Install PE using the installer tarball

This installer employs default settings to install PE infrastructure components on a single node, creating a standard PE architecture. You can use a standard installation to try out PE with up to 10 nodes, or to manage up to 4,000 nodes. From there, you can scale up to the large or extra-large installation as your infrastructure grows, or customize your configuration as needed.

A standard PE installation consists of the following components installed on a single node:
  • The primary server: The central hub of activity. It is where Puppet code is compiled to create agent catalogs and where SSL certificates are verified and signed.
  • The console: The graphical web user interface. It has configuration and reporting tools.
  • PuppetDB: The data store for data generated throughout your Puppet infrastructure.
Important: The primary server can only run on a *nix machine. However, Windows machines can be Puppet agents, and you can manage them with your *nix primary server. Furthermore, you can operate your *nix primary server remotely from a Windows machine. To do this, before you install PE on your *nix primary server, you must configure an SSH client (such as PuTTY) with the hostname or IP address and port of the *nix machine that you'll use as your primary server. When you open an SSH session to install PE on the *nix primary server, log in as root or use sudo.

To install a FIPS-enabled PE primary server, install the appropriate FIPS-enabled PE tarball (such as puppet-enterprise-2021.7.8-redhatfips-7-x86_64.tar) on a third-party Supported operating system with FIPS mode enabled. The node must be configured with sufficient available entropy for the installation process to succeed.

Verify the installation package

This task is only required if your organization requires you to verify authenticity before installing packages. These steps explain how to use GnuPG (GPG) to verify the PE installation tarball.

Before you begin
You must have GnuPG (GPG) installed to be able to sign for the release key. GPG is an open source program you can use to safely encrypt and sign digital communications. You can download GPG from the GnuPG website or use your package management system to install it by running something like: yum install gnupg
  1. Download the tarball appropriate to your operating system and architecture.
    Tip: To download packages from the command line, run wget --content-disposition "<URL>" or curl -JLO "<URL>", using the URL for the tarball you want to download.
  2. To import the Puppet public key, run:
    uri='https://downloads.puppet.com/puppet-gpg-signing-key-20250406.pub'
    
    curl "$uri" | gpg --import
    Tip: For general information about forming curl commands, go to Using example commands.
  3. To print the key fingerprint, run:
    gpg --fingerprint 0x4528B6CD9E61EF26
    This command returns the primary key fingerprint. For example:
    D681 1ED3 ADEE B844 1AF5 AA8F 4528 B6CD 9E61 EF26
  4. Download the GPG SIGNATURE .asc file corresponding to your PE tarball. You can find links to these files on the PE Download page.
  5. To verify the installation package release signature, run:
    gpg --verify puppet-enterprise-<VERSION>-<PLATFORM>.tar.gz.asc
Results
The gpg --verify command returns something similar to:
gpg: Signature made <DATE_AND_TIME>
gpg: using RSA key <KEY_ID>
gpg: Good signature from "Puppet, Inc. Release Key (Puppet, Inc. Release Key) <release@puppet.com>"
Tip:

If you receive a warning that a valid key path couldn't be found, this means you don't have a trusted path to one of the signatures on the release key.

If you receive a warning that the key is not certified with a trusted signature, this means you haven't told GPG to trust the imported key. Refer to the GPG documentation for more information.

What to do next
If you received the Good signature message, you can proceed to unpack the installation tarball and complete the installation, as outlined in Install PE from tarball.

Install PE from tarball

Before you begin

Review the Hardware requirements for standard installations to make sure your system capacity can handle the standard PE installation.

Log in as root on your target primary server. If you're installing on a system that doesn't allow root login, you must use sudo su - to complete these steps.

  1. Download the tarball appropriate to your operating system and architecture.
    Tip: To download packages from the command line, run wget --content-disposition "<URL>" or curl -JLO "<URL>", using the URL for the tarball you want to download.
  2. To unpack the installation tarball, run:
    tar -xzf <TARBALL_FILENAME>
  3. From the installer directory, run ./puppet-enterprise-installer and follow the CLI instructions to complete the installation.
  4. Optional: Restart the shell to use client tool commands.
What to do next
After completing the standard installation, you can scale or customize your installation, if needed. For information and requirements for large and extra-large installations, go to Supported architectures and System requirements. You can use Configuration parameters and the pe.conf file to customize your installation.

