What gets installed and where?

Puppet Enterprise installs several software components, configuration files, databases, services and users, and log files. It's useful to know the locations of these should you ever need to troubleshoot or manage your infrastructure.

Software components installed

PE installs several software components and dependencies. These tables show which version of each component is installed for releases dating back to the previous long term supported (LTS) release.

The functional components of the software are separated between those packaged with the agent and those packaged on the server side (which also includes the agent).
Note: PE also installs other dependencies, as documented in the system requirements.
This table shows the components installed on all agent nodes.
Tip: Hiera 5 is a backwards-compatible evolution of Hiera, which is built into Puppet 4.9.0 and higher. To provide some backwards-compatible features, it uses the classic Hiera 3.x.x codebase version listed in this table.
PE Version Puppet and the Puppet agent Facter Hiera Ruby OpenSSL
2023.2 7.24.0 4.3.1 3.12.0 2.7.7 1.1.1t
2023.1 7.24.0 4.3.1 3.12.0 2.7.7 1.1.1t
2023.0 7.21.0 4.2.14 3.11.0 2.7.7 1.1.1q
2021.7.4 (LTS) 7.24.0 4.3.1 3.12.0 2.7.7 1.1.1t
2021.7.3 7.24.0 4.3.1 3.12.0 2.7.7 1.1.1t
2021.7.2 7.21.0 4.2.14 3.11.0 2.7.7 1.1.1q
2021.7.1 7.20.0 4.2.13 3.10.0 2.7.6 1.1.1q
2021.7.0 7.18.0 4.2.11 3.10.0 2.7.6 1.1.1q
This table shows components installed on server nodes.
PE Version Puppet Server PuppetDB r10k Bolt Services Agentless Catalog Executor (ACE) Services PostgreSQL Java Nginx
2023.2 7.11.0 7.13.0 3.15.4 3.26.2 1.2.4 14.5 17.0.7.6 1.22.0
2023.1 7.11.0 7.13.0 3.15.4 3.26.2 1.2.4 14.5 17.0.7.6 1.22.0
2023.0 7.9.4 7.12.1 3.15.4 3.26.2 1.2.4 14.5 17.0.5.8 1.22.0
2021.7.4 (LTS) 7.11.0 7.13.0 3.15.4 3.27.1 1.2.4 14.5 11.0.19.6 1.22.0
2021.7.3 7.11.0 7.13.0 3.15.4 3.27.1 1.2.4 14.5 11.0.19.6 1.22.0
2021.7.2 7.9.4 7.12.1 3.15.4 3.26.2 1.2.4 14.5 11.0.17.8 1.22.0
2021.7.1 7.9.2 7.11.2 3.15.2 3.26.1 1.2.4 14.5 11.0.6 1.22.0
2021.7.0 7.9.0 7.11.1 3.15.1 3.26.1 1.2.4 14.5 11.0 1.22.0

Modules and plugins installed

PE installs modules and plugins for normal operations.

Modules included with the software are installed on the primary server in /opt/puppetlabs/puppet/modules. Don't modify anything in this directory or add modules of your own. Instead, install non-default modules in /etc/puppetlabs/code/environments/<environment>/modules.

Configuration files installed

PE installs configuration files that you might need to interact with from time to time.

On *nix nodes, configuration files live at /etc/puppetlabs.

On Windows nodes, configuration files live at <COMMON_APPDATA>\PuppetLabs. The location of this folder varies by Windows version; in 2008 and 2012, its default location is C:\ProgramData\PuppetLabs\puppet\etc.

The agent software's confdir is in the puppet subdirectory. This directory contains the puppet.conf file, auth.conf, and the SSL directory.

Tools installed

PE installs several suites of tools to help you work with the major components of the software.

  • Puppet tools — Tools that control basic functions of the software such as puppet agent and puppet ssl.
  • Puppet Server tools — The primary server contains a tool to manage and interact with the provided certificate authority, puppetserver ca.
  • Client tools — The pe-client-tools package collects a set of CLI tools that extend the ability for you to access services from the primary server or a workstation. This package includes:
    • Orchestrator — The orchestrator is a set of interactive command line tools that provide the interface to the orchestration service. Orchestrator also enables you to enforce change on the environment level. Tools include puppet job and puppet task.
    • Puppet Access — Users can generate tokens to authenticate their access to certain command line tools and API endpoints.
    • Code Manager CLI — The puppet-code command allows you to trigger Code Manager from the command line to deploy your environments.
    • PuppetDB CLI — This a tool for working with PuppetDB, including building queries and handling exports.
  • Module tool — The module tool is used to access and create modules, which are reusable chunks of Puppet code users have written to automate configuration and deployment tasks. For more information, and to access modules, visit the Forge.
  • Console — The console is the web user interface for PE. The console provides tools to view and edit resources on your nodes, view reports and activity graphs, and more.

