Configuring Puppet orchestrator

Once you've installed PE or the client tools package, there are a few tasks you need to do to prepare your PE infrastructure for orchestration services.

  • Set PE RBAC permissions and token authentication for Puppet orchestrator
  • Enable cached catalogs for use with the orchestrator (optional)
  • Review the orchestrator configuration files and adjust them as needed

All of these instructions assume that PE client tools are installed.

Orchestration services settings

Global logging and SSL settings

/etc/puppetlabs/orchestration-services/conf.d/global.conf contains settings shared across the Puppet Enterprise (PE) orchestration services.

The file global.certs typically requires no changes and contains the following settings:
Setting Definition Default
ssl-cert Certificate file path for the orchestrator host. /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.cert.pem
ssl-key Private key path for the orchestrator host. /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.private_key.pem
ssl-ca-cert CA file path /etc/puppetlabs/puppet/ssl/certs/ca.pem
The file global.logging-config is a path to logback.xml file that configures logging for most of the orchestration services. See http://logback.qos.ch/manual/configuration.html for documentation on the structure of the logback.xml file. It configures the log location, rotation, and formatting for the following:
  • orchestration-services (appender section F1)
  • orchestration-services status (STATUS)
  • pcp-broker (PCP)
  • pcp-broker access (PCP_ACCESS)
  • aggregate-node-count (AGG_NODE_COUNT)

Allow list of trapperkeeper services to start

/etc/puppetlabs/orchestration-services/bootstrap.cfg is the list of trapperkeeper services from the orchestrator and pcp-broker projects that are loaded when the pe-orchestration-services system service starts.
  • To disable a service in this list, remove it or comment it with a # character and restart pe-orchestration-services
  • To enable an NREPL service for debugging, add puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service to this list and restart pe-orchestration-services.

The pcp-broker and orchestrator HTTP services

/etc/puppetlabs/orchestration-services/conf.d/webserver.conf describes how and where to the run pcp-broker and orchestrator web services, which accept HTTP API requests from the rest of the PE installation and from external nodes and users.

The file webserver.orchestrator configures the orchestrator web service. Defaults are as follows:

Setting Definition Default
access-log-config A logback XML file configuring logging for orchestrator access messages. /etc/puppetlabs/orchestration-services/request-logging.xml
client-auth Determines the mode that the server uses to validate the client's certificate for incoming SSL connections. want or need
default-server Allows multi-server configurations to run operations without specifying a server-id. Without a server-id, operations will run on the selected default. Optional. true
ssl-ca-cert Sets the path to the CA certificate PEM file used for client authentication. /etc/puppetlabs/puppet/ssl/certs/ca.pem
ssl-cert Sets the path to the server certificate PEM file used by the web service for HTTPS. /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.cert.pem
ssl-crl-path Describes a path to a Certificate Revocation List file. Optional. /etc/puppetlabs/puppet/ssl/crl.pem
ssl-host Sets the host name to listen on for encrypted HTTPS traffic. 0.0.0.0.
ssl-key Sets the path to the private key PEM file that corresponds with the ssl-cert /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.private_key.pem
ssl-port Sets the port to use for encrypted HTTPS traffic. 8143

The file webserver.pcp-broker configures the pcp-broker web service. Defaults are as follows:

Setting Definition Default
client-auth Determines the mode that the server uses to validate the client's certificate for incoming SSL connections. want or need
ssl-ca-cert Sets the path to the CA certificate PEM file used for client authentication. /etc/puppetlabs/puppet/ssl/certs/ca.pem
ssl-cert Sets the path to the server certificate PEM file used by the web service for HTTPS. /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.cert.pem
ssl-crl-path Describes a path to a Certificate Revocation List file. Optional. /etc/puppetlabs/puppet/ssl/crl.pem
ssl-host Sets the host name to listen on for encrypted HTTPS traffic. 0.0.0.0.
ssl-key Sets the path to the private key PEM file that corresponds with the ssl-cert. /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.private_key.pem
ssl-port Sets the port to use for encrypted HTTPS traffic. 8142

/etc/puppetlabs/orchestration-services/conf.d/web-routes.conf describes how to route HTTP requests made to the API web servers, designating routes for interactions with other services. These should not be modified. See the configuration options at the trapperkeeper-webserver-jetty project's docs

Analytics trapperkeeper service configuration

/etc/puppetlabs/orchestration-services/conf.d/analytics.conf contains the internal setting for the analytics trapperkeeper service.
Setting Definition Default
analytics.url Specifies the API root. <puppetserver-host-url>:8140/analytics/v1

Authorization trapperkeeper service configuration

/etc/puppetlabs/orchestration-services/conf.d/auth.conf contains internal settings for the authorization trapperkeeper service. See configuration options in the trapperkeeper-authorization project's docs.