Launch an AWS image

You can launch a cloud PE image from the Amazon Web Services (AWS) console or an AWS software development kit (SDK) or by using third-party tools.

  1. Launch a PE image and specify the details for your deployment:
    • EC2 instance type – The image size used for your deployment. For recommendations, see Hardware requirements for standard installations.

    • EC2 VPC and subnet – The VPC or subnet in which to deploy your image.

    • EC2 security group – The security group policy to use for your deployment.

    To control access to the image, a key pair is created.
  2. Connect to the image by using your new key pair and the username puppetadmin:
    ssh -i ~/.ssh/<KEYPAIR_PRIVATE>.pem puppetadmin@<PRIMARY_HOSTNAME>
    SSH keys are automatically provisioned, and no password is required.
  3. Wait for the image to start and for PE configuration to be completed.
    To track progress, run the check_status.sh script:
    sudo /opt/puppetlabs/cloud/bin/check_status.sh --wait
  4. Specify a console admin password:
    sudo /opt/puppetlabs/puppet/bin/puppet infrastructure <console_password>

    Console access is disabled until the password is set.

  5. Using a web browser, connect to the console at https://<PRIMARY_HOSTNAME>, accept the console's certificate, and log in with the username admin and the password that you specified during installation.
    Tip: The console uses an SSL certificate created by your local Puppet certificate authority. Because this authority is specific to your site, web browsers don't know it or trust it, and you must add a security exception to access the console.
    The console indicates that your primary server is actively managed by displaying the following message:
    1 Nodes run in enforcement.
Results
Your primary server is now ready to manage nodes.

Launch an Azure image

You can launch a cloud PE image from the Microsoft Azure Portal, PowerShell, or a software development kit (SDK) from Ruby, Python, Go, or Java.

  1. Launch a PE image and specify the details for your deployment:
    • Resource Group – Creates a resource group or reuses an existing group.
    • Location – The location for the resource group. If you use an existing resource group, the location must match the resource group's location.
    • Admin Password – The password for the admin user. If you select Secure Shell (SSH) authentication, the password you specify is used as a backup authentication method.
    • VM Size – The size used for your deployment. For recommendations, see Hardware requirements for standard installations.
    • Admin User Name – The username for logging in with SSH.
    • Authentication TypesshPublicKey or password.
    • SSH Public Key – The SSH public key, if you select SSH as your authentication type.
    • Virtual Network New Or Existing – Creates a virtual network or uses an existing network. If you select existing, you don't have to enter an address prefix or subnet.
    • Public IP Address New Or Existingnew to specify a static IP address. If the IP is dynamic and the virtual machine (VM) is restarted, you won't be able to access the console, because the console uses the initial public IP address.
    • Public IP Address Domain Name Label – The prefix of the fully qualified domain name used by the VM.
    • Storage Account New Or Existing – Creates a storage account or uses an existing account. If you select existing, you don't have to enter an account type.
    To control access to the image, a new key pair is created.
  2. Connect to the image by using your new key pair and the username puppetadmin:
    ssh -i ~/.ssh/<KEYPAIR_PRIVATE>.pem puppetadmin@<PRIMARY_HOSTNAME>
    SSH keys are automatically provisioned, and no password is required.
  3. Wait for the image to start and for PE configuration to be completed.
    To track progress, run the check_status.sh script:
    sudo /opt/puppetlabs/cloud/bin/check_status.sh --wait
  4. Specify a console admin password:
    sudo /opt/puppetlabs/puppet/bin/puppet infrastructure <console_password>

    Console access is disabled until the password is set.

  5. Using a web browser, connect to the console at https://<PRIMARY_HOSTNAME>, accept the console's certificate, and log in with the username admin and the password that you specified during installation.
    Tip: The console uses an SSL certificate created by your local Puppet certificate authority. Because this authority is specific to your site, web browsers don't know it or trust it, and you must add a security exception to access the console.
    The console indicates that your primary server is actively managed by displaying the following message:
    1 Nodes run in enforcement.
Results
Your primary server is now ready to manage nodes.

Configuration parameters and the pe.conf file

A pe.conf file is a HOCON formatted file that declares parameters and values used to install, upgrade, or configure Puppet Enterprise (PE). A default pe.conf file is available in the conf.d directory in the installer tarball.

