What gets installed and where?

Puppet Enterprise (PE) installs several software components, configuration files, databases, services and users, and log files. It’s useful to know the locations of these should you ever need to troubleshoot or manage your PE infrastructure.

Software components installed

PE installs several software components and dependencies.

The functional components of PE are separated between those packaged with the puppet-agent and those packaged on the server side (which also includes the puppet-agent).

PE 2017.2 includes the following major software components.

Agent components (on all nodes)

PE Version Puppet Agent Puppet Facter Hiera MCollective Ruby OpenSSL
2017.2.2 1.10.4 4.10.4 3.6.5 2.10.5 2.1.9 1.0.2k
2017.2.1 1.10.1 4.10.1 3.6.4 2.10.4 2.1.9 1.0.2k
2017.1.1 1.9.3
1.7.0
4.9.4
4.7.0
3.6.2
3.4.1

3.2.1
2.9.0
2.10.2
2.1.9 1.0.2j
1.0.2h
2017.1.0 1.9.3
1.7.0
4.9.4
4.7.0
3.6.2
3.4.1

3.2.1
2.9.0
2.10.2
2.1.9 1.0.2j
1.0.2h

Note: Beginning with the Puppet 4.9.0 release, Hiera is fully integrated into Puppet.

Server components

PE Version Puppet Server PuppetDB r10k Razor Server Razor Libs PostgreSQL Java ActiveMQ Nginx
2017.2.2 2.7.2 4.4.1 2.5.5 1.6.0 2017.1.3 2017.2.9 2017.2.1 2017.2.5 2017.2.1
2017.2.1 2.7.2 4.4.0 2.5.4 1.6.0 2017.1.3 2017.2.9 2017.2.1 2017.2.5 2017.2.1
2017.1.1 2.7.2 4.3.2 2.5.1 1.5.0 2017.1.3 2017.1.9 2017.1.1 2017.1.5 2017.1.1
2017.1.0 2.7.2 4.3.2 2.5.1 1.5.0 2017.1.3 2017.1.9 2017.1.1 2017.1.5 2017.1.1

Note: PE also installs other dependencies, as documented in the system requirements.

Binaries, modules, and plugins installed

PE installs several binaries, modules, and plugins for normal operations and for interacting with its tools and services.

PE installs executable binaries for interacting with tools and services.

On *nix nodes, all PE software is installed under /opt/puppetlabs.

On Windows nodes, all PE software is installed in the “Puppet Enterprise” subdirectory of the standard 32-bit applications directory

Executable binaries on *nix are in /opt/puppetlabs/bin and /opt/puppetlabs/sbin.

To make essential Puppet tools available to all users, the installer automatically creates symlinks in /usr/local/bin for the facter, puppet, pe-man, r10k, hiera, and mco binaries. Note that the symlinks will only be created if /usr/local/bin is writeable.

AIX and Solaris 10/11 users need to add /usr/local/bin to their default path.

If you’re running Mac OS X agents, note that symlinks are not created until the first successful Puppet run that applies the agents’ catalogs.

Binaries provided by other PE components, such as those for interacting with PE’s installed PostgreSQL server, PuppetDB, or Ruby packages do not have symlinks created.

For instructions on enabling binaries or disabling symlinks, refer to the following:

Modules and plugins

PE installs some modules and plugins for normal operations.

  • The Puppet modules included with PE are installed on the Puppet master server in /opt/puppetlabs/puppet/modules. Don’t modify anything in this directory or add modules of your own. Instead, install them in /etc/puppetlabs/code/environments/<environment>/modules.
  • MCollective plugins are installed in /opt/puppetlabs/mcollective/plugins/ on *nix and in <COMMON_APPDATA>\PuppetLabs\mcollective\etc\plugins\mcollective on Windows. If you are adding new plugins to your PE agent nodes, you should distribute them via Puppet as described in the “Adding actions” page of this manual.

Configuration files installed

PE installs configuration files, which, from time to time, you may need to interact with.

On *nix nodes, Puppet Enterprise’s configuration files all live under /etc/puppetlabs/puppet.

On Windows nodes, Puppet Enterprise’s configuration files all live under <COMMON_APPDATA>\PuppetLabs. The location of this folder varies by Windows version; in 2008 and 2012, its default location is C:\ProgramData\PuppetLabs\puppet\etc.

Puppet’s confdir is in the puppet subdirectory. This directory contains the puppet.conf file, auth.conf, and the SSL directory.

Tools installed

PE installs several suites of tools to help you work with the major components of the software.

