What gets installed and where?
Puppet Enterprise installs several software components, configuration files, databases, services and users, and log files. It's useful to know the locations of these should you ever need to troubleshoot or manage your infrastructure.
Software components installed
PE installs several software components and dependencies. These tables show which version of each component is installed for releases dating back to the previous long term supported (LTS) release.
PE Version | Puppet and the Puppet agent | Facter | Hiera | Ruby | OpenSSL |
---|---|---|---|---|---|
2023.2 | 7.24.0 | 4.3.1 | 3.12.0 | 2.7.7 | 1.1.1t |
2023.1 | 7.24.0 | 4.3.1 | 3.12.0 | 2.7.7 | 1.1.1t |
2023.0 | 7.21.0 | 4.2.14 | 3.11.0 | 2.7.7 | 1.1.1q |
2021.7.4 (LTS) | 7.24.0 | 4.3.1 | 3.12.0 | 2.7.7 | 1.1.1t |
2021.7.3 | 7.24.0 | 4.3.1 | 3.12.0 | 2.7.7 | 1.1.1t |
2021.7.2 | 7.21.0 | 4.2.14 | 3.11.0 | 2.7.7 | 1.1.1q |
2021.7.1 | 7.20.0 | 4.2.13 | 3.10.0 | 2.7.6 | 1.1.1q |
2021.7.0 | 7.18.0 | 4.2.11 | 3.10.0 | 2.7.6 | 1.1.1q |
PE Version | Puppet Server | PuppetDB | r10k | Bolt Services | Agentless Catalog Executor (ACE) Services | PostgreSQL | Java | Nginx |
---|---|---|---|---|---|---|---|---|
2023.2 | 7.11.0 | 7.13.0 | 3.15.4 | 3.26.2 | 1.2.4 | 14.5 | 17.0.7.6 | 1.22.0 |
2023.1 | 7.11.0 | 7.13.0 | 3.15.4 | 3.26.2 | 1.2.4 | 14.5 | 17.0.7.6 | 1.22.0 |
2023.0 | 7.9.4 | 7.12.1 | 3.15.4 | 3.26.2 | 1.2.4 | 14.5 | 17.0.5.8 | 1.22.0 |
2021.7.4 (LTS) | 7.11.0 | 7.13.0 | 3.15.4 | 3.27.1 | 1.2.4 | 14.5 | 11.0.19.6 | 1.22.0 |
2021.7.3 | 7.11.0 | 7.13.0 | 3.15.4 | 3.27.1 | 1.2.4 | 14.5 | 11.0.19.6 | 1.22.0 |
2021.7.2 | 7.9.4 | 7.12.1 | 3.15.4 | 3.26.2 | 1.2.4 | 14.5 | 11.0.17.8 | 1.22.0 |
2021.7.1 | 7.9.2 | 7.11.2 | 3.15.2 | 3.26.1 | 1.2.4 | 14.5 | 11.0.6 | 1.22.0 |
2021.7.0 | 7.9.0 | 7.11.1 | 3.15.1 | 3.26.1 | 1.2.4 | 14.5 | 11.0 | 1.22.0 |
Executable binaries and symlinks installed
PE installs executable binaries and symlinks for interacting with tools and services.
On *nix nodes, all software is installed under /opt/puppetlabs
.
On Windows nodes, all software is installed in Program Files
at Puppet Labs\Puppet
.
/opt/puppetlabs/bin
and /opt/puppetlabs/sbin
.$PATH
, manually add them to your profile or export
the
path:export PATH=$PATH:/opt/puppetlabs/bin
To make essential Puppet tools
available to all users, the installer automatically creates symlinks in /usr/local/bin
for the facter
, puppet
, pe-man
,
r10k
, and hiera
binaries. Symlinks are created only if
/usr/local/bin
is writeable.
Users of AIX and Solaris versions 10 and 11 must add /usr/local/bin
to their default path.
For macOS agents, symlinks aren't created until the first successful run that applies the agents' catalogs.
manage_symlinks
setting in
your default Hiera file:
puppet_enterprise::manage_symlinks: false
Binaries provided by other software components, such as those for interacting with the PostgreSQL server, PuppetDB, or Ruby packages, do not have symlinks created.
Modules and plugins installed
PE installs modules and plugins for normal operations.