Tip: You can use a custom pe.conf file when installing PE by running: ./puppet-enterprise-installer -c <PATH_TO_pe.conf>
The following table lists the value types you can use in the pe.conf file, along with examples of each type:
Type Parameter-value format example
FQDN "puppet_enterprise::puppet_master_host": "primary.example.com"
String "console_admin_password": "mypassword"
Array [ "puppet", "puppetlb-01.example.com" ]
Boolean "puppet_enterprise::profile::orchestrator::run_service": true
Restriction: The only valid Boolean values are true and false. These are not case sensitive, and these are the only values that don't use quotation marks. Don't use Yes (y), No (n), 1, or 0 for Booleans.
JSON hash "puppet_enterprise::profile::orchestrator::java_args": {"Xmx": "256m", "Xms": "256m"}
Integer "puppet_enterprise::profile::console::rbac_session_timeout": "60"
Important: With the exception of Booleans, always use double quotes (") around parameter values.

Installation parameters

These parameters must be present in the pe.conf file to install Puppet Enterprise (PE).

puppet_enterprise::puppet_master_host
Specify the FQDN of the node hosting your PE primary server, such as primary.example.com.
Default: %{::trusted.certname}
Tip: To simplify installation, keep the default value and then provide a console administrator password after you run the installer.

Agent platform parameter

When setting up automated provisioning of an installation, you can define this optional parameter in pe.conf to specify the agent platforms you want to support in your installation. If your primary server is connected to the internet when you install or upgrade PE, then the packages for the agent platforms you specified in pe.conf are automatically downloaded to the primary server and the platform tags are automatically added as pe_repo::platform:: classes in the PE Master node group, so the agent packages are available to install on nodes in your inventory.

agent_platform
Define the parameter using an array containing platform tags like "ubuntu-22.04-amd64". You must format the platform tags you include in the array to match the platform_tag fact values referenced in puppet-agent packages.

Database configuration parameters

These parameters and values are supplied for Puppet Enterprise (PE) databases.

CAUTION: Don't change these parameters. This list is provided only for reference purposes.
puppet_enterprise::activity_database_name
The activity database name.
Default: pe-activity
puppet_enterprise::activity_database_read_user
An activity database user that can perform only read functions.
Default: pe-activity-read
puppet_enterprise::activity_database_write_user
An activity database user that can perform read and write functions.
Default: pe-activity-write
puppet_enterprise::activity_database_super_user
The activity database superuser.
Default: pe-activity
puppet_enterprise::activity_service_migration_db_user
An activity service database user used for migrations.
Default: pe-activity
puppet_enterprise::activity_service_regular_db_user
An activity service database user used for normal operations.
Default: pe-activity-write
puppet_enterprise::classifier_database_name
The classifier database name.
Default: pe-classifier
puppet_enterprise::classifier_database_read_user
A classifier database user that can perform only read functions.
Default: pe-classifier-read
puppet_enterprise::classifier_database_write_user
A classifier database user that can perform read and write functions.
Default: pe-classifier-write
puppet_enterprise::classifier_database_super_user
The classifier database superuser.
pe-classifier
puppet_enterprise::classifier_service_migration_db_user
A classifier service user used for migrations.
Default: pe-classifier
puppet_enterprise::classifier_service_regular_db_user
A classifier service user used for normal operations.
Default: pe-classifier-write
puppet_enterprise::orchestrator_database_name
The orchestrator database name.
Default: pe-orchestrator
puppet_enterprise::orchestrator_database_read_user
An orchestrator database user that can perform only read functions.
Default: pe-orchestrator-read
puppet_enterprise::orchestrator_database_write_user
An orchestrator database user that can perform read and write functions.
Default: pe-orchestrator-write
puppet_enterprise::orchestrator_database_super_user
The orchestrator database superuser.
Default: pe-orchestrator
puppet_enterprise::orchestrator_service_migration_db_user
An orchestrator service user used for migrations.
Default: pe-orchestrator
puppet_enterprise::orchestrator_service_regular_db_user
An orchestrator service user used for normal operations.
Default: pe-orchestrator-write
puppet_enterprise::puppetdb_database_name
The PuppetDB database name.
Default: pe-puppetdb
puppet_enterprise::puppetdb_database_user
The PuppetDB database user.
Default: pe-puppetdb
Tip: If necessary, you can Change the PuppetDB user password.
puppet_enterprise::rbac_database_name
The role-based access control (RBAC) database name.
Default: pe-rbac
puppet_enterprise::rbac_database_read_user
An RBAC database user that can perform only read functions.
Default: pe-rbac-read
puppet_enterprise::rbac_database_write_user
An RBAC database user that can perform read and write functions.
Default: pe-rbac-write
puppet_enterprise::rbac_database_super_user
The RBAC database superuser.
Default: pe-rbac
puppet_enterprise::rbac_service_migration_db_user
An RBAC service user used for migrations.
pe-rbac
puppet_enterprise::rbac_service_regular_db_user
An RBAC service user used for normal operations.
Default: pe-rbac-write

