What gets installed and where?

Puppet Enterprise2017.3
This version is out of date. For current versions, see Puppet Enterprise support lifecycle.
Sections

Puppet Enterprise installs several software components, configuration files, databases, services and users, and log files. It's useful to know the locations of these should you ever need to troubleshoot or manage your infrastructure.

Software components installed

PE installs several software components and dependencies.

The functional components of the software are separated between those packaged with the agent and those packaged on the server side (which also includes the agent).
Note: PE also installs other dependencies, as documented in the system requirements.
This table shows the components installed on all agent nodes.
Note: Hiera 5 is a backwards-compatible evolution of Hiera, which is built into Puppet 4.9.0 and higher. To provide some backwards-compatible features, it uses the classic Hiera 3.x.x codebase version listed in this table.
PE Version Puppet Agent Puppet Facter Hiera MCollective RubyOpenSSL
2017.3.10 5.3.8 5.3.7 3.9.63.4.32.11.52.4.41.0.2n
2017.3.95.3.85.3.73.9.63.4.32.11.52.4.41.0.2n
2017.3.85.3.85.3.73.9.63.4.32.11.52.4.41.0.2n
2017.3.65.3.65.3.63.9.63.4.32.11.52.4.41.0.2n
2017.3.55.3.55.3.53.9.53.4.22.11.42.4.31.0.2n
2017.3.45.3.45.3.43.9.43.4.22.11.42.4.31.0.2n
2017.3.25.3.35.3.33.9.33.4.22.11.42.4.21.0.2k
2017.3.15.3.25.3.23.9.23.4.22.11.32.4.11.0.2k
2017.3.0 5.3.2 5.3.2 3.9.23.4.22.11.32.4.11.0.2k
2017.2.51.10.94.10.93.6.83.3.22.10.62.1.91.0.2k
2017.2.41.10.84.10.83.6.73.3.22.10.52.1.91.0.2k
2017.2.31.10.54.10.53.6.63.3.22.10.52.1.91.0.2k
2017.2.21.10.44.10.43.6.53.3.22.10.52.1.91.0.2k
2017.2.11.10.14.10.13.6.43.3.12.10.42.1.91.0.2k
2017.1.11.9.34.9.43.6.23.3.12.9.02.1.91.0.2j
2017.1.1 for Ubuntu on i3861.7.04.7.03.4.13.2.12.10.22.1.91.0.2h
2017.1.01.9.34.9.43.6.23.3.12.9.02.1.91.0.2j
2017.1.0 for Ubuntu on i3861.7.04.7.03.4.13.2.12.10.22.1.91.0.2h
2016.5.21.8.34.8.23.5.13.2.22.9.12.1.91.0.2j
2016.5.2 for Ubuntu on i3861.7.04.7.03.4.13.2.12.9.02.1.91.0.2h
2016.5.1 1.8.24.8.13.5.03.2.22.9.12.1.91.0.2j
2016.5.1 for Ubuntu on i3861.7.04.7.03.4.13.2.12.9.0 2.1.91.0.2h
2016.4.15 (LTS)1.10.144.10.123.6.103.3.32.10.62.1.91.0.2n
2016.4.141.10.144.10.123.6.103.3.32.10.62.1.91.0.2n
2016.4.131.10.144.10.123.6.103.3.32.10.62.1.91.0.2n
2016.4.111.10.124.10.113.6.103.3.32.10.62.1.91.0.2n
2016.4.101.10.104.10.103.6.9­2.10.62.1.91.0.2n
2016.4.9 1.10.94.10.93.6.8­2.10.62.1.91.0.2k
2016.4.8 1.10.84.10.83.6.7­2.10.52.1.91.0.2k
2016.4.7 1.10.54.10.53.6.6­2.10.52.1.91.0.2k
2016.4.6 1.10.44.10.43.6.5­2.10.52.1.91.0.2k
2016.4.5 1.10.14.10.13.6.4­2.10.42.1.91.0.2k
2016.4.31.7.24.7.13.4.23.2.22.9.1 2.1.91.0.2j
2016.4.3 for Ubuntu on i3861.7.14.7.03.4.13.2.12.9.02.1.91.0.2j
2016.4.2 1.7.14.7.03.4.13.2.12.9.02.1.91.0.2j
2016.4.0 1.7.14.7.03.4.13.2.12.9.02.1.91.0.2j
This table shows components installed on server nodes:
PE Version Puppet Server PuppetDB r10k Razor Server Razor Libs PostgreSQL Java ActiveMQ Nginx
2017.3.10 5.1.6 5.1.5 2.6.01.6.03.1.29.6.101.8.05.15.31.14.0
2017.3.95.1.65.1.52.6.01.6.03.1.29.6.81.8.05.15.31.14.0
2017.3.85.1.65.1.52.6.01.6.03.1.29.6.81.8.05.15.31.12.1
2017.3.65.1.65.1.52.6.01.6.03.1.29.6.81.8.05.15.31.12.1
2017.3.55.1.65.1.42.6.01.6.03.1.29.6.61.8.05.14.31.12.1
2017.3.45.1.55.1.42.6.01.6.03.1.29.6.61.8.05.14.31.12.1
2017.3.25.1.45.1.32.5.51.6.03.1.29.6.51.8.05.14.31.12.1
2017.3.15.1.35.1.12.5.51.6.03.1.29.6.51.8.05.14.31.12.1
2017.3.05.1.35.1.12.5.51.6.03.1.29.6.51.8.05.14.31.12.1
2017.2.52.8.04.4.22.5.51.6.03.1.29.4.141.8.05.14.31.12.1
2017.2.42.8.04.4.22.5.51.6.03.1.29.4.141.8.05.14.31.12.1
2017.2.32.7.24.4.12.5.51.6.03.1.29.4.121.8.05.14.31.12.1
2017.2.22.7.24.4.12.5.51.6.03.1.29.4.121.8.05.14.31.10.2
2017.2.12.7.24.4.02.5.41.6.03.1.29.4.101.8.05.14.31.10.2
2017.1.12.7.24.3.22.5.11.5.03.1.29.4.101.8.05.14.31.10.2
2017.1.02.7.24.3.22.5.11.5.03.1.29.4.101.8.05.14.31.10.2
2016.5.22.6.04.2.52.5.01.5.03.1.29.4.91.8.05.14.31.8.1
2016.5.12.6.04.2.52.5.01.5.03.1.29.4.91.8.05.13.21.8.1
2016.4.15 (LTS)2.6.14.2.32.5.51.4.03.1.29.4.191.8.05.15.31.14.0
2016.4.142.6.14.2.32.5.51.4.03.1.29.4.171.8.05.15.31.14.0
2016.4.132.6.14.2.32.5.51.4.03.1.29.4.171.8.05.15.31.12.1
2016.4.112.6.14.2.32.5.51.4.03.1.29.4.171.8.05.14.31.12.1
2016.4.102.6.14.2.32.5.51.4.03.1.29.4.151.8.05.14.31.12.1
2016.4.92.6.04.2.32.5.51.4.03.1.29.4.141.8.05.14.31.12.1
2016.4.82.6.04.2.32.5.51.4.03.1.29.4.141.8.05.14.31.12.1
2016.4.72.6.04.2.32.5.51.4.03.1.29.4.121.8.05.14.31.12.1
2016.4.62.6.04.2.32.5.51.4.03.1.29.4.121.8.05.14.31.8.1
2016.4.52.6.04.2.32.5.41.4.03.1.29.4.91.8.05.14.31.8.1
2016.4.32.6.04.2.32.4.51.4.03.1.29.4.91.8.05.14.31.8.1
2016.4.22.6.04.2.32.4.31.4.03.1.29.4.91.8.05.13.21.8.1
2016.4.02.6.04.2.32.4.31.4.03.1.29.4.91.8.05.13.21.8.1

