Adding and removing agentless nodes

Using the inventory service, you can manage nodes and devices (such as network switches and firewalls) without installing the Puppet agent on them. Node and device information is stored securely in your Puppet Enterprise (PE) inventory.

  • Agentless nodes are nodes that don't have a Puppet agent installed on them. They can do things like run tasks and plans, but they do not help maintain your infrastructure's desired state in the way agent nodes do.
  • Devices, or agentless devices, are devices such as network switches or firewalls that can't have a Puppet agent installed on them. Connecting devices lets you manage these network devices and run Puppet and task jobs on them.

The inventory service uses SSH or WinRM remote connections to connect to agentless nodes. To connect to agentless devices, the inventory service uses transport definitions from device transport modules you've installed.

After you add agentless node or device credentials to the inventory, authorized users can run tasks on the agentless nodes and devices without re-entering the credentials. On the Tasks page (in the console), the agentless nodes and devices are listed together with the nodes and devices that have an agent installed.

Add agentless nodes to the inventory

Use SSH or WinRM remote connections to add agentless nodes to your Puppet Enterprise (PE) inventory so you can run tasks on them. Agentless nodes are nodes that can't (or don't) have a Puppet agent installed on them.

Before you begin

Add classes to the PE Master node group for each agent platform used in your environment. For example, pe_repo::platform::el_7_x86_64.

Make sure your user account has this permission: Nodes: Add and delete connection information from inventory service

  1. In the PE console, click Nodes > Add nodes.
  2. Click Connect over SSH or WinRM.
  3. Select a transport method.
    • SSH for *nix and macOS targets
    • WinRM for Windows targets
  4. Enter target host names and the credentials required to access them. If you use an SSH key, include the begin and end tags.
  5. Optional: Select additional Transport configuration options. For example, to customize the connection port number, select Target Port from the Target options drop-down list, enter the desired port number, and click Add.
  6. Click Add nodes.
What to do next
After adding agentless nodes to your PE inventory, they are added to PuppetDB, and you can view them on the Nodes page (in the console). Any nodes in your inventory can be added to the inventory node list when you set up a job to run tasks. To review a node's connection settings or remove an agentless node from the inventory, go to the Connections tab on the Node details page.

Transport configuration options

Descriptions of the target options for SSH and WinRM transports.

Option (Transport method): Definition

  • Target port (SSH and WinRM): The connection port. For SSH, the default is 22. For WinRM, the default is 5986, unless ssl: false, then the default is 5985.
  • Connection time-out in seconds (SSH and WinRM): The length of time you want Puppet Enterprise (PE) to wait for a response when attempting to establish a connection.
  • Temporary directory (SSH and WinRM): The directory to use when uploading temporary files to the target node.
  • Run as another user (SSH): After login, this is the user profile to use for running commands.
  • Sudo password (SSH): The password to use when switching user profiles via run-as.
  • Process request as tty (SSH): Use this if you need to enable text terminal allocation.
  • Acceptable file extension (WinRM): A list of allowed file extensions for scripts or tasks. Scripts with the specified file extensions rely on the target node's file type associations to run. For example, if Python is installed on the target node, a .py script from PE uses python.exe to run (unless the file type association was changed on the target node).
    Tip: The extensions .ps1, .rb, and .pp are always allowed and run via hard-coded executables.
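
The following pre-flight check is an added example, not part of PE or its documentation. It applies the rules from the transport options above (default ports, ssl: false, extra file extensions) and the SSH key begin/end tag requirement to one connection entry before you type it into the console. The function names and the option keys port and extensions are assumptions made for this sketch; ssl is the setting named above.

```python
import re

# Defaults and always-allowed extensions as stated in the transport options above.
SSH_PORT, WINRM_TLS_PORT, WINRM_PLAIN_PORT = 22, 5986, 5985
ALWAYS_ALLOWED = {".ps1", ".rb", ".pp"}

# A pasted key must carry matching BEGIN and END tags around its body.
PEM_KEY = re.compile(
    r"\A-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----\r?\n.+?\r?\n-----END \1-----\Z",
    re.DOTALL,
)

def effective_port(transport, options):
    """Port used for the connection; 'port' and 'ssl' are assumed key names."""
    if "port" in options:
        return int(options["port"])
    if transport == "ssh":
        return SSH_PORT
    if transport == "winrm":
        return WINRM_PLAIN_PORT if options.get("ssl") is False else WINRM_TLS_PORT
    raise ValueError(f"unknown transport: {transport!r}")

def review_connection(transport, options, private_key=None):
    """Return (port, findings) for one connection entry before it is added."""
    port = effective_port(transport, options)
    findings = []
    if not 1 <= port <= 65535:
        findings.append(f"port {port} is outside 1-65535")
    if transport == "winrm" and options.get("ssl") is False:
        findings.append(f"ssl: false, so WinRM runs without TLS on port {port}")
    if transport == "winrm":
        for ext in options.get("extensions", []):
            if ext.lower() not in ALWAYS_ALLOWED:
                findings.append(f"{ext} runs via the target's file type association")
    if transport == "ssh" and private_key is not None:
        if not PEM_KEY.match(private_key.strip()):
            findings.append("SSH key is missing its begin or end tag")
    return port, findings

# Constructed sample input: the key body is a placeholder, not real key material.
SAMPLE_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "Y29uc3RydWN0ZWQtc2FtcGxl\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(review_connection("ssh", {}, SAMPLE_KEY))
    print(review_connection("winrm", {"ssl": False, "extensions": [".py", ".ps1"]}))
```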

Add devices to the inventory

By adding devices to your Puppet Enterprise (PE) inventory, you can manage network devices, such as switches and firewalls, and run Puppet and task jobs on them, just like the agentless nodes in your infrastructure.

Before you begin

Depending on the device you want to connect, you must install the appropriate device transport module in your PE production environment before you can add the device to your inventory. You can find device modules on the Puppet Forge, such as the panos and cisco_ios modules.

Make sure your user account has this permission: Nodes: Add and delete connection information from inventory service

Important: Managing more than 100 devices might cause performance issues on the primary server.
  1. In the PE console, click Nodes > Add nodes.
  2. Click Connect network devices.
  3. Select the device type from the list of device transport modules that you have installed in your production environment.
    If no device types are available, or the relevant device type is missing, check that:
    • You have installed the appropriate module for the device you want to manage.
    • The module is installed correctly.
    • The module is installed in your production environment.
    • Your Puppet code has been deployed. If you're using Code Manager or r10k to manage and deploy Puppet code, you might need to trigger a code deployment.
    For information about modules and installing modules, refer to the Modules overview and Installing and managing modules from the command line in the Puppet documentation.
  4. Enter the device certname and other connection details, as specified in the transport module's README on the Forge. Mandatory fields are marked with an asterisk.
  5. Click Add node.
What to do next
After adding devices to your PE inventory, they are added to PuppetDB, and you can view them on the Nodes page (in the console). Any devices in your inventory can be added to the inventory node list when you set up a job to run tasks. To review a device's connection settings or remove a device from the inventory, go to the Connections tab on the device's Node details page.

Remove devices and agentless nodes from the inventory

You can remove a device or agentless node from the Puppet Enterprise (PE) inventory by going to the Connections tab on the Node details page. This can also be referred to as disconnecting the node or device.

Before you begin
Make sure your user account has this permission: Nodes: Add and delete connection information from inventory service
  1. In the Puppet Enterprise (PE) console, click Status or Nodes, find the node or device you want to remove, and click its name to open the Node details page.
  2. Switch to the Connections tab.
  3. Click Remove connection. This link's name depends on the connection type, such as Remove SSH Connection, Remove WinRM connection, and so on.
  4. Confirm that you want to remove the connection.
Results
When you remove a node or device from the inventory, PuppetDB marks the node or device as expired after the standard node time-to-live period (node-ttl). Then PuppetDB purges the node or device when it reaches the node-purge time-to-live limit (node-purge-ttl). Once purged, the node or device no longer appears in the PE console, and the node's license is available to reassign to another node.
Tip: For more information about the node-ttl and node-purge-ttl settings, refer to the PuppetDB [database] settings in the Puppet documentation.