Databases installed

PE installs several default databases, all of which use PostgreSQL as a database backend.

The PE PostgreSQL database includes the following databases:
Database Contents
pe-activity Activity data from the classifier, including who, what, and when
pe-classifier Classification data, all node group information
pe-inventory Connection information and credentials for agentless node connections
pe-orchestrator Orchestrator data, including details about job runs
pe-puppetdb PuppetDB data, including exported resources, catalogs, facts, and reports
pe-rbac RBAC data, including users, permissions, and AD/LDAP info

Use the native PostgreSQL tools to perform database exports and imports. At a minimum, perform backups to a remote system nightly, or as dictated by your company policy.

Services installed

PE installs several services used to interact with the software during normal operations.

Service Definition
pe-console-services Manages and serves the console.
pe-puppetserver Runs the primary server.
pe-nginx Nginx, serves as a reverse-proxy to the console.
puppet (on Enterprise Linux and Debian-based platforms) Runs the agent daemon on every agent node.
pe-puppetdb, pe-postgresql Daemons that manage and serve the database components. The pe-postgresql service is created only if the software installs and manages PostgreSQL.
pxp-agent Runs the Puppet Execution Protocol agent process.
pe-orchestration-services Runs the orchestration process.
pe-ace-server Runs the Agentless Catalog Executor (ACE) server.
pe-bolt-server Runs the Bolt server.

User and group accounts installed

These are the user and group accounts installed.

User Definition
pe-puppet Runs the primary server processes spawned by pe-puppetserver.
pe-webserver Runs Nginx.
pe-puppetdb Has root access to the database.
pe-postgres Has access to the pe-postgreSQL instance. Created only if the software installs and manages PostgreSQL.
pe-console-services Runs the console process.
pe-orchestration-services Runs the orchestration process.
pe-ace-server Runs the ace server.
pe-bolt-server Runs the Bolt server.

Log files installed

The software distributed with PE generates log files that you can collect for compliance or use for troubleshooting.

Primary server logs

Code Manager access log
Location: /var/log/puppetlabs/puppetserver/code-manager-access.log
File sync access log
Location: /var/log/puppetlabs/puppetserver/file-sync-access.log
Puppet Communications Protocol (PCP) broker log
This is the log file for PCP brokers on compilers.
Location: /var/log/puppetlabs/puppetserver/pcp-broker.log
General Puppet Server log
This is where the primary server logs its activity, including compilation errors and deprecation warnings.
Location: /var/log/puppetlabs/puppetserver/puppetserver.log
Puppet Server access log
Location: /var/log/puppetlabs/puppetserver/puppetserver-access.log
Puppet Server daemon log
This is where you can find fatal errors and crash reports.
Location: /var/log/puppetlabs/puppetserver/puppetserver-daemon.log
Puppet Server status log
Location: /var/log/puppetlabs/puppetserver/puppetserver-status.log

Agent logs

The agent log locations depend on the agent node's operating system.

On *nix nodes, the agent service logs activity to the syslog service. The node's operating system and syslog configuration determines where these messages are saved. The default locations are as follows:
  • Linux: /var/log/messages
  • macOS: /var/log/system.log
  • Solaris: /var/adm/messages

On Windows nodes, the agent service logs its activity to the Event Log. Browse the Event Viewer to view those messages. You might need to enable Logging and debugging.

Console and console services logs

General console services log
Location: /var/log/puppetlabs/console-services/console-services.log
Console services API access log
Location: /var/log/puppetlabs/console-services/console-services-api-access.log
Console services access log
Location: /var/log/puppetlabs/console-services-access.log
Console services daemon log
This is where you can find fatal errors and crash reports.
Location: /var/log/puppetlabs/console-services-daemon.log
NGINX access log
Location: /var/log/puppetlabs/nginx/access.log
NGINX error log
Contains console errors that aren't logged elsewhere and errors related to NGINX.
Location: /var/log/puppetlabs/nginx/error.log