External PostgreSQL parameters

These parameters are required to install an external PostgreSQL instance. If necessary, you can add password parameters to standard installations.

puppet_enterprise::database_host
The agent certname of the node hosting the database component.
Important: Don't use an alt name for the database_host value.
puppet_enterprise::database_port
The port that the database is running on.
Default: 5432
puppet_enterprise::database_ssl
A Boolean indicating whether SSL authentication is used.
Default: true
Important: Don't use SSL security for unmanaged PostgreSQL installations. Make sure you set database_ssl to false.
puppet_enterprise::database_cert_auth
A Boolean indicating whether certificate authentication is used.
Default: true
Important: Don't use SSL security for unmanaged PostgreSQL installations. Make sure you set database_cert_auth to false.
puppet_enterprise::puppetdb_database_password
Specify a password, as a string, for the PuppetDB database user.
For example: mypassword
puppet_enterprise::classifier_database_password
Specify a password, as a string, for the classifier database user.
For example: mypassword
puppet_enterprise::classifier_service_regular_db_user
A database user the classifier service can use for normal operations.
Default: pe-classifier
puppet_enterprise::classifier_service_migration_db_user
A database user the classifier service can use for migrations.
Default: pe-classifier
puppet_enterprise::activity_database_password
Specify a password, as a string, for the activity database user.
For example: mypassword
puppet_enterprise::activity_service_regular_db_user
A database user the activity service can use for normal operations.
Default: pe-activity
puppet_enterprise::activity_service_migration_db_user
A database user the activity service can use for migrations.
Default: pe-activity
puppet_enterprise::rbac_database_password
Specify a password, as a string, for the RBAC database user.
For example: mypassword
puppet_enterprise::rbac_service_regular_db_user
A database user the RBAC service can use for normal operations.
Default: pe-rbac
puppet_enterprise::rbac_service_migration_db_user
A database user the RBAC service can use for migrations.
Default: pe-rbac
puppet_enterprise::orchestrator_database_password
Specify a password, as a string, for the orchestrator database user.
For example: mypassword
puppet_enterprise::orchestrator_service_regular_db_user
A database user the orchestrator service can use for normal operations.
Default: pe-orchestrator
puppet_enterprise::orchestrator_service_migration_db_user
A database user the orchestrator service can use for migrations.
Default: pe-orchestrator

Primary server parameters

Use these parameters to configure and tune the primary server.

pe_install::puppet_master_dnsaltnames
An array of strings representing DNS altnames to add to the primary server's SSL certificate.
Default: ["puppet"]
pe_install::install::classification::pe_node_group_environment
A string indicating the environment that infrastructure nodes are running in.
Specify this parameter if you moved your primary server and other infrastructure nodes from the default production environment after install. With non-default environments, this setting ensures that your configuration settings are backed up.
Default: production
puppet_enterprise::ip_version
Accepts either 4 or 6 to specify a preference for IPv4 or IPv6, but this does not restrict the non-preferred option.
The default is 4 (prefer IPv4). You can set it to 6 if you prefer IPv6.
puppet_enterprise::ipv6_only
You can set this to true to force NGINX to listen only on IPv6.
The default is false, which allows both IPv4 and IPv6.
puppet_enterprise::master::recover_configuration::pe_environment
A string indicating the environment that infrastructure nodes are running in.
Specify this parameter if you moved your primary server and other infrastructure nodes from the default production environment after installation. With non-default environments, this setting ensures that your configuration settings are backed up.
Default: production
puppet_enterprise::profile::certificate_authority
An array of additional certificates to be allowed access to the /certificate_statusAPI endpoint. This list is added to the base certificate list.
puppet_enterprise::profile::master::check_for_updates
A Boolean indicating whether to check for updates when the pe-puppetserver service restarts.
The default is true (check for updates). You can set it to false to not check for updates.
puppet_enterprise::profile::master::code_manager_auto_configure
Set to true to automatically configure the Code Manager service; otherwise, set it to false.
puppet_enterprise::profile::master::r10k_remote
A string representing the Git URL to be passed to the r10k.yaml file, for example: git@your.git.server.com:puppet/control.git
The URL can be any URL supported by r10k and Git.
This parameter is only required if you want r10k configured when you install PE, and you must also specify puppet_enterprise::profile::master::r10k_private_key.
puppet_enterprise::profile::master::r10k_private_key
A string representing the local file path on the primary server where the SSH private key can be found and used by r10k, for example: /etc/puppetlabs/puppetserver/ssh/id-control_repo.ed25519
This parameter is only required if you want r10k configured when you install PE, and you must also specify puppet_enterprise::profile::master::r10k_remote.