These tools include:

  • Puppet tools — Tools that control basic functions of Puppet such as puppet master and puppet cert. See the Tools section of the Puppet Manual for more information.
  • PE client tools — The pe-client-tools package collects a set of CLI tools that extend the ability for you to access Puppet Enterprise services from the Puppet master or a workstation. This package includes:
    • Puppet orchestrator — The Puppet orchestrator is a set of interactive command line tools that provide the interface to the Puppet Application Orchestration service, and also provides you the ability to enforce change on the environment level. These tools include puppet job and puppet app. See the Puppet Orchestrator documentation for more information. See the Code Manager documentation for more information.
    • Puppet access — Puppet Enterprise users can generate tokens to authenticate their access to certain PE command line tools and API endpoints. See the token-based authentication documentation for more information.
    • Code Manager CLI — The puppet-code command allows you to trigger Code Manager from the command line to deploy your environments.
    • PuppetDB CLI — This a tool for working with PuppetDB, such as building queries and handling exports. See the PuppetDB CLI for more information.
  • MCollective tools — Tools used to invoke simultaneous actions across a number of nodes. These tools are built on the MCollective framework and are accessed via the mco command. See the PE MCollective documentation for more information.
  • Module tool — The Module tool is used to access and create Puppet modules, which are reusable chunks of Puppet code users have written to automate configuration and deployment tasks. For more information, and to access modules, visit the Puppet Forge.
  • Console — The console is Puppet Enterprise’s web UI. The console provides tools to view and edit resources on your nodes, view reports and activity graphs, etc. See the console section of the PE Manual for more information.

Databases installed

PE installs several default databases, all of which use PostgreSQL as a database backend.

The PE PostgreSQL database includes the following databases:

Database Description
pe-activity Activity data from the Classifier, including who, what and when
pe-classifier Classification data, all Node Group information
pe-puppetdb PuppetDB’s data, including exported resources, catalogs, facts, and reports
pe-rbac RBAC data, including users, permissions, and AD/LDAP info
pe-orchestrator orchestrator data, including details about job runs (users, nodes, and run results)

Use PostgreSQL’s native tools to perform database exports and imports. At a minimum, you should perform nightly backups to a remote system, or as dictated by your company policy.

Services, users, and group accounts installed

PE installs several services, users, and group accounts for interacting with the software it contains.

Services installed

PE installs several services you’ll use to interact with it in normal operations.

Service Definition
pe-activemq The ActiveMQ message server, which passes messages to the MCollective servers on agent nodes. Runs on servers with the Puppet master component.
pe-console-services Manages and serves the PE console.
pe-puppetserver The Puppet master server, which manages the Puppet master component.
pe-nginx Nginx, serves as a reverse-proxy to the PE console.
mcollective The MCollective daemon, which listens for messages and invokes actions. Runs on every agent node.
puppet (on EL and Debian-based platforms) --- The Puppet agent daemon. Runs on every agent node.
pe-puppetdb, pe-postgresql Daemons that manage and serve the database components. Note that pe-postgresql is only created if we install and manage PostgreSQL for you.
pxp-agent Runs the Puppet agent PXP process.
pe-orchestration-services Runs the Puppet orchestration process.

User accounts installed

PE creates several user accounts.

User Definition
peadmin An administrative account which can invoke MCollective-related actions. This is the only PE user account intended for use in a login shell. See <a href=https://docs.puppetlabs.com/pe/latest/orchestration_invoke_cli.html>Invoking Actions</a> for more about this user. This user exists on servers with the Puppet master component.
pe-puppet A system user that runs the Puppet master processes spawned by pe-puppetserver.
pe-webserver A system user that runs Nginx (pe-nginx).
pe-activemq A system user that runs the ActiveMQ message bus used by MCollective.
pe-puppetdb A system user with root access to the database.
pe-postgres A system user with access to the pe-postgreSQL instance. Note that this user is only created if we install and manage PostgreSQL for you.
pe-console-services A system user that runs the console process.
pe-orchestration-services A system user that runs the Puppet Orchestration process.

Group accounts installed

PE creates several group accounts.

Group Definition
peadmin An administrative group which can invoke MCollective-related actions.
pe-puppet A system group that runs the Puppet master processes spawned by pe-puppetserver.
pe-webserver A system group that runs Nginx (pe-nginx).
pe-activemq A system group that runs the ActiveMQ message bus used by MCollective.
pe-puppetdb A system group with root access to the database.
pe-postgres A system group with access to the pe-postgreSQL instance. Note that this group is only created if we install and manage PostgreSQL for you.
pe-console-services A system group that runs the console process.
pe-orchestration-services A system group that runs the Puppet Orchestration process.

Log files installed

The software distributed with Puppet Enterprise generates log files that you can collect for compliance or use for troubleshooting.

Puppet master logs

The Puppet master has the following logs.

  • /var/log/puppetlabs/puppetserver/puppetserver.log: the Puppet master application logs its activity here; this is where things like compilation errors and deprecation warnings can be found.
  • /var/log/puppetlabs/puppetserver/puppetserver-daemon.log: this is where fatal errors or crash reports can be found.
  • /var/log/puppetlabs/puppetserver/pcp-broker.log: the log file for PCP brokers on compile masters.
  • /var/log/puppetlabs/puppetserver/code-manager-access.log
  • /var/log/puppetlabs/puppetserver/file-sync-access.log
  • /var/log/puppetlabs/puppetserver/masterhttp.log
  • /var/log/puppetlabs/puppetserver/puppetserver-access.log
  • /var/log/puppetlabs/puppetserver/puppetserver.log
  • /var/log/puppetlabs/puppetserver/puppetserver-status.log

Puppet agent logs

The locations of Puppet agent logs depend on your agent’s operating system.