Installer logs

HTTP log
Contains web requests sent to the installer.
Only exists on machines from which a web-based installation was performed.
Location: /var/log/puppetlabs/installer/http.log
Orchestrator info log
Contains run details about puppet infrastructure commands that use the orchestrator. This includes commands to provision and upgrade compilers, convert legacy compilers, and regenerate agent and compiler certificates.
Location: /var/log/puppetlabs/installer/orchestrator_info.log
Last installer run logs, by hostname
Contains the contents of the last installer run.
There can be multiple log files, labeled by hostname.
Location: /var/log/puppetlabs/installer/install_log.lastrun.<HOSTNAME>.log
Installer operation logs, by timestamp
Captures operations performed during installation and any errors that occurred.
There can be multiple log files, labeled by timestamp.
/var/log/puppetlabs/installer/installer-<TIMESTAMP>.log
Disaster recovery command logs, by action, timestamp, and description
Contains details about disaster recovery command execution.
There can be multiple log files for each command because each action triggers multiple Puppet runs (Some on the primary server and some on the replica).
Location:/var/log/puppetlabs/installer/<ACTION-NAME>_<TIMESTAMP>_<RUN-DESCRIPTION>.log
Bolt info log
Can be valuable when Troubleshooting disaster recovery.
Location: /var/log/puppetlabs/installer/bolt_info.log

Database logs

Database logs include PostgreSQL and PuppetDB logs.
PostgreSQL startup log
Can be valuable when Troubleshooting the databases.
Location: /var/log/puppetlabs/postgresql/14/pgstartup.log
PostgreSQL daily logs, by weekday
There is one log file for each day of the week. Log file names use short names, such as Mon for Monday, Tue for Tuesday, and so on.
Location: /var/log/puppetlabs/postgresql/14/postgresql-<WEEKDAY>.log
General PuppetDB log
Location: /var/log/puppetlabs/puppetdb/puppetdb.log
PuppetDB access log
Location: /var/log/puppetlabs/puppetdb/puppetdb-access.log
PuppetDB status log
Location: /var/log/puppetlabs/puppetdb/puppetdb-status.log

Orchestration logs

Orchestrator logs include orchestration services and related components, such as PXP agent and Bolt server.
Aggregate node count log
Location: /var/log/puppetlabs/orchestration-services/aggregate-node-count.log
Puppet Communications Protocol (PCP) broker log
This is the log file for PCP brokers on the primary server.
Location: /var/log/puppetlabs/orchestration-services/pcp-broker.log
Puppet Communications Protocol (PCP) broker access log
Location: /var/log/puppetlabs/orchestration-services/pcp-broker-access.log
Orchestration services access log
Location: /var/log/puppetlabs/orchestration-services/orchestration-services-access.log
Orchestration services daemon log
This is where you can find fatal errors and crash reports.
Location: /var/log/puppetlabs/orchestration-services/orchestration-services-daemon.log
Orchestration services status log
Location: /var/log/puppetlabs/orchestration-services/orchestration-services-status.log
Puppet Execution Protocol (PXP) agent log
*nix location: /var/log/puppetlabs/pxp-agent/pxp-agent.log
Windows location: C:/ProgramData/PuppetLabs/pxp-agent/var/log/pxp-agent.log
Bolt server log
Can be valuable when Troubleshooting connections between components.
Location: /var/log/puppetlabs/bolt-server/bolt-server.log
Node inventory service log
Location: /var/log/puppetlabs/orchestration-services/orchestration-services.log

Certificates installed

During installation, the software generates and installs a number of SSL certificates so that agents and services can authenticate themselves.

These certs can be found at /etc/puppetlabs/puppet/ssl/certs.

A certificate with the same name as the agent that runs on the primary server is generated during installation. This certificate is used by PuppetDB and the console.

Services that run on the primary server — for example, pe-orchestration-services and pe-console-services — use the agent certificate to authenticate.

The certificate authority, if active, stores its certificate information at /etc/puppetlabs/puppetserver/ca. You can learn more about the certificate authority service on the PE software architecture page.

Secret key file installed

During installation, the software generates secret key files that are used to encrypt and decrypt sensitive data.

The inventory service secret key is used to encrypt and decrypt sensitive data stored in the inventory service. This key is stored at:
/etc/puppetlabs/orchestration-services/conf.d/secrets/keys.json
The console services secret key is used to encrypt and decrypt passwords used for LDAP connections. This key is stored at:
/etc/puppetlabs/console-services/conf.d/secrets/keys.json