1 <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
5 The contents of this file are subject to the terms of the
6 Common Development and Distribution License (the "License").
7 You may not use this file except in compliance with the License.
9 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 or http://www.opensolaris.org/os/licensing.
11 See the License for the specific language governing permissions
12 and limitations under the License.
14 When distributing Covered Code, include this CDDL HEADER in each
15 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 If applicable, add the following below this CDDL HEADER, with the
17 fields enclosed by brackets "[]" replaced with your own identifying
18 information: Portions Copyright [yyyy] [name of copyright owner]
22 Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
24 NOTE: This service manifest is not editable; its contents will
25 be overwritten by package or patch operations, including
26 operating system upgrade. Make customizations in a different
29 <service_bundle type="manifest" name="puppet">
30 <service name="application/puppet" type="service" version="1">
31 <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
32 <service_fmri value="svc:/system/filesystem/minimal"/>
34 <dependency name="network" grouping="require_all" restart_on="error" type="service">
35 <service_fmri value="svc:/milestone/network"/>
37 <dependency name="identity" grouping="require_all" restart_on="error" type="service">
38 <service_fmri value="svc:/system/identity:node"/>
40 <exec_method type="method" name="start" exec=":true" timeout_seconds="60"/>
41 <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/>
42 <property_group name="general" type="framework">
43 <!-- authorization required to start or stop puppet -->
44 <propval name="action_authorization" type="astring" value="solaris.smf.manage.puppet"/>
45 <!-- authorization required to change puppet property values -->
46 <propval name="value_authorization" type="astring" value="solaris.smf.value.puppet"/>
48 <property_group name="puppet_stencil" type="configfile">
49 <propval name="path" type="astring" value="/etc/puppet/puppet.conf"/>
50 <propval name="stencil" type="astring" value="puppet.stencil"/>
51 <propval name="mode" type="astring" value="0444"/>
53 <instance name="master" enabled="false">
54 <exec_method type="method" name="start" exec="/usr/sbin/puppet master --logdest %{config/logdest}" timeout_seconds="600"/>
55 <property_group name="config" type="application">
56 <propval name="logdest" type="astring" value="/var/log/puppet/puppet-master.log"/>
59 <instance name="agent" enabled="false">
60 <exec_method type="method" name="start" exec="/usr/sbin/puppet agent --logdest %{config/logdest}" timeout_seconds="600"/>
61 <property_group name="config" type="application">
62 <propval name="logdest" type="astring" value="/var/log/puppet/puppet-agent.log"/>
65 <stability value="Unstable"/>
68 <loctext xml:lang="C">Puppet version 3.8.6</loctext>
71 <manpage title="puppet-master" section="8" manpath="/usr/share/man"/>
73 <pg_pattern name="config" required="false" type="application">
74 <prop_pattern name="agent_catalog_run_lockfile" required="false" type="astring">
76 <loctext xml:lang="C">
77 A lock file to indicate that a puppet agent catalog run is currently in progress.
78 The file contains the pid of the process that holds the lock on the catalog run.
82 <prop_pattern name="agent_disabled_lockfile" required="false" type="astring">
84 <loctext xml:lang="C">
85 A lock file to indicate that puppet agent runs have been administratively
86 disabled. File contains a JSON object with state information.
90 <prop_pattern name="allow_duplicate_certs" required="false" type="boolean">
92 <loctext xml:lang="C">
93 Whether to allow a new certificate
94 request to overwrite an existing certificate.
98 <prop_pattern name="allow_variables_with_dashes" required="false" type="boolean">
100 <loctext xml:lang="C">
101 Permit hyphens (`-`) in variable names and issue deprecation warnings about
102 them. This setting **should always be `false`;** setting it to `true`
103 will cause subtle and wide-ranging bugs. It will be removed in a future version.
105 Hyphenated variables caused major problems in the language, but were allowed
106 between Puppet 2.7.3 and 2.7.14. If you used them during this window, we
107 apologize for the inconvenience --- you can temporarily set this to `true`
108 in order to upgrade, and can rename your variables at your leisure. Please
109 revert it to `false` after you have renamed all affected variables.
113 <prop_pattern name="always_cache_features" required="false" type="boolean">
115 <loctext xml:lang="C">
116 Affects how we cache attempts to load Puppet 'features'. If false, then
117 calls to `Puppet.features.<feature>?` will always attempt to load the
118 feature (which can be an expensive operation) unless it has already been
119 loaded successfully. This makes it possible for a single agent run to,
120 e.g., install a package that provides the underlying capabilities for
121 a feature, and then later load that feature during the same run (even if
122 the feature had been tested earlier and had not been available).
124 If this setting is set to true, then features will only be checked once,
125 and if they are not available, the negative result is cached and returned
126 for all subsequent attempts to load the feature. This behavior is almost
127 always appropriate for the server, and can result in a significant performance
128 improvement for features that are checked frequently.
132 <prop_pattern name="archive_file_server" required="false" type="host">
134 <loctext xml:lang="C">
135 During an inspect run, the file bucket server to archive files to if archive_files is set.
139 <prop_pattern name="archive_files" required="false" type="boolean">
141 <loctext xml:lang="C">
142 During an inspect run, whether to archive files whose contents are audited to a file bucket.
146 <prop_pattern name="async_storeconfigs" required="false" type="boolean">
148 <loctext xml:lang="C">
149 Whether to use a queueing system to provide asynchronous database integration.
150 Requires that `puppet queue` be running.
154 <prop_pattern name="autoflush" required="false" type="boolean">
156 <loctext xml:lang="C">
157 Whether log files should always flush to disk.
161 <prop_pattern name="autosign" required="false" type="astring">
163 <loctext xml:lang="C">
164 Whether (and how) to autosign certificate requests. This setting
165 is only relevant on a puppet master acting as a certificate authority (CA).
167 Valid values are true (autosigns all certificate requests; not recommended),
168 false (disables autosigning certificates), or the absolute path to a file.
170 The file specified in this setting may be either a **configuration file**
171 or a **custom policy executable.** Puppet will automatically determine
172 what it is: If the Puppet user (see the `user` setting) can execute the
173 file, it will be treated as a policy executable; otherwise, it will be
174 treated as a config file.
176 If a custom policy executable is configured, the CA puppet master will run it
177 every time it receives a CSR. The executable will be passed the subject CN of the
178 request _as a command line argument,_ and the contents of the CSR in PEM format
179 _on stdin._ It should exit with a status of 0 if the cert should be autosigned
180 and non-zero if the cert should not be autosigned.
182 If a certificate request is not autosigned, it will persist for review. An admin
183 user can use the `puppet cert sign` command to manually sign it, or can delete
186 For info on autosign configuration files, see
187 [the guide to Puppet's config files](http://docs.puppetlabs.com/guides/configuring.html).
191 <prop_pattern name="basemodulepath" required="false" type="astring">
193 <loctext xml:lang="C">
194 The search path for **global** modules. Should be specified as a
195 list of directories separated by the system path separator character. (The
196 POSIX path separator is ':', and the Windows path separator is ';'.)
198 If you are using directory environments, these are the modules that will
199 be used by _all_ environments. Note that the `modules` directory of the active
200 environment will have priority over any global directories. For more info, see
201 http://docs.puppetlabs.com/puppet/latest/reference/environments.html
203 This setting also provides the default value for the deprecated `modulepath`
204 setting, which is used when directory environments are disabled.
208 <prop_pattern name="bindaddress" required="false" type="net_address">
210 <loctext xml:lang="C">
211 The address a listening server should bind to.
215 <prop_pattern name="binder" required="false" type="boolean">
217 <loctext xml:lang="C">
218 Turns the binding system on or off. This includes bindings in modules.
219 The binding system aggregates data from modules and other locations and makes them available for lookup.
220 The binding system is experimental and any or all of it may change.
224 <prop_pattern name="binder_config" required="false" type="astring">
226 <loctext xml:lang="C">
227 The binder configuration file. Puppet reads this file on each request to configure the bindings system.
228 If set to nil (the default), a $confdir/binder_config.yaml is optionally loaded. If it does not exist, a default configuration
229 is used. If the setting :binding_config is specified, it must reference a valid and existing yaml file.
233 <prop_pattern name="bucketdir" required="false" type="astring">
235 <loctext xml:lang="C">
236 Where FileBucket files are stored.
240 <prop_pattern name="ca" required="false" type="boolean">
242 <loctext xml:lang="C">
243 Whether the master should function as a certificate authority.
247 <prop_pattern name="ca_name" required="false" type="astring">
249 <loctext xml:lang="C">
250 The name to use for the Certificate Authority certificate.
254 <prop_pattern name="ca_port" required="false" type="integer">
256 <loctext xml:lang="C">
257 The port to use for the certificate authority.
261 <prop_pattern name="ca_server" required="false" type="host">
263 <loctext xml:lang="C">
264 The server to use for certificate
265 authority requests. It's a separate server because it cannot
266 and does not need to horizontally scale.
270 <prop_pattern name="ca_ttl" required="false" type="integer">
272 <loctext xml:lang="C">
273 The default TTL for new certificates.
274 This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
278 <prop_pattern name="cacert" required="false" type="astring">
280 <loctext xml:lang="C">
285 <prop_pattern name="cacrl" required="false" type="astring">
287 <loctext xml:lang="C">
288 The certificate revocation list (CRL) for the CA. Will be used if present but otherwise ignored.
292 <prop_pattern name="cadir" required="false" type="astring">
294 <loctext xml:lang="C">
295 The root directory for the certificate authority.
299 <prop_pattern name="cakey" required="false" type="astring">
301 <loctext xml:lang="C">
306 <prop_pattern name="capass" required="false" type="astring">
308 <loctext xml:lang="C">
309 Where the CA stores the password for the private key.
313 <prop_pattern name="caprivatedir" required="false" type="astring">
315 <loctext xml:lang="C">
316 Where the CA stores private certificate information.
320 <prop_pattern name="capub" required="false" type="astring">
322 <loctext xml:lang="C">
327 <prop_pattern name="catalog_cache_terminus" required="false" type="astring">
329 <loctext xml:lang="C">
330 How to store cached catalogs. Valid values are 'json', 'msgpack' and 'yaml'. The agent application defaults to 'json'.
334 <prop_pattern name="catalog_format" required="false" type="astring">
336 <loctext xml:lang="C">
337 (Deprecated for 'preferred_serialization_format') What format to
338 use to dump the catalog. Only supports 'marshal' and 'yaml'. Only
339 matters on the client, since it asks the server for a specific format.
343 <prop_pattern name="catalog_terminus" required="false" type="astring">
345 <loctext xml:lang="C">
346 Where to get node catalogs. This is useful to change if, for instance,
347 you'd like to pre-compile catalogs and store them in memcached or some other easily-accessed store.
351 <prop_pattern name="cert_inventory" required="false" type="astring">
353 <loctext xml:lang="C">
354 The inventory file. This is a text file to which the CA writes a
355 complete listing of all certificates.
359 <prop_pattern name="certdir" required="false" type="astring">
361 <loctext xml:lang="C">
362 The certificate directory.
366 <prop_pattern name="certdnsnames" required="false" type="astring">
368 <loctext xml:lang="C">
369 The `certdnsnames` setting is no longer functional,
370 after CVE-2011-3872. We ignore the value completely.
372 For your own certificate request you can set `dns_alt_names` in the
373 configuration and it will apply locally. There is no configuration option to
374 set DNS alt names, or any other `subjectAltName` value, for another node's
377 Alternately you can use the `--dns_alt_names` command line option to set the
378 labels added while generating your own CSR.
382 <prop_pattern name="certificate_expire_warning" required="false" type="integer">
384 <loctext xml:lang="C">
385 The window of time leading up to a certificate's expiration that a notification
386 will be logged. This applies to CA, master, and agent certificates. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
390 <prop_pattern name="certificate_revocation" required="false" type="boolean">
392 <loctext xml:lang="C">
393 Whether certificate revocation should be supported by downloading a
394 Certificate Revocation List (CRL)
395 to all clients. If enabled, CA chaining will almost definitely not work.
399 <prop_pattern name="certname" required="false" type="hostname">
401 <loctext xml:lang="C">
402 The name to use when handling certificates. When a node
403 requests a certificate from the CA puppet master, it uses the value of the
404 `certname` setting as its requested Subject CN.
406 This is the name used when managing a node's permissions in
407 [auth.conf](http://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html).
408 In most cases, it is also used as the node's name when matching
409 [node definitions](http://docs.puppetlabs.com/puppet/latest/reference/lang_node_definitions.html)
410 and requesting data from an ENC. (This can be changed with the `node_name_value`
411 and `node_name_fact` settings, although you should only do so if you have
412 a compelling reason.)
414 A node's certname is available in Puppet manifests as `$trusted['certname']`. (See
415 [Facts and Built-In Variables](http://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html)
418 * For best compatibility, you should limit the value of `certname` to
419 only use letters, numbers, periods, underscores, and dashes. (That is,
420 it should match `/\A[a-z0-9._-]+\Z/`.)
421 * The special value `ca` is reserved, and can't be used as the certname
424 Defaults to the node's fully qualified domain name.
428 <prop_pattern name="cfacter" required="false" type="boolean">
430 <loctext xml:lang="C">
431 Whether or not to use the native facter (cfacter) implementation instead of the Ruby one (facter). Defaults to false.
435 <prop_pattern name="classfile" required="false" type="astring">
437 <loctext xml:lang="C">
438 The file in which puppet agent stores a list of the classes
439 associated with the retrieved configuration. Can be loaded in
440 the separate `puppet` executable using the `--loadclasses`
445 <prop_pattern name="client_datadir" required="false" type="astring">
447 <loctext xml:lang="C">
448 The directory in which serialized data is stored on the client.
452 <prop_pattern name="clientbucketdir" required="false" type="astring">
454 <loctext xml:lang="C">
455 Where FileBucket files are stored locally.
459 <prop_pattern name="clientyamldir" required="false" type="astring">
461 <loctext xml:lang="C">
462 The directory in which client-side YAML data is stored.
466 <prop_pattern name="code" required="false" type="astring">
468 <loctext xml:lang="C">
469 Code to parse directly. This is essentially only used
470 by `puppet`, and should only be set if you're writing your own Puppet
475 <prop_pattern name="color" required="false" type="astring">
477 <loctext xml:lang="C">
478 Whether to use colors when logging to the console. Valid values are
479 `ansi` (equivalent to `true`), `html`, and `false`, which produces no color.
480 Defaults to false on Windows, as its console does not support ansi colors.
484 <prop_pattern name="confdir" required="false" type="astring">
486 <loctext xml:lang="C">
487 The main Puppet configuration directory. The default for this setting
488 is calculated based on the user. If the process is running as root or
489 the user that Puppet is supposed to run as, it defaults to a system
490 directory, but if it's running as any other user, it defaults to being
491 in the user's home directory.
495 <prop_pattern name="config" required="false" type="astring">
497 <loctext xml:lang="C">
498 The configuration file for the current puppet application.
502 <prop_pattern name="config_file_name" required="false" type="astring">
504 <loctext xml:lang="C">
505 The name of the puppet config file.
509 <prop_pattern name="config_version" required="false" type="astring">
511 <loctext xml:lang="C">
512 How to determine the configuration version. By default, it will be the
513 time that the configuration is parsed, but you can provide a shell script to override how the
514 version is determined. The output of this script will be added to every log message in the
515 reports, allowing you to correlate changes on your hosts to the source version on the server.
517 Setting a global value for config_version in puppet.conf is deprecated. Please set a
518 per-environment value in environment.conf instead. For more info, see
519 http://docs.puppetlabs.com/puppet/latest/reference/environments.html
523 <prop_pattern name="configprint" required="false" type="astring">
525 <loctext xml:lang="C">
526 Print the value of a specific configuration setting. If the name of a
527 setting is provided for this, then the value is printed and puppet
528 exits. Comma-separate multiple values. For a list of all values,
533 <prop_pattern name="configtimeout" required="false" type="integer">
535 <loctext xml:lang="C">
536 How long the client should wait for the configuration to be retrieved
537 before considering it a failure. This can help reduce flapping if too
538 many clients contact the server at one time. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
542 <prop_pattern name="couchdb_url" required="false" type="uri">
544 <loctext xml:lang="C">
545 The url where the puppet couchdb database will be created.
546 Only used when `facts_terminus` is set to `couch`.
550 <prop_pattern name="csr_attributes" required="false" type="astring">
552 <loctext xml:lang="C">
553 An optional file containing custom attributes to add to certificate signing
554 requests (CSRs). You should ensure that this file does not exist on your CA
555 puppet master; if it does, unwanted certificate extensions may leak into
556 certificates created with the `puppet cert generate` command.
558 If present, this file must be a YAML hash containing a `custom_attributes` key
559 and/or an `extension_requests` key. The value of each key must be a hash, where
560 each key is a valid OID and each value is an object that can be cast to a string.
562 Custom attributes can be used by the CA when deciding whether to sign the
563 certificate, but are then discarded. Attribute OIDs can be any OID value except
564 the standard CSR attributes (i.e. attributes described in RFC 2985 section 5.4).
565 This is useful for embedding a pre-shared key for autosigning policy executables
566 (see the `autosign` setting), often by using the `1.2.840.113549.1.9.7`
567 ("challenge password") OID.
569 Extension requests will be permanently embedded in the final certificate.
570 Extension OIDs must be in the "ppRegCertExt" (`1.3.6.1.4.1.34380.1.1`) or
571 "ppPrivCertExt" (`1.3.6.1.4.1.34380.1.2`) OID arcs. The ppRegCertExt arc is
572 reserved for four of the most common pieces of data to embed: `pp_uuid` (`.1`),
573 `pp_instance_id` (`.2`), `pp_image_name` (`.3`), and `pp_preshared_key` (`.4`)
574 --- in the YAML file, these can be referred to by their short descriptive names
575 instead of their full OID. The ppPrivCertExt arc is unregulated, and can be used
576 for site-specific extensions.
580 <prop_pattern name="csrdir" required="false" type="astring">
582 <loctext xml:lang="C">
583 Where the CA stores certificate requests.
587 <prop_pattern name="daemonize" required="false" type="boolean">
589 <loctext xml:lang="C">
590 Whether to send the process into the background. This defaults
591 to true on POSIX systems, and to false on Windows (where Puppet
592 currently cannot daemonize).
596 <prop_pattern name="data_binding_terminus" required="false" type="astring">
598 <loctext xml:lang="C">
599 Where to retrieve information about data.
603 <prop_pattern name="dbadapter" required="false" type="astring">
605 <loctext xml:lang="C">
606 The type of database to use. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
610 <prop_pattern name="dbconnections" required="false" type="astring">
612 <loctext xml:lang="C">
613 The number of database connections for networked
614 databases. Will be ignored unless the value is a positive integer. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
618 <prop_pattern name="dblocation" required="false" type="astring">
620 <loctext xml:lang="C">
621 The sqlite database file. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
625 <prop_pattern name="dbmigrate" required="false" type="boolean">
627 <loctext xml:lang="C">
628 Whether to automatically migrate the database. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
632 <prop_pattern name="dbname" required="false" type="astring">
634 <loctext xml:lang="C">
635 The name of the database to use. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
639 <prop_pattern name="dbpassword" required="false" type="astring">
641 <loctext xml:lang="C">
642 The database password for caching. Only
643 used when networked databases are used. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
647 <prop_pattern name="dbport" required="false" type="astring">
649 <loctext xml:lang="C">
650 The database port for caching. Only
651 used when networked databases are used. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
655 <prop_pattern name="dbserver" required="false" type="host">
657 <loctext xml:lang="C">
658 The database server for caching. Only
659 used when networked databases are used.
663 <prop_pattern name="dbsocket" required="false" type="astring">
665 <loctext xml:lang="C">
666 The database socket location. Only used when networked
667 databases are used. Will be ignored if the value is an empty string. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
671 <prop_pattern name="dbuser" required="false" type="astring">
673 <loctext xml:lang="C">
674 The database user for caching. Only
675 used when networked databases are used. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
679 <prop_pattern name="default_file_terminus" required="false" type="astring">
681 <loctext xml:lang="C">
682 The default source for files if no server is given in a
683 uri, e.g. puppet:///file. The default of `rest` causes the file to be
684 retrieved using the `server` setting. When running `apply` the default
685 is `file_server`, causing requests to be filled locally.
689 <prop_pattern name="default_manifest" required="false" type="astring">
691 <loctext xml:lang="C">
692 The default main manifest for directory environments. Any environment that
693 doesn't set the `manifest` setting in its `environment.conf` file will use
696 This setting's value can be an absolute or relative path. An absolute path
697 will make all environments default to the same main manifest; a relative
698 path will allow each environment to use its own manifest, and Puppet will
699 resolve the path relative to each environment's main directory.
701 In either case, the path can point to a single file or to a directory of
702 manifests to be evaluated in alphabetical order.
706 <prop_pattern name="default_schedules" required="false" type="boolean">
708 <loctext xml:lang="C">
709 Boolean; whether to generate the default schedule resources. Setting this to
710 false is useful for keeping external report processors clean of skipped schedule resources.
714 <prop_pattern name="deviceconfig" required="false" type="astring">
716 <loctext xml:lang="C">
717 Path to the device config file for puppet device.
721 <prop_pattern name="devicedir" required="false" type="astring">
723 <loctext xml:lang="C">
724 The root directory of devices' $vardir.
728 <prop_pattern name="diff" required="false" type="astring">
730 <loctext xml:lang="C">
731 Which diff command to use when printing differences between files. This setting
732 has no default value on Windows, as standard `diff` is not available, but Puppet can use many
733 third-party diff tools.
737 <prop_pattern name="diff_args" required="false" type="astring">
739 <loctext xml:lang="C">
740 Which arguments to pass to the diff command when printing differences between
741 files. The command to use can be chosen with the `diff` setting.
745 <prop_pattern name="digest_algorithm" required="false" type="astring">
747 <loctext xml:lang="C">
748 Which digest algorithm to use for file resources and the filebucket.
749 Valid values are md5, sha256. Default is md5.
753 <prop_pattern name="disable_per_environment_manifest" required="false" type="boolean">
755 <loctext xml:lang="C">
756 Whether to disallow an environment-specific main manifest. When set
757 to `true`, Puppet will use the manifest specified in the `default_manifest` setting
758 for all environments. If an environment specifies a different main manifest in its
759 `environment.conf` file, catalog requests for that environment will fail with an error.
761 This setting requires `default_manifest` to be set to an absolute path.
765 <prop_pattern name="disable_warnings" required="false" type="astring">
767 <loctext xml:lang="C">
768 A comma-separated list of warning types to suppress. If large numbers
769 of warnings are making Puppet's logs too large or difficult to use, you
770 can temporarily silence them with this setting.
772 If you are preparing to upgrade Puppet to a new major version, you
773 should re-enable all warnings for a while.
775 Valid values for this setting are:
777 * `deprecations` --- disables deprecation warnings.
781 <prop_pattern name="dns_alt_names" required="false" type="host">
783 <loctext xml:lang="C">
784 The comma-separated list of alternative DNS names to use for the local host.
786 When the node generates a CSR for itself, these are added to the request
787 as the desired `subjectAltName` in the certificate: additional DNS labels
788 that the certificate is also valid answering as.
790 This is generally required if you use a non-hostname `certname`, or if you
791 want to use `puppet kick` or `puppet resource -H` and the primary certname
792 does not match the DNS name you use to communicate with the host.
794 This is unnecessary for agents, unless you intend to use them as a server for
795 `puppet kick` or remote `puppet resource` management.
797 It is rarely necessary for servers; it is usually helpful only if you need to
798 have a pool of multiple load balanced masters, or for the same master to
799 respond on two physically separate networks under different names.
803 <prop_pattern name="document_all" required="false" type="boolean">
805 <loctext xml:lang="C">
806 Whether to document all resources when using `puppet doc` to
807 generate manifest documentation.
811 <prop_pattern name="dynamicfacts" required="false" type="astring">
813 <loctext xml:lang="C">
814 (Deprecated) Facts that are dynamic; these facts will be ignored when deciding whether
815 changed facts should result in a recompile. Multiple facts should be
820 <prop_pattern name="environment" required="false" type="astring">
822 <loctext xml:lang="C">
823 The environment Puppet is running in. For clients
824 (e.g., `puppet agent`) this determines the environment itself, which
825 is used to find modules and much more. For servers (i.e., `puppet master`)
826 this provides the default environment for nodes we know nothing about.
830 <prop_pattern name="environment_timeout" required="false" type="integer">
832 <loctext xml:lang="C">
833 How long the Puppet master should cache data it loads from an
835 This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
836 A value of `0` will disable caching. This setting can also be set to
837 `unlimited`, which will cache environments until the master is restarted
838 or told to refresh the cache.
840 You should change this setting once your Puppet deployment is doing
841 non-trivial work. We chose the default value of `0` because it lets new
842 users update their code without any extra steps, but it lowers the
843 performance of your Puppet master.
845 We recommend setting this to `unlimited` and explicitly refreshing your
846 Puppet master as part of your code deployment process.
848 * With Puppet Server, you should refresh environments by calling the
849 `environment-cache` API endpoint. See the docs for the Puppet Server
851 * With a Rack Puppet master, you should restart the web server or the
852 application server. Passenger lets you touch a `restart.txt` file to
853 refresh an application without restarting Apache; see the Passenger docs
856 We don't recommend using any value other than `0` or `unlimited`, since
857 most Puppet masters use a pool of Ruby interpreters which all have their
858 own cache timers. When these timers drift out of sync, agents can be served
859 inconsistent catalogs.
863 <prop_pattern name="environmentpath" required="false" type="astring">
865 <loctext xml:lang="C">
866 A search path for directory environments, as a list of directories
867 separated by the system path separator character. (The POSIX path separator
868 is ':', and the Windows path separator is ';'.)
870 This setting must have a value set to enable **directory environments.** The
871 recommended value is `$confdir/environments`. For more details, see
872 http://docs.puppetlabs.com/puppet/latest/reference/environments.html
876 <prop_pattern name="evaltrace" required="false" type="boolean">
878 <loctext xml:lang="C">
879 Whether each resource should log when it is
880 being evaluated. This allows you to interactively see exactly
885 <prop_pattern name="external_nodes" required="false" type="astring">
887 <loctext xml:lang="C">
888 An external command that can produce node information. The command's output
889 must be a YAML dump of a hash, and that hash must have a `classes` key and/or
890 a `parameters` key, where `classes` is an array or hash and
891 `parameters` is a hash. For unknown nodes, the command should
892 exit with a non-zero exit code.
894 This command makes it straightforward to store your node mapping
895 information in other data sources like databases.
899 <prop_pattern name="factpath" required="false" type="astring">
901 <loctext xml:lang="C">
902 Where Puppet should look for facts. Multiple directories should
903 be separated by the system path separator character. (The POSIX path
904 separator is ':', and the Windows path separator is ';'.)
908 <prop_pattern name="facts_terminus" required="false" type="astring">
910 <loctext xml:lang="C">
911 The node facts terminus.
915 <prop_pattern name="fileserverconfig" required="false" type="astring">
917 <loctext xml:lang="C">
918 Where the fileserver configuration is stored.
922 <prop_pattern name="filetimeout" required="false" type="integer">
924 <loctext xml:lang="C">
925 The minimum time to wait between checking for updates in
926 configuration files. This timeout determines how quickly Puppet checks whether
927 a file (such as manifests or templates) has changed on disk. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
931 <prop_pattern name="forge_authorization" required="false" type="astring">
933 <loctext xml:lang="C">
934 The authorization key to connect to the Puppet Forge. Leave blank for unauthorized or license-based connections.
938 <prop_pattern name="freeze_main" required="false" type="boolean">
940 <loctext xml:lang="C">
941 Freezes the 'main' class, disallowing any code to be added to it. This
942 essentially means that you can't have any code outside of a node,
943 class, or definition other than in the site manifest.
947 <prop_pattern name="genmanifest" required="false" type="boolean">
949 <loctext xml:lang="C">
950 Whether to just print a manifest to stdout and exit. Only makes
951 sense when specified on the command line as `--genmanifest`. Takes into account arguments specified
956 <prop_pattern name="graph" required="false" type="boolean">
958 <loctext xml:lang="C">
959 Whether to create dot graph files for the different
960 configuration graphs. These dot files can be interpreted by tools
961 like OmniGraffle or dot (which is part of ImageMagick).
965 <prop_pattern name="graphdir" required="false" type="astring">
967 <loctext xml:lang="C">
968 Where to store dot-outputted graphs.
972 <prop_pattern name="group" required="false" type="astring">
974 <loctext xml:lang="C">
975 The group puppet master should run as.
979 <prop_pattern name="hiera_config" required="false" type="astring">
981 <loctext xml:lang="C">
982 The hiera configuration file. Puppet only reads this file on startup, so you must restart the puppet master every time you edit it.
986 <prop_pattern name="hostcert" required="false" type="astring">
988 <loctext xml:lang="C">
989 Where individual hosts store and look for their certificates.
993 <prop_pattern name="hostcrl" required="false" type="astring">
995 <loctext xml:lang="C">
996 Where the host's certificate revocation list can be found.
997 This is distinct from the certificate authority's CRL.
1001 <prop_pattern name="hostcsr" required="false" type="astring">
1003 <loctext xml:lang="C">
1004 Where individual hosts store and look for their certificate requests.
1008 <prop_pattern name="hostprivkey" required="false" type="astring">
1010 <loctext xml:lang="C">
1011 Where individual hosts store and look for their private key.
1015 <prop_pattern name="hostpubkey" required="false" type="astring">
1017 <loctext xml:lang="C">
1018 Where individual hosts store and look for their public key.
1022 <prop_pattern name="http_compression" required="false" type="boolean">
1024 <loctext xml:lang="C">
1025 Allow http compression in REST communication with the master.
1026 This setting might improve performance for agent -> master
1027 communications over slow WANs. Your puppet master needs to support
1028 compression (usually by activating some settings in a reverse-proxy in
1029 front of the puppet master, which rules out webrick). It is harmless to
1030 activate this setting if your master doesn't support compression, but
1031 if it supports it, this setting might reduce performance on high-speed LANs.
1035 <prop_pattern name="http_debug" required="false" type="boolean">
1037 <loctext xml:lang="C">
1038 Whether to write HTTP requests and responses to stderr. This should never be used in a production environment, because the dumped traffic can include sensitive data such as credentials.
1042 <prop_pattern name="http_keepalive_timeout" required="false" type="integer">
1044 <loctext xml:lang="C">
1045 The maximum amount of time a persistent HTTP connection can remain idle in the connection pool, before it is closed. This timeout should be shorter than the keepalive timeout used on the HTTP server, e.g. Apache KeepAliveTimeout directive.
1046 This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
1050 <prop_pattern name="http_proxy_host" required="false" type="host">
1052 <loctext xml:lang="C">
1053 The HTTP proxy host to use for outgoing connections. Note: You
1054 may need to use a FQDN for the server hostname when using a proxy. Environment variable
1055 http_proxy or HTTP_PROXY will override this value
1059 <prop_pattern name="http_proxy_password" required="false" type="astring">
1061 <loctext xml:lang="C">
1062 The password for the user of an authenticated HTTP proxy.
1063 Requires the `http_proxy_user` setting.
1065 Note that passwords must be valid when used as part of a URL. If a password
1066 contains any characters with special meanings in URLs (as specified by RFC 3986
1067 section 2.2), they must be URL-encoded. (For example, `#` would become `%23`.)
1071 <prop_pattern name="http_proxy_port" required="false" type="integer">
1073 <loctext xml:lang="C">
1074 The HTTP proxy port to use for outgoing connections
1078 <prop_pattern name="http_proxy_user" required="false" type="astring">
1080 <loctext xml:lang="C">
1081 The user name for an authenticated HTTP proxy. Requires the `http_proxy_host` setting.
1085 <prop_pattern name="httplog" required="false" type="astring">
1087 <loctext xml:lang="C">
1088 Where the puppet agent web server logs.
1092 <prop_pattern name="ignorecache" required="false" type="boolean">
1094 <loctext xml:lang="C">
1095 Ignore cache and always recompile the configuration. This is
1096 useful for testing new configurations, where the local cache may in
1097 fact be stale even if the timestamps are up to date - if the facts
1098 change or if the server changes.
1102 <prop_pattern name="ignoreimport" required="false" type="boolean">
1104 <loctext xml:lang="C">
1105 If true, allows the parser to continue without requiring
1106 all files referenced with `import` statements to exist. This setting was primarily
1107 designed for use with commit hooks for parse-checking.
1111 <prop_pattern name="ignoremissingtypes" required="false" type="boolean">
1113 <loctext xml:lang="C">
1114 Skip searching for classes and definitions that were missing during a
1115 prior compilation. The list of missing objects is maintained per-environment and
1116 persists until the environment is cleared or the master is restarted.
1120 <prop_pattern name="ignoreschedules" required="false" type="boolean">
1122 <loctext xml:lang="C">
1123 Boolean; whether puppet agent should ignore schedules. This is useful
1124 for initial puppet agent runs.
1128 <prop_pattern name="immutable_node_data" required="false" type="boolean">
1130 <loctext xml:lang="C">
1131 When true, also prevents $trusted and $facts from being overridden in any scope
1135 <prop_pattern name="inventory_port" required="false" type="integer">
1137 <loctext xml:lang="C">
1138 The port to communicate with the inventory_server.
1142 <prop_pattern name="inventory_server" required="false" type="host">
1144 <loctext xml:lang="C">
1145 The server to send facts to.
1149 <prop_pattern name="inventory_terminus" required="false" type="astring">
1151 <loctext xml:lang="C">
1152 Should usually be the same as the facts terminus
1156 <prop_pattern name="keylength" required="false" type="integer">
1158 <loctext xml:lang="C">
1159 The bit length of keys.
1163 <prop_pattern name="lastrunfile" required="false" type="astring">
1165 <loctext xml:lang="C">
1166 Where puppet agent stores the last run report summary in yaml format.
1170 <prop_pattern name="lastrunreport" required="false" type="astring">
1172 <loctext xml:lang="C">
1173 Where puppet agent stores the last run report in yaml format.
1177 <prop_pattern name="ldapattrs" required="false" type="astring">
1179 <loctext xml:lang="C">
1180 The LDAP attributes to include when querying LDAP for nodes. All
1181 returned attributes are set as variables in the top-level scope.
1182 Multiple values should be comma-separated. The value 'all' returns
1187 <prop_pattern name="ldapbase" required="false" type="astring">
1189 <loctext xml:lang="C">
1190 The search base for LDAP searches. It's impossible to provide
1191 a meaningful default here, although the LDAP libraries might
1192 have one already set. Generally, it should be the 'ou=Hosts'
1193 branch under your main directory.
1197 <prop_pattern name="ldapclassattrs" required="false" type="astring">
1199 <loctext xml:lang="C">
1200 The LDAP attributes to use to define Puppet classes. Values
1201 should be comma-separated.
1205 <prop_pattern name="ldapparentattr" required="false" type="astring">
1207 <loctext xml:lang="C">
1208 The attribute to use to define the parent node.
1212 <prop_pattern name="ldappassword" required="false" type="astring">
1214 <loctext xml:lang="C">
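1215 The password to use to connect to LDAP. The value is held as an ordinary string property, so make sure only administrators can read this service's configuration.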
1219 <prop_pattern name="ldapport" required="false" type="integer">
1221 <loctext xml:lang="C">
1222 The LDAP port. Only used if `node_terminus` is set to `ldap`.
1226 <prop_pattern name="ldapserver" required="false" type="host">
1228 <loctext xml:lang="C">
1229 The LDAP server. Only used if `node_terminus` is set to `ldap`.
1233 <prop_pattern name="ldapssl" required="false" type="boolean">
1235 <loctext xml:lang="C">
1236 Whether SSL should be used when searching for nodes.
1237 Defaults to false because SSL usually requires certificates
1238 to be set up on the client side. Without SSL or TLS, LDAP traffic, including the password used to connect, is sent unencrypted.
1242 <prop_pattern name="ldapstackedattrs" required="false" type="astring">
1244 <loctext xml:lang="C">
1245 The LDAP attributes that should be stacked to arrays by adding
1246 the values in all hierarchy elements of the tree. Values
1247 should be comma-separated.
1251 <prop_pattern name="ldapstring" required="false" type="astring">
1253 <loctext xml:lang="C">
1254 The search string used to find an LDAP node.
1258 <prop_pattern name="ldaptls" required="false" type="boolean">
1260 <loctext xml:lang="C">
1261 Whether TLS should be used when searching for nodes.
1262 Defaults to false because TLS usually requires certificates
1263 to be set up on the client side. Without TLS or SSL, LDAP traffic, including the password used to connect, is sent unencrypted.
1267 <prop_pattern name="ldapuser" required="false" type="hostname">
1269 <loctext xml:lang="C">
1270 The user to use to connect to LDAP. Must be specified as a
1275 <prop_pattern name="legacy_query_parameter_serialization" required="false" type="boolean">
1277 <loctext xml:lang="C">
1278 The serialization format to use when sending file_metadata
1279 query parameters. Older versions of puppet master expect certain query
1280 parameters to be serialized as yaml, which is deprecated.
1282 This should almost always be false. It can be temporarily set to true
1283 to let agents using this Puppet version connect to a puppet master
1284 running Puppet 3.0.0 through 3.2.x.
1286 Note that this is set to true automatically if the agent detects an
1287 older master, so should never need to be set explicitly.
1291 <prop_pattern name="libdir" required="false" type="astring">
1293 <loctext xml:lang="C">
1294 An extra search path for Puppet. This is only useful
1295 for those files that Puppet will load on demand, and is only
1296 guaranteed to work for those cases. In fact, the autoload
1297 mechanism is responsible for making sure this directory
1298 is in Ruby's search path
1302 <prop_pattern name="listen" required="false" type="boolean">
1304 <loctext xml:lang="C">
1305 Whether puppet agent should listen for
1306 connections. If this is true, then puppet agent will accept incoming
1307 REST API requests, subject to the default ACLs and the ACLs set in
1308 the `rest_authconfig` file. Puppet agent can respond usefully to
1309 requests on the `run`, `facts`, `certificate`, and `resource` endpoints.
1313 <prop_pattern name="localcacert" required="false" type="astring">
1315 <loctext xml:lang="C">
1316 Where each client stores the CA certificate.
1320 <prop_pattern name="localconfig" required="false" type="astring">
1322 <loctext xml:lang="C">
1323 Where puppet agent caches the local configuration. An
1324 extension indicating the cache format is added automatically.
1328 <prop_pattern name="log_level" required="false" type="astring">
1330 <loctext xml:lang="C">
1331 Default logging level for messages from Puppet. Allowed values are:
1344 <prop_pattern name="logdir" required="false" type="astring">
1346 <loctext xml:lang="C">
1347 The directory in which to store log files
1351 <prop_pattern name="manage_internal_file_permissions" required="false" type="boolean">
1353 <loctext xml:lang="C">
1354 Whether Puppet should manage the owner, group, and mode of files it uses internally
1358 <prop_pattern name="manifest" required="false" type="astring">
1360 <loctext xml:lang="C">
1361 The entry-point manifest for puppet master. This can be one file
1362 or a directory of manifests to be evaluated in alphabetical order. Puppet manages
1363 this path as a directory if one exists or if the path ends with a / or \.
1365 Setting a global value for `manifest` in puppet.conf is deprecated. Please use
1366 directory environments instead. If you need to use something other than the
1367 environment's `manifests` directory as the main manifest, you can set
1368 `manifest` in environment.conf. For more info, see
1369 http://docs.puppetlabs.com/puppet/latest/reference/environments.html
1373 <prop_pattern name="manifestdir" required="false" type="astring">
1375 <loctext xml:lang="C">
1376 Used to build the default value of the `manifest` setting. Has no other purpose.
1378 This setting is deprecated.
1382 <prop_pattern name="masterhttplog" required="false" type="astring">
1384 <loctext xml:lang="C">
1385 Where the puppet master web server saves its access log. This is
1386 only used when running a WEBrick puppet master. When puppet master is
1387 running under a Rack server like Passenger, that web server will have
1388 its own logging behavior.
1392 <prop_pattern name="masterlog" required="false" type="astring">
1394 <loctext xml:lang="C">
1395 This file is literally never used, although Puppet may create it
1396 as an empty file. For more context, see the `puppetdlog` setting and
1397 puppet master's `--logdest` command line option.
1399 This setting is deprecated and will be removed in a future version of Puppet.
1403 <prop_pattern name="masterport" required="false" type="integer">
1405 <loctext xml:lang="C">
1406 The port for puppet master traffic. For puppet master,
1407 this is the port to listen on; for puppet agent, this is the port
1408 to make requests on. Both applications use this setting to get the port.
1412 <prop_pattern name="max_deprecations" required="false" type="integer">
1414 <loctext xml:lang="C">
1415 Sets the max number of logged/displayed parser validation deprecation
1416 warnings in case multiple deprecation warnings have been detected. A value of 0
1417 blocks the logging of deprecation warnings. The count is per manifest.
1421 <prop_pattern name="max_errors" required="false" type="integer">
1423 <loctext xml:lang="C">
1424 Sets the max number of logged/displayed parser validation errors in case
1425 multiple errors have been detected. A value of 0 is the same as a value of 1; a
1426 minimum of one error is always raised. The count is per manifest.
1430 <prop_pattern name="max_warnings" required="false" type="integer">
1432 <loctext xml:lang="C">
1433 Sets the max number of logged/displayed parser validation warnings in
1434 case multiple warnings have been detected. A value of 0 blocks logging of
1435 warnings. The count is per manifest.
1439 <prop_pattern name="maximum_uid" required="false" type="integer">
1441 <loctext xml:lang="C">
1442 The maximum allowed UID. Some platforms use negative UIDs
1443 but then ship with tools that do not know how to handle signed ints,
1444 so the UIDs show up as huge numbers that can then not be fed back into
1445 the system. This is a hackish way to fail in a slightly more useful
1446 way when that happens.
1450 <prop_pattern name="mkusers" required="false" type="boolean">
1452 <loctext xml:lang="C">
1453 Whether to create the necessary user and group that puppet agent will run as.
1457 <prop_pattern name="module_groups" required="false" type="astring">
1459 <loctext xml:lang="C">
1460 Extra module groups to request from the Puppet Forge
1464 <prop_pattern name="module_repository" required="false" type="uri">
1466 <loctext xml:lang="C">
1467 The module repository
1471 <prop_pattern name="module_skeleton_dir" required="false" type="astring">
1473 <loctext xml:lang="C">
1474 The directory in which the skeleton used by the module tool's `generate` action is stored.
1478 <prop_pattern name="module_working_dir" required="false" type="astring">
1480 <loctext xml:lang="C">
1481 The directory in which module tool data is stored.
1485 <prop_pattern name="modulepath" required="false" type="astring">
1487 <loctext xml:lang="C">
1488 The search path for modules, as a list of directories separated by the system
1489 path separator character. (The POSIX path separator is ':', and the
1490 Windows path separator is ';'.)
1492 Setting a global value for `modulepath` in puppet.conf is deprecated. Please use
1493 directory environments instead. If you need to use something other than the
1494 default modulepath of `<ACTIVE ENVIRONMENT'S MODULES DIR>:$basemodulepath`,
1495 you can set `modulepath` in environment.conf. For more info, see
1496 http://docs.puppetlabs.com/puppet/latest/reference/environments.html
1500 <prop_pattern name="name" required="false" type="astring">
1502 <loctext xml:lang="C">
1503 The name of the application, if we are running as one. The
1504 default is essentially $0 without the path or `.rb`.
1508 <prop_pattern name="node_cache_terminus" required="false" type="astring">
1510 <loctext xml:lang="C">
1511 How to store cached nodes.
1512 Valid values are (none), 'json', 'msgpack', 'yaml' or write only yaml ('write_only_yaml').
1513 The master application defaults to 'write_only_yaml', all others to none.
1517 <prop_pattern name="node_name" required="false" type="astring">
1519 <loctext xml:lang="C">
1520 How the puppet master determines the client's identity
1521 and sets the 'hostname', 'fqdn' and 'domain' facts for use in the manifest,
1522 in particular for determining which 'node' statement applies to the client.
1523 Possible values are 'cert' (use the subject's CN in the client's
1524 certificate) and 'facter' (use the hostname that the client
1525 reported in its facts). 'cert' is the safer choice, because a hostname taken from facts is supplied by the client itself.
1529 <prop_pattern name="node_name_fact" required="false" type="astring">
1531 <loctext xml:lang="C">
1532 The fact name used to determine the node name used for all requests the agent
1533 makes to the master. WARNING: This setting is mutually exclusive with
1534 node_name_value. Changing this setting also requires changes to the default
1535 auth.conf configuration on the Puppet Master. Please see
1536 http://links.puppetlabs.com/node_name_fact for more information.
1540 <prop_pattern name="node_name_value" required="false" type="astring">
1542 <loctext xml:lang="C">
1543 The explicit value used for the node name for all requests the agent
1544 makes to the master. WARNING: This setting is mutually exclusive with
1545 node_name_fact. Changing this setting also requires changes to the default
1546 auth.conf configuration on the Puppet Master. Please see
1547 http://links.puppetlabs.com/node_name_value for more information.
1551 <prop_pattern name="node_terminus" required="false" type="astring">
1553 <loctext xml:lang="C">
1554 Where to find information about nodes.
1558 <prop_pattern name="noop" required="false" type="boolean">
1560 <loctext xml:lang="C">
1561 Whether to apply catalogs in noop mode, which allows Puppet to
1562 partially simulate a normal run. This setting affects puppet agent and
1565 When running in noop mode, Puppet will check whether each resource is in sync,
1566 like it does when running normally. However, if a resource attribute is not in
1567 the desired state (as declared in the catalog), Puppet will take no
1568 action, and will instead report the changes it _would_ have made. These
1569 simulated changes will appear in the report sent to the puppet master, or
1570 be shown on the console if running puppet agent or puppet apply in the
1571 foreground. The simulated changes will not send refresh events to any
1572 subscribing or notified resources, although Puppet will log that a refresh
1573 event _would_ have been sent.
1577 allows you to apply individual resources in noop mode, and will override
1578 the global value of the `noop` setting. This means a resource with
1579 `noop => false` _will_ be changed if necessary, even when running puppet
1580 agent with `noop = true` or `--noop`. (Conversely, a resource with
1581 `noop => true` will only be simulated, even when noop mode is globally disabled.)
1585 <prop_pattern name="onetime" required="false" type="boolean">
1587 <loctext xml:lang="C">
1588 Perform one configuration run and exit, rather than spawning a long-running
1589 daemon. This is useful for interactively running puppet agent, or
1590 running puppet agent from cron.
1594 <prop_pattern name="ordering" required="false" type="astring">
1596 <loctext xml:lang="C">
1597 How unrelated resources should be ordered when applying a catalog.
1598 Allowed values are `title-hash`, `manifest`, and `random`. This
1599 setting affects puppet agent and puppet apply, but not puppet master.
1601 * `title-hash` (the default) will order resources randomly, but will use
1602 the same order across runs and across nodes.
1603 * `manifest` will use the order in which the resources were declared in
1604 their manifest files.
1605 * `random` will order resources randomly and change their order with each
1606 run. This can work like a fuzzer for shaking out undeclared dependencies.
1608 Regardless of this setting's value, Puppet will always obey explicit
1609 dependencies set with the before/require/notify/subscribe metaparameters
1610 and the `->`/`~>` chaining arrows; this setting only affects the relative
1611 ordering of _unrelated_ resources.
1615 <prop_pattern name="parser" required="false" type="astring">
1617 <loctext xml:lang="C">
1618 Selects the parser to use for parsing puppet manifests (in puppet DSL
1619 language/'.pp' files). Available choices are `current` (the default)
1622 The `current` parser means that the released version of the parser should
1625 The `future` parser is a "time travel to the future" allowing early
1626 exposure to new language features. What these features are will vary from
1627 release to release and they may be individually configurable.
1629 Available Since Puppet 3.2.
1633 <prop_pattern name="passfile" required="false" type="astring">
1635 <loctext xml:lang="C">
1636 Where puppet agent stores the password for its private key.
1641 <prop_pattern name="path" required="false" type="astring">
1643 <loctext xml:lang="C">
1644 The shell search path. Defaults to whatever is inherited
1645 from the parent process.
1649 <prop_pattern name="pidfile" required="false" type="astring">
1651 <loctext xml:lang="C">
1652 The file containing the PID of a running process.
1653 This file is intended to be used by service management frameworks
1654 and monitoring systems to determine if a puppet process is still in
1659 <prop_pattern name="plugindest" required="false" type="astring">
1661 <loctext xml:lang="C">
1662 Where Puppet should store plugins that it pulls down from the central
1667 <prop_pattern name="pluginfactdest" required="false" type="astring">
1669 <loctext xml:lang="C">
1670 Where Puppet should store external facts that are being handled by pluginsync
1674 <prop_pattern name="pluginfactsource" required="false" type="astring">
1676 <loctext xml:lang="C">
1677 Where to retrieve external facts for pluginsync
1681 <prop_pattern name="pluginsignore" required="false" type="astring">
1683 <loctext xml:lang="C">
1684 What files to ignore when pulling down plugins.
1688 <prop_pattern name="pluginsource" required="false" type="astring">
1690 <loctext xml:lang="C">
1691 From where to retrieve plugins. The standard Puppet `file` type
1692 is used for retrieval, so anything that is a valid file source can
1697 <prop_pattern name="pluginsync" required="false" type="boolean">
1699 <loctext xml:lang="C">
1700 Whether plugins should be synced with the central server.
1704 <prop_pattern name="postrun_command" required="false" type="astring">
1706 <loctext xml:lang="C">
1707 A command to run after every agent run. If this command returns a non-zero
1708 return code, the entire Puppet run will be considered to have failed, even though it might have
1709 performed work during the normal run.
1713 <prop_pattern name="preferred_serialization_format" required="false" type="astring">
1715 <loctext xml:lang="C">
1716 The preferred means of serializing
1717 ruby instances for passing over the wire. This won't guarantee that all
1718 instances will be serialized using this method, since not all classes
1719 can be guaranteed to support this format, but it will be used for all
1720 classes that support it.
1724 <prop_pattern name="prerun_command" required="false" type="astring">
1726 <loctext xml:lang="C">
1727 A command to run before every agent run. If this command returns a non-zero
1728 return code, the entire Puppet run will fail.
1732 <prop_pattern name="preview_outputdir" required="false" type="astring">
1734 <loctext xml:lang="C">
1735 The directory where catalog previews per node are generated.
1739 <prop_pattern name="priority" required="false" type="astring">
1741 <loctext xml:lang="C">
1742 The scheduling priority of the process. Valid values are 'high',
1743 'normal', 'low', or 'idle', which are mapped to platform-specific
1744 values. The priority can also be specified as an integer value and
1745 will be passed as is, e.g. -5. Puppet must be running as a privileged
1746 user in order to increase scheduling priority.
1750 <prop_pattern name="privatedir" required="false" type="astring">
1752 <loctext xml:lang="C">
1753 Where the client stores private certificate information.
1757 <prop_pattern name="privatekeydir" required="false" type="astring">
1759 <loctext xml:lang="C">
1760 The private key directory.
1764 <prop_pattern name="profile" required="false" type="boolean">
1766 <loctext xml:lang="C">
1767 Whether to enable experimental performance profiling
1771 <prop_pattern name="publickeydir" required="false" type="astring">
1773 <loctext xml:lang="C">
1774 The public key directory.
1778 <prop_pattern name="puppetdlog" required="false" type="astring">
1780 <loctext xml:lang="C">
1781 The fallback log file. This is only used when the `--logdest` option
1782 is not specified AND Puppet is running on an operating system where both
1783 the POSIX syslog service and the Windows Event Log are unavailable. (Currently,
1784 no supported operating systems match that description.)
1786 Despite the name, both puppet agent and puppet master will use this file
1787 as the fallback logging destination.
1789 For control over logging destinations, see the `--logdest` command line
1790 option in the manual pages for puppet master, puppet agent, and puppet
1791 apply. You can see man pages by running `puppet <SUBCOMMAND> --help`,
1792 or read them online at http://docs.puppetlabs.com/references/latest/man/.
1796 <prop_pattern name="puppetport" required="false" type="integer">
1798 <loctext xml:lang="C">
1799 Which port puppet agent listens on.
1803 <prop_pattern name="queue_source" required="false" type="uri">
1805 <loctext xml:lang="C">
1806 Which type of queue to use for asynchronous processing. If your stomp server requires
1807 authentication, you can include it in the URI as long as your stomp client library is at least 1.1.1
1811 <prop_pattern name="queue_type" required="false" type="astring">
1813 <loctext xml:lang="C">
1814 Which type of queue to use for asynchronous processing.
1818 <prop_pattern name="rails_loglevel" required="false" type="astring">
1820 <loctext xml:lang="C">
1821 The log level for Rails connections. The value must be
1822 a valid log level within Rails. Production environments normally use `info`
1823 and other environments normally use `debug`. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
1827 <prop_pattern name="railslog" required="false" type="astring">
1829 <loctext xml:lang="C">
1830 Where Rails-specific logs are sent. This setting is only used by the ActiveRecord storeconfigs and inventory backends, which are deprecated.
1834 <prop_pattern name="report" required="false" type="boolean">
1836 <loctext xml:lang="C">
1837 Whether to send reports after every transaction.
1841 <prop_pattern name="report_port" required="false" type="integer">
1843 <loctext xml:lang="C">
1844 The port to communicate with the report_server.
1848 <prop_pattern name="report_serialization_format" required="false" type="astring">
1850 <loctext xml:lang="C">
1851 The serialization format to use when sending reports to the
1852 `report_server`. Possible values are `pson` and `yaml`. This setting
1853 affects puppet agent, but not puppet apply (which processes its own
1856 This should almost always be set to `pson`. It can be temporarily set to
1857 `yaml` to let agents using this Puppet version connect to a puppet master
1858 running Puppet 3.0.0 through 3.2.x.
1860 Note that this is set to 'yaml' automatically if the agent detects an
1861 older master, so should never need to be set explicitly.
1865 <prop_pattern name="report_server" required="false" type="host">
1867 <loctext xml:lang="C">
1868 The server to send transaction reports to.
1872 <prop_pattern name="reportdir" required="false" type="astring">
1874 <loctext xml:lang="C">
1875 The directory in which to store reports. Each node gets
1876 a separate subdirectory in this directory. This setting is only
1877 used when the `store` report processor is enabled (see the
1882 <prop_pattern name="reportfrom" required="false" type="astring">
1884 <loctext xml:lang="C">
1885 The 'from' email address for the reports.
1889 <prop_pattern name="reports" required="false" type="astring">
1891 <loctext xml:lang="C">
1892 The list of report handlers to use. When using multiple report handlers,
1893 their names should be comma-separated, with whitespace allowed. (For example,
1894 `reports = http, tagmail`.)
1896 This setting is relevant to puppet master and puppet apply. The puppet
1897 master will call these report handlers with the reports it receives from
1898 agent nodes, and puppet apply will call them with its own report. (In
1899 all cases, the node applying the catalog must have `report = true`.)
1901 See the report reference for information on the built-in report
1902 handlers; custom report handlers can also be loaded from modules.
1903 (Report handlers are loaded from the lib directory, at
1904 `puppet/reports/NAME.rb`.)
1908 <prop_pattern name="reporturl" required="false" type="uri">
1910 <loctext xml:lang="C">
1911 The URL that reports should be forwarded to. This setting
1912 is only used when the `http` report processor is enabled (see the
1917 <prop_pattern name="req_bits" required="false" type="integer">
1919 <loctext xml:lang="C">
1920 The bit length of the certificates.
1924 <prop_pattern name="requestdir" required="false" type="astring">
1926 <loctext xml:lang="C">
1927 Where host certificate requests are stored.
1931 <prop_pattern name="resourcefile" required="false" type="astring">
1933 <loctext xml:lang="C">
1934 The file in which puppet agent stores a list of the resources
1935 associated with the retrieved configuration.
1939 <prop_pattern name="rest_authconfig" required="false" type="astring">
1941 <loctext xml:lang="C">
1942 The configuration file that defines the rights to the different
1943 rest indirections. This can be used as a fine-grained
1944 authorization system for `puppet master`.
1948 <prop_pattern name="route_file" required="false" type="astring">
1950 <loctext xml:lang="C">
1951 The YAML file containing indirector route configuration.
1955 <prop_pattern name="rrddir" required="false" type="astring">
1957 <loctext xml:lang="C">
1958 The directory where RRD database files are stored.
1959 Directories for each reporting host will be created under
1964 <prop_pattern name="rrdinterval" required="false" type="integer">
1966 <loctext xml:lang="C">
1967 How often RRD should expect data.
1968 This should match how often the hosts report back to the server. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
1972 <prop_pattern name="rundir" required="false" type="astring">
1974 <loctext xml:lang="C">
1975 Where Puppet PID files are kept.
1979 <prop_pattern name="runinterval" required="false" type="integer">
1981 <loctext xml:lang="C">
1982 How often puppet agent applies the catalog.
1983 Note that a runinterval of 0 means "run continuously" rather than
1984 "never run." If you want puppet agent to never run, you should start
1985 it with the `--no-client` option. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
1989 <prop_pattern name="sendmail" required="false" type="astring">
1991 <loctext xml:lang="C">
1992 Where to find the sendmail binary with which to send email.
1996 <prop_pattern name="serial" required="false" type="astring">
1998 <loctext xml:lang="C">
1999 Where the serial number for certificates is stored.
2003 <prop_pattern name="server" required="false" type="host">
2005 <loctext xml:lang="C">
2006 The puppet master server to which the puppet agent should connect.
2010 <prop_pattern name="server_datadir" required="false" type="astring">
2012 <loctext xml:lang="C">
2013 The directory in which serialized data is stored, usually in a subdirectory.
2017 <prop_pattern name="show_diff" required="false" type="boolean">
2019 <loctext xml:lang="C">
2020 Whether to log and report a contextual diff when files are being replaced.
2021 This causes partial file contents to pass through Puppet's normal
2022 logging and reporting system, so this setting should be used with
2023 caution if you are sending Puppet's reports to an insecure
2024 destination. This feature currently requires the `diff/lcs` Ruby
2029 <prop_pattern name="signeddir" required="false" type="astring">
2031 <loctext xml:lang="C">
2032 Where the CA stores signed certificates.
2036 <prop_pattern name="smtphelo" required="false" type="astring">
2038 <loctext xml:lang="C">
2039 The name by which we identify ourselves in SMTP HELO for reports.
2040 If you send to a smtpserver which does strict HELO checking (as with Postfix's
2041 `smtpd_helo_restrictions` access controls), you may need to ensure this resolves.
2045 <prop_pattern name="smtpport" required="false" type="integer">
2047 <loctext xml:lang="C">
2048 The TCP port through which to send email reports.
2052 <prop_pattern name="smtpserver" required="false" type="host">
2054 <loctext xml:lang="C">
2055 The server through which to send email reports.
2059 <prop_pattern name="splay" required="false" type="boolean">
2061 <loctext xml:lang="C">
2062 Whether to sleep for a pseudo-random (but consistent) amount of time before
2067 <prop_pattern name="splaylimit" required="false" type="integer">
2069 <loctext xml:lang="C">
2070 The maximum time to delay before runs. Defaults to being the same as the
2071 run interval. This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
2075 <prop_pattern name="srv_domain" required="false" type="host">
2077 <loctext xml:lang="C">
2078 The domain which will be queried to find the SRV records of servers to use.
2082 <prop_pattern name="ssl_client_ca_auth" required="false" type="astring">
2084 <loctext xml:lang="C">
2085 Certificate authorities who issue server certificates. SSL servers will not be
2086 considered authentic unless they possess a certificate issued by an authority
2087 listed in this file. If this setting has no value then the Puppet master's CA
2088 certificate (localcacert) will be used.
2092 <prop_pattern name="ssl_client_header" required="false" type="astring">
2094 <loctext xml:lang="C">
2095 The header containing an authenticated client's SSL DN.
2096 This header must be set by the proxy to the authenticated client's SSL
2097 DN (e.g., `/CN=puppet.puppetlabs.com`). Puppet will parse out the Common
2098 Name (CN) from the Distinguished Name (DN) and use the value of the CN
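2099 field for authorization. Because this value drives authorization, the proxy must overwrite or discard any copy of this header supplied by the client.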
2101 Note that the name of the HTTP header gets munged by the web server
2102 common gateway interface: an `HTTP_` prefix is added, dashes are converted
2103 to underscores, and all letters are uppercased. Thus, to use the
2104 `X-Client-DN` header, this setting should be `HTTP_X_CLIENT_DN`.
2108 <prop_pattern name="ssl_client_verify_header" required="false" type="astring">
2110 <loctext xml:lang="C">
2111 The header containing the status message of the client
2112 verification. This header must be set by the proxy to 'SUCCESS' if the
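2113 client successfully authenticated, and anything else otherwise. The proxy must overwrite or discard any copy of this header supplied by the client, so that only the proxy's own verification result reaches Puppet.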
2115 Note that the name of the HTTP header gets munged by the web server
2116 common gateway interface: an `HTTP_` prefix is added, dashes are converted
2117 to underscores, and all letters are uppercased. Thus, to use the
2118 `X-Client-Verify` header, this setting should be
2119 `HTTP_X_CLIENT_VERIFY`.
2123 <prop_pattern name="ssl_server_ca_auth" required="false" type="astring">
2125 <loctext xml:lang="C">
2126 Certificate authorities who issue client certificates. SSL clients will not be
2127 considered authentic unless they possess a certificate issued by an authority
2128 listed in this file. If this setting has no value then the Puppet master's CA
2129 certificate (localcacert) will be used.
2133 <prop_pattern name="ssldir" required="false" type="astring">
2135 <loctext xml:lang="C">
2136 Where SSL certificates are kept.
2140 <prop_pattern name="statedir" required="false" type="astring">
2142 <loctext xml:lang="C">
2143 The directory where Puppet state is stored. Generally,
2144 this directory can be removed without causing harm (although it
2145 might result in spurious service restarts).
2149 <prop_pattern name="statefile" required="false" type="astring">
2151 <loctext xml:lang="C">
2152 Where puppet agent and puppet master store state associated
2153 with the running configuration. In the case of puppet master,
2154 this file reflects the state discovered through interacting
2159 <prop_pattern name="storeconfigs" required="false" type="boolean">
2161 <loctext xml:lang="C">
2162 Whether to store each client's configuration, including catalogs, facts,
2163 and related data. This also enables the import and export of resources in
2164 the Puppet language - a mechanism for exchanging resources between nodes.
2166 By default this uses ActiveRecord and an SQL database to store and query
2167 the data; this, in turn, will depend on Rails being available.
2169 You can adjust the backend using the storeconfigs_backend setting.
2173 <prop_pattern name="storeconfigs_backend" required="false" type="astring">
2175 <loctext xml:lang="C">
2176 Configure the backend terminus used for StoreConfigs.
2177 By default, this uses the ActiveRecord store, which directly talks to the
2178 database from within the Puppet Master process.
2182 <prop_pattern name="strict_hostname_checking" required="false" type="boolean">
2184 <loctext xml:lang="C">
2185 Whether to only search for the complete
2186 hostname as it is in the certificate when searching for node information
2191 <prop_pattern name="strict_variables" required="false" type="boolean">
2193 <loctext xml:lang="C">
2194 Makes the parser raise errors when referencing unknown variables. (This does not affect
2195 referencing variables that are explicitly set to undef).
2199 <prop_pattern name="stringify_facts" required="false" type="boolean">
2201 <loctext xml:lang="C">
2202 Flatten fact values to strings using `to_s`. This means you can't have arrays or
2203 hashes as fact values. (DEPRECATED) This option will be removed in Puppet 4.0.
2207 <prop_pattern name="summarize" required="false" type="boolean">
2209 <loctext xml:lang="C">
2210 Whether to print a transaction summary.
2214 <prop_pattern name="syslogfacility" required="false" type="astring">
2216 <loctext xml:lang="C">
2217 What syslog facility to use when logging to syslog.
2218 Syslog has a fixed list of valid facilities, and you must
2219 choose one of those; you cannot just make one up.
2223 <prop_pattern name="tagmap" required="false" type="astring">
2225 <loctext xml:lang="C">
2226 The mapping between reporting tags and email addresses.
2230 <prop_pattern name="tags" required="false" type="astring">
2232 <loctext xml:lang="C">
2233 Tags to use to find resources. If this is set, then
2234 only resources tagged with the specified tags will be applied.
2235 Values must be comma-separated.
2239 <prop_pattern name="templatedir" required="false" type="astring">
2241 <loctext xml:lang="C">
2242 Where Puppet looks for template files. Can be a list of colon-separated
2245 This setting is deprecated. Please put your templates in modules instead.
2249 <prop_pattern name="thin_storeconfigs" required="false" type="boolean">
2251 <loctext xml:lang="C">
2252 Boolean; whether Puppet should store only facts and exported resources in the storeconfigs
2253 database. This will improve the performance of exported resources with the older
2254 `active_record` backend, but will disable external tools that search the storeconfigs database.
2255 Thinning catalogs is generally unnecessary when using PuppetDB to store catalogs.
2259 <prop_pattern name="trace" required="false" type="boolean">
2261 <loctext xml:lang="C">
2262 Whether to print stack traces on some errors.
2266 <prop_pattern name="trusted_node_data" required="false" type="boolean">
2268 <loctext xml:lang="C">
2269 Stores trusted node data in a hash called $trusted.
2270 When true, this also prevents $trusted from being overridden in any scope.
2274 <prop_pattern name="use_cached_catalog" required="false" type="boolean">
2276 <loctext xml:lang="C">
2277 Whether to only use the cached catalog rather than compiling a new catalog
2278 on every run. Puppet can be run with this enabled by default and then selectively
2279 disabled when a recompile is desired.
2283 <prop_pattern name="use_srv_records" required="false" type="boolean">
2285 <loctext xml:lang="C">
2286 Whether the server will search for SRV records in DNS for the current domain.
2290 <prop_pattern name="usecacheonfailure" required="false" type="boolean">
2292 <loctext xml:lang="C">
2293 Whether to use the cached configuration when the remote
2294 configuration will not compile. This option is useful for testing
2295 new configurations, where you want to fix the broken configuration
2296 rather than reverting to a known-good one.
2300 <prop_pattern name="user" required="false" type="astring">
2302 <loctext xml:lang="C">
2303 The user puppet master should run as.
2307 <prop_pattern name="vardir" required="false" type="astring">
2309 <loctext xml:lang="C">
2310 Where Puppet stores dynamic and growing data. The default for this
2311 setting is calculated specially, like `confdir`.
2315 <prop_pattern name="waitforcert" required="false" type="integer">
2317 <loctext xml:lang="C">
2318 How frequently puppet agent should ask for a signed certificate.
2320 When starting for the first time, puppet agent will submit a certificate
2321 signing request (CSR) to the server named in the `ca_server` setting
2322 (usually the puppet master); this may be autosigned, or may need to be
2323 approved by a human, depending on the CA server's configuration.
2325 Puppet agent cannot apply configurations until its approved certificate is
2326 available. Since the certificate may or may not be available immediately,
2327 puppet agent will repeatedly try to fetch it at this interval. You can
2328 turn off waiting for certificates by specifying a time of 0, in which case
2329 puppet agent will exit if it cannot get a cert.
2330 This setting can be a time interval in seconds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).
2334 <prop_pattern name="yamldir" required="false" type="astring">
2336 <loctext xml:lang="C">
2337 The directory in which YAML data is stored, usually in a subdirectory.
2341 <prop_pattern name="zlib" required="false" type="boolean">
2343 <loctext xml:lang="C">
2344 Boolean; whether to use the zlib library