Modules included with the software
are installed on the primary server in /opt/puppetlabs/puppet/modules
. Don't modify anything in this
directory or add modules of your own. Instead, install non-default modules in
/etc/puppetlabs/code/environments/<environment>/modules
.
Configuration files installed
PE installs configuration files that you might need to interact with from time to time.
On *nix nodes, configuration files live at /etc/puppetlabs
.
On Windows nodes, configuration files live at <COMMON_APPDATA>\PuppetLabs
. The
location of this folder varies by Windows version; in
2008 and 2012, its default location is C:\ProgramData\PuppetLabs\puppet\etc
.
The agent
software's confdir
is in the
puppet
subdirectory. This
directory contains the puppet.conf
file, auth.conf
, and the SSL
directory.
Tools installed
PE installs several suites of tools to help you work with the major components of the software.
-
Puppet tools — Tools that control basic
functions of the software such as
puppet agent
andpuppet ssl
. -
Puppet Server tools — The primary server contains a
tool to manage and interact with the provided certificate authority,
puppetserver ca
. -
Client tools — The pe-client-tools package collects a set of CLI tools that
extend the ability for you to access services from the primary server or a
workstation. This package includes:
-
Orchestrator — The orchestrator is a set of interactive command line
tools that provide the interface to the orchestration service. Orchestrator
also enables you to enforce change on the environment level. Tools include
puppet job
andpuppet task
. - Puppet Access — Users can generate tokens to authenticate their access to certain command line tools and API endpoints.
-
Code Manager CLI — The
puppet-code
command allows you to trigger Code Manager from the command line to deploy your environments. - PuppetDB CLI — This a tool for working with PuppetDB, including building queries and handling exports.
-
Orchestrator — The orchestrator is a set of interactive command line
tools that provide the interface to the orchestration service. Orchestrator
also enables you to enforce change on the environment level. Tools include
- Module tool — The module tool is used to access and create modules, which are reusable chunks of Puppet code users have written to automate configuration and deployment tasks. For more information, and to access modules, visit the Forge.
- Console — The console is the web user interface for PE. The console provides tools to view and edit resources on your nodes, view reports and activity graphs, and more.
Databases installed
PE installs several default databases, all of which use PostgreSQL as a database backend.
Database | Contents |
---|---|
pe-activity |
Activity data from the classifier, including who, what, and when |
pe-classifier |
Classification data, all node group information |
pe-inventory |
Connection information and credentials for agentless node connections |
pe-orchestrator |
Orchestrator data, including details about job runs |
pe-puppetdb |
PuppetDB data, including exported resources, catalogs, facts, and reports |
pe-rbac |
RBAC data, including users, permissions, and AD/LDAP info |
Use the native PostgreSQL tools to perform database exports and imports. At a minimum, perform backups to a remote system nightly, or as dictated by your company policy.
Services installed
PE installs several services used to interact with the software during normal operations.
Service | Definition |
---|---|
pe-console-services | Manages and serves the console. |
pe-puppetserver | Runs the primary server. |
pe-nginx | Nginx, serves as a reverse-proxy to the console. |
puppet | (on Enterprise Linux and Debian-based platforms) Runs the agent daemon on every agent node. |
pe-puppetdb, pe-postgresql | Daemons that manage and serve the database components. The pe-postgresql service is created only if the software installs and manages PostgreSQL. |
pxp-agent | Runs the Puppet Execution Protocol agent process. |
pe-orchestration-services | Runs the orchestration process. |
pe-ace-server | Runs the Agentless Catalog Executor (ACE) server. |
pe-bolt-server | Runs the Bolt server. |
User and group accounts installed
These are the user and group accounts installed.
User | Definition |
---|---|
pe-puppet | Runs the primary server processes spawned
by pe-puppetserver . |
pe-webserver | Runs Nginx. |
pe-puppetdb | Has root access to the database. |
pe-postgres | Has access to the
pe-postgreSQL instance. Created only if
the software installs and manages PostgreSQL. |
pe-console-services | Runs the console process. |
pe-orchestration-services | Runs the orchestration process. |
pe-ace-server | Runs the ace server. |
pe-bolt-server | Runs the Bolt server. |
Log files installed
The software distributed with PE generates log files that you can collect for compliance or use for troubleshooting.
Primary server logs
- Code Manager access log
- Location:
/var/log/puppetlabs/puppetserver/code-manager-access.log
- File sync access log
- Location:
/var/log/puppetlabs/puppetserver/file-sync-access.log
- Puppet Communications Protocol (PCP) broker log
- This is the log file for PCP brokers on compilers.
