Configure PuppetDB

If needed, you can configure PuppetDB settings to optimize your Puppet Enterprise (PE) installation.

We've described some commonly-configured parameters here. For additional settings and information, refer to Configuring PuppetDB in the Puppet documentation, as well as the other PE documentation listed under Related information.

Disable agent run reports

By default, every time Puppet runs, your Puppet Enterprise (PE) primary server generates agent run reports and submits them to PuppetDB. You can disable agent run reports.

  1. In the PE console, navigate to Node groups > PE Infrastructure > PE Master.
  2. On the Classes tab, add the puppet_enterprise::profile::master::puppetdb class.
  3. Add the report_processor_ensure parameter, and set the value to either:
    • "present": Enable agent run reports
    • "absent": Disable agent run reports
  4. Click Add parameter and commit changes.
  5. On the nodes hosting your primary server and PE console, run Puppet.
    Tip: There are several ways to Run Puppet on demand.

Set the deactivated node retention time

Use the node-purge-ttl parameter to set the length of time before PE automatically removes deactivated or expired nodes. Once the time limit passes, the nodes and their relevant facts, catalogs, and reports are removed from PuppetDB only. Agent certificates on the Certificate Authority (CA) server are untouched.

  1. In the PE console, navigate to Node groups > PE Infrastructure > PE PuppetDB.
  2. On the Classes tab, find the puppet_enterprise::profile::puppetdb class.
  3. Add the node_purge_ttl parameter, and set the value to a string representing the desired retention time. Specify a number along with one of the following suffixes:
    • Days: d
    • Hours: h
    • Minutes: m
    • Seconds: s
    • Milliseconds: ms
    For example, to set the purge time to 14 days, set the value to 14d:
    puppet_enterprise::profile::puppetdb::node_purge_ttl: '14d'
  4. Click Add parameter and commit changes.
  5. On the nodes hosting your primary server and PE console, run Puppet.
    Tip: There are several ways to Run Puppet on demand.

Change the PuppetDB user password

The Puppet Enterprise (PE) console uses a database user account to access its PostgreSQL database. Change this database user's password if it is compromised or to comply with your organization's security guidelines.

  1. Stop the pe-puppetdb service by running:
    puppet resource service pe-puppetdb ensure=stopped
  2. On the database server (which, depending on your deployment's architecture, might or might not be the same as the PuppetDB server), use your preferred PostgreSQL administration tool to change the user's password.
    With the standard PostgreSQL client, you can do this by running:
    ALTER USER console PASSWORD '<new password>';
  3. On the PuppetDB server, open the database.ini file located at /etc/puppetlabs/puppetdb/conf.d/database.ini, and change the password line to reflect the new password.
    The password line is under either common or production, depending on your configuration.
  4. Save the file and restart the pe-puppetdb service on the console server by running:
    puppet resource service pe-puppetdb ensure=running
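
Step 3 can be scripted so that the new password is never typed on a command line. The following is an added example, not code from Puppet or from the original page. The function name set_ini_password is hypothetical, and the script assumes that database.ini contains exactly one line of the form "password = <value>"; if it finds none or several, it leaves the file unchanged so that you can edit it by hand.

```shell
#!/bin/sh
# Added example, not Puppet's code. Assumption: database.ini holds exactly one
# line of the form "password = <value>".

# set_ini_password FILE  (hypothetical helper)
# Reads the new password from stdin, so it never appears in the process list
# or in shell history, and rewrites the password line of FILE in place.
set_ini_password() {
    ini=$1
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    # read -r keeps backslashes; "|| :" tolerates input with no trailing newline
    IFS= read -r newpass || :
    [ -n "$newpass" ] || { echo "empty password" >&2; return 1; }
    # mktemp creates the scratch copy with mode 0600, next to the original
    tmp=$(mktemp "$ini.XXXXXX") || return 1
    # Pass the value through the environment: awk -v would expand escapes
    if NEWPASS=$newpass awk '
        /^[ \t]*password[ \t]*=/ { print "password = " ENVIRON["NEWPASS"]; n++; next }
        { print }
        END { if (n != 1) exit 2 }' "$ini" > "$tmp"
    then
        # Writing into the original keeps its owner and permission bits
        cat "$tmp" > "$ini"; rc=0
    else
        echo "expected exactly one password line in $ini; file left unchanged" >&2
        rc=1
    fi
    rm -f "$tmp"
    unset newpass
    return "$rc"
}

# Demo on a constructed file (sample content, not a real PE configuration)
demo=$(mktemp -d)
printf 'username = console\npassword = old-secret\n' > "$demo/database.ini"
printf '%s\n' 'constructed-New\pass&1' | set_ini_password "$demo/database.ini"
cat "$demo/database.ini"
rm -rf "$demo"
```

Run it between the stop and start commands shown in steps 1 and 4, pointing it at /etc/puppetlabs/puppetdb/conf.d/database.ini and supplying the password on standard input.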

Exclude facts

Use the facts_blocklist parameter to exclude facts from being stored in the PuppetDB database.

For more information, you can read about facts-blocklist in the Puppet documentation.

You can use Hiera to exclude facts:

  1. Open your default Hiera .yaml file in a text editor.
    Tip: For information about Hiera data files, including file paths, refer to Configure settings with Hiera.
  2. Add the facts_blocklist parameter and a list of names of facts that you want to exclude.
    For example, this declaration excludes the system_uptime_example and mountpoints_example facts:
    puppet_enterprise::puppetdb::database_ini::facts_blocklist:
    - 'system_uptime_example'
    - 'mountpoints_example'
  3. Save the file and run puppet agent -t to compile the changes.