JMX metrics trapperkeeper service configuration

/etc/puppetlabs/orchestration-services/conf.d/metrics.conf contains internal settings for the JMX metrics service built into orchestration-services. See the service configuration options in the trapperkeeper-metrics project's docs.

Orchestrator trapperkeeper service configuration

/etc/puppetlabs/orchestration-services/conf.d/orchestrator.conf contains internal settings for the orchestrator project's trapperkeeper service.

PCP broker trapperkeeper service configuration

/etc/puppetlabs/orchestration-services/conf.d/pcp-broker.conf contains internal settings for the pcp-broker project's trapperkeeper service. See the service configuration options in the pcp-broker project's docs.

Orchestrator configuration files

The configuration file for the orchestrator allows you to run commands from the CLI without having to pass additional flags. Whether you are running the orchestrator from the primary server or from a separate work station, there are two types of configuration files: a global configuration file and a user-specified configuration file.

Orchestrator global configuration file

If you're running the orchestrator from a PE-managed machine, on either the primary server or an agent node, PE manages the global configuration file.

This file is installed on both managed and non-managed workstations at:

  • *nix systems --- /etc/puppetlabs/client-tools/orchestrator.conf
  • Windows --- C:/ProgramData/PuppetLabs/client-tools/orchestrator.conf

The class that manages the global configuration file is puppet_enterprise::profile::controller. The following parameters and values are available for this class:

Parameter Value
manage_orchestrator true or false (default is true)
orchestrator_url url and port (default is primary server url and port 8143)

The only value PE sets in the global configuration file is the orchestrator_url (which sets the orchestrator's service-url in /etc/puppetlabs/client-tools/orchestrator.conf).

Important: If you're using a managed workstation, do not edit or change the global configuration file. If you're using an unmanaged workstation, you can edit this file as needed.

Orchestrator user-specified configuration file

You can manually create a user-specified configuration file and populate it with orchestrator configuration file settings. PE does not manage this file.

This file needs to be located at ~/.puppetlabs/client-tools/orchestrator.conf for both *nix and Windows.

If present, the user specified configuration always takes precedence over the global configuration file. For example, if both files have contradictory settings for the environment, the user specified settings prevail.

Orchestrator configuration file settings

The orchestrator configuration file is formatted in JSON. For example:

{
  "options" : {
    "service-url": "https://<PRIMARY SERVER HOSTNAME>:8143",
    "cacert": "/etc/puppetlabs/puppet/ssl/certs/ca.pem",
    "token-file": "~/.puppetlabs/token",
    "color": true
  }
}

The orchestrator configuration files (the user-specified or global files) can take the following settings:

Setting Definition
service-url The URL that points to the primary server and the port used to communicate with the orchestration service. (You can set this with the orchestrator_url parameter in the puppet_enterprise::profile::controller class.) Default value: https://<PRIMARY SERVER HOSTNAME>:8143
environment The environment used when you issue commands with Puppet orchestrator.
cacert The path for the Puppet Enterprise CA cert.
  • *nix: /etc/puppetlabs/puppet/ssl/certs/ca.pem

  • Windows: C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs\ca.pem

token-file The location for the authentication token. Default value: ~/.puppetlabs/token
color Determines whether the orchestrator output uses color. Set to true or false.
noop Determines whether the orchestrator runs the Puppet agent in no-op mode. Set to true or false.

Setting PE RBAC permissions and token authentication for orchestrator

Before you run any orchestrator jobs, you need to set the appropriate permissions in PE role-based access control (RBAC) and establish token-based authentication.