Console and console-services parameters

In the PE Console node group, these parameters customize the behavior of the console and the console-services service.

You can modify parameters that begin with puppet_enterprise::profile in the PE console.

puppet_enterprise::profile::console::classifier_synchronization_period
An integer representing, in seconds, the classifier synchronization period. This controls how long the node classifier can take to retrieve classes from the primary server.
Default: 600
puppet_enterprise::profile::console::ldap_sync_period_seconds
An integer specifying, in seconds, the interval at which LDAP user details and group membership associations are synchronized.
The default value is 1800 (30 minutes).
This synchronization refreshes the user details and group membership for every LDAP user in the system, regardless of the last time the user logged in. If a user is no longer present in LDAP, all user-group associations are removed from the user and all of the user's known tokens are revoked.
To disable automatic synchronization, set the value to 0 or a negative integer. When disabled, user details and group membership only refresh when the user logs in.
When enabled, various entries are recorded to console-services.log that indicate whether the service is enabled and when each synchronization event has completed.
puppet_enterprise::profile::console::rbac_failed_attempts_lockout
An integer specifying how many failed login attempts are allowed on an account before the account is revoked.
Default: 10
puppet_enterprise::profile::console::rbac_password_reset_expiration
An integer representing the number of hours that password reset tokens are valid.
An administrator generates these token for users to reset their passwords.
Default: 24
puppet_enterprise::profile::console::rbac_session_timeout
An integer representing, in minutes, how long a user's session can last.
The session length is the same for node classification, RBAC, and the console.
Default: 60
puppet_enterprise::profile::console::session_maximum_lifetime
A string representing how long a console session can last.
The value is formatted as a string consisting of a number and an optional suffix representing a unit of time: s (seconds), m (minutes), h (hours), d (days), or y (years).
Example: "1d" (one day)
If the suffix is omitted, the default unit of time is seconds.
A value of "0" sets an unlimited console session time.
To prevent console sessions from expiring before the maximum RBAC token lifetime, set this parameter to "0".
puppet_enterprise::profile::console::rbac_token_auth_lifetime
A string representing the default authentication lifetime for a token.
The value is formatted as a string consisting of a number followed by a suffix representing a unit of time: y (years), d (days), h (hours), m (minutes), or s (seconds).
Important: This value cannot exceed the rbac_token_maximum_lifetime.
Default: "1h" (one hour)
puppet_enterprise::profile::console::rbac_token_maximum_lifetime
A string representing the maximum allowable lifetime for all tokens.
The value is formatted as a string consisting of a number followed by a suffix representing a unit of time: y (years), d (days), h (hours), m (minutes), or s (seconds).
Default: 10y (10 years)
puppet_enterprise::profile::console::console_ssl_listen_port
An integer representing the port that the console listens on.
Default: 443
puppet_enterprise::profile::console::ssl_listen_address
A string containing an IP address repesenting the console's NGINX listen address.
Default: "0.0.0.0"
puppet_enterprise::profile::console::classifier_prune_threshold
An integer representing the number of days to wait before pruning the node classifier database. The node classifier database contains node check-in history if classifier_node_check_in_storage is enabled.
Set the value to 0 to never prune the node classifier database.
Default: 7 (days), but only has data to prune if classifier_node_check_in_storage is true.
puppet_enterprise::profile::console::classifier_node_check_in_storage
A Boolean specifying whether to create records when nodes check in with the node classifier. These records describe how nodes match the node groups they're classified into.
Set to true to enable node check-in storage. Enabling this parameter is required to use Nodes check-in history endpoints.
Set to false to disable node check-in storage.
Default: false
puppet_enterprise::profile::console::display_local_time
A Boolean indicating whether to show timestamps in the local time or UTC.
Set to true to display timestamps in local time with hover text showing the equivalent UTC time.
Set to false to show timestamps in UTC time with no hover text.
Default: false
puppet_enterprise::profile::console::disclaimer_content_path
Specifies the location of the disclaimer.txt file containing disclaimer content that can appear on the console login page if you Create a custom login disclaimer.
Default: "/etc/puppetlabs/console-services"
Tip: You can also use the RBAC API Disclaimer endpoints to configure the disclaimer without needing to reference a specific file location on disk.
The parameters must be set in Hiera or pe.conf, not the console:
puppet_enterprise::api_port
An integer specifying the SSL port that the node classifier is served on.
Default: 4433
puppet_enterprise::console_services::no_longer_reporting_cutoff
Length of time, in seconds, before a node is considered unresponsive.
Default: 3600 (seconds)
For more information, refer to Node run statuses.
console_admin_password
The password to log into the console as the admin.
Example: "myconsolepassword"
Default: Specified during installation.
Tip: You can also Reset the console administrator password from the command line.

