with access to the pe-postgreSQL instance. Note that this user is only created if we install and manage PostgreSQL for you.|
|pe-console-services||A system user that runs the console process.|
|pe-orchestration-services||A system user that runs the Puppet Orchestration process.|
PE creates several group accounts.
|peadmin||An administrative group which can invoke MCollective-related actions.|
|pe-puppet||A system group that runs the Puppet master processes spawned by pe-puppetserver.|
|pe-webserver||A system group that runs Nginx (pe-nginx).|
|pe-activemq||A system group that runs the ActiveMQ message bus used by MCollective.|
|pe-puppetdb||A system group with root access to the database.|
|pe-postgres||A system group with access to the pe-postgreSQL instance. Note that this group is only created if we install and manage PostgreSQL for you.|
|pe-console-services||A system group that runs the console process.|
|pe-orchestration-services||A system group that runs the Puppet Orchestration process.|
The software distributed with Puppet Enterprise generates log files that you can collect for compliance or use for troubleshooting.
The Puppet master has the following logs.
/var/log/puppetlabs/puppetserver/puppetserver.log: the Puppet master application logs its activity here; this is where things like compilation errors and deprecation warnings can be found.
/var/log/puppetlabs/puppetserver/puppetserver-daemon.log: this is where fatal errors or crash reports can be found.
/var/log/puppetlabs/puppetserver/pcp-broker.log: the log file for PCP brokers on compile masters.
The locations of Puppet agent logs depend on your agent’s operating system.
On *nix nodes, the Puppet agent service logs its activity to the syslog service. Your syslog configuration dictates where these messages will be saved, but the default location is
/var/log/messages on Linux,
/var/log/system.log on Mac OS X, and
/var/adm/messages on Solaris.
On Windows nodes, the Puppet agent service logs its activity to the Windows Event Log. You can view its logs by browsing the Event Viewer. (Control Panel > System and Security > Administrative Tools > Event Viewer)
ActiveMQ has the following logs.
MCollective has the following logs.
/var/log/puppetlabs/mcollective.log: maintained by the MCollective service, which is installed on all nodes.
/var/log/puppetlabs/mcollective-audit.log: exists on all nodes that have MCollective installed; logs any MCollective actions run on the node, including information about the client that called the node
The console and pe-console-services has the following logs.
/var/log/puppetlabs/nginx/error.log: contains errors related to nginx. Console errors that don’t get logged anywhere else can be found in this log. If you have problems with the console or Puppet, this log may be useful.
/var/log/puppetlabs/console-services-daemon.log: this is where fatal errors or crash reports can be found.
The PE installer has the following logs.
/var/log/puppetlabs/installer/http.log: contains the web requests sent to the installer; present only on the machine from which the web-based install was performed
/var/log/puppetlabs/installer/installer-<timestamp>.log: contains the operations performed and any errors that occurred during installation
/var/log/puppetlabs/installer/install_log.lastrun.<hostname>.log: contains the contents of the last installer run
PE has the following logs for its databases.
PE has the following logs for pe-orchestration-services and related components.
/var/log/puppetlabs/orchestration-services-daemon.log: this is where fatal errors or crash reports can be found.
/var/log/puppetlabs/orchestration-services/pcp-broker.log: the log file for PCP brokers on the master of masters (MoM).
/var/log/puppetlabs/pxp-agent/pxp-agent.log(on *nix) or
C:/ProgramData/PuppetLabs/pxp-agent/var/log/pxp-agent.log(on Windows): contains the PXP agent log file
During installation, PE generates and installs a number of SSL certificates so agents and services can authenticate themselves.
These certs can be found at
|<PUPPET MASTER CERTNAME>||Generated during install. In a monolithic install, this cert is used by PuppetDB and the PE console. This is the same value for the agent's certname that runs on the Puppet master. In monolithic install, the agent on the PE console and PuppetDB share this certname. In a default monolithic or split install, this is also the Puppet CA cert.|
|<PE CONSOLE CERTNAME>||The certificate for the PE console, which is only generated if you have a split install. This is the same value for the agent's certname that runs on the PE console.|
|<PUPPETDB CERTNAME>||The certificate for PuppetDB, which is only generated if you have a split install. This is the same value for the agent's certname that runs on PuppetDB.|
|pe-internal-mcollective-servers||A certificate generated on the Puppet master and shared to all agent nodes.|
|pe-internal-peadmin-mcollective-client||The certificate for the peadmin account on the Puppet master.|
|pe-internal-puppet-console-mcollective-client||The MCollective certificate for the PE console.|
Services that run on the Puppet master or console (for example,
pe-console-services, use the Puppet agent certificate to authenticate.