System configuration

Before installing Puppet Enterprise at your site, make sure that your nodes and network are properly configured.

Timekeeping and name resolution

Before installing PE, there are some basic network requirements you need to consider and prepare for. The most important requirements include syncing time and creating a plan for name resolution.

Timekeeping

We recommend using NTP or an equivalent service to ensure that time is in sync between your Puppet master and any Puppet agent nodes. If time drifts out of sync in your PE infrastructure, you may encounter issues such as nodes disappearing from live management in the console. A service like NTP (available as a Puppet supported module) will ensure accurate timekeeping.

Name resolution

  • Decide on a preferred name or set of names agent nodes can use to contact the Puppet master server.
  • Ensure that the Puppet master server can be reached via domain name lookup by all of the future Puppet agent nodes at the site.

You can also simplify configuration of agent nodes by using a CNAME record to make the Puppet master reachable at the hostname puppet. (This is the default Puppet master hostname that is automatically suggested when installing an agent node.)

Firewall configuration

Puppet Enterprise requires access to certain ports for its network traffic. The following diagrams show port usages for standard PE installations.

A separate list provides additional port usage information.

For monolithic installs

Monolithic Port Diagram

Port Use
8140
  • The Puppet master uses this port to accept inbound traffic/requests from Puppet agents.
  • The PE console sends requests to the Puppet master on this port.
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • Classifier group: “PE Master”
443
  • This port provides host access to the PE console.
  • The PE Console accepts HTTPS traffic from end-users on this port.
  • Classifier group: “PE Console”
61613
  • MCollective uses this port to accept inbound traffic/requests from Puppet agents.
  • Any host used to invoke commands must be able to reach MCollective on this port.
  • Classifier group: “PE ActiveMQ Broker”
8142
  • Orchestration services and the Run Puppet button use this port to accept inbound traffic/responses from Puppet agents (via the PXP agent/PCP broker).
  • Classifier group: “PE Orchestrator”

For monolithic installs with compile masters

Monolithic with Compile Masters Port Diagram

Port Use
8140
  • The Puppet master uses this port to accept inbound traffic/requests from Puppet agents.
  • The Puppet master uses this port to send status checks to compile masters. (Not required to run PE.)
  • The PE console sends requests to the Puppet master on this port.
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • Classifier group: “PE Master”
443
  • This port provides host access to the PE console.
  • The PE Console accepts HTTPS traffic from end-users on this port.
  • Classifier group: “PE Console”
61613
  • MCollective uses this port to accept inbound traffic/requests from Puppet agents.
  • Any host used to invoke commands must be able to reach MCollective on this port.
  • Classifier group: “PE ActiveMQ Broker”
4433
  • This port is used as a Classifier / Console Services API endpoint.
  • The Puppet master needs to be able to talk to the PE console over this port.
  • Classifier group: “PE Console”
8081
  • PuppetDB accepts traffic/requests on this port.
  • The Puppet master and PE console send traffic to PuppetDB on this port.
  • PuppetDB status checks are sent over this port.
  • Classifier group: “PE PuppetDB”
8142
  • Orchestration services and the Run Puppet button use this port to accept inbound traffic/responses from Puppet agents (via the PXP agent/PCP broker).
  • Classifier group: “PE Orchestrator”

For split installs

Split Port Diagram

Port Use
8140
  • The Puppet master uses this port to accept inbound traffic/requests from Puppet agents.
  • The PE console sends requests to the Puppet master on this port.
  • In a large environment installation (LEI), the Puppet master uses this port to send status checks to compile masters. (Not required to run PE.)
  • Certificate requests are passed over this port unless ca_port is set differently.
  • Puppet Server status checks are sent over this port.
  • Classifier group: “PE Master”
443
  • This port provides host access to the PE console.
  • The PE Console accepts HTTPS traffic from end-users on this port.
  • Classifier group: “PE Console”
8081
  • PuppetDB accepts traffic/requests on this port.
  • The Puppet master and PE console send traffic to PuppetDB on this port.
  • PuppetDB status checks are sent over this port.
  • Classifier group: “PE PuppetDB”
61613
  • MCollective uses this port to accept inbound traffic/requests from Puppet agents.
  • Any host used to invoke commands must be able to reach MCollective on this port.
  • Classifier group: “PE ActiveMQ Broker”
5432
  • PostgreSQL runs on this port.
  • The PE console node will need to connect to the PuppetDB node hosting the PostgreSQL database on this port.
  • Classifier group: “PE PuppetDB”
4433
  • This port is used as a Classifier / Console Services API endpoint.
  • The Puppet master needs to be able to talk to the PE console over this port.
  • Classifier group: “PE Console”
61616
  • This port is used for ActiveMQ hub and spoke communication.
  • Classifier group: “PE ActiveMQ Broker”
8142
  • Orchestration services and the Run Puppet button use this port to accept inbound traffic/responses from Puppet agents (via the PXP agent/PCP broker).
  • Classifier group: “PE Orchestrator”
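
The split-install table above names who talks to each port, which is enough to write source-restricted firewall rules instead of opening the ports to every host. The following is an added example, not part of the original Puppet documentation; the addresses, the group keywords, and the assumption that port 61616 peers are other ActiveMQ brokers are illustrative.

```shell
#!/bin/sh
# Added example (not Puppet's code): least-privilege iptables INPUT rules for
# a split install, built from the port/source pairs in the table above.
# Every address is a constructed placeholder; substitute your own.
AGENTS="10.0.0.0/8"      # networks holding Puppet agent nodes
USERS="10.20.0.0/16"     # end-users who browse to the PE console
MASTER="192.0.2.10"      # Puppet master node
CONSOLE="192.0.2.11"     # PE console node
BROKERS="192.0.2.12"     # assumption: 61616 peers are other ActiveMQ brokers

# rules_for <group>: print "port source" pairs for one classifier group.
rules_for() {
  case "$1" in
    master)       printf '%s\n' "8140 $AGENTS" "8140 $CONSOLE" ;;
    console)      printf '%s\n' "443 $USERS" "4433 $MASTER" ;;
    puppetdb)     printf '%s\n' "8081 $MASTER" "8081 $CONSOLE" "5432 $CONSOLE" ;;
    # Also add any host used to invoke MCollective commands on 61613.
    activemq)     printf '%s\n' "61613 $AGENTS" "61616 $BROKERS" ;;
    orchestrator) printf '%s\n' "8142 $AGENTS" ;;
    *) echo "unknown group: $1" >&2; return 1 ;;
  esac
}

# emit_iptables <group>...: print ACCEPT rules for the groups a node hosts,
# then one DROP per port so every other source is refused.
emit_iptables() {
  all=""
  for group in "$@"; do
    pairs=$(rules_for "$group") || return 1
    all="$all$pairs
"
  done
  printf '%s' "$all" | while read -r port src; do
    echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
  done
  printf '%s' "$all" | awk '{print $1}' | sort -un | while read -r port; do
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
  done
}

# Example: rules for the node that hosts PuppetDB and PostgreSQL.
emit_iptables puppetdb
```

The script only prints rules; review them before applying. The ACCEPT lines must stay ahead of the DROP lines because iptables stops at the first matching rule.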

For large environment installations

See the split installation port/use table for explanations of the ports and their uses.

LEI Port Diagram

Additional port usage for all installation types

  • Port 3000: If you are installing PE using the web-based installer, ensure port 3000 is open. You can close this port when the installation is complete. If necessary, instructions for port forwarding to the web-based installer are available in the installation instructions. (This applies to both split and monolithic installs.)

  • Port 8143: The orchestrator client uses this port to communicate with the orchestration services running on the Puppet master. If you install the client on a workstation, this port must be available.

  • Ports 8150 and 8151: Razor uses port 8150 for HTTP and 8151 for HTTPS. Any node classified as a Razor server must be able to use these ports.

  • Port 4432: Local connections for node classifier, activity service, and RBAC status checks are sent over this port. Remote connections should use port 4433.

  • Port 8170: If you use Code Manager, it requires this port. Code Manager status checks are sent over this port.