On *nix nodes, the Puppet agent service logs its activity to the syslog service. Your syslog configuration dictates where these messages will be saved, but the default location is /var/log/messages on Linux, /var/log/system.log on Mac OS X, and /var/adm/messages on Solaris.

On Windows nodes, the Puppet agent service logs its activity to the Windows Event Log. You can view its logs by browsing the Event Viewer. (Control Panel > System and Security > Administrative Tools > Event Viewer)

ActiveMQ logs

ActiveMQ has the following logs.

  • /var/log/puppetlabs/activemq/wrapper.log
  • /var/log/puppetlabs/activemq/activemq.log
  • /var/log/puppetlabs/activemq/data/audit.log

MCollective logs

MCollective has the following logs.

  • /var/log/puppetlabs/mcollective.log: maintained by the MCollective service, which is installed on all nodes.
  • /var/log/puppetlabs/mcollective-audit.log: exists on all nodes that have MCollective installed; logs any MCollective actions run on the node, including information about the client that called the node

Console and pe-console-services logs

The console and pe-console-services has the following logs.

  • /var/log/puppetlabs/nginx/error.log: contains errors related to nginx. Console errors that don’t get logged anywhere else can be found in this log. If you have problems with the console or Puppet, this log may be useful.
  • /var/log/puppetlabs/nginx/access.log
  • /var/log/puppetlabs/console-services.log
  • /var/log/puppetlabs/console-services-access.log
  • /var/log/puppetlabs/console-services/console-services-api-access.log
  • /var/log/puppetlabs/console-services-daemon.log: this is where fatal errors or crash reports can be found.

Installer logs

The PE installer has the following logs.

  • /var/log/puppetlabs/installer/http.log: contains the web requests sent to the installer; present only on the machine from which the web-based install was performed
  • /var/log/puppetlabs/installer/installer-<timestamp>.log: contains the operations performed and any errors that occurred during installation
  • /var/log/puppetlabs/installer/install_log.lastrun.<hostname>.log: contains the contents of the last installer run

PE Database logs

PE has the following logs for its databases.

  • /var/log/puppetlabs/puppetdb/puppetdb-access.log
  • /var/log/puppetlabs/puppetdb/puppetdb-status.log
  • /var/log/puppetlabs/puppetdb/puppetdb.log
  • /var/log/puppetlabs/postgresql/pgstartup.log
  • /var/log/puppetlabs/postgresql/postgresql-Fri.log
  • /var/log/puppetlabs/postgresql/postgresql-Mon.log
  • /var/log/puppetlabs/postgresql/postgresql-Sat.log
  • /var/log/puppetlabs/postgresql/postgresql-Sun.log
  • /var/log/puppetlabs/postgresql/postgresql-Thu.log
  • /var/log/puppetlabs/postgresql/postgresql-Tue.log
  • /var/log/puppetlabs/postgresql/postgresql-Wed.log

pe-orchestration-services logs

PE has the following logs for pe-orchestration-services and related components.

  • /var/log/puppetlabs/orchestration-services.log
  • /var/log/puppetlabs/orchestration-services-access.log
  • /var/log/puppetlabs/orchestration-services-status.log
  • /var/log/puppetlabs/orchestration-services-daemon.log: this is where fatal errors or crash reports can be found.
  • /var/log/puppetlabs/orchestration-services/pcp-broker.log: the log file for PCP brokers on the master of masters (MoM).
  • /var/log/puppetlabs/orchestration-services/pcp-broker-access.log
  • /var/log/puppetlabs/pxp-agent/pxp-agent.log (on *nix) or C:/ProgramData/PuppetLabs/pxp-agent/var/log/pxp-agent.log (on Windows): contains the PXP agent log file

Certificates installed

During installation, PE generates and installs a number of SSL certificates so agents and services can authenticate themselves.

These certs can be found at /etc/puppetlabs/puppet/ssl/certs.

Cert Definition
<PUPPET MASTER CERTNAME> Generated during install. In a monolithic install, this cert is used by PuppetDB and the PE console. This is the same value for the agent's certname that runs on the Puppet master. In monolithic install, the agent on the PE console and PuppetDB share this certname. In a default monolithic or split install, this is also the Puppet CA cert.
<PE CONSOLE CERTNAME> The certificate for the PE console, which is only generated if you have a split install. This is the same value for the agent's certname that runs on the PE console.
<PUPPETDB CERTNAME> The certificate for PuppetDB, which is only generated if you have a split install. This is the same value for the agent's certname that runs on PuppetDB.
pe-internal-mcollective-servers A certificate generated on the Puppet master and shared to all agent nodes.
pe-internal-peadmin-mcollective-client The certificate for the peadmin account on the Puppet master.
pe-internal-puppet-console-mcollective-client The MCollective certificate for the PE console.

Services that run on the Puppet master or console (for example, pe-orchestration-services and pe-console-services, use the Puppet agent certificate to authenticate.


Related links

↑ Back to top