PE installs executable binaries and symlinks for interacting with tools and services.

On *nix nodes, all software is installed under /opt/puppetlabs.

On Windows nodes, all software is installed in Program Files at Puppet Labs\Puppet.

Executable binaries on *nix are in /opt/puppetlabs/bin and /opt/puppetlabs/sbin.
Tip: To include binaries in your default $PATH, manually add them to your profile or export the path:
PATH=/opt/puppetlabs/puppet/bin:/opt/puppetlabs/server/bin:$PATH;export PATH

To make essential Puppet tools available to all users, the installer automatically creates symlinks in /usr/local/bin for the facter, puppet, pe-man, r10k, hiera, and mco binaries. Symlinks are created only if /usr/local/bin is writeable. Users of AIX and Solaris versions 10 and 11 must add /usr/local/bin to their default path.

For macOS agents, symlinks aren't created until the first successful run that applies the agents' catalogs.

Tip: You can disable symlinks by changing the manage_symlinks setting in your default Hiera file: 
puppet_enterprise::manage_symlinks: false

Binaries provided by other software components, such as those for interacting with the PostgreSQL server, PuppetDB, or Ruby packages, do not have symlinks created.

Modules and plugins installed

PE installs modules and plugins for normal operations.

  • Modules included with the software are installed on the master in /opt/puppetlabs/puppet/modules. Don't modify anything in this directory or add modules of your own. Instead, install non-default modules in /etc/puppetlabs/code/environments/<environment>/modules.
  • MCollective plugins are installed in /opt/puppetlabs/mcollective/plugins/ on *nix and in <COMMON_APPDATA>``\PuppetLabs\mcollective\etc\plugins\mcollective on Windows. If you are adding new plugins to agent nodes, distribute them with Puppet.