Orchestrator and orchestration services parameters

Use these parameters to configure and tune the orchestrator and orchestration services.

puppet_enterprise::profile::agent::pxp_enabled
Boolean used to enable or disable the Puppet Execution Protocol (PXP) service.
Set to true to enable the PXP service, which is required to use the orchestrator and run Puppet from the console.
Set to false to disable the PXP service. If false, you can’t use the orchestrator or the Run Puppet button in the console.
Must be true to Configure PXP agent parameters.
Default: true
puppet_enterprise::profile::bolt_server::concurrency
An integer that determines the maximum number of simultaneous task or plan requests the orchestrator can make to bolt-server.
This setting only limits task or plan executions on nodes with SSH or WinRM transport methods, because these are the only tasks and plans requiring requests to bolt-server.
Default: 100 requests
CAUTION: Do not set a concurrency limit that is higher than the bolt-server limit. This can cause timeouts that lead to failed task runs.
puppet_enterprise::profile::orchestrator::global_concurrent_compiles
An integer specifying how many concurrent compile requests can be outstanding to the primary server across all orchestrator jobs.
Default: 8 requests
puppet_enterprise::profile::orchestrator::job_prune_threshold
An integer of 2 or greater, which specifies the number of days to retain job reports.
This parameter sets the corresponding parameter job-prune-days-threshold.
While job_prune_threshold itself has no default value, job-prune-days-threshold has a default of 30 (30 days).
puppet_enterprise::profile::orchestrator::pcp_timeout
An integer representing how long, in seconds, an agent can spend attempting to connect to a PCP broker during a Puppet run triggered by the orchestrator. If the agent can’t connect to the broker in the specified time frame, the Puppet run times out.
Default: 30
puppet_enterprise::profile::orchestrator::run_service
A Boolean used to enable (true) or disable (false) orchestration services.
Default: true
puppet_enterprise::profile::orchestrator::task_concurrency
An integer representing the number of simultaneous task or plan actions that can run at the same time. All task and plan actions are limited by this concurrency limit regardless of transport type (WinRM, SSH, PCP).
If a task or plan action runs on multiple nodes, each node consumes one action. For example, if a task needs to run on 300 nodes, and your task_concurrency is set to 200, then the task can run on 200 nodes while the remaining 100 nodes wait in queue.
Default: 250 actions
puppet_enterprise::pxp_agent::ping_interval
An integer specifying the frequency, in seconds, that PXP agents ping PCP brokers. If the broker doesn't respond, the agent tries to reconnect.
Default: 120
More information: Configure PXP agent parameters
puppet_enterprise::pxp_agent::pxp_logfile
The path, as a string, to the PXP agent log file. This file can be used to debug orchestrator issues.
The default value varies by OS.
  • *nix: "/var/log/puppetlabs/pxp-agent/pxp-agent.log"
  • Windows: "C:\Program Data\PuppetLabs\pxp-agent\var\log\pxp-agent.log"
More information: Configure PXP agent parameters
You might need to configure these parameters depending on your infrastructure. You can always tune them later if you find you need to make adjustments.
puppet_enterprise::profile::orchestrator::allowed_pcp_status_requests
An integer that defines how many times an orchestrator job allows status requests to time out before a job is considered failed. Status requests wait 12 seconds between timeouts, so multiply the value of the allowed_pcp_status_requests by 12 to determine how many seconds the orchestrator waits on targets that aren’t responding to status requests.
Default: 35 timeouts
puppet_enterprise::profile::orchestrator::java_args
Specifies the Java heap size, which is the amount of JVM memory that each Java process is allowed to request from the OS for orchestration services to use.
The value is formatted as a JSON hash, where the maximum and minimum are usually the same. For example: {"Xmx": "256m", "Xms": "256m"}
Default: 704 MB
puppet_enterprise::profile::orchestrator::jruby_max_active_instances
An integer that determines the maximum number of JRuby instances that the orchestrator creates to execute plans. Because each plan uses one JRuby to run, this value is effectively the maximum number of concurrent plans. Setting the orchestrator heap size (java_args) automatically sets the jruby_max_active_instances using the formula $java_args ÷ 1024. If the result is less than one, the default is one JRuby instance.
Default: 1 instance
Note: The jruby_max_active_instances pool for the orchestrator is separate from the Puppet Server pool. Refer to JRuby max active instances for more information.
puppet_enterprise::profile::plan_executor::versioned_deploys
A Boolean used for Running plans alongside code deployments.
Set to true to enable versioned deployments of environment code.
Default: false
Important: Setting this to true disables the file sync client's locking mechanism that usually enforces a consistent environment state for your plans. This can cause Puppet functions and plans that call other plans to behave unexpectedly if a code deployment occurs while a plan is running.