Most orchestrator users require the following permissions to run orchestrator jobs or tasks:

Type Permission Definition
Puppet agent Run Puppet on agent nodes. The ability to run Puppet on nodes using the console or orchestrator. Instance must always be "*".
Job orchestrator Start, stop and view jobs The ability to start and stop jobs and tasks, view jobs and job progress, and view an inventory of nodes that are connected to the PCP broker.
Tasks Run tasks The ability to run specific tasks on all nodes, a selected node group, or nodes that match a PQL query.
Nodes View node data from PuppetDB. The ability to view node data imported from PuppetDB. Object must always be "*".
Note: If you don't have permission to view a node group, or the node group doesn't have any matching nodes, that node group isn't listed as an option. In addition, node groups don't appear if they have no rules specified.

Assign task permissions to a user role

  1. In the console, on the Access control page, click the User roles tab.

  2. From the list of user roles, click the one you want to have task permissions.

  3. On the Permissions tab, in the Type box, select Tasks.

  4. For Permission, select Run tasks, and then select a task from the Object list. For example, facter_task.

  5. Click Add permission, and then commit the change.

Using token authentication

Before running an orchestrator job, you must generate an RBAC access token to authenticate to the orchestration service. If you attempt to run a job without a token, PE prompts you to supply credentials.

For information about generating a token with the CLI, see the documentation on token-based authentication.

PE Bolt server configuration

The PE Bolt server provides an API for running tasks over SSH and WinRM using Bolt, which is the technology underlying PE tasks. You do not need to have Bolt installed to configure the Bolt server or run tasks in PE. The API server for tasks is available as pe-bolt-server.

Bolt vs ACE: Orchestrator uses both ACE and Bolt to run tasks and plans. While both can act on agentless targets, the primary difference is that Bolt server works with agentless nodes over WinRM or SSH, whereas ACE works with agentless devices, like network switches and firewalls, over other transports.

The PE Bolt server is a Puma application that runs as a standalone service.

The server is configured in /etc/puppetlabs/bolt-server/conf.d/bolt-server.conf, managed by the puppet_enterprise::profile::bolt_server class, which includes the parameters described in the following table:
Setting Type Description Default
bolt_server_loglevel String Bolt log level. Acceptable values are debug, info, notice, warn, or error. notice
concurrency Integer Maximum number of server threads. 100
master_host String URI of the primary server where Bolt can download tasks. $puppet_enterprise::puppet_master_host
master_port Integer Port the Bolt server can access the primary server on. $puppet_enterprise::puppet_master_port
ssl_cipher_suites Array of strings TLS cipher suites in order of preference. $puppet_enterprise::params::secure_ciphers
ssl_listen_port Integer Port the Bolt server runs on. 62658

($puppet_enterprise::bolt_server_port)

allowlist Array of strings List of hosts that can connect to pe-bolt-server. [$certname]

PE ACE server configuration

The PE ACE server is a service that allows for tasks and catalogs to run against remote targets that can't run a Puppet agent, such as network switches and firewalls.

Bolt vs ACE: Orchestrator uses both ACE and Bolt to run tasks and plans. While both can act on agentless targets, the primary difference is that Bolt server works with agentless nodes over WinRM or SSH, whereas ACE works with agentless devices, like network switches and firewalls, over other transports.

The ACE server is a Puma application that runs as a standalone service.

The server is configured in /etc/puppetlabs/ace-server/conf.d/ace-server.conf and managed in the puppet_enterprise::profile::ace_server class, which includes the parameters described in the following table:
Setting Type Description Default
service_loglevel String Bolt log level. Acceptable values are debug, info, notice, warn, or error. notice
concurrency Integer Maximum number of server threads. $puppet_enterprise::ace_server_concurrency
master_host String URI that ACE can access the primary server on.

pe_repo::compile_master_pool_address

Default: $puppet_enterprise::puppet_master_host

master_port Integer Port that ACE can access the primary server on. $puppet_enterprise::puppet_master_port
hostcrl String The host CRL path $puppet_enterprise::params::hostcrl
ssl_cipher_suites Array of strings TLS cipher suites in order of preference. $puppet_enterprise::params::secure_ciphers
ssl_listen_port Integer Port that ACE runs on.

44633

($puppet_enterprise::ace_server_port))

allowlist Array of strings List of hosts that can connect to pe-ace-server. [$certname]