Configuration files installed

PE installs configuration files that you might need to interact with from time to time.

On *nix nodes, configuration files live at /etc/puppetlabs/puppet.

On Windows nodes, configuration files live at <COMMON_APPDATA>\PuppetLabs. The location of this folder varies by Windows version; in 2008 and 2012, its default location is C:\ProgramData\PuppetLabs\puppet\etc.

The software's confdir is in the puppet subdirectory. This directory contains the puppet.conf file, auth.conf, and the SSL directory.

Tools installed

PE installs several suites of tools to help you work with the major components of the software.

  • Puppet tools — Tools that control basic functions of the software such as puppet master and puppet cert.
  • Client tools — The pe-client-tools package collects a set of CLI tools that extend the ability for you to access services from the master or a workstation. This package includes:
    • Orchestrator — The orchestrator is a set of interactive command line tools that provide the interface to the orchestration service. Orchestrator also enables you to enforce change on the environment level. Tools include puppet job and puppet app.
    • Puppet Access — Users can generate tokens to authenticate their access to certain command line tools and API endpoints.
    • Code Manager CLI — The puppet-code command allows you to trigger Code Manager from the command line to deploy your environments.
    • PuppetDB CLI — This a tool for working with PuppetDB, including building queries and handling exports.
  • MCollective tools — Tools used to invoke simultaneous actions across a number of nodes. These tools are built on the MCollective framework and are accessed via the mco command.
  • Module tool — The module tool is used to access and create modules, which are reusable chunks of Puppet code users have written to automate configuration and deployment tasks. For more information, and to access modules, visit the Forge.
  • Console — The console is the web user interface for PE. The console provides tools to view and edit resources on your nodes, view reports and activity graphs, and more.

Databases installed

PE installs several default databases, all of which use PostgreSQL as a database backend.

The PE PostgreSQL database includes these following databases.

Database Description
pe-activity Activity data from the classifier, including who, what, and when.
pe-classifier Classification data, all node group information.
pe-puppetdb PuppetDB data, including exported resources, catalogs, facts, and reports.
pe-rbac RBAC data, including users, permissions, and AD/LDAP info.
pe-orchestrator Orchestrator data, including details about job runs.

Use the native PostgreSQL tools to perform database exports and imports. At a minimum, you should perform backups to a remote system nightly, or as dictated by your company policy.

Services installed

PE installs several services used to interact with the software during normal operations.

ServiceDefinition
pe-activemqThe ActiveMQ message server, which passes messages to the MCollective servers on agent nodes. Runs on servers with the master component.
pe-console-servicesManages and serves the console.
pe-puppetserverRuns the master server, which manages the master component.
pe-nginxNginx, serves as a reverse-proxy to the console.
mcollectiveThe MCollective daemon, which listens for messages and invokes actions. Runs on every agent node.
puppet(on Enterprise Linux and Debian-based platforms) Runs the agent daemon on every agent node.
pe-puppetdb, pe-postgresqlDaemons that manage and serve the database components. The pe-postgresql service is created only if the software installs and manages PostgreSQL.
pxp-agentRuns the Puppet Execution Protocol agent process.
pe-orchestration-servicesRuns the orchestration process.

User and group accounts installed

These are the user and group accounts installed.

UserDefinition
peadminInvokes MCollective actions. The individual user account is the only user account intended for use in a login shell. This user exists on servers with the master component.
pe-puppetRuns the master processes spawned by pe-puppetserver.
pe-webserverRuns Nginx.
pe-activemqRuns the ActiveMQ message bus used by MCollective.
pe-puppetdbHas root access to the database.
pe-postgresHas access to the pe-postgreSQL instance. Created only if the software installs and manages PostgreSQL.
pe-console-servicesRuns the console process.
pe-orchestration-servicesRuns the orchestration process.

Log files installed

The software distributed with PE generates log files that you can collect for compliance or use for troubleshooting.

Master logs

The master has these logs.

  • /var/log/puppetlabs/puppetserver/puppetserver.log — The master application logs its activity, including compilation errors and deprecation warnings, here.
  • /var/log/puppetlabs/puppetserver/puppetserver-daemon.log — This is where fatal errors or crash reports can be found.
  • /var/log/puppetlabs/puppetserver/pcp-broker.log — The log file for Puppet Communications Protocol brokers on compile masters.
  • /var/log/puppetlabs/puppetserver/code-manager-access.log
  • /var/log/puppetlabs/puppetserver/file-sync-access.log
  • /var/log/puppetlabs/puppetserver/masterhttp.log
  • /var/log/puppetlabs/puppetserver/puppetserver-access.log
  • /var/log/puppetlabs/puppetserver/puppetserver.log
  • /var/log/puppetlabs/puppetserver/puppetserver-status.log

Agent logs

The locations of agent logs depend on the agent operating system.