PuppetDB parameters

Use these parameters to configure and tune PuppetDB.

puppet_enterprise::profile::master::puppetdb_host
An array containing a string representing the certname of the node running the PuppetDB service, which is usually the primary server.
Default: ["<PRIMARY_SERVER_CERTNAME>"]
The value is set on the PE Infrastructure node group and inherited by all child infrastructure node groups.
puppet_enterprise::profile::master::puppetdb_port
An array containing an integer representing the SSL port that PuppetDB listens on.
Default: [8081]
You might need to change this value if The PuppetDB default port conflicts with another service. The value is set on the PE Infrastructure node group and inherited by all child infrastructure node groups.
puppet_enterprise::profile::master::puppetdb::report_processor_ensure
Specifies if you want the primary server to generate agent run reports after each Puppet run.
Accepts a string of either "present" or "absent".
Default: "present" (enabled)
Set to "absent" to Disable agent run reports.
puppet_enterprise::profile::puppetdb::node_purge_ttl
Set the length of time before PE automatically removes deactivated or expired nodes, along with their facts, catalogs, and reports, from PuppetDB.
Specify a string representing an amount of time. For example, "14d" sets the retention time to 14 days.
Default: "14d"
For more information, refer to Set the deactivated node retention time.
puppet_enterprise::puppetdb::command_processing_threads
Integer representing how many command processing threads PuppetDB uses to sort incoming data. Each thread can process one command at a time.
If the PuppetDB service runs on compilers, the default value is 25% of the number of cores in your system. Otherwise, the default value is half the number of cores in your system. The minimum is 1.
For more information, refer to PuppetDB command processing threads.

Java parameters

Use these parameters to configure and tune Java.

puppet_enterprise::profile::master::java_args
JVM (Java Virtual Machine) memory, specified as a JSON hash, that is allocated to the Puppet Server service, for example {"Xmx": "4096m", "Xms": "4096m"}.
puppet_enterprise::profile::puppetdb::java_args
JVM memory, specified as a JSON hash, that is allocated to the PuppetDB service, for example {"Xmx": "512m", "Xms": "512m"}.
puppet_enterprise::profile::console::java_args
JVM memory, specified as a JSON hash, that is allocated to console services, for example {"Xmx": "512m", "Xms": "512m"}.
puppet_enterprise::profile::orchestrator::java_args
JVM memory, set as a JSON hash, that is allocated to orchestration services, for example, {"Xmx": "256m", "Xms": "256m"}.