Configuring PuppetDB

After you've installed Puppet Enterprise, optimize it for your environment by configuring PuppetDB as needed.

This page covers a few key topics. Additional settings and information about configuring PuppetDB are available in the PuppetDB configuration documentation. Check that the version of the PuppetDB docs you're reading matches the version of PuppetDB in your PE installation.

Configure agent run reports

By default, every time Puppet runs, the primary server generates agent run reports and submits them to PuppetDB. You can enable or disable this as needed.

To enable or disable agent run reports using the console:

  1. Click Node groups, and in the PE Infrastructure group, select the PE Master group.
  2. On the Classes tab, add the puppet_enterprise::profile::master::puppetdb class, select the report_processor_ensure parameter, and enter the value present to enable agent run reports or absent to disable agent run reports.
  3. Click Add parameter and commit changes.
  4. On the nodes hosting the primary server and console, run Puppet.

Configure how long before PE stops managing deactivated nodes

Use the node-purge-ttl parameter to set the length of time before PE automatically removes deactivated or expired nodes. Once the time limit expires, the nodes and their relevant facts, catalogs, and reports are removed from PuppetDB only. Agent certificates on the certificate authority (CA) server are untouched.

To use the console to change the amount of time before nodes are purged:

  1. Click Node groups, and select the PE PuppetDB group in the PE Infrastructure group.
  2. On the Classes tab, find the puppet_enterprise::profile::puppetdb class and the node_purge_ttl parameter, and change its value to the desired amount of time.

    Use these suffixes to change the unit of time:

    • Days: d
    • Hours: h
    • Minutes: m
    • Seconds: s
    • Milliseconds: ms

    For example, to set the purge time to 14 days:

    puppet_enterprise::profile::puppetdb::node_purge_ttl: '14d'
  3. Click Add parameter and commit changes.
  4. Run Puppet on the nodes hosting the primary server and console.

Change the PuppetDB user password

The console uses a database user account to access its PostgreSQL database. Change the account's password if it is compromised or to comply with security guidelines.

To change the password:

  1. Stop the pe-puppetdb puppet service by running puppet resource service pe-puppetdb ensure=stopped
  2. On the database server (which might or might not be the same as PuppetDB, depending on your deployment's architecture), use the PostgreSQL administration tool of your choice to change the user's password. With the standard PostgreSQL client, you can do this by running ALTER USER console PASSWORD '<new password>';
  3. Edit /etc/puppetlabs/puppetdb/conf.d/database.ini on the PuppetDB server and change the password: line under common or production, depending on your configuration, to contain the new password.
  4. Start the pe-puppetdb service on the console server by running puppet resource service pe-puppetdb ensure=running
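
One way to carry out step 3 without exposing the new password in the process list or in shell history, as an added example that is not part of the original page or Puppet's own tooling. The function name set_ini_password is hypothetical, and the sketch assumes that "common" and "production" appear as [section] headers with one password line each.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling: step 3 of the procedure above.
# Usage: set_ini_password FILE SECTION   (new password is read from stdin)
# Assumption: the file uses "[section]" headers and one "password: value"
# or "password = value" line per section.
set_ini_password() {
    ini=$1 section=$2
    [ -f "$ini" ] && [ -n "$section" ] || {
        echo "usage: set_ini_password FILE SECTION" >&2; return 2; }

    # A file that stores a database credential must not be world-readable.
    if [ -n "$(find "$ini" -prune -perm -004)" ]; then
        echo "refusing to write: $ini is world-readable" >&2; return 1
    fi

    # Read the secret from stdin so it never appears in argv or shell history.
    new_pw=
    IFS= read -r new_pw || true
    [ -n "$new_pw" ] || { echo "empty password" >&2; return 1; }

    tmp=$(mktemp) || return 1     # mktemp creates the file with mode 0600

    # ENVIRON (unlike awk -v) hands the value over without backslash
    # processing, so passwords containing \ & / are written literally.
    if NEW_PW=$new_pw INI_SECTION=$section awk '
        /^\[.*\]/ { cur = substr($0, 2, index($0, "]") - 2) }
        cur == ENVIRON["INI_SECTION"] &&
        match($0, /^[ \t]*password[ \t]*[:=][ \t]*/) {
            print substr($0, 1, RLENGTH) ENVIRON["NEW_PW"]; n++; next
        }
        { print }
        END { exit (n == 1 ? 0 : 3) }
    ' "$ini" > "$tmp"
    then
        # Overwrite in place so the original owner and mode are kept.
        cat "$tmp" > "$ini"; rc=$?
    else
        echo "expected exactly one password line in [$section]" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}
```

Run it while pe-puppetdb is stopped (between steps 1 and 4), feeding the password on stdin from a prompt or a protected file. For step 2, psql's \password meta-command changes a user's password without the cleartext value being written to the psql history file.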

Configure excluded facts

Use the facts_blacklist parameter to exclude facts from being stored in the PuppetDB database.

To use Hiera to specify facts you want to exclude:

  1. Add the following to your default .yaml file and list the facts you want to exclude.
    For example, to exclude the facts system_uptime_example and mountpoints_example:
    - 'system_uptime_example'
    - 'mountpoints_example'
  2. Run puppet agent -t to compile changes.