On *nix nodes, the agent service logs its activity to the syslog service. Your syslog configuration dictates where these messages are saved, but the default location is /var/log/messages on Linux, /var/log/system.log on macOS, and /var/adm/messages on Solaris.

On Windows nodes, the agent service logs its activity to the event log. You can view its logs by browsing the event viewer.

MCollective logs

MCollective has these logs.

  • /var/log/puppetlabs/mcollective.log — Maintained by the MCollective service, which is installed on all nodes.
  • /var/log/puppetlabs/mcollective-audit.log — Exists on all nodes that have MCollective installed. Logs any MCollective actions run on the node, including information about the client that called the node

Console and console services logs

The console and pe-console-services has these logs.

  • /var/log/puppetlabs/nginx/error.log — Contains errors related to nginx. Console errors that aren't logged elsewhere can be found in this log.
  • /var/log/puppetlabs/nginx/access.log
  • /var/log/puppetlabs/console-services/console-services.log
  • /var/log/puppetlabs/console-services-access.log
  • /var/log/puppetlabs/console-services/console-services-api-access.log
  • /var/log/puppetlabs/console-services-daemon.log — This is where fatal errors or crash reports can be found.

Installer logs

The installer has these logs.

  • /var/log/puppetlabs/installer/http.log — Contains web requests sent to the installer. This log is present only on the machine from which a web-based installation was performed.
  • /var/log/puppetlabs/installer/installer-<timestamp>.log — Contains the operations performed and any errors that occurred during installation.
  • /var/log/puppetlabs/installer/install_log.lastrun.<hostname>.log — Contains the contents of the last installer run.

Database logs

The database has these logs.

  • /var/log/puppetlabs/puppetdb/puppetdb-access.log
  • /var/log/puppetlabs/puppetdb/puppetdb-status.log
  • /var/log/puppetlabs/puppetdb/puppetdb.log
  • /var/log/puppetlabs/postgresql/pgstartup.log
  • /var/log/puppetlabs/postgresql/postgresql-Fri.log
  • /var/log/puppetlabs/postgresql/postgresql-Mon.log
  • /var/log/puppetlabs/postgresql/postgresql-Sat.log
  • /var/log/puppetlabs/postgresql/postgresql-Sun.log
  • /var/log/puppetlabs/postgresql/postgresql-Thu.log
  • /var/log/puppetlabs/postgresql/postgresql-Tue.log
  • /var/log/puppetlabs/postgresql/postgresql-Wed.log

Orchestration logs

The orchestration service and related components have these logs.

  • /var/log/puppetlabs/orchestration-services/orchestration-services.log
  • /var/log/puppetlabs/orchestration-services/orchestration-services-access.log
  • /var/log/puppetlabs/orchestration-services/orchestration-services-status.log
  • /var/log/puppetlabs/orchestration-services/orchestration-services-daemon.log — This is where fatal errors or crash reports can be found.
  • /var/log/puppetlabs/orchestration-services/pcp-broker.log — The log file for Puppet Communications Protocol brokers on the master of masters.
  • /var/log/puppetlabs/orchestration-services/pcp-broker-access.log
  • /var/log/puppetlabs/pxp-agent/pxp-agent.log (on *nix) or C:/ProgramData/PuppetLabs/pxp-agent/var/log/pxp-agent.log (on Windows) — Contains the Puppet Execution Protocol agent log file.

Certificates installed

During installation, the software generates and installs a number of SSL certificates so that agents and services can authenticate themselves.

These certs can be found at /etc/puppetlabs/puppet/ssl/certs.

Services that run on the master or console — for example, pe-orchestration-services and pe-console-services — use the agent certificate to authenticate.

CertDefinition
<MASTER CERTNAME>Generated during install. In a monolithic install, this cert is used by PuppetDB and the console. This is the same value for the agent's certname that runs on the master. In a monolithic install, the agent on the console and PuppetDB share this certname. In a default monolithic or split install, this is also the CA certificate.
<CONSOLE CERTNAME>The certificate for the console, which is generated only if you have a split install. This is the same value for the agent's certname that runs on the console.
<PUPPETDB CERTNAME>The certificate for PuppetDB, which is generated only if you have a split install. This is the same value for the agent's certname that runs on PuppetDB.
pe-internal-mcollective-serversA certificate generated on the master and shared to all agent nodes.
pe-internal-peadmin-mcollective-clientThe certificate for the peadmin account on the master.
pe-internal-puppet-console-mcollective-clientThe MCollective certificate for the console.
See an issue? Please file a JIRA ticket in our [DOCUMENTATION] project
Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.