System configuration

Before installing Puppet Enterprise, make sure that your nodes and network are properly configured.

Note: Port numbers are Transmission Control Protocol (TCP) ports, unless noted otherwise.

Network considerations

Before installing, consider these network requirements.

Timekeeping

Use NTP or an equivalent service to keep time in sync between your primary server, which acts as the certificate authority, and all agent nodes. If clocks drift out of sync across your infrastructure, you might encounter issues such as agents receiving certificates that appear not yet valid or already expired. A service like NTP (available as a supported module) ensures accurate timekeeping.

Name resolution

Decide on a preferred name or set of names that agent nodes can use to contact the primary server. Ensure that the primary server can be reached by domain name lookup by all future agent nodes.

You can simplify configuration of agent nodes by using a CNAME record to make the primary server reachable at the hostname puppet, which is the default primary server hostname that is suggested when installing an agent node.

Web URLs used for deployment and management

PE uses some external web URLs for certain deployment and management tasks. You might want to ensure these URLs are reachable from your network prior to installation, and be aware that they might be called at various stages of configuration.

URL and what it enables:
  • forgeapi.puppet.com: Puppet module downloads.
  • pm.puppetlabs.com: agent module package downloads.
  • s3.amazonaws.com: agent module package downloads (redirected from pm.puppetlabs.com).
  • rubygems.org: Puppet and Puppet Server gem downloads.
  • github.com: third-party module downloads not served by the Forge, and access to control repositories.

Antivirus and antimalware considerations

Antivirus and antimalware software can impact or prevent the proper functioning of PE. While we don't have an official stance on which antivirus and antimalware product you use, here are some considerations to keep in mind while installing and configuring antivirus and antimalware software.

  • Exclude the /etc/puppetlabs and /opt/puppetlabs directories from antivirus and antimalware tools that scan disk write operations to avoid performance issues.
  • Some antivirus and antimalware software requires a lot of system processing power. Tune your system resources to accommodate the software so it doesn't slow your performance.
  • Some antivirus and antimalware software defaults to using port 8081, which is the same port PuppetDB uses. When installing the software, consider which port it uses so it doesn't conflict with PuppetDB communications.
  • For Windows agents, you can exclude C:\ProgramData\PuppetLabs\pe_patch if your antivirus is holding a lock on log files and causing patching failures.

Firewall configuration

Follow these guidelines for firewall configuration based on your installation type.

Firewall configuration for standard installations

These are the port requirements for standard installations.


Graphic showing communication between components in a standard installation.
Each port is listed with its VPC access in cloud deployments (external or internal).

Port 22 (external)
  • Code Manager uses this port to tell Git to clone and fetch content via SSH.

Port 443 (external)
  • Code Manager uses this port to tell Git to clone and fetch content via HTTPS.
  • This port provides host access to the console.
  • The console accepts HTTPS traffic from end users on this port.
  • Classifier group: PE Console

Port 4433 (external)
  • This port is used as the classifier / console services API endpoint.
  • The primary server communicates with the console over this port.
  • Classifier group: PE Console

Port 5432 (internal)
  • This port is used to replicate PostgreSQL data between the primary server and the replica.

Port 8081 (internal)
  • PuppetDB accepts traffic/requests on this port.
  • The primary server and console send traffic to PuppetDB on this port.
  • PuppetDB status checks are sent over this port.
  • Classifier group: PE PuppetDB

Port 8140 (internal)
  • The primary server uses this port to accept inbound traffic/requests from agents.
  • The console sends requests to the primary server on this port.
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • Classifier group: PE Master

Port 8142 (internal)
  • The orchestrator and the Run Puppet button use this port on the primary server to accept inbound traffic/responses from agents via the Puppet Execution Protocol (PXP) agent.
  • Classifier group: PE Orchestrator

Port 8143 (internal)
  • The orchestrator uses this port to accept connections from Puppet Communications Protocol (PCP) brokers to relay communications. The orchestrator client also uses this port to communicate with the orchestration services running on the primary server. If you install the orchestrator client on a workstation, port 8143 on the primary server must be accessible from the workstation.
  • Classifier group: PE Orchestrator

Port 8170 (internal)
  • Code Manager uses this port to deploy environments, run webhooks, and make API calls.
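The following pre-install check is an added example, not part of Puppet's documentation or tooling. It ties the Timekeeping section to the port table above: run from a node of a given role, it probes the TCP ports that node must reach on the primary server, and, if port 8140 answers, reads the Date header from Puppet Server's status endpoint to estimate clock skew before the node ever requests a certificate. The role-to-port grouping, the 30-second skew threshold, the default hostname puppet and the /status/v1/simple path are assumptions for illustration; the status endpoint is assumed to answer without a client certificate, and TLS verification is deliberately off because the node does not yet trust the PE CA, so the Date value is only a clock hint and never a trust decision.

```python
"""Pre-install port and clock-skew check for a PE primary server (added example)."""
import http.client
import socket
import ssl
import time
from datetime import timezone
from email.utils import parsedate_to_datetime

# Ports a node must reach on the primary server, grouped by the node's role.
# Drawn from the standard-installation table; the grouping itself is an
# assumption made for this example, not a PE-defined list.
PORTS_BY_ROLE = {
    "agent": [8140, 8142],       # Puppet Server, PXP agent (orchestrator)
    "workstation": [443, 8143],  # console UI, orchestrator client
    "replica": [5432],           # PostgreSQL replication
}
MAX_SKEW_SECONDS = 30.0  # assumed tolerance; tighten to taste


def probe_port(host, port, timeout=3.0):
    """Return True when a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), or unresolvable
        return False


def skew_seconds(date_header, now_epoch=None):
    """Local clock minus server clock, in seconds, from an HTTP Date header.

    Positive means this node runs ahead of the server. Skew in either
    direction eventually breaks certificate validity checks.
    """
    server_time = parsedate_to_datetime(date_header)
    if server_time.tzinfo is None:  # "-0000" parses as naive; treat as UTC
        server_time = server_time.replace(tzinfo=timezone.utc)
    if now_epoch is None:
        now_epoch = time.time()
    return now_epoch - server_time.timestamp()


def fetch_server_date(host, port=8140, path="/status/v1/simple", timeout=3.0):
    """Fetch the Date header from Puppet Server's status endpoint.

    TLS verification is off on purpose: before installation the node does not
    trust the PE CA. The value is used only as a clock hint, so a host in the
    path gains nothing beyond a spurious skew warning.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheader("Date")
    finally:
        conn.close()


def preflight(primary, role, fetch_date=fetch_server_date):
    """Probe each port for the role; measure skew only if 8140 is reachable."""
    ports = {p: probe_port(primary, p) for p in PORTS_BY_ROLE[role]}
    skew = None
    if ports.get(8140):
        try:
            header = fetch_date(primary)
        except (OSError, http.client.HTTPException):
            header = None
        if header:
            skew = skew_seconds(header)
    return {"ports": ports, "skew": skew}


def report(results, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, lines); ok is False if a port is blocked or skew is too large."""
    ok, lines = True, []
    for port, reachable in sorted(results["ports"].items()):
        lines.append(f"port {port}: {'open' if reachable else 'BLOCKED'}")
        ok = ok and reachable
    skew = results["skew"]
    if skew is None:
        lines.append("clock skew: not measured (8140 unreachable or no Date header)")
    else:
        too_far = abs(skew) > max_skew
        lines.append(f"clock skew: {skew:+.1f}s" + (" EXCEEDS LIMIT" if too_far else ""))
        ok = ok and not too_far
    return ok, lines


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "puppet"  # the CNAME suggested above
    role = sys.argv[2] if len(sys.argv) > 2 else "agent"
    ok, lines = report(preflight(host, role))
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

Run it from the node whose access you are verifying (for example `python3 pe_preflight.py puppet agent`), because the tables describe ports the primary server accepts inbound; a non-zero exit means at least one required port is blocked or the clocks disagree by more than the threshold. The skew test is only meaningful once 8140 is reachable, which is why the script reports it as "not measured" rather than failing silently.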

Firewall configuration for large installations

These are the port requirements for large installations with compilers.


Graphic showing communication between components in a large installation with compilers and a load balancer.
Port 22
  • Code Manager uses this port to tell Git to clone and fetch content via SSH.

Port 443
  • Code Manager uses this port to tell Git to clone and fetch content via HTTPS.
  • This port provides host access to the console.
  • The console accepts HTTPS traffic from end users on this port.
  • Classifier group: PE Console

Port 4433
  • This port is used as the classifier / console services API endpoint.
  • The primary server communicates with the console over this port.
  • Classifier group: PE Console

Port 5432
  • This port is used to replicate PostgreSQL data between the primary server and the replica.
  • The PuppetDB service running on compilers uses this port to communicate with PE-PostgreSQL.

Port 8081
  • PuppetDB accepts traffic/requests on this port.
  • The primary server and console send traffic to PuppetDB on this port.
  • PuppetDB status checks are sent over this port.
  • Classifier group: PE PuppetDB

Port 8140
  • The primary server uses this port to accept inbound traffic/requests from agents.
  • The console sends requests to the primary server on this port.
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • The primary server uses this port to send status checks to compilers. (Not required to run PE.)
  • Classifier group: PE Master

Port 8142
  • The orchestrator and the Run Puppet button use this port on the primary server to accept inbound traffic/responses from agents via the Puppet Execution Protocol (PXP) agent.
  • Classifier group: PE Orchestrator

Port 8143
  • The orchestrator uses this port to accept connections from Puppet Communications Protocol (PCP) brokers to relay communications. The orchestrator client also uses this port to communicate with the orchestration services running on the primary server. If you install the orchestrator client on a workstation, port 8143 on the primary server must be accessible from the workstation.
  • Classifier group: PE Orchestrator

Port 8170
  • Code Manager uses this port to deploy environments, run webhooks, and make API calls.

Firewall configuration for extra-large installations

These are the port requirements for extra-large installations with compilers.


Graphic showing communication between components in an extra-large installation with compilers, a load balancer, a disaster recovery replica, and separate PE-PostgreSQL nodes that run PuppetDB.
Port 22
  • Code Manager uses this port to tell Git to clone and fetch content via SSH.

Port 443
  • Code Manager uses this port to tell Git to clone and fetch content via HTTPS.
  • This port provides host access to the console.
  • The console accepts HTTPS traffic from end users on this port.
  • Classifier group: PE Console

Port 4433
  • This port is used as the classifier / console services API endpoint.
  • The primary server communicates with the console over this port.
  • Classifier group: PE Console

Port 5432
  • The primary server and replica use this port to replicate PostgreSQL data on PE-PostgreSQL nodes.
  • The PuppetDB service running on compilers uses this port to communicate with PE-PostgreSQL.

Port 8081
  • PuppetDB accepts traffic/requests on this port.
  • The primary server and console send traffic to PuppetDB on this port.
  • PuppetDB status checks are sent over this port.
  • Classifier group: PE PuppetDB

Port 8140
  • The primary server uses this port to accept inbound traffic/requests from agents.
  • The console sends requests to the primary server on this port.
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • The primary server uses this port to send status checks to compilers. (Not required to run PE.)
  • Classifier group: PE Master

Port 8142
  • The orchestrator and the Run Puppet button use this port on the primary server to accept inbound traffic/responses from agents via the Puppet Execution Protocol (PXP) agent.
  • Classifier group: PE Orchestrator

Port 8143
  • The orchestrator uses this port to accept connections from Puppet Communications Protocol (PCP) brokers to relay communications. The orchestrator client also uses this port to communicate with the orchestration services running on the primary server. If you install the orchestrator client on a workstation, port 8143 on the primary server must be accessible from the workstation.
  • Classifier group: PE Orchestrator

Port 8170
  • Code Manager uses this port to deploy environments, run webhooks, and make API calls.

Firewall configuration for standalone PE-PostgreSQL installations

These are the port requirements for installations with compilers and a standalone PE-PostgreSQL node.


Graphic showing communication between components in a large installation with compilers and a standalone PE-PostgreSQL node.
Port 22
  • Code Manager uses this port to tell Git to clone and fetch content via SSH.

Port 443
  • Code Manager uses this port to tell Git to clone and fetch content via HTTPS.
  • This port provides host access to the console.
  • The console accepts HTTPS traffic from end users on this port.
  • Classifier group: PE Console

Port 4433
  • This port is used as the classifier / console services API endpoint.
  • The primary server communicates with the console over this port.
  • Classifier group: PE Console

Port 5432
  • The standalone PE-PostgreSQL node uses this port to accept inbound traffic/requests from the primary server.
  • The PuppetDB service running on compilers uses this port to communicate with PE-PostgreSQL.

Port 8081
  • PuppetDB accepts traffic/requests on this port.
  • The primary server and console send traffic to PuppetDB on this port.
  • PuppetDB status checks are sent over this port.
  • Classifier group: PE PuppetDB

Port 8140
  • The primary server uses this port to accept inbound traffic/requests from agents.
  • The console sends requests to the primary server on this port.
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • The primary server uses this port to send status checks to compilers. (Not required to run PE.)
  • Classifier group: PE Master

Port 8142
  • The orchestrator and the Run Puppet button use this port on the primary server to accept inbound traffic/responses from agents via the Puppet Execution Protocol (PXP) agent.
  • Classifier group: PE Orchestrator

Port 8143
  • The orchestrator uses this port to accept connections from Puppet Communications Protocol (PCP) brokers to relay communications. The orchestrator client also uses this port to communicate with the orchestration services running on the primary server. If you install the orchestrator client on a workstation, port 8143 on the primary server must be accessible from the workstation.
  • Classifier group: PE Orchestrator

Port 8170
  • Code Manager uses this port to deploy environments, run webhooks, and make API calls.