PUPPETCONF(5)                    Puppet manual                   PUPPETCONF(5)

This page is autogenerated; any changes will get overwritten (last generated
on 2015-05-18 10:15:47 -0700)

Configuration Settings
       o   Each of these settings can be specified in puppet.conf or on the
           command line.

       o   When using boolean settings on the command line, use --setting and
           --no-setting instead of --setting (true|false). (Using --setting
           false results in "Error: Could not parse application options:
           needless argument".)

       o   Settings can be interpolated as $variables in other settings;
           $environment is special, in that puppet master will interpolate
           each agent node's environment instead of its own.

       o   Multiple values should be specified as comma-separated lists;
           multiple directories should be separated with the system path
           separator (usually a colon).

       o   Settings that represent time intervals should be specified in
           duration format: an integer immediately followed by one of the
           units 'y' (years of 365 days), 'd' (days), 'h' (hours), 'm'
           (minutes), or 's' (seconds). The unit cannot be combined with other
           units, and defaults to seconds when omitted. Examples are '3600'
           which is equivalent to '1h' (one hour), and '1825d' which is
           equivalent to '5y' (5 years).

       o   Settings that take a single file or directory can optionally set
           the owner, group, and mode for their value:

               rundir = $vardir/run { owner = puppet, group = puppet, mode = 644 }

       o   The Puppet executables will ignore any setting that isn't relevant
           to their function.

       See the configuration guide
       http://docs.puppetlabs.com/guides/configuring.html for more details.
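
       The conventions above, as an added Ruby example that is not part of
       the Puppet manual and is not Puppet's own parser. It handles duration
       values, $variable interpolation, and the { owner, group, mode } suffix.
       The function names, the sample text and the group/other-writable check
       are assumptions made for the example.

```ruby
# Added example, not Puppet's own parser. SAMPLE_CONF is constructed.

DURATION_UNITS = { "y" => 365 * 86_400, "d" => 86_400, "h" => 3_600,
                   "m" => 60, "s" => 1 }.freeze

# An integer immediately followed by at most one unit; seconds when omitted.
def parse_duration(text)
  m = /\A(\d+)([ydhms])?\z/.match(text.to_s.strip)
  raise ArgumentError, "invalid duration: #{text.inspect}" unless m
  m[1].to_i * DURATION_UNITS.fetch(m[2] || "s")
end

# Splits "name = value { owner = u, group = g, mode = 644 }" into its parts.
# The metadata block must follow whitespace, so "${name}" inside a value is
# not mistaken for it.
def parse_setting_line(line)
  m = /\A\s*(\w+)\s*=\s*(.*?)(?:\s+\{([^{}]*)\})?\s*\z/.match(line)
  return nil unless m
  meta = {}
  m[3].to_s.split(",").each do |pair|
    key, value = pair.split("=", 2).map(&:strip)
    meta[key] = value if key && value
  end
  { name: m[1], value: m[2], meta: meta }
end

# Parses settings text into { name => { value:, meta: } }, skipping blank
# lines, comments and [section] headers.
def parse_settings(text)
  text.each_line.each_with_object({}) do |line, out|
    next if line.strip.empty? || line.strip.start_with?("#", "[")
    parsed = parse_setting_line(line.chomp)
    raise ArgumentError, "cannot parse: #{line.inspect}" unless parsed
    out[parsed[:name]] = { value: parsed[:value], meta: parsed[:meta] }
  end
end

# Expands $name and ${name} references to other settings. Unknown names (for
# example $environment, which the master fills in per node) are left as
# written; a reference cycle raises instead of recursing forever.
def interpolate(settings, name, seen = [])
  if seen.include?(name)
    raise ArgumentError, "interpolation cycle: #{(seen + [name]).join(' -> ')}"
  end
  settings.fetch(name)[:value].gsub(/\$(?:\{(\w+)\}|(\w+))/) do |whole|
    ref = Regexp.last_match(1) || Regexp.last_match(2)
    settings.key?(ref) ? interpolate(settings, ref, seen + [name]) : whole
  end
end

# Names of settings whose declared mode lets group or others write the path.
def loosely_writable(settings)
  settings.select do |_name, s|
    mode = s[:meta]["mode"]
    mode && (mode.to_i(8) & 0o022) != 0
  end.keys
end

SAMPLE_CONF = <<~'CONF'
  # constructed sample, not a real deployment
  [main]
  vardir = /opt/puppetlabs/puppet/cache
  rundir = $vardir/run { owner = puppet, group = puppet, mode = 644 }
  statedir = $vardir/state
  graphdir = ${statedir}/graphs { mode = 664 }
  ca_ttl = 5y
  filetimeout = 15
CONF

if __FILE__ == $PROGRAM_NAME
  settings = parse_settings(SAMPLE_CONF)
  settings.each_key { |name| puts "#{name} = #{interpolate(settings, name)}" }
  puts "ca_ttl in seconds: #{parse_duration(settings['ca_ttl'][:value])}"
  puts "group/other-writable: #{loosely_writable(settings).join(', ')}"
end
```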

   agent_catalog_run_lockfile
       A lock file to indicate that a puppet agent catalog run is currently in
       progress. The file contains the pid of the process that holds the lock
       on the catalog run.

       o   Default: $statedir/agent_catalog_run.lock

   agent_disabled_lockfile
       A lock file to indicate that puppet agent runs have been
       administratively disabled. File contains a JSON object with state
       information.

       o   Default: $statedir/agent_disabled.lock

   allow_duplicate_certs
       Whether to allow a new certificate request to overwrite an existing
       certificate.

       o   Default: false

   always_cache_features
       Affects how we cache attempts to load Puppet 'features'. If false, then
       calls to Puppet.features.<feature>? will always attempt to load the
       feature (which can be an expensive operation) unless it has already
       been loaded successfully. This makes it possible for a single agent run
       to, e.g., install a package that provides the underlying capabilities
       for a feature, and then later load that feature during the same run
       (even if the feature had been tested earlier and had not been
       available).

       If this setting is set to true, then features will only be checked
       once, and if they are not available, the negative result is cached and
       returned for all subsequent attempts to load the feature. This behavior
       is almost always appropriate for the server, and can result in a
       significant performance improvement for features that are checked
       frequently.

       o   Default: false

   archive_file_server
       During an inspect run, the file bucket server to archive files to if
       archive_files is set.

       o   Default: $server

   archive_files
       During an inspect run, whether to archive files whose contents are
       audited to a file bucket.

       o   Default: false

   autoflush
       Whether log files should always flush to disk.

       o   Default: true

   autosign
       Whether (and how) to autosign certificate requests. This setting is
       only relevant on a puppet master acting as a certificate authority
       (CA).

       Valid values are true (autosigns all certificate requests; not
       recommended), false (disables autosigning certificates), or the
       absolute path to a file.

       The file specified in this setting may be either a configuration file
       or a custom policy executable. Puppet will automatically determine what
       it is: If the Puppet user (see the user setting) can execute the file,
       it will be treated as a policy executable; otherwise, it will be
       treated as a config file.

       If a custom policy executable is configured, the CA puppet master will
       run it every time it receives a CSR. The executable will be passed the
       subject CN of the request as a command line argument, and the contents
       of the CSR in PEM format on stdin. It should exit with a status of 0 if
       the cert should be autosigned and non-zero if the cert should not be
       autosigned.

       If a certificate request is not autosigned, it will persist for review.
       An admin user can use the puppet cert sign command to manually sign it,
       or can delete the request.

       For info on autosign configuration files, see the guide to Puppet's
       config files http://docs.puppetlabs.com/guides/configuring.html.

       o   Default: $confdir/autosign.conf

   basemodulepath
       The search path for global modules. Should be specified as a list of
       directories separated by the system path separator character. (The
       POSIX path separator is ':', and the Windows path separator is ';'.)

       These are the modules that will be used by all environments. Note that
       the modules directory of the active environment will have priority over
       any global directories. For more info, see
       http://docs.puppetlabs.com/puppet/latest/reference/environments.html

       o   Default: $codedir/modules:/opt/puppetlabs/puppet/modules

   bindaddress
       The address a listening server should bind to.

       o   Default: 0.0.0.0

   binder_config
       The binder configuration file. Puppet reads this file on each request
       to configure the bindings system. If set to nil (the default), a
       $confdir/binder_config.yaml is optionally loaded. If it does not
       exist, a default configuration is used. If the setting :binding_config
       is specified, it must reference a valid and existing yaml file.

       Default:

   bucketdir
       Where FileBucket files are stored.

       o   Default: $vardir/bucket

   ca
       Whether the master should function as a certificate authority.

       o   Default: true

   ca_name
       The name to use for the Certificate Authority certificate.

       o   Default: Puppet CA: $certname

   ca_port
       The port to use for the certificate authority.

       o   Default: $masterport

   ca_server
       The server to use for certificate authority requests. It's a separate
       server because it cannot and does not need to horizontally scale.

       o   Default: $server

   ca_ttl
       The default TTL for new certificates. This setting can be a time
       interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d),
       or years (5y).

       o   Default: 5y

   cacert
       The CA certificate.

       o   Default: $cadir/ca_crt.pem

   cacrl
       The certificate revocation list (CRL) for the CA. Will be used if
       present but otherwise ignored.

       o   Default: $cadir/ca_crl.pem

   cadir
       The root directory for the certificate authority.

       o   Default: $ssldir/ca

   cakey
       The CA private key.

       o   Default: $cadir/ca_key.pem

   capass
       Where the CA stores the password for the private key.

       o   Default: $caprivatedir/ca.pass

   caprivatedir
       Where the CA stores private certificate information.

       o   Default: $cadir/private

   capub
       The CA public key.

       o   Default: $cadir/ca_pub.pem

   catalog_cache_terminus
       How to store cached catalogs. Valid values are 'json', 'msgpack' and
       'yaml'. The agent application defaults to 'json'.

       Default:

   catalog_terminus
       Where to get node catalogs. This is useful to change if, for instance,
       you'd like to pre-compile catalogs and store them in memcached or some
       other easily-accessed store.

       o   Default: compiler

   cert_inventory
       The inventory file. This is a text file to which the CA writes a
       complete listing of all certificates.

       o   Default: $cadir/inventory.txt

   certdir
       The certificate directory.

       o   Default: $ssldir/certs

   certificate_revocation
       Whether certificate revocation should be supported by downloading a
       Certificate Revocation List (CRL) to all clients. If enabled, CA
       chaining will almost definitely not work.

       o   Default: true

   certname
       The name to use when handling certificates. When a node requests a
       certificate from the CA puppet master, it uses the value of the
       certname setting as its requested Subject CN.

       This is the name used when managing a node's permissions in auth.conf
       http://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html.
       In most cases, it is also used as the node's name when matching node
       definitions
       http://docs.puppetlabs.com/puppet/latest/reference/lang_node_definitions.html
       and requesting data from an ENC. (This can be changed with the
       node_name_value and node_name_fact settings, although you should only
       do so if you have a compelling reason.)

       A node's certname is available in Puppet manifests as
       $trusted['certname']. (See Facts and Built-In Variables
       http://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html
       for more details.)

       o   For best compatibility, you should limit the value of certname to
           only use letters, numbers, periods, underscores, and dashes. (That
           is, it should match /\A[a-z0-9._-]+\Z/.)

       o   The special value ca is reserved, and can't be used as the certname
           for a normal node.

       Defaults to the node's fully qualified domain name.

       o   Default: rll.corp.puppetlabs.net

   cfacter
       Whether or not to use the native facter (cfacter) implementation
       instead of the Ruby one (facter). Defaults to false.

       o   Default: false

   classfile
       The file in which puppet agent stores a list of the classes associated
       with the retrieved configuration. Can be loaded in the separate puppet
       executable using the --loadclasses option.

       o   Default: $statedir/classes.txt

   client_datadir
       The directory in which serialized data is stored on the client.

       o   Default: $vardir/client_data

   clientbucketdir
       Where FileBucket files are stored locally.

       o   Default: $vardir/clientbucket

   clientyamldir
       The directory in which client-side YAML data is stored.

       o   Default: $vardir/client_yaml

   code
       Code to parse directly. This is essentially only used by puppet, and
       should only be set if you're writing your own Puppet executable.

   codedir
       The main Puppet code directory. The default for this setting is
       calculated based on the user. If the process is running as root or the
       user that Puppet is supposed to run as, it defaults to a system
       directory, but if it's running as any other user, it defaults to being
       in the user's home directory.

       Default:

   color
       Whether to use colors when logging to the console. Valid values are
       ansi (equivalent to true), html, and false, which produces no color.
       Defaults to false on Windows, as its console does not support ansi
       colors.

       o   Default: ansi

   confdir
       The main Puppet configuration directory. The default for this setting
       is calculated based on the user. If the process is running as root or
       the user that Puppet is supposed to run as, it defaults to a system
       directory, but if it's running as any other user, it defaults to being
       in the user's home directory.

       o   Default: /etc/puppetlabs/puppet

   config
       The configuration file for the current puppet application.

       o   Default: $confdir/${config_file_name}

   config_file_name
       The name of the puppet config file.

       o   Default: puppet.conf

   config_version
       How to determine the configuration version. By default, it will be the
       time that the configuration is parsed, but you can provide a shell
       script to override how the version is determined. The output of this
       script will be added to every log message in the reports, allowing you
       to correlate changes on your hosts to the source version on the server.

       Setting a global value for config_version in puppet.conf is not allowed
       (but it can be overridden from the commandline). Please set a
       per-environment value in environment.conf instead. For more info, see
       http://docs.puppetlabs.com/puppet/latest/reference/environments.html

   configprint
       Print the value of a specific configuration setting. If the name of a
       setting is provided for this, then the value is printed and puppet
       exits. Comma-separate multiple values. For a list of all values,
       specify 'all'.

   configtimeout
       How long the client should wait for the configuration to be retrieved
       before considering it a failure. This setting is deprecated and has
       been replaced by http_connect_timeout and http_read_timeout. This
       setting can be a time interval in seconds (30 or 30s), minutes (30m),
       hours (6h), days (2d), or years (5y).

       o   Default: 2m

   csr_attributes
       An optional file containing custom attributes to add to certificate
       signing requests (CSRs). You should ensure that this file does not
       exist on your CA puppet master; if it does, unwanted certificate
       extensions may leak into certificates created with the puppet cert
       generate command.

       If present, this file must be a YAML hash containing a
       custom_attributes key and/or an extension_requests key. The value of
       each key must be a hash, where each key is a valid OID and each value
       is an object that can be cast to a string.

       Custom attributes can be used by the CA when deciding whether to sign
       the certificate, but are then discarded. Attribute OIDs can be any OID
       value except the standard CSR attributes (i.e. attributes described in
       RFC 2985 section 5.4). This is useful for embedding a pre-shared key
       for autosigning policy executables (see the autosign setting), often by
       using the 1.2.840.113549.1.9.7 ("challenge password") OID.

       Extension requests will be permanently embedded in the final
       certificate. Extension OIDs must be in the "ppRegCertExt"
       (1.3.6.1.4.1.34380.1.1) or "ppPrivCertExt" (1.3.6.1.4.1.34380.1.2) OID
       arcs. The ppRegCertExt arc is reserved for four of the most common
       pieces of data to embed: pp_uuid (.1), pp_instance_id (.2),
       pp_image_name (.3), and pp_preshared_key (.4) --- in the YAML file,
       these can be referred to by their short descriptive names instead of
       their full OID. The ppPrivCertExt arc is unregulated, and can be used
       for site-specific extensions.

       o   Default: $confdir/csr_attributes.yaml
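
       The autosign policy executable described under autosign, combined with
       the challenge-password attribute described under csr_attributes, as an
       added Ruby example that is not Puppet's own code. The names autosign?,
       policy_exit_status and build_sample_csr, the pre-shared key values and
       the strict use of the certname pattern as an allowlist are assumptions;
       the CSRs are constructed in-process.

```ruby
# Added example, not Puppet's own code. All CSRs and keys are constructed here.
require "openssl"
require "stringio"

CHALLENGE_PASSWORD_OIDS = ["challengePassword", "1.2.840.113549.1.9.7"].freeze
# The certname character set recommended by this page, used as an allowlist.
CERTNAME_PATTERN = /\A[a-z0-9._-]+\z/

# Compares two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the challengePassword custom attribute of a parsed CSR, or nil.
def challenge_password(csr)
  attr = csr.attributes.find { |a| CHALLENGE_PASSWORD_OIDS.include?(a.oid) }
  first = attr && attr.value.value.first
  first && first.value
end

# true means "autosign" (exit status 0); false means "leave for review".
def autosign?(cn, csr_pem, expected_psk)
  return false unless cn.is_a?(String) && cn.match?(CERTNAME_PATTERN)
  return false if cn == "ca"                      # reserved certname
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key)  # requester holds the key
  cn_entry = csr.subject.to_a.find { |name, _value, _type| name == "CN" }
  return false unless cn_entry && cn_entry[1] == cn
  psk = challenge_password(csr)
  psk.is_a?(String) && secure_equal?(psk, expected_psk)
rescue OpenSSL::OpenSSLError
  false                                           # unparseable CSR: do not sign
end

# Exit status for one invocation: the CN is the only argument and the PEM CSR
# arrives on stdin. Anything unexpected yields non-zero.
def policy_exit_status(argv, stdin, expected_psk)
  return 1 unless argv.length == 1
  autosign?(argv[0], stdin.read, expected_psk) ? 0 : 1
end

# Constructed input: a CSR for `cn`, optionally carrying `psk` as the
# challengePassword custom attribute.
def build_sample_csr(cn, psk = nil, key = OpenSSL::PKey::RSA.new(2048))
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([["CN", cn]])
  csr.public_key = key.public_key
  if psk
    value = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(psk)])
    csr.add_attribute(OpenSSL::X509::Attribute.new("1.2.840.113549.1.9.7", value))
  end
  csr.sign(key, OpenSSL::Digest.new("SHA256"))
  csr.to_pem
end

if __FILE__ == $PROGRAM_NAME
  pem = build_sample_csr("web01.example.test", "constructed-psk")
  ok = policy_exit_status(["web01.example.test"], StringIO.new(pem), "constructed-psk")
  bad = policy_exit_status(["web01.example.test"], StringIO.new(pem), "other-psk")
  puts "matching key: exit #{ok}; wrong key: exit #{bad}"
end
```

       Installed as the file named by the autosign setting, a script would end
       with exit policy_exit_status(ARGV, $stdin, key), where key is read from
       a location only the Puppet user can access.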

   csrdir
       Where the CA stores certificate requests.

       o   Default: $cadir/requests

   daemonize
       Whether to send the process into the background. This defaults to true
       on POSIX systems, and to false on Windows (where Puppet currently
       cannot daemonize).

       o   Default: true

   data_binding_terminus
       Where to retrieve information about data.

       o   Default: hiera

   default_file_terminus
       The default source for files if no server is given in a uri, e.g.
       puppet:///file. The default of rest causes the file to be retrieved
       using the server setting. When running apply the default is
       file_server, causing requests to be filled locally.

       o   Default: rest

   default_manifest
       The default main manifest for directory environments. Any environment
       that doesn't set the manifest setting in its environment.conf file will
       use this manifest.

       This setting's value can be an absolute or relative path. An absolute
       path will make all environments default to the same main manifest; a
       relative path will allow each environment to use its own manifest, and
       Puppet will resolve the path relative to each environment's main
       directory.

       In either case, the path can point to a single file or to a directory
       of manifests to be evaluated in alphabetical order.

       o   Default: ./manifests

   default_schedules
       Boolean; whether to generate the default schedule resources. Setting
       this to false is useful for keeping external report processors clean of
       skipped schedule resources.

       o   Default: true

   deviceconfig
       Path to the device config file for puppet device.

       o   Default: $confdir/device.conf

   devicedir
       The root directory of devices' $vardir.

       o   Default: $vardir/devices

   diff
       Which diff command to use when printing differences between files. This
       setting has no default value on Windows, as standard diff is not
       available, but Puppet can use many third-party diff tools.

       o   Default: diff

   diff_args
       Which arguments to pass to the diff command when printing differences
       between files. The command to use can be chosen with the diff setting.

       o   Default: -u

   digest_algorithm
       Which digest algorithm to use for file resources and the filebucket.
       Valid values are md5, sha256. Default is md5.

       o   Default: md5

   disable_per_environment_manifest
       Whether to disallow an environment-specific main manifest. When set to
       true, Puppet will use the manifest specified in the default_manifest
       setting for all environments. If an environment specifies a different
       main manifest in its environment.conf file, catalog requests for that
       environment will fail with an error.

       This setting requires default_manifest to be set to an absolute path.

       o   Default: false

   disable_warnings
       A comma-separated list of warning types to suppress. If large numbers
       of warnings are making Puppet's logs too large or difficult to use, you
       can temporarily silence them with this setting.

       If you are preparing to upgrade Puppet to a new major version, you
       should re-enable all warnings for a while.

       Valid values for this setting are:

       o   deprecations --- disables deprecation warnings.

       o   Default: []

   dns_alt_names
       The comma-separated list of alternative DNS names to use for the local
       host.

       When the node generates a CSR for itself, these are added to the
       request as the desired subjectAltName in the certificate: additional
       DNS labels that the certificate is also valid answering as.

       This is generally required if you use a non-hostname certname, or if
       you want to use puppet kick or puppet resource -H and the primary
       certname does not match the DNS name you use to communicate with the
       host.

       This is unnecessary for agents, unless you intend to use them as a
       server for puppet kick or remote puppet resource management.

       It is rarely necessary for servers; it is usually helpful only if you
       need to have a pool of multiple load balanced masters, or for the same
       master to respond on two physically separate networks under different
       names.

   document_all
       Whether to document all resources when using puppet doc to generate
       manifest documentation.

       o   Default: false

   environment
       The environment Puppet is running in. For clients (e.g., puppet agent)
       this determines the environment itself, which is used to find modules
       and much more. For servers (i.e., puppet master) this provides the
       default environment for nodes we know nothing about.

       o   Default: production

   environment_data_provider
       The name of a registered environment data provider. The two built in
       and registered providers are 'none' (no environment specific data), and
       'function' (environment specific data obtained by calling the function
       'environment::data()'). Other environment data providers may be
       registered in modules on the module path. For such custom data
       providers see the respective module documentation.

       o   Default: none

   environment_timeout
       How long the Puppet master should cache data it loads from an
       environment. This setting can be a time interval in seconds (30 or
       30s), minutes (30m), hours (6h), days (2d), or years (5y). A value of 0
       will disable caching. This setting can also be set to unlimited, which
       will cache environments until the master is restarted or told to
       refresh the cache.

       You should change this setting once your Puppet deployment is doing
       non-trivial work. We chose the default value of 0 because it lets new
       users update their code without any extra steps, but it lowers the
       performance of your Puppet master.

       We recommend setting this to unlimited and explicitly refreshing your
       Puppet master as part of your code deployment process.

       o   With Puppet Server, you should refresh environments by calling the
           environment-cache API endpoint. See the docs for the Puppet Server
           administrative API.

       o   With a Rack Puppet master, you should restart the web server or the
           application server. Passenger lets you touch a restart.txt file to
           refresh an application without restarting Apache; see the Passenger
           docs for details.

       We don't recommend using any value other than 0 or unlimited, since
       most Puppet masters use a pool of Ruby interpreters which all have
       their own cache timers. When these timers drift out of sync, agents can
       be served inconsistent catalogs.

       o   Default: 0

   environmentpath
       A search path for directory environments, as a list of directories
       separated by the system path separator character. (The POSIX path
       separator is ':', and the Windows path separator is ';'.)

       This setting must have a value set to enable directory environments.
       The recommended value is $codedir/environments. For more details, see
       http://docs.puppetlabs.com/puppet/latest/reference/environments.html

       o   Default: $codedir/environments

   evaltrace
       Whether each resource should log when it is being evaluated. This
       allows you to interactively see exactly what is being done.

       o   Default: false

   external_nodes
       An external command that can produce node information. The command's
       output must be a YAML dump of a hash, and that hash must have a classes
       key and/or a parameters key, where classes is an array or hash and
       parameters is a hash. For unknown nodes, the command should exit with a
       non-zero exit code.

       This command makes it straightforward to store your node mapping
       information in other data sources like databases.

       o   Default: none

   factpath
       Where Puppet should look for facts. Multiple directories should be
       separated by the system path separator character. (The POSIX path
       separator is ':', and the Windows path separator is ';'.)

       o   Default: $vardir/lib/facter:$vardir/facts

   facts_terminus
       The node facts terminus.

       o   Default: facter

   fileserverconfig
       Where the fileserver configuration is stored.

       o   Default: $confdir/fileserver.conf

   filetimeout
       The minimum time to wait between checking for updates in configuration
       files. This timeout determines how quickly Puppet checks whether a file
       (such as manifests or templates) has changed on disk. This setting can
       be a time interval in seconds (30 or 30s), minutes (30m), hours (6h),
       days (2d), or years (5y).

       o   Default: 15s

   forge_authorization
       The authorization key to connect to the Puppet Forge. Leave blank for
       unauthorized or license based connections.

       Default:

   freeze_main
       Freezes the 'main' class, disallowing any code to be added to it. This
       essentially means that you can't have any code outside of a node,
       class, or definition other than in the site manifest.

       o   Default: false

   genconfig
       When true, causes Puppet applications to print an example config file
       to stdout and exit. The example will include descriptions of each
       setting, and the current (or default) value of each setting,
       incorporating any settings overridden on the CLI (with the exception of
       genconfig itself). This setting only makes sense when specified on the
       command line as --genconfig.

       o   Default: false

   genmanifest
       Whether to just print a manifest to stdout and exit. Only makes sense
       when specified on the command line as --genmanifest. Takes into account
       arguments specified on the CLI.

       o   Default: false

   graph
       Whether to create .dot graph files, which let you visualize the
       dependency and containment relationships in Puppet's catalog. You can
       load and view these files with tools like OmniGraffle
       http://www.omnigroup.com/applications/omnigraffle/ (OS X) or graphviz
       http://www.graphviz.org/ (multi-platform).

       Graph files are created when applying a catalog, so this setting should
       be used on nodes running puppet agent or puppet apply.

       The graphdir setting determines where Puppet will save graphs. Note
       that we don't save graphs for historical runs; Puppet will replace the
       previous .dot files with new ones every time it applies a catalog.

       See your graphing software's documentation for details on opening .dot
       files. If you're using GraphViz's dot command, you can do a quick PNG
       render with dot -Tpng <DOT FILE> -o <OUTPUT FILE>.

       o   Default: false

   graphdir
       Where to save .dot-format graphs (when the graph setting is enabled).

       o   Default: $statedir/graphs

   group
       The group puppet master should run as.

       o   Default: puppet

   hiera_config
       The hiera configuration file. Puppet only reads this file on startup,
       so you must restart the puppet master every time you edit it.

       o   Default: $codedir/hiera.yaml

   hostcert
       Where individual hosts store and look for their certificates.

       o   Default: $certdir/$certname.pem

   hostcrl
       Where the host's certificate revocation list can be found. This is
       distinct from the certificate authority's CRL.

       o   Default: $ssldir/crl.pem

   hostcsr
       Where individual hosts store and look for their certificate requests.

       o   Default: $ssldir/csr_$certname.pem

   hostprivkey
       Where individual hosts store and look for their private key.

       o   Default: $privatekeydir/$certname.pem

   hostpubkey
       Where individual hosts store and look for their public key.

       o   Default: $publickeydir/$certname.pem

   http_connect_timeout
       The maximum amount of time to wait when establishing an HTTP
       connection. The default value is 2 minutes. This setting can be a time
       interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d),
       or years (5y).

       o   Default: 2m

   http_debug
       Whether to write HTTP requests and responses to stderr. This should
       never be used in a production environment.

       o   Default: false

   http_keepalive_timeout
       The maximum amount of time a persistent HTTP connection can remain idle
       in the connection pool, before it is closed. This timeout should be
       shorter than the keepalive timeout used on the HTTP server, e.g. Apache
       KeepAliveTimeout directive. This setting can be a time interval in
       seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years
       (5y).

       o   Default: 4s

   http_proxy_host
       The HTTP proxy host to use for outgoing connections. Note: You may need
       to use a FQDN for the server hostname when using a proxy. Environment
       variable http_proxy or HTTP_PROXY will override this value.

       o   Default: none

   http_proxy_password
       The password for the user of an authenticated HTTP proxy. Requires the
       http_proxy_user setting.

       Note that passwords must be valid when used as part of a URL. If a
       password contains any characters with special meanings in URLs (as
       specified by RFC 3986 section 2.2), they must be URL-encoded. (For
       example, # would become %23.)

       o   Default: none

   http_proxy_port
       The HTTP proxy port to use for outgoing connections.

       o   Default: 3128

   http_proxy_user
       The user name for an authenticated HTTP proxy. Requires the
       http_proxy_host setting.

       o   Default: none

   http_read_timeout
       The time to wait for one block to be read from an HTTP connection. If
       nothing is read after the elapsed interval then the connection will be
       closed. The default value is unlimited. This setting can be a time
       interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d),
       or years (5y).

       Default:

   ignorecache
       Ignore cache and always recompile the configuration. This is useful for
       testing new configurations, where the local cache may in fact be stale
       even if the timestamps are up to date - if the facts change or if the
       server changes.

       o   Default: false

   ignoremissingtypes
       Skip searching for classes and definitions that were missing during a
       prior compilation. The list of missing objects is maintained
       per-environment and persists until the environment is cleared or the
       master is restarted.

       o   Default: false

   ignoreschedules
       Boolean; whether puppet agent should ignore schedules. This is useful
       for initial puppet agent runs.

       o   Default: false

   keylength
       The bit length of keys.

       o   Default: 4096

   lastrunfile
       Where puppet agent stores the last run report summary in yaml format.

       o   Default: $statedir/last_run_summary.yaml

   lastrunreport
       Where puppet agent stores the last run report in yaml format.

       o   Default: $statedir/last_run_report.yaml

   ldapattrs
       The LDAP attributes to include when querying LDAP for nodes. All
       returned attributes are set as variables in the top-level scope.
       Multiple values should be comma-separated. The value 'all' returns all
       attributes.

       o   Default: all

   ldapbase
       The search base for LDAP searches. It's impossible to provide a
       meaningful default here, although the LDAP libraries might have one
       already set. Generally, it should be the 'ou=Hosts' branch under your
       main directory.

   ldapclassattrs
       The LDAP attributes to use to define Puppet classes. Values should be
       comma-separated.

       o   Default: puppetclass

   ldapparentattr
       The attribute to use to define the parent node.

       o   Default: parentnode

   ldappassword
       The password to use to connect to LDAP.

   ldapport
       The LDAP port. Only used if node_terminus is set to ldap.

       o   Default: 389

   ldapserver
       The LDAP server. Only used if node_terminus is set to ldap.

       o   Default: ldap

   ldapssl
       Whether SSL should be used when searching for nodes. Defaults to false
       because SSL usually requires certificates to be set up on the client
       side.

       o   Default: false

   ldapstackedattrs
       The LDAP attributes that should be stacked to arrays by adding the
       values in all hierarchy elements of the tree. Values should be
       comma-separated.

       o   Default: puppetvar

   ldapstring
       The search string used to find an LDAP node.

       o   Default: (&(objectclass=puppetClient)(cn=%s))

   ldaptls
       Whether TLS should be used when searching for nodes. Defaults to false
       because TLS usually requires certificates to be set up on the client
       side.

       o   Default: false

   ldapuser
       The user to use to connect to LDAP. Must be specified as a full DN.

   libdir
       An extra search path for Puppet. This is only useful for those files
       that Puppet will load on demand, and is only guaranteed to work for
       those cases. In fact, the autoload mechanism is responsible for making
       sure this directory is in Ruby's search path

       o   Default: $vardir/lib

   localcacert
       Where each client stores the CA certificate.

       o   Default: $certdir/ca.pem

   log_level
       Default logging level for messages from Puppet. Allowed values are:

       o   debug

       o   info

       o   notice

       o   warning

       o   err

       o   alert

       o   emerg

       o   crit

       o   Default: notice

   logdir
       The directory in which to store log files

       Default:

   manage_internal_file_permissions
       Whether Puppet should manage the owner, group, and mode of files it
       uses internally

       o   Default: true

   manifest
       The entry-point manifest for puppet master. This can be one file or a
       directory of manifests to be evaluated in alphabetical order. Puppet
       manages this path as a directory if one exists or if the path ends with
       a / or .

       Setting a global value for manifest in puppet.conf is not allowed (but
       it can be overridden from the commandline). Please use directory
       environments instead. If you need to use something other than the
       environment's manifests directory as the main manifest, you can set
       manifest in environment.conf. For more info, see
       http://docs.puppetlabs.com/puppet/latest/reference/environments.html

       Default:

   masterhttplog
       Where the puppet master web server saves its access log. This is only
       used when running a WEBrick puppet master. When puppet master is
       running under a Rack server like Passenger, that web server will have
       its own logging behavior.

       o   Default: $logdir/masterhttp.log

   masterport
       The port for puppet master traffic. For puppet master, this is the port
       to listen on; for puppet agent, this is the port to make requests on.
       Both applications use this setting to get the port.

       o   Default: 8140

   max_deprecations
       Sets the max number of logged/displayed parser validation deprecation
       warnings in case multiple deprecation warnings have been detected. A
       value of 0 blocks the logging of deprecation warnings. The count is per
       manifest.

       o   Default: 10

   max_errors
       Sets the max number of logged/displayed parser validation errors in
       case multiple errors have been detected. A value of 0 is the same as a
       value of 1; a minimum of one error is always raised. The count is per
       manifest.

       o   Default: 10

   max_warnings
       Sets the max number of logged/displayed parser validation warnings in
       case multiple warnings have been detected. A value of 0 blocks logging
       of warnings. The count is per manifest.

       o   Default: 10

   maximum_uid
       The maximum allowed UID. Some platforms use negative UIDs but then ship
       with tools that do not know how to handle signed ints, so the UIDs show
       up as huge numbers that can then not be fed back into the system. This
       is a hackish way to fail in a slightly more useful way when that
       happens.

       o   Default: 4294967290

   mkusers
       Whether to create the necessary user and group that puppet agent will
       run as.

       o   Default: false

   module_groups
       Extra module groups to request from the Puppet Forge

       Default:

   module_repository
       The module repository

       o   Default: https://forgeapi.puppetlabs.com

   module_skeleton_dir
       The directory in which the skeleton for module tool generate is stored.

       o   Default: $module_working_dir/skeleton

   module_working_dir
       The directory into which module tool data is stored

       o   Default: $vardir/puppet-module

   modulepath
       The search path for modules, as a list of directories separated by the
       system path separator character. (The POSIX path separator is ':', and
       the Windows path separator is ';'.)

       Setting a global value for modulepath in puppet.conf is not allowed
       (but it can be overridden from the commandline). Please use directory
       environments instead. If you need to use something other than the
       default modulepath of <ACTIVE ENVIRONMENT'S MODULES
       DIR>:$basemodulepath, you can set modulepath in environment.conf. For
       more info, see
       http://docs.puppetlabs.com/puppet/latest/reference/environments.html

   name
       The name of the application, if we are running as one. The default is
       essentially $0 without the path or .rb.

       Default:

   node_cache_terminus
       How to store cached nodes. Valid values are (none), 'json', 'msgpack',
       'yaml' or write only yaml ('write_only_yaml'). The master application
       defaults to 'write_only_yaml', all others to none.

       Default:

   node_name
       How the puppet master determines the client's identity and sets the
       'hostname', 'fqdn' and 'domain' facts for use in the manifest, in
       particular for determining which 'node' statement applies to the
       client. Possible values are 'cert' (use the subject's CN in the
       client's certificate) and 'facter' (use the hostname that the client
       reported in its facts)

       o   Default: cert

   node_name_fact
       The fact name used to determine the node name used for all requests the
       agent makes to the master. WARNING: This setting is mutually exclusive
       with node_name_value. Changing this setting also requires changes to
       the default auth.conf configuration on the Puppet Master. Please see
       http://links.puppetlabs.com/node_name_fact for more information.

   node_name_value
       The explicit value used for the node name for all requests the agent
       makes to the master. WARNING: This setting is mutually exclusive with
       node_name_fact. Changing this setting also requires changes to the
       default auth.conf configuration on the Puppet Master. Please see
       http://links.puppetlabs.com/node_name_value for more information.

       o   Default: $certname

   node_terminus
       Where to find information about nodes.

       o   Default: plain

   noop
       Whether to apply catalogs in noop mode, which allows Puppet to
       partially simulate a normal run. This setting affects puppet agent and
       puppet apply.

       When running in noop mode, Puppet will check whether each resource is
       in sync, like it does when running normally. However, if a resource
       attribute is not in the desired state (as declared in the catalog),
       Puppet will take no action, and will instead report the changes it
       would have made. These simulated changes will appear in the report sent
       to the puppet master, or be shown on the console if running puppet
       agent or puppet apply in the foreground. The simulated changes will not
       send refresh events to any subscribing or notified resources, although
       Puppet will log that a refresh event would have been sent.

       Important note: The noop metaparameter
       http://docs.puppetlabs.com/references/latest/metaparameter.html#noop
       allows you to apply individual resources in noop mode, and will
       override the global value of the noop setting. This means a resource
       with noop => false will be changed if necessary, even when running
       puppet agent with noop = true or --noop. (Conversely, a resource with
       noop => true will only be simulated, even when noop mode is globally
       disabled.)

       o   Default: false

   onetime
       Perform one configuration run and exit, rather than spawning a
       long-running daemon. This is useful for interactively running puppet
       agent, or running puppet agent from cron.

       o   Default: false

   ordering
       How unrelated resources should be ordered when applying a catalog.
       Allowed values are title-hash, manifest, and random. This setting
       affects puppet agent and puppet apply, but not puppet master.

       o   manifest (the default) will use the order in which the resources
           were declared in their manifest files.

       o   title-hash (the default in 3.x) will order resources randomly, but
           will use the same order across runs and across nodes. It is only of
           value if you're migrating from 3.x and have errors running with
           manifest.

       o   random will order resources randomly and change their order with
           each run. This can work like a fuzzer for shaking out undeclared
           dependencies.

       Regardless of this setting's value, Puppet will always obey explicit
       dependencies set with the before/require/notify/subscribe
       metaparameters and the ->/~> chaining arrows; this setting only affects
       the relative ordering of unrelated resources.

       o   Default: manifest

   passfile
       Where puppet agent stores the password for its private key. Generally
       unused.

       o   Default: $privatedir/password

   path
       The shell search path. Defaults to whatever is inherited from the
       parent process.

       This setting can only be set in the [main] section of puppet.conf; it
       cannot be set in [master], [agent], or an environment config section.

       o   Default: none

   pidfile
       The file containing the PID of a running process. This file is intended
       to be used by service management frameworks and monitoring systems to
       determine if a puppet process is still in the process table.

       o   Default: $rundir/${run_mode}.pid

   plugindest
       Where Puppet should store plugins that it pulls down from the central
       server.

       o   Default: $libdir

   pluginfactdest
       Where Puppet should store external facts that are being handled by
       pluginsync

       o   Default: $vardir/facts.d

   pluginfactsource
       Where to retrieve external facts for pluginsync

       o   Default: puppet:///pluginfacts

   pluginsignore
       What files to ignore when pulling down plugins.

       o   Default: .svn CVS .git

   pluginsource
       From where to retrieve plugins. The standard Puppet file type is used
       for retrieval, so anything that is a valid file source can be used
       here.

       o   Default: puppet:///plugins

   pluginsync
       Whether plugins should be synced with the central server.

       o   Default: true

   postrun_command
       A command to run after every agent run. If this command returns a
       non-zero return code, the entire Puppet run will be considered to have
       failed, even though it might have performed work during the normal run.

   preferred_serialization_format
       The preferred means of serializing ruby instances for passing over the
       wire. This won't guarantee that all instances will be serialized using
       this method, since not all classes can be guaranteed to support this
       format, but it will be used for all classes that support it.

       o   Default: pson

   prerun_command
       A command to run before every agent run. If this command returns a
       non-zero return code, the entire Puppet run will fail.

   preview_outputdir
       The directory where catalog previews per node are generated.

       o   Default: $vardir/preview

   priority
       The scheduling priority of the process. Valid values are 'high',
       'normal', 'low', or 'idle', which are mapped to platform-specific
       values. The priority can also be specified as an integer value and will
       be passed as is, e.g. -5. Puppet must be running as a privileged user
       in order to increase scheduling priority.

       Default:

   privatedir
       Where the client stores private certificate information.

       o   Default: $ssldir/private

   privatekeydir
       The private key directory.

       o   Default: $ssldir/private_keys

   profile
       Whether to enable experimental performance profiling

       o   Default: false

   publickeydir
       The public key directory.

       o   Default: $ssldir/public_keys

   puppetdlog
       The fallback log file. This is only used when the --logdest option is
       not specified AND Puppet is running on an operating system where both
       the POSIX syslog service and the Windows Event Log are unavailable.
       (Currently, no supported operating systems match that description.)

       Despite the name, both puppet agent and puppet master will use this
       file as the fallback logging destination.

       For control over logging destinations, see the --logdest command line
       option in the manual pages for puppet master, puppet agent, and puppet
       apply. You can see man pages by running puppet <SUBCOMMAND> --help, or
       read them online at http://docs.puppetlabs.com/references/latest/man/.

       o   Default: $logdir/puppetd.log

   report
       Whether to send reports after every transaction.

       o   Default: true

   report_port
       The port to communicate with the report_server.

       o   Default: $masterport

   report_server
       The server to send transaction reports to.

       o   Default: $server

   reportdir
       The directory in which to store reports. Each node gets a separate
       subdirectory in this directory. This setting is only used when the
       store report processor is enabled (see the reports setting).

       o   Default: $vardir/reports

   reports
       The list of report handlers to use. When using multiple report
       handlers, their names should be comma-separated, with whitespace
       allowed. (For example, reports = http, store.)

       This setting is relevant to puppet master and puppet apply. The puppet
       master will call these report handlers with the reports it receives
       from agent nodes, and puppet apply will call them with its own report.
       (In all cases, the node applying the catalog must have report = true.)

       See the report reference for information on the built-in report
       handlers; custom report handlers can also be loaded from modules.
       (Report handlers are loaded from the lib directory, at
       puppet/reports/NAME.rb.)

       o   Default: store

   reporturl
       The URL that reports should be forwarded to. This setting is only used
       when the http report processor is enabled (see the reports setting).

       o   Default: http://localhost:3000/reports/upload

   req_bits
       The bit length of the certificates.

       o   Default: 4096

   requestdir
       Where host certificate requests are stored.

       o   Default: $ssldir/certificate_requests

   resourcefile
       The file in which puppet agent stores a list of the resources
       associated with the retrieved configuration.

       o   Default: $statedir/resources.txt

   rest_authconfig
       The configuration file that defines the rights to the different rest
       indirections. This can be used as a fine-grained authorization system
       for puppet master.

       o   Default: $confdir/auth.conf

   route_file
       The YAML file containing indirector route configuration.

       o   Default: $confdir/routes.yaml

   rundir
       Where Puppet PID files are kept.

       Default:

   runinterval
       How often puppet agent applies the catalog. Note that a runinterval of
       0 means "run continuously" rather than "never run." If you want puppet
       agent to never run, you should start it with the --no-client option.
       This setting can be a time interval in seconds (30 or 30s), minutes
       (30m), hours (6h), days (2d), or years (5y).

       o   Default: 30m

   serial
       Where the serial number for certificates is stored.

       o   Default: $cadir/serial

   server
       The puppet master server to which the puppet agent should connect.

       o   Default: puppet

   server_datadir
       The directory in which serialized data is stored, usually in a
       subdirectory.

       o   Default: $vardir/server_data

   show_diff
       Whether to log and report a contextual diff when files are being
       replaced. This causes partial file contents to pass through Puppet's
       normal logging and reporting system, so this setting should be used
       with caution if you are sending Puppet's reports to an insecure
       destination. This feature currently requires the diff/lcs Ruby library.

       o   Default: false

   signeddir
       Where the CA stores signed certificates.

       o   Default: $cadir/signed

   splay
       Whether to sleep for a pseudo-random (but consistent) amount of time
       before a run.

       o   Default: false

   splaylimit
       The maximum time to delay before runs. Defaults to being the same as
       the run interval. This setting can be a time interval in seconds (30 or
       30s), minutes (30m), hours (6h), days (2d), or years (5y).

       o   Default: $runinterval

   srv_domain
       The domain which will be queried to find the SRV records of servers to
       use.

       o   Default: corp.puppetlabs.net

   ssl_client_ca_auth
       Certificate authorities who issue server certificates. SSL servers will
       not be considered authentic unless they possess a certificate issued by
       an authority listed in this file. If this setting has no value then the
       Puppet master's CA certificate (localcacert) will be used.

       Default:

   ssl_client_header
       The header containing an authenticated client's SSL DN. This header
       must be set by the proxy to the authenticated client's SSL DN (e.g.,
       /CN=puppet.puppetlabs.com). Puppet will parse out the Common Name (CN)
       from the Distinguished Name (DN) and use the value of the CN field for
       authorization.

       Note that the name of the HTTP header gets munged by the web server
       common gateway interface: an HTTP_ prefix is added, dashes are converted
       to underscores, and all letters are uppercased. Thus, to use the
       X-Client-DN header, this setting should be HTTP_X_CLIENT_DN.

       o   Default: HTTP_X_CLIENT_DN

   ssl_client_verify_header
       The header containing the status message of the client verification.
       This header must be set by the proxy to 'SUCCESS' if the client
       successfully authenticated, and anything else otherwise.

       Note that the name of the HTTP header gets munged by the web server
       common gateway interface: an HTTP_ prefix is added, dashes are converted
       to underscores, and all letters are uppercased. Thus, to use the
       X-Client-Verify header, this setting should be HTTP_X_CLIENT_VERIFY.

       o   Default: HTTP_X_CLIENT_VERIFY
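
       Added example (not Puppet's own code): a Ruby model of the header
       handling described for ssl_client_header and ssl_client_verify_header,
       covering both the proxy side and the master side. The function names,
       the tls hash and the "NONE" status value are assumptions made for
       illustration.

```ruby
# Added example; not Puppet's own implementation.
DN_KEY     = "HTTP_X_CLIENT_DN"      # default of ssl_client_header
VERIFY_KEY = "HTTP_X_CLIENT_VERIFY"  # default of ssl_client_verify_header

# CGI munging described above: HTTP_ prefix, dashes to underscores, uppercase.
def cgi_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# Proxy side (constructed model). `tls` is the proxy's own handshake result,
# e.g. { verified: true, subject_dn: "/CN=agent01.example.com" }.
def proxy_environment(request_headers, tls)
  env = {}
  request_headers.each do |name, value|
    key = cgi_env_key(name)
    # Compare on the munged key: "X-Client-DN" and "X_Client_DN" collapse to
    # the same name, so every spelling of an inbound copy is dropped and only
    # the values set below reach the master.
    next if key == DN_KEY || key == VERIFY_KEY
    env[key] = value
  end
  # 'SUCCESS' only after a verified handshake; any other value means failure.
  env[VERIFY_KEY] = tls[:verified] ? "SUCCESS" : "NONE"
  env[DN_KEY] = tls[:subject_dn] if tls[:subject_dn]
  env
end

# Pull the CN out of a DN in "/CN=host/O=org" or "CN=host,O=org" form.
# Assumption: no escaped separators inside attribute values.
def common_name(dn)
  return nil if dn.nil? || dn.empty?
  rdns = dn.start_with?("/") ? dn.split("/") : dn.split(",")
  rdns.each do |rdn|
    key, value = rdn.strip.split("=", 2)
    next unless key && value
    return value.strip if key.strip.casecmp("CN").zero? && !value.strip.empty?
  end
  nil
end

# Master side: the node name used for authorization, or nil when the proxy
# did not report a successful client verification.
def authenticated_node(env)
  return nil unless env[VERIFY_KEY] == "SUCCESS"
  common_name(env[DN_KEY])
end
```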

   ssl_server_ca_auth
       Certificate authorities who issue client certificates. SSL clients will
       not be considered authentic unless they possess a certificate issued by
       an authority listed in this file. If this setting has no value then the
       Puppet master's CA certificate (localcacert) will be used.

       Default:

   ssldir
       Where SSL certificates are kept.

       o   Default: $confdir/ssl

   statedir
       The directory where Puppet state is stored. Generally, this directory
       can be removed without causing harm (although it might result in
       spurious service restarts).

       o   Default: $vardir/state

   statefile
       Where puppet agent and puppet master store state associated with the
       running configuration. In the case of puppet master, this file reflects
       the state discovered through interacting with clients.

       o   Default: $statedir/state.yaml

   storeconfigs
       Whether to store each client's configuration, including catalogs,
       facts, and related data. This also enables the import and export of
       resources in the Puppet language - a mechanism for exchanging resources
       between nodes.

       By default this uses the 'puppetdb' backend.

       You can adjust the backend using the storeconfigs_backend setting.

       o   Default: false

   storeconfigs_backend
       Configure the backend terminus used for StoreConfigs. By default, this
       uses the PuppetDB store, which must be installed and configured before
       turning on StoreConfigs.

       o   Default: puppetdb

   strict_hostname_checking
       Whether to only search for the complete hostname as it is in the
       certificate when searching for node information in the catalogs.

       o   Default: false

   strict_variables
       Makes the parser raise errors when referencing unknown variables. (This
       does not affect referencing variables that are explicitly set to
       undef).

       o   Default: false

   summarize
       Whether to print a transaction summary.

       o   Default: false

   syslogfacility
       What syslog facility to use when logging to syslog. Syslog has a fixed
       list of valid facilities, and you must choose one of those; you cannot
       just make one up.

       o   Default: daemon

   tags
       Tags to use to find resources. If this is set, then only resources
       tagged with the specified tags will be applied. Values must be
       comma-separated.

   trace
       Whether to print stack traces on some errors

       o   Default: false

   trusted_oid_mapping_file
       File that provides mapping between custom SSL oids and user-friendly
       names

       o   Default: $confdir/custom_trusted_oid_mapping.yaml

   trusted_server_facts
       Stores a trusted set of server-side global variables in a hash called
       $server_facts, which cannot be overridden by client_facts or
       logic in manifests. Makes it illegal to assign to the variable
       $server_facts in any scope.

       o   Default: false

   use_cached_catalog
       Whether to only use the cached catalog rather than compiling a new
       catalog on every run. Puppet can be run with this enabled by default
       and then selectively disabled when a recompile is desired.

       o   Default: false

   use_srv_records
       Whether the server will search for SRV records in DNS for the current
       domain.

       o   Default: false

   usecacheonfailure
       Whether to use the cached configuration when the remote configuration
       will not compile. This option is useful for testing new configurations,
       where you want to fix the broken configuration rather than reverting to
       a known-good one.

       o   Default: true

   user
       The user puppet master should run as.

       o   Default: puppet

   vardir
       Where Puppet stores dynamic and growing data. The default for this
       setting is calculated specially, like confdir.

       o   Default: /opt/puppetlabs/puppet/cache

   waitforcert
       How frequently puppet agent should ask for a signed certificate.

       When starting for the first time, puppet agent will submit a
       certificate signing request (CSR) to the server named in the ca_server
       setting (usually the puppet master); this may be autosigned, or may
       need to be approved by a human, depending on the CA server's
       configuration.

       Puppet agent cannot apply configurations until its approved certificate
       is available. Since the certificate may or may not be available
       immediately, puppet agent will repeatedly try to fetch it at this
       interval. You can turn off waiting for certificates by specifying a
       time of 0, in which case puppet agent will exit if it cannot get a
       cert. This setting can be a time interval in seconds (30 or 30s),
       minutes (30m), hours (6h), days (2d), or years (5y).

       o   Default: 2m
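
       Added example (not Puppet's own settings code): a Ruby parser for the
       duration format used by runinterval, splaylimit and waitforcert,
       including the $runinterval default of splaylimit and the special
       meaning of 0. The function names and the returned hash are assumptions;
       negative values are rejected and interpolation is resolved one level
       deep only.

```ruby
# Added example; not Puppet's own settings code.
UNIT_SECONDS = { "s" => 1, "m" => 60, "h" => 3600, "d" => 86_400,
                 "y" => 365 * 86_400 }.freeze

# Defaults as listed on this page for the agent timing settings.
AGENT_DEFAULTS = {
  "runinterval" => "30m", "splay" => "false",
  "splaylimit" => "$runinterval", "waitforcert" => "2m"
}.freeze

# An integer immediately followed by at most one unit; seconds when omitted.
# Combined units such as "1h30m" are rejected.
def parse_duration(value)
  m = /\A(\d+)([smhdy])?\z/.match(value.to_s.strip)
  raise ArgumentError, "invalid duration: #{value.inspect}" unless m
  m[1].to_i * UNIT_SECONDS.fetch(m[2] || "s")
end

# Replace $name references with the value of that setting (one level deep).
def interpolate(value, settings)
  value.gsub(/\$(\w+)/) do
    name = Regexp.last_match(1)
    settings.fetch(name) { raise ArgumentError, "unknown setting: #{name}" }
  end
end

# Resolve the agent timing settings to seconds and spell out what 0 means.
def agent_timing(overrides = {})
  s = AGENT_DEFAULTS.merge(overrides)
  run  = parse_duration(interpolate(s["runinterval"], s))
  wait = parse_duration(interpolate(s["waitforcert"], s))
  splay_on = s["splay"] == "true"
  {
    runinterval: run,
    run_continuously: run.zero?,   # 0 means "run continuously", not "never"
    max_splay: splay_on ? parse_duration(interpolate(s["splaylimit"], s)) : 0,
    waitforcert: wait,
    exit_without_cert: wait.zero?  # 0 turns off waiting for the certificate
  }
end
```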

   yamldir
       The directory in which YAML data is stored, usually in a subdirectory.

       o   Default: $vardir/yaml

       This page autogenerated on 2015-05-18 10:15:47 -0700

Puppet Labs, LLC                   May 2015                      PUPPETCONF(5)
