Puppet Enterprise 2017.3

After installing Puppet Enterprise, you can change product settings to customize the console's behavior, adjust to your team's needs, and improve performance.

Configure the PE console and console-services

There are several parameters you can add to configure the behavior of the console and console-services.

  1. In the console, click Classification, and in the PE Infrastructure group, select the PE Console group.
  2. On the Configuration tab, locate the puppet_enterprise class indicated and add any of the following parameters and values as needed.
    Parameter / Value
    puppet_enterprise::profile::console::classifier_synchronization_period
      An integer. Controls how often, in seconds, the node classifier retrieves classes from the master. Default is "600" seconds (10 minutes).
    puppet_enterprise::api_port
      The SSL port PE serves the node classifier on. Defaults to "[4433]".
    puppet_enterprise::profile::console::rbac_session_timeout
      Must be an integer. Specifies how long a user's session should last, in minutes. This session is the same across node classification, RBAC, and the console. The default value is "60".
    puppet_enterprise::profile::console::session_maximum_lifetime
      Must be an integer. Specifies the maximum allowable period that a console session can be valid for. Supported units are "s" (seconds), "m" (minutes), "h" (hours), "d" (days), "y" (years). May be set to "0" to not expire before the maximum token lifetime. Units are specified as a single letter following an integer, for example "1d" (1 day). If no units are specified, the integer is treated as seconds.
    puppet_enterprise::profile::console::console_ssl_listen_port
      Must be an integer. The port the console is available on. Default is "[443]".
    puppet_enterprise::profile::console::ssl_listen_address
      The nginx listen address for the console. Defaults to "0.0.0.0".
    puppet_enterprise::profile::console::classifier_prune_threshold
      Must be an integer. The number of days to wait before pruning the size of the classifier database. If you set the value to "0", the node classifier service will never prune the database.
    puppet_enterprise::profile::console::display_local_time
      By default, the console displays timestamps in UTC format (also known as Zulu time). If you prefer, you can change your console settings to display all timestamps in local time, with UTC time shown on hover. Set to true to display timestamps in local time, with hover text showing UTC time, or false (default) to show timestamps in UTC time.
    puppet_enterprise::profile::console::classifier_node_check_in_storage
      The node classifier service can store a check-in for each node when its classification is requested. The check-in includes an explanation of how the node matched the rule of every group it was classified into. This is disabled by default (false). Set to true to enable.
    puppet_enterprise::console_services::no_longer_reporting_cutoff
      Determines the amount of time that should pass after a node sends its last report before it is considered unresponsive. Set an integer to specify the value in seconds. Default is 3600 seconds.
  3. Click Add parameter as needed, and commit changes.
  4. On the nodes hosting the master and console, run Puppet.
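The two session parameters use different units: rbac_session_timeout is in minutes, while a bare integer for session_maximum_lifetime is read as seconds. The following check is an added example, not part of PE or its documentation; it normalizes session_maximum_lifetime using the unit rules in the table above and reviews both values before you commit them. The function names and the two policy ceilings are hypothetical, and the lengths of a day and a year are assumptions.

```python
import re

# Unit letters the page lists for session_maximum_lifetime.
# Assumption: 1d = 86400 s and 1y = 365 d; the page does not define them.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
_DURATION = re.compile(r"(\d+)([smhdy]?)")


def lifetime_seconds(value):
    """Convert a session_maximum_lifetime value to seconds.

    Returns None for zero, which the page describes as not expiring
    before the maximum token lifetime (assumed for any unit, e.g. "0h").
    """
    match = _DURATION.fullmatch(str(value).strip())
    if match is None:
        raise ValueError(f"not an integer with optional s/m/h/d/y unit: {value!r}")
    number, unit = int(match.group(1)), match.group(2) or "s"
    return number * UNIT_SECONDS[unit] if number else None


def review_session_settings(rbac_session_timeout, session_maximum_lifetime,
                            max_timeout_minutes=60, max_lifetime_seconds=86400):
    """Return findings for the two session parameters.

    Both ceilings are hypothetical policy values, not PE settings.
    """
    findings = []
    timeout = int(rbac_session_timeout)  # minutes, per the table
    if timeout > max_timeout_minutes:
        findings.append(f"rbac_session_timeout {timeout} min exceeds {max_timeout_minutes} min")
    lifetime = lifetime_seconds(session_maximum_lifetime)
    if lifetime is None:
        findings.append("session_maximum_lifetime is 0: sessions are capped only by the token lifetime")
    elif lifetime > max_lifetime_seconds:
        findings.append(f"session_maximum_lifetime {lifetime} s exceeds {max_lifetime_seconds} s")
    elif lifetime < timeout * 60:
        # A bare integer is seconds here but minutes for rbac_session_timeout.
        findings.append(f"session_maximum_lifetime {lifetime} s is shorter than "
                        f"rbac_session_timeout ({timeout} min); check the unit")
    return findings
```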

Change password reset and lockout settings

You can change the default settings for how long new password change tokens last, and how many failed login attempts are permitted.

When a user doesn’t remember their current password, an administrator can generate a token for them to change their password. The duration, in hours, that this generated token is valid can be changed with the password-reset-expiration parameter. The default value is 24.

The failed-attempts-lockout parameter takes a positive integer that specifies how many failed login attempts are allowed on an account before that account is revoked. The default value is 10.

  1. On the node hosting the console, navigate to /etc/puppetlabs/console-services/conf.d and create a new file. The filename can be arbitrary, but the format of its contents is HOCON.
  2. In the file, add the following lines with the values you want:
    rbac: {
     password-reset-expiration: 24
     failed-attempts-lockout: 10
    }
  3. Reload pe-console-services by running sudo service pe-console-services reload
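Because the filename in conf.d is arbitrary, the same rbac key can end up set in more than one file. The following audit is an added example, not part of PE; it lists every place the two settings are defined and flags values above a ceiling. It is a line scan rather than a HOCON parser, it assumes the two keys are used only under rbac, and the function names, ceilings and sample files are hypothetical.

```python
import re
from pathlib import Path

# Defaults stated on the page.
DEFAULTS = {"password-reset-expiration": 24, "failed-attempts-lockout": 10}
# Matches key: 5, key = 5, "key": 5 and rbac.key: 5.
_SETTING = re.compile(
    r'(?<![\w-])"?(password-reset-expiration|failed-attempts-lockout)"?\s*[:=]\s*(\d+)')


def load_conf_dir(path="/etc/puppetlabs/console-services/conf.d"):
    """Read every file in conf.d into a {filename: text} mapping."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


def collect_rbac_settings(files):
    """Return {key: [(filename, value), ...]} for each place a key is set."""
    found = {key: [] for key in DEFAULTS}
    for name in sorted(files):
        for line in files[name].splitlines():
            code = re.split(r"#|//", line, maxsplit=1)[0]  # drop HOCON comments
            for key, value in _SETTING.findall(code):
                found[key].append((name, int(value)))
    return found


def audit(files, max_reset_hours=24, max_failed_attempts=10):
    """Flag values above the limits and keys set to different values.

    The limits are hypothetical policy ceilings; here they equal the defaults.
    """
    limits = {"password-reset-expiration": max_reset_hours,
              "failed-attempts-lockout": max_failed_attempts}
    findings = []
    for key, hits in collect_rbac_settings(files).items():
        if len({value for _, value in hits}) > 1:
            findings.append(f"{key}: conflicting values {hits}")
        for name, value in hits or [("default", DEFAULTS[key])]:
            if value > limits[key]:
                findings.append(f"{key}: {value} in {name} exceeds {limits[key]}")
    return findings


# Constructed sample input, not taken from a real PE installation.
SAMPLE_FILES = {
    "rbac.conf": "rbac: {\n password-reset-expiration: 72  # hours\n failed-attempts-lockout: 10\n}\n",
    "zz-local.conf": "rbac.failed-attempts-lockout = 50\n",
}
```

On the node hosting the console, audit(load_conf_dir()) runs the same checks against the real directory.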

Disable HTTPS redirect

The console redirects to HTTPS when you attempt to connect over HTTP. The pe-nginx webserver now listens on port 80 by default.

The Hiera .yaml default location is /etc/puppetlabs/code/environments/%{environment}/hieradata (for *nix) and %CommonAppData%\PuppetLabs\code\environments\%{environment}\hieradata (for Windows).

Edit your Hiera .yaml file to add the following setting:
puppet_enterprise::profile::console::proxy::http_redirect::enable_http_redirect: false

Tuning the PostgreSQL buffer pool size

If you are experiencing performance issues or instability with the console, adjust the buffer memory settings for PostgreSQL.

The most important PostgreSQL memory settings for PE are shared_buffers and work_mem.

  1. Open the PE PostgreSQL configuration file, /opt/puppetlabs/server/data/postgresql/9.6/data/postgresql.conf.
  2. Change the shared_buffers setting so that it is about 25 percent of your hardware’s RAM.
  3. If you have a large or complex deployment, increase the work_mem value from the default of 1MB.
  4. Restart the PostgreSQL server by running: sudo /etc/init.d/pe-postgresql restart

For more detail, see the PostgreSQL documentation.