- General Puppet Server log
- This is where the primary server logs its activity, including compilation errors and deprecation warnings.
- Puppet Server access log
- Location:
/var/log/puppetlabs/puppetserver/puppetserver-access.log
- Puppet Server daemon log
- This is where you can find fatal errors and crash reports.
- Puppet Server status log
- Location:
/var/log/puppetlabs/puppetserver/puppetserver-status.log
Agent logs
The agent log locations depend on the agent node's operating system.
-
Linux:
/var/log/messages
-
macOS:
/var/log/system.log
-
Solaris:
/var/adm/messages
On Windows nodes, the agent service logs its activity to the Event Log. Browse the Event Viewer to view those messages. You might need to enable Logging and debugging.
Console and console services logs
- General console services log
- Location:
/var/log/puppetlabs/console-services/console-services.log
- Console services API access log
- Location:
/var/log/puppetlabs/console-services/console-services-api-access.log
- Console services access log
- Location:
/var/log/puppetlabs/console-services-access.log
- Console services daemon log
- This is where you can find fatal errors and crash reports.
- NGINX access log
- Location:
/var/log/puppetlabs/nginx/access.log
- NGINX error log
- Contains console errors that aren't logged elsewhere and errors related to NGINX.
Installer logs
- HTTP log
- Contains web requests sent to the installer.
- Orchestrator info log
- Contains run details about
puppet infrastructure
commands that use the orchestrator. This includes commands to provision and upgrade compilers, convert legacy compilers, and regenerate agent and compiler certificates. - Last installer run logs, by hostname
- Contains the contents of the last installer run.
- Installer operation logs, by timestamp
- Captures operations performed during installation and any errors that occurred.
- Disaster recovery command logs, by action, timestamp, and description
- Contains details about disaster recovery command execution.
- Bolt info log
- Can be valuable when Troubleshooting disaster recovery.
Database logs
- PostgreSQL startup log
- Can be valuable when Troubleshooting the databases.
- PostgreSQL daily logs, by weekday
- There is one log file for each day of the week. Log file names use short
names, such as
Mon
for Monday,Tue
for Tuesday, and so on. - General PuppetDB log
- Location:
/var/log/puppetlabs/puppetdb/puppetdb.log
- PuppetDB access log
- Location:
/var/log/puppetlabs/puppetdb/puppetdb-access.log
- PuppetDB status log
- Location:
/var/log/puppetlabs/puppetdb/puppetdb-status.log
Orchestration logs
- Aggregate node count log
- Location:
/var/log/puppetlabs/orchestration-services/aggregate-node-count.log
- Puppet Communications Protocol (PCP) broker log
- This is the log file for PCP brokers on the primary server.
- Puppet Communications Protocol (PCP) broker access log
- Location:
/var/log/puppetlabs/orchestration-services/pcp-broker-access.log
- Orchestration services access log
- Location:
/var/log/puppetlabs/orchestration-services/orchestration-services-access.log
- Orchestration services daemon log
- This is where you can find fatal errors and crash reports.
- Orchestration services status log
- Location:
/var/log/puppetlabs/orchestration-services/orchestration-services-status.log
- Puppet Execution Protocol (PXP) agent log
-
*nix location:
/var/log/puppetlabs/pxp-agent/pxp-agent.log
- Bolt server log
- Can be valuable when Troubleshooting connections between components.
- Node inventory service log
- Location:
/var/log/puppetlabs/orchestration-services/orchestration-services.log
Certificates installed
During installation, the software generates and installs a number of SSL certificates so that agents and services can authenticate themselves.
These certs can be found at /etc/puppetlabs/puppet/ssl/certs
.
A certificate with the same name as the agent that runs on the primary server is generated during installation. This certificate is used by PuppetDB and the console.
Services that run on the primary server — for example, pe-orchestration-services
and pe-console-services
— use the agent certificate to
authenticate.
The certificate authority, if active, stores its certificate information at
/etc/puppetlabs/puppetserver/ca
. You can learn more about the
certificate authority service on the PE software architecture
page.
Secret key file installed
During installation, the software generates secret key files that are used to encrypt and decrypt sensitive data.
/etc/puppetlabs/orchestration-services/conf.d/secrets/keys.json
/etc/puppetlabs/console-services/conf.d/secrets/keys.json