
man pages section 5: File Formats


Updated: Wednesday, February 9, 2022
 
 

puppet.conf (5)

Name

puppet.conf - Man page for 'puppet.conf' in section 5

Synopsis

Please see following description for synopsis

Description

PUPPETCONF(5)                    Puppet manual                   PUPPETCONF(5)



This page is autogenerated; any changes will get overwritten

Configuration settings
       o   Each  of  these  settings can be specified in puppet.conf or on the
           command line.

       o   Puppet Enterprise (PE) and open source Puppet share the
           configuration settings that are documented here. However, PE
           defaults for some settings differ from the open source Puppet
           defaults. Some examples of settings that have different PE defaults
           include disable_i18n, environment_timeout, always_retry_plugins,
           and the Puppet Server JRuby max-active-instances setting. To verify
           PE configuration defaults, check the puppet.conf file after
           installation.

       o   When using boolean settings on the command line, use --setting  and
           --no-setting  instead  of  --setting (true|false). (Using --setting
           false results in "Error: Could not parse application options: need-
           less argument".)

       o   Settings  can  be  interpolated  as  $variables  in other settings;
           $environment is special, in that  puppet  master  will  interpolate
           each agent node's environment instead of its own.

       o   Multiple  values should be specified as comma-separated lists; mul-
           tiple directories should be separated with the system path  separa-
           tor (usually a colon).

       o   Settings that represent time intervals should be specified in dura-
           tion format: an integer immediately followed by one  of  the  units
           'y' (years of 365 days), 'd' (days), 'h' (hours), 'm' (minutes), or
           's' (seconds). The unit cannot be combined with  other  units,  and
           defaults  to  seconds  when  omitted.  Examples are '3600' which is
           equivalent to '1h' (one hour), and '1825d' which is  equivalent  to
           '5y' (5 years).

       o   If  you  use  the splay setting, note that the period that it waits
           changes each time the Puppet agent is restarted.

       o   Settings that take a single file or directory can optionally set
           the owner, group, and mode for their value:

               rundir = $vardir/run { owner = puppet, group = puppet, mode = 644 }

       o   The Puppet executables will ignore any setting that isn't  relevant
           to their function.



       See the configuration guide
       https://puppet.com/docs/puppet/latest/config_about_settings.html for
       more details.

   agent_catalog_run_lockfile
       A lock file to indicate that a puppet agent catalog run is currently in
       progress.  The file contains the pid of the process that holds the lock
       on the catalog run.

       o   Default: $statedir/agent_catalog_run.lock



   agent_disabled_lockfile
       A lock file to indicate that puppet agent runs  have  been  administra-
       tively disabled. File contains a JSON object with state information.

       o   Default: $statedir/agent_disabled.lock



   allow_duplicate_certs
       Whether  to  allow  a  new certificate request to overwrite an existing
       certificate.

       o   Default: false



   always_retry_plugins
       Affects how we cache attempts to load Puppet resource types and
       features. If true, then calls to Puppet.type.<type>? and
       Puppet.feature.<feature>? will always attempt to load the type or
       feature (which can be an expensive operation) unless it has already
       been loaded successfully. This makes it possible for a single agent run
       to, e.g., install a package that provides the underlying capabilities
       for a type or feature, and then later load that type or feature during
       the same run (even if the type or feature had been tested earlier and
       had not been available).

       If this setting is set to false, then types and features will  only  be
       checked  once,  and  if  they are not available, the negative result is
       cached and returned for all subsequent attempts to  load  the  type  or
       feature. This behavior is almost always appropriate for the server, and
       can result in a significant performance improvement for types and  fea-
       tures that are checked frequently.

       o   Default: true



   app_management
       This  setting has no effect and will be removed in a future Puppet ver-
       sion.

       o   Default: false



   autoflush
       Whether log files should always flush to disk.

       o   Default: true



   autosign
       Whether (and how) to autosign certificate  requests.  This  setting  is
       only  relevant  on  a  puppet  master acting as a certificate authority
       (CA).

       Valid values are true (autosigns all certificate requests;  not  recom-
       mended),  false  (disables  autosigning  certificates), or the absolute
       path to a file.

       The file specified in this setting may be either a  configuration  file
       or a custom policy executable. Puppet will automatically determine what
       it is: If the Puppet user (see the user setting) can execute the  file,
       it  will  be  treated  as  a  policy  executable; otherwise, it will be
       treated as a config file.

       If a custom policy executable is configured, the CA puppet master  will
       run  it every time it receives a CSR. The executable will be passed the
       subject CN of the request as a command line argument, and the  contents
       of the CSR in PEM format on stdin. It should exit with a status of 0 if
       the cert should be autosigned and non-zero if the cert  should  not  be
       autosigned.

       If a certificate request is not autosigned, it will persist for review.
       An admin user can use the puppet cert sign command to manually sign it,
       or can delete the request.

       For info on autosign configuration files, see the guide to Puppet's
       config files
       https://puppet.com/docs/puppet/latest/config_about_settings.html.

       o   Default: $confdir/autosign.conf



   basemodulepath
       The  search  path  for global modules. Should be specified as a list of
       directories separated by the  system  path  separator  character.  (The
       POSIX path separator is ':', and the Windows path separator is ';'.)

       These are the modules that will be used by all environments. Note that
       the modules directory of the active environment will have priority over
       any global directories. For more info, see
       https://puppet.com/docs/puppet/latest/environments_about.html

       o   Default: $codedir/modules:/usr/puppetlabs/puppet/modules



   bindaddress
       The address a listening server should bind to.

       o   Default: *



   binder_config
       The binder configuration file. Puppet reads this file on each request
       to configure the bindings system. If set to nil (the default), a
       $confdir/binder_config.yaml is optionally loaded. If it does not
       exist, a default configuration is used. If the setting :binding_config
       is specified, it must reference a valid and existing yaml file.

       Default:


   bucketdir
       Where FileBucket files are stored.

       o   Default: $vardir/bucket



   ca
       Whether the master should function as a certificate authority.

       o   Default: true



   ca_name
       The name to use for the Certificate Authority certificate.

       o   Default: Puppet CA: $certname



   ca_port
       The port to use for the certificate authority.

       o   Default: $masterport



   ca_server
       The server to use for certificate authority requests. It's  a  separate
       server because it cannot and does not need to horizontally scale.

       o   Default: $server



   ca_ttl
       The default TTL for new certificates. This setting can be a time inter-
       val in seconds (30 or 30s), minutes (30m), hours (6h),  days  (2d),  or
       years (5y).

       o   Default: 5y



   cacert
       The CA certificate.

       o   Default: $cadir/ca_crt.pem



   cacrl
       The  certificate  revocation  list  (CRL)  for  the CA. Will be used if
       present but otherwise ignored.

       o   Default: $cadir/ca_crl.pem



   cadir
       The root directory for the certificate authority.

       o   Default: $ssldir/ca



   cakey
       The CA private key.

       o   Default: $cadir/ca_key.pem



   capass
       Where the CA stores the password for the private key. This  setting  is
       deprecated and will be removed in Puppet 6.

       o   Default: $caprivatedir/ca.pass



   caprivatedir
       Where  the  CA  stores private certificate information. This setting is
       deprecated and will be removed in Puppet 6.

       o   Default: $cadir/private



   capub
       The CA public key.

       o   Default: $cadir/ca_pub.pem



   catalog_cache_terminus
       How to store cached catalogs. Valid values are  'json',  'msgpack'  and
       'yaml'. The agent application defaults to 'json'.

       Default:


   catalog_terminus
       Where  to get node catalogs. This is useful to change if, for instance,
       you'd like to pre-compile catalogs and store them in memcached or  some
       other easily-accessed store.

       o   Default: compiler



   cert_inventory
       The  inventory  file. This is a text file to which the CA writes a com-
       plete listing of all certificates.

       o   Default: $cadir/inventory.txt



   certdir
       The certificate directory.

       o   Default: $ssldir/certs



   certificate_revocation
       Whether certificate revocation checking should  be  enabled,  and  what
       level of checking should be performed.

       When  certificate_revocation  is  set to 'true' or 'chain', Puppet will
       download the CA CRL and will perform revocation checking  against  each
       certificate in the chain.

       Puppet is unable to load multiple CRLs, so if certificate_revocation is
       set to 'chain' and Puppet attempts to verify a certificate signed by  a
       root CA the behavior is equivalent to the 'leaf' setting, and if Puppet
       attempts to verify a certificate signed by an intermediate CA then ver-
       ification  will fail as Puppet will be unable to load the multiple CRLs
       required for full chain checking. As such the 'chain' setting  is  lim-
       ited  in functionality and is meant as a stand in pending the implemen-
       tation of full chain checking.

       When certificate_revocation is set to 'leaf', Puppet will download  the
       CA CRL and will verify the leaf certificate against that CRL. CRLs will
       not be fetched or checked for the  rest  of  the  certificates  in  the
       chain.  If  you  are  using  an intermediate CA certificate and want to
       enable certificate revocation checking, this setting  must  be  set  to
       'leaf'.

       When  certificate_revocation is set to 'false', Puppet will disable all
       certificate revocation checking and will not attempt  to  download  the
       CRL.

       o   Default: chain



   certname
       The name to use when handling certificates. When a node requests a cer-
       tificate from the CA puppet master, it uses the value of  the  certname
       setting as its requested Subject CN.

       This  is  the name used when managing a node's permissions in auth.conf
       https://puppet.com/docs/puppet/latest/config_file_auth.html.  In   most
       cases,  it  is  also used as the node's name when matching node defini-
       tions  https://puppet.com/docs/puppet/latest/lang_node_definitions.html
       and  requesting  data  from  an  ENC.  (This  can  be  changed with the
       node_name_value and node_name_fact settings, although you  should  only
       do so if you have a compelling reason.)

       A node's certname is available in Puppet manifests as
       $trusted['certname']. (See Facts and Built-In Variables
       https://puppet.com/docs/puppet/latest/lang_facts_and_builtin_vars.html
       for more details.)

       o   For best compatibility, you should limit the value of certname to
           only use lowercase letters, numbers, periods, underscores, and
           dashes. (That is, it should match /\A[a-z0-9._-]+\Z/.)

       o   The special value ca is reserved, and can't be used as the certname
           for a normal node.



       Defaults to the node's fully qualified domain name.

       o   Default: the Host's fully qualified domain name, as  determined  by
           facter



   classfile
       The  file in which puppet agent stores a list of the classes associated
       with the retrieved configuration. Can be loaded in the separate  puppet
       executable using the --loadclasses option.

       o   Default: $statedir/classes.txt



   client_datadir
       The directory in which serialized data is stored on the client.

       o   Default: $vardir/client_data



   clientbucketdir
       Where FileBucket files are stored locally.

       o   Default: $vardir/clientbucket



   clientyamldir
       The directory in which client-side YAML data is stored.

       o   Default: $vardir/client_yaml



   code
       Code  to  parse  directly. This is essentially only used by puppet, and
       should only be set if you're writing your own Puppet executable.

   codedir
       The main Puppet code directory. The default for this setting is  calcu-
       lated  based on the user. If the process is running as root or the user
       that Puppet is supposed to run as, it defaults to a  system  directory,
       but  if  it's  running  as  any other user, it defaults to being in the
       user's home directory.

       o   Default: Unix/Linux: /etc/puppetlabs/code -- Windows:
           C:\ProgramData\PuppetLabs\code -- Non-root user: ~/.puppetlabs/etc/code



   color
       Whether  to  use  colors  when logging to the console. Valid values are
       ansi (equivalent to true), html, and false, which  produces  no  color.
       Defaults to false on Windows, as its console does not support ansi col-
       ors.

       o   Default: ansi



   confdir
       The main Puppet configuration directory. The default for  this  setting
       is  calculated  based on the user. If the process is running as root or
       the user that Puppet is supposed to run as, it  defaults  to  a  system
       directory,  but if it's running as any other user, it defaults to being
       in the user's home directory.

       o   Default: Unix/Linux: /etc/puppetlabs/puppet -- Windows:
           C:\ProgramData\PuppetLabs\puppet\etc -- Non-root user:
           ~/.puppetlabs/etc/puppet



   config
       The configuration file for the current puppet application.

       o   Default: $confdir/${config_file_name}



   config_file_name
       The name of the puppet config file.

       o   Default: puppet.conf



   config_version
       How to determine the configuration version. By default, it will be  the
       time  that  the  configuration  is  parsed, but you can provide a shell
       script to override how the version is determined. The  output  of  this
       script  will be added to every log message in the reports, allowing you
       to correlate changes on your hosts to the source version on the server.

       Setting a global value for config_version in puppet.conf is not allowed
       (but it can be overridden from the command line). Please set a
       per-environment value in environment.conf instead. For more info, see
       https://puppet.com/docs/puppet/latest/environments_about.html

   configprint
       Prints  the value of a specific configuration setting. If the name of a
       setting is provided for this, then the  value  is  printed  and  puppet
       exits.  Comma-separate multiple values. For a list of all values, spec-
       ify 'all'. This setting is  deprecated,  the  'puppet  config'  command
       replaces this functionality.

   configtimeout
       How  long  the client should wait for the configuration to be retrieved
       before considering it a failure. This setting  is  deprecated  and  has
       been  replaced by http_connect_timeout and http_read_timeout. This set-
       ting can be a time interval in seconds  (30  or  30s),  minutes  (30m),
       hours (6h), days (2d), or years (5y).

       o   Default: 2m



   csr_attributes
       An  optional  file  containing  custom attributes to add to certificate
       signing requests (CSRs). You should ensure  that  this  file  does  not
       exist on your CA puppet master; if it does, unwanted certificate exten-
       sions may leak into certificates created with the puppet cert  generate
       command.

       If   present,  this  file  must  be  a  YAML  hash  containing  a  cus-
       tom_attributes key and/or an extension_requests key. The value of  each
       key  must be a hash, where each key is a valid OID and each value is an
       object that can be cast to a string.

       Custom attributes can be used by the CA when deciding whether  to  sign
       the  certificate, but are then discarded. Attribute OIDs can be any OID
       value except the standard CSR attributes (i.e. attributes described  in
       RFC  2985  section  5.4). This is useful for embedding a pre-shared key
       for autosigning policy executables (see the autosign setting), often by
       using the 1.2.840.113549.1.9.7 ("challenge password") OID.

       Extension requests will be permanently embedded in the final
       certificate. Extension OIDs must be in the "ppRegCertExt"
       (1.3.6.1.4.1.34380.1.1), "ppPrivCertExt" (1.3.6.1.4.1.34380.1.2), or
       "ppAuthCertExt" (1.3.6.1.4.1.34380.1.3) OID arcs. The ppRegCertExt arc
       is reserved for four of the most common pieces of data to embed:
       pp_uuid (.1), pp_instance_id (.2), pp_image_name (.3), and
       pp_preshared_key (.4) --- in the YAML file, these can be referred to by
       their short descriptive names instead of their full OID. The
       ppPrivCertExt arc is unregulated, and can be used for site-specific
       extensions. The ppAuthCertExt arc is reserved for two pieces of data to
       embed: pp_authorization (.1) and pp_auth_role (.13). As with
       ppRegCertExt, in the YAML file, these can be referred to by their short
       descriptive name instead of their full OID.

       o   Default: $confdir/csr_attributes.yaml
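
       An autosign policy executable of the kind described under autosign,
       checking the pre-shared key that csr_attributes places under the
       challenge password OID. This is an added example, not Puppet's own
       code; PSK_FILE and the sample_csr helper are assumptions made for
       illustration.

```ruby
#!/usr/bin/env ruby
# Added example (not Puppet's own code): an autosign policy executable.
# Puppet runs it as `<file> <subject CN>` with the CSR in PEM format on stdin;
# exit status 0 autosigns, non-zero leaves the request for manual review.
require 'openssl'

CHALLENGE_PASSWORD_OID = '1.2.840.113549.1.9.7'   # OID named in csr_attributes
CERTNAME_PATTERN = /\A[a-z0-9._-]+\Z/             # pattern from the certname entry
PSK_FILE = '/etc/puppetlabs/puppet/autosign.psk'  # hypothetical secret location

# Compare two strings without stopping at the first differing byte.
def secure_equal?(left, right)
  a = OpenSSL::Digest.digest('SHA256', left).bytes
  b = OpenSSL::Digest.digest('SHA256', right).bytes
  a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the challenge password carried in the CSR attributes, or nil.
def challenge_password(csr)
  attr = csr.attributes.find do |a|
    OpenSSL::ASN1::ObjectId.new(a.oid).oid == CHALLENGE_PASSWORD_OID
  end
  first = attr&.value&.value&.first
  first.respond_to?(:value) ? first.value.to_s : nil
end

# Decide whether to autosign; returns [decision, reason].
def autosign_decision(certname, csr_pem, expected_psk)
  return [false, 'no secret configured'] if expected_psk.to_s.empty?
  return [false, 'certname fails pattern'] unless certname.match?(CERTNAME_PATTERN)
  return [false, 'certname "ca" is reserved'] if certname == 'ca'

  begin
    csr = OpenSSL::X509::Request.new(csr_pem)
  rescue OpenSSL::OpenSSLError
    return [false, 'CSR not parseable']
  end
  return [false, 'CSR signature invalid'] unless csr.verify(csr.public_key)

  # The CN inside the CSR must agree with the argument Puppet passed.
  cn = csr.subject.to_a.find { |field, _value, _type| field == 'CN' }&.at(1)
  return [false, 'CN does not match argument'] unless cn == certname

  supplied = challenge_password(csr)
  return [false, 'no challenge password'] if supplied.nil?
  return [false, 'challenge password mismatch'] unless secure_equal?(supplied, expected_psk)

  [true, 'ok']
end

# Constructed sample input: a throwaway CSR like the one an agent would send.
def sample_csr(certname, psk = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if psk
    value = OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(psk)])
    csr.add_attribute(OpenSSL::X509::Attribute.new('challengePassword', value))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  # Any exception (for example a missing PSK_FILE) exits non-zero: fail closed.
  ok, reason = autosign_decision(ARGV[0], $stdin.read, File.read(PSK_FILE).strip)
  warn "autosign #{ok ? 'granted' : 'denied'} for #{ARGV[0].inspect}: #{reason}"
  exit(ok ? 0 : 1)
end
```

       The file must be executable by the Puppet user for the CA to treat
       it as a policy executable rather than as a config file.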



   csrdir
       Where the CA stores certificate requests.

       o   Default: $cadir/requests



   daemonize
       Whether  to send the process into the background. This defaults to true
       on POSIX systems, and to false on Windows (where Puppet currently  can-
       not daemonize).

       o   Default: true



   data_binding_terminus
       This  setting  has been deprecated. Use of any value other than 'hiera'
       should instead be configured in a version 5 hiera.yaml. Until this set-
       ting  is  removed,  it  controls which data binding terminus to use for
       global automatic data binding (across  all  environments).  By  default
       this value is 'hiera'. A value of 'none' turns off the global binding.

       o   Default: hiera



   default_file_terminus
       The default source for files if no server is given in a uri, e.g.
       puppet:///file. The default of rest causes the file to be retrieved
       using the server setting. When running apply the default is
       file_server, causing requests to be filled locally.

       o   Default: rest



   default_manifest
       The default main manifest for directory environments.  Any  environment
       that doesn't set the manifest setting in its environment.conf file will
       use this manifest.

       This setting's value can be an absolute or relative path.  An  absolute
       path  will  make  all environments default to the same main manifest; a
       relative path will allow each environment to use its own manifest,  and
       Puppet will resolve the path relative to each environment's main direc-
       tory.

       In either case, the path can point to a single file or to  a  directory
       of manifests to be evaluated in alphabetical order.

       o   Default: ./manifests



   default_schedules
       Boolean;  whether  to  generate the default schedule resources. Setting
       this to false is useful for keeping external report processors clean of
       skipped schedule resources.

       o   Default: true



   deviceconfig
       Path to the device config file for puppet device.

       o   Default: $confdir/device.conf



   devicedir
       The root directory of devices' $vardir.

       o   Default: $vardir/devices



   diff
       Which diff command to use when printing differences between files. This
       setting has no default value on Windows, as standard diff is not avail-
       able, but Puppet can use many third-party diff tools.

       o   Default: diff



   diff_args
       Which  arguments  to pass to the diff command when printing differences
       between files. The command to use can be chosen with the diff setting.

       o   Default: -u



   digest_algorithm
       Which digest algorithm to use for file resources  and  the  filebucket.
       Valid values are md5, sha256, sha384, sha512, sha224. Default is md5.

       o   Default: md5



   disable_i18n
       If  true, turns off all translations of Puppet and module log messages,
       which affects error, warning, and info log messages,  as  well  as  any
       translations in the report and CLI.

       o   Default: false



   disable_per_environment_manifest
       Whether  to disallow an environment-specific main manifest. When set to
       true, Puppet will use the manifest specified  in  the  default_manifest
       setting  for  all environments. If an environment specifies a different
       main manifest in its environment.conf file, catalog requests  for  that
       environment will fail with an error.

       This setting requires default_manifest to be set to an absolute path.

       o   Default: false



   disable_warnings
       A  comma-separated  list of warning types to suppress. If large numbers
       of warnings are making Puppet's logs too large or difficult to use, you
       can temporarily silence them with this setting.

       If  you  are  preparing  to  upgrade Puppet to a new major version, you
       should re-enable all warnings for a while.

       Valid values for this setting are:

       o   deprecations --- disables deprecation warnings.

       o   undefined_variables --- disables warnings about non existing  vari-
           ables.

       o   undefined_resources   ---  disables  warnings  about  non  existing
           resources.

       o   Default: []



   dns_alt_names
       A comma-separated list of alternate DNS names for Puppet Server.  These
       are  extra  hostnames  (in addition to its certname) that the server is
       allowed to use when serving agents. Puppet  checks  this  setting  when
       automatically  requesting  a  certificate  for  Puppet  agent or Puppet
       Server, and when manually generating a  certificate  with  puppet  cert
       generate.  These can be either IP or DNS, and the type should be speci-
       fied and followed with a colon. Untyped inputs will default to DNS.

       In order to handle agent requests at a given hostname (like
       "puppet.example.com"), Puppet Server needs a certificate that proves it's
       allowed to use that name; if a server shows a certificate that  doesn't
       include its hostname, Puppet agents will refuse to trust it. If you use
       a single hostname for Puppet traffic but load-balance  it  to  multiple
       Puppet  Servers,  each  of  those servers needs to include the official
       hostname in its list of extra names.

       Note: The list of alternate names is locked in when the  server's  cer-
       tificate  is  signed.  If  you need to change the list later, you can't
       just change this setting; you also need to:

       o   On the server: Stop Puppet Server.

       o   On the CA server: Revoke and clean the  server's  old  certificate.
           (puppet  cert  clean  <NAME>) (Note puppet cert clean is deprecated
           and will be replaced with puppetserver ca clean in Puppet 6.)

       o   On the server: Delete the old certificate (and any old certificate
           signing requests) from the ssldir
           https://puppet.com/docs/puppet/latest/dirs_ssldir.html.

       o   On the server: Run puppet agent -t  --ca_server  <CA  HOSTNAME>  to
           request a new certificate

       o   On the CA server: Sign the certificate request, explicitly allowing
           alternate names (puppet cert sign --allow-dns-alt-names <NAME>).
           (Note puppet cert sign is deprecated and will be replaced with
           puppetserver ca sign in Puppet 6.)

       o   On the server: Run puppet agent -t  --ca_server  <CA  HOSTNAME>  to
           retrieve the cert.

       o   On the server: Start Puppet Server again.



       To see all the alternate names your servers are using, log into your CA
       server and run puppet cert list -a, then  check  the  output  for  (alt
       names: ...). Most agent nodes should NOT have alternate names; the only
       certs that should have them are Puppet Server nodes that you want other
       agents to trust.

   document_all
       Whether  to  document  all  resources when using puppet doc to generate
       manifest documentation.

       o   Default: false



   environment
       The environment in which Puppet is running. For clients, such as puppet
       agent,  this  determines  the  environment itself, which Puppet uses to
       find modules and much more. For servers, such as  puppet  master,  this
       provides  the  default  environment for nodes that Puppet knows nothing
       about.

       When defining an environment in the [agent] section, this refers to the
       environment  that  the  agent requests from the master. The environment
       doesn't have to exist on the local filesystem because the agent fetches
       it from the master. This definition is used when running puppet agent.

       When  defined in the [user] section, the environment refers to the path
       that Puppet uses to search for code and modules related to  its  execu-
       tion.  This requires the environment to exist locally on the filesystem
       where puppet is being executed. Puppet  subcommands,  including  puppet
       module and puppet apply, use this definition.

       Given that the context and effects vary depending on the config section
       https://puppet.com/docs/puppet/latest/config_file_main.html#config-sections
       in which the environment setting is defined, do not set it globally.

       o   Default: production



   environment_data_provider
       The name of a registered environment data provider used when  obtaining
       environment  specific data. The three built in and registered providers
       are 'none' (no data), 'function' (data obtained by calling the function
       'environment::data()') and 'hiera' (data obtained using a data provider
       configured using a hiera.yaml file in root of the  environment).  Other
       environment  data  providers may be registered in modules on the module
       path. For such custom data providers see the respective module documen-
       tation. This setting is deprecated.

       Default:


   environment_timeout
       How  long the Puppet master should cache data it loads from an environ-
       ment. This setting can be a time interval in seconds (30 or 30s),  min-
       utes  (30m),  hours  (6h),  days (2d), or years (5y). A value of 0 will
       disable caching. This setting can also be set to unlimited, which  will
       cache environments until the master is restarted or told to refresh the
       cache.

       You should change this setting once your  Puppet  deployment  is  doing
       non-trivial  work.  We chose the default value of 0 because it lets new
       users update their code without any extra steps, but it lowers the per-
       formance of your Puppet master.

       We  recommend  setting this to unlimited and explicitly refreshing your
       Puppet master as part of your code deployment process.

       o   With Puppet Server, you should refresh environments by calling  the
           environment-cache  API endpoint. See the docs for the Puppet Server
           administrative API.

       o   With a Rack Puppet master, you should restart the web server or the
           application  server. Passenger lets you touch a restart.txt file to
           refresh an application without restarting Apache; see the Passenger
           docs for details.



       We  don't  recommend  using  any value other than 0 or unlimited, since
       most Puppet masters use a pool of  Ruby  interpreters  which  all  have
       their own cache timers. When these timers drift out of sync, agents can
       be served inconsistent catalogs.

       o   Default: 0
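
       A lint pass over puppet.conf for the values this page calls out:
       autosign = true, allow_duplicate_certs, certificate_revocation =
       false, digest_algorithm = md5, a global environment, an
       environment_timeout other than 0 or unlimited, and deprecated
       settings. This is an added example, not part of Puppet; the function
       names and the sample file are constructed for illustration, and only
       explicitly set values are inspected, not defaults.

```ruby
# Added example (not part of Puppet): flag puppet.conf settings that this
# page describes as risky, deprecated, or misplaced.
DEPRECATED = %w[app_management capass caprivatedir configprint configtimeout
                data_binding_terminus environment_data_provider].freeze

# Each rule returns a message string when the value is a problem, else false.
RULES = {
  'autosign' => ->(v) { v == 'true' && 'signs every certificate request without review' },
  'allow_duplicate_certs' =>
    ->(v) { v == 'true' && 'a new request can overwrite an existing certificate' },
  'certificate_revocation' =>
    ->(v) { v == 'false' && 'revocation checking is off and the CRL is never downloaded' },
  'digest_algorithm' =>
    ->(v) { v == 'md5' && 'md5 is collision-prone; sha256 or stronger is a valid value' },
  'environment_timeout' =>
    ->(v) { !%w[0 unlimited].include?(v) && 'only 0 or unlimited avoid inconsistent catalogs' }
}.freeze

# Parse puppet.conf text into { section => { setting => value } }.
# Assumption: settings that appear before any [section] header belong to main.
def parse_puppet_conf(text)
  conf = Hash.new { |hash, key| hash[key] = {} }
  section = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      # Drop the optional "{ owner = ..., mode = ... }" suffix on file settings.
      conf[section][m[1]] = m[2].sub(/\s*\{[^}]*\}\z/, '').strip
    end
  end
  conf
end

# Return findings as [section, setting, message] triples, in file order.
def audit_puppet_conf(text)
  findings = []
  parse_puppet_conf(text).each do |section, settings|
    settings.each do |name, value|
      message = RULES[name]&.call(value)
      findings << [section, name, message] if message
      findings << [section, name, 'deprecated setting'] if DEPRECATED.include?(name)
      if name == 'environment' && section == 'main'
        findings << [section, name, 'set it per section, not globally']
      end
      if name == 'config_version'
        findings << [section, name, 'not allowed here; set it in environment.conf']
      end
    end
  end
  findings
end

# Constructed sample file, not taken from a real deployment.
SAMPLE_CONF = <<~'CONF'
  # constructed sample
  [main]
  environment = staging
  digest_algorithm = md5
  rundir = $vardir/run { owner = puppet, group = puppet, mode = 644 }

  [master]
  autosign = true
  certificate_revocation = false
  environment_timeout = 5m
  ca_ttl = 5y

  [agent]
  configtimeout = 2m
  certificate_revocation = leaf
CONF

if $PROGRAM_NAME == __FILE__
  text = ARGV.empty? ? SAMPLE_CONF : File.read(ARGV[0])
  audit_puppet_conf(text).each { |sec, name, msg| puts "[#{sec}] #{name}: #{msg}" }
end
```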



   environmentpath
       A search path for directory environments, as a list of directories sep-
       arated  by the system path separator character. (The POSIX path separa-
       tor is ':', and the Windows path separator is ';'.)

       This setting must have a value set to  enable  directory  environments.
       The  recommended  value is $codedir/environments. For more details, see
       https://puppet.com/docs/puppet/latest/environments_about.html

       o   Default: $codedir/environments



   evaltrace
       Whether each resource should log  when  it  is  being  evaluated.  This
       allows you to interactively see exactly what is being done.

       o   Default: false



   external_nodes
       The  external node classifier (ENC) script to use for node data. Puppet
       combines this data with the main manifest to produce node catalogs.

       To enable this setting, set the node_terminus setting to exec.

       This setting's value must be the path to an executable command that can
       produce node information. The command must:

       o   Take the name of a node as a command-line argument.

       o

       o   classes --- A list of classes, as an array or hash.

       o   environment --- A string.

       o   parameters --- A list of top-scope variables to set, as a hash.




       o   For unknown nodes, exit with a non-zero exit code.



       Generally, an ENC script makes requests to an external data source.

       For more info, see the ENC documentation
       https://puppet.com/docs/puppet/latest/nodes_external.html.

       o   Default: none



   factpath
       Where Puppet should look for facts. Multiple directories should be sep-
       arated  by the system path separator character. (The POSIX path separa-
       tor is ':', and the Windows path separator is ';'.)

       o   Default: $vardir/lib/facter:$vardir/facts



   facts_terminus
       The node facts terminus.

       o   Default: facter



   fileserverconfig
       Where the fileserver configuration is stored.

       o   Default: $confdir/fileserver.conf



   filetimeout
       The minimum time to wait between checking for updates in  configuration
       files. This timeout determines how quickly Puppet checks whether a file
       (such as manifests or templates) has changed on disk. This setting  can
       be  a  time interval in seconds (30 or 30s), minutes (30m), hours (6h),
       days (2d), or years (5y).

       o   Default: 15s



   forge_authorization
       The authorization key to connect to the Puppet Forge. Leave blank for
       unauthorized or license-based connections.

       Default:


   freeze_main
       Freezes  the 'main' class, disallowing any code to be added to it. This
       essentially means that you can't have  any  code  outside  of  a  node,
       class, or definition other than in the site manifest.

       o   Default: false



   future_features
       Whether or not to enable all features currently being developed for
       future major releases of Puppet. Should be used with caution, as
       in-development features are experimental and can have unexpected
       effects.

       o   Default: false



   genconfig
       When  true,  causes Puppet applications to print an example config file
       to stdout and exit. The example will include descriptions of each  set-
       ting, and the current (or default) value of each setting, incorporating
       any settings overridden on the CLI (with  the  exception  of  genconfig
       itself).  This  setting  only makes sense when specified on the command
       line as --genconfig.

       o   Default: false



   genmanifest
       Whether to just print a manifest to stdout and exit. Only  makes  sense
       when specified on the command line as --genmanifest. Takes into account
       arguments specified on the CLI.

       o   Default: false



   graph
       Whether to create .dot graph files, which let you visualize the
       dependency and containment relationships in Puppet's catalog. You can
       load and view these files with tools like OmniGraffle
       http://www.omnigroup.com/applications/omnigraffle/ (OS X) or graphviz
       http://www.graphviz.org/ (multi-platform).

       Graph files are created when applying a catalog, so this setting should
       be used on nodes running puppet agent or puppet apply.

       The  graphdir  setting  determines  where Puppet will save graphs. Note
       that we don't save graphs for historical runs; Puppet will replace  the
       previous .dot files with new ones every time it applies a catalog.

       See  your graphing software's documentation for details on opening .dot
       files. If you're using GraphViz's dot command, you can do a  quick  PNG
       render with dot -Tpng <DOT FILE> -o <OUTPUT FILE>.

       o   Default: false



   graphdir
       Where to save .dot-format graphs (when the graph setting is enabled).

       o   Default: $statedir/graphs



   group
       The group Puppet Server will run as. Used to ensure the agent side pro-
       cesses (agent, apply, etc) create files  and  directories  readable  by
       Puppet Server when necessary.

       o   Default: puppet



   hiera_config
       The  hiera  configuration file. Puppet only reads this file on startup,
       so you must restart the puppet master every time you edit it.

       o   Default:  $confdir/hiera.yaml.  However,  if  a  file   exists   at
           $codedir/hiera.yaml, Puppet uses that instead.



   hostcert
       Where individual hosts store and look for their certificates.

       o   Default: $certdir/$certname.pem



   hostcrl
       Where the host's certificate revocation list can be found. This is dis-
       tinct from the certificate authority's CRL.

       o   Default: $ssldir/crl.pem



   hostcsr
       Where individual hosts store and look for their certificate requests.

       o   Default: $ssldir/csr_$certname.pem



   hostprivkey
       Where individual hosts store and look for their private key.

       o   Default: $privatekeydir/$certname.pem



   hostpubkey
       Where individual hosts store and look for their public key.

       o   Default: $publickeydir/$certname.pem



   http_connect_timeout
       The maximum amount of time to wait when establishing  an  HTTP  connec-
       tion. The default value is 2 minutes. This setting can be a time inter-
       val in seconds (30 or 30s), minutes (30m), hours (6h),  days  (2d),  or
       years (5y).

       o   Default: 2m



   http_debug
       Whether to write HTTP requests and responses to stderr. This should
       never be used in a production environment.

       o   Default: false



   http_keepalive_timeout
       The maximum amount of time a persistent HTTP connection can remain idle
       in  the  connection  pool,  before it is closed. This timeout should be
       shorter than the keepalive timeout used on the HTTP server, e.g. Apache
       KeepAliveTimeout directive. This setting can be a time interval in sec-
       onds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

       o   Default: 4s



   http_proxy_host
       The HTTP proxy host to use for outgoing connections. The proxy will  be
       bypassed  if  the  server's  hostname  matches the NO_PROXY environment
       variable or no_proxy setting. Note: You may need to use a FQDN for  the
       server  hostname when using a proxy. Environment variable http_proxy or
       HTTP_PROXY will override this value.

       o   Default: none



   http_proxy_password
       The password for the user of an authenticated HTTP proxy. Requires  the
       http_proxy_user setting.

       Note  that  passwords  must  be  valid when used as part of a URL. If a
       password contains any characters with  special  meanings  in  URLs  (as
       specified  by  RFC  3986  section  2.2), they must be URL-encoded. (For
       example, # would become %23.)

       o   Default: none



   http_proxy_port
       The HTTP proxy port to use for outgoing connections

       o   Default: 3128



   http_proxy_user
       The  user  name  for  an  authenticated  HTTP   proxy.   Requires   the
       http_proxy_host setting.

       o   Default: none



   http_read_timeout
       The  time  to wait for one block to be read from an HTTP connection. If
       nothing is read after the elapsed interval then the connection will  be
       closed.  The  default  value  is  unlimited. This setting can be a time
       interval in seconds (30 or 30s), minutes (30m), hours (6h), days  (2d),
       or years (5y).

       Default:


   http_user_agent
       The HTTP User-Agent string to send when making network requests.

       o   Default: Puppet/5.5.21 Ruby/2.4.1-p111 (x86_64-linux)



   ignorecache
       This  setting has no effect and will be removed in a future Puppet ver-
       sion.

       o   Default: false



   ignoremissingtypes
       Skip searching for classes and definitions that were missing  during  a
       prior  compilation. The list of missing objects is maintained per-envi-
       ronment and persists until the environment is cleared or the master  is
       restarted.

       o   Default: false



   ignoreschedules
       Boolean;  whether  puppet agent should ignore schedules. This is useful
       for initial puppet agent runs.

       o   Default: false



   keylength
       The bit length of keys.

       o   Default: 4096



   lastrunfile
       Where puppet agent stores the last run report summary in yaml format.

       o   Default: $statedir/last_run_summary.yaml



   lastrunreport
       Where puppet agent stores the last run report in yaml format.

       o   Default: $statedir/last_run_report.yaml



   ldapattrs
       The LDAP attributes to  include  when  querying  LDAP  for  nodes.  All
       returned attributes are set as variables in the top-level scope. Multi-
       ple values should be  comma-separated.  The  value  'all'  returns  all
       attributes.

       o   Default: all



   ldapbase
       The  search  base for LDAP searches. It's impossible to provide a mean-
       ingful default here, although the LDAP libraries might have one already
       set.  Generally,  it  should  be  the 'ou=Hosts' branch under your main
       directory.

   ldapclassattrs
       The LDAP attributes to use to define Puppet classes. Values  should  be
       comma-separated.

       o   Default: puppetclass



   ldapparentattr
       The attribute to use to define the parent node.

       o   Default: parentnode



   ldappassword
       The password to use to connect to LDAP.

   ldapport
       The LDAP port. Only used if node_terminus is set to ldap.

       o   Default: 389



   ldapserver
       The LDAP server. Only used if node_terminus is set to ldap.

       o   Default: ldap



   ldapssl
       Whether  SSL should be used when searching for nodes. Defaults to false
       because SSL usually requires certificates to be set up  on  the  client
       side.

       o   Default: false



   ldapstackedattrs
       The LDAP attributes that should be stacked to arrays by adding the val-
       ues in all hierarchy elements of the tree. Values should be comma-sepa-
       rated.

       o   Default: puppetvar



   ldapstring
       The search string used to find an LDAP node.

       o   Default: (&(objectclass=puppetClient)(cn=%s))



   ldaptls
       Whether  TLS should be used when searching for nodes. Defaults to false
       because TLS usually requires certificates to be set up  on  the  client
       side.

       o   Default: false



   ldapuser
       The user to use to connect to LDAP. Must be specified as a full DN.

   libdir
       An  extra  search  path for Puppet. This is only useful for those files
       that Puppet will load on demand, and is only  guaranteed  to  work  for
       those  cases. In fact, the autoload mechanism is responsible for making
       sure this directory is in Ruby's search path

       o   Default: $vardir/lib



   localcacert
       Where each client stores the CA certificate.

       o   Default: $certdir/ca.pem



   localedest
       Where Puppet should store translation files that it pulls down from the
       central server.

       o   Default: $vardir/locales



   localesource
       From where to retrieve translation files. The standard Puppet file type
       is used for retrieval, so anything that is a valid file source  can  be
       used here.

       o   Default: puppet:///locales



   log_level
       Default logging level for messages from Puppet. Allowed values are:

       o   debug

       o   info

       o   notice

       o   warning

       o   err

       o   alert

       o   emerg

       o   crit

       o   Default: notice



   logdest
       Where  to  send log messages. Choose between 'syslog' (the POSIX syslog
       service), 'eventlog' (the Windows Event Log), 'console', or the path to
       a log file.

       Default:


   logdir
       The directory in which to store log files

       o   Default: Unix/Linux: /var/log/puppetlabs/puppet -- Windows:
           C:\ProgramData\PuppetLabs\puppet\var\log -- Non-root user:
           ~/.puppetlabs/var/log



   manage_internal_file_permissions
       Whether  Puppet  should  manage  the owner, group, and mode of files it
       uses internally

       o   Default: true



   manifest
       The entry-point manifest for puppet master. This can be one file  or  a
       directory  of  manifests  to be evaluated in alphabetical order. Puppet
       manages this path as a directory if one exists or if the path ends with
       a / or .

       Setting a global value for manifest in puppet.conf is not allowed (but
       it can be overridden from the command line). Please use directory
       environments instead. If you need to use something other than the
       environment's manifests directory as the main manifest, you can set
       manifest in environment.conf. For more info, see
       https://puppet.com/docs/puppet/latest/environments_about.html

       Default:


   masterhttplog
       Where the puppet master web server saves its access log. This  is  only
       used  when  running a WEBrick puppet master. When puppet master is run-
       ning under a Rack server like Passenger, that web server will have  its
       own logging behavior.

       o   Default: $logdir/masterhttp.log



   masterport
       The default port puppet subcommands (e.g. puppet facts upload, puppet
       agent) use to communicate with Puppet Server. May be overridden by
       more specific settings (see ca_port, report_port).

       o   Default: 8140



   max_deprecations
       Sets  the  max number of logged/displayed parser validation deprecation
       warnings in case multiple deprecation warnings have  been  detected.  A
       value of 0 blocks the logging of deprecation warnings. The count is per
       manifest.

       o   Default: 10



   max_errors
       Sets the max number of logged/displayed  parser  validation  errors  in
       case  multiple errors have been detected. A value of 0 is the same as a
       value of 1; a minimum of one error is always raised. The count  is  per
       manifest.

       o   Default: 10



   max_warnings
       Sets  the  max number of logged/displayed parser validation warnings in
       case multiple warnings have been detected. A value of 0 blocks  logging
       of warnings. The count is per manifest.

       o   Default: 10



   maximum_uid
       The maximum allowed UID. Some platforms use negative UIDs but then ship
       with tools that do not know how to handle signed ints, so the UIDs show
       up  as huge numbers that can then not be fed back into the system. This
       is a hackish way to fail in a slightly more useful way when  that  hap-
       pens.

       o   Default: 4294967290



   mkusers
       Whether  to  create the necessary user and group that puppet agent will
       run as.

       o   Default: false



   module_groups
       Extra module groups to request from the Puppet Forge. This is an inter-
       nal setting, and users should never change it.

       Default:


   module_repository
       The module repository

       o   Default: https://forgeapi.puppet.com



   module_skeleton_dir
       The directory in which the skeleton for module tool generate is stored.

       o   Default: $module_working_dir/skeleton



   module_working_dir
       The directory into which module tool data is stored

       o   Default: $vardir/puppet-module



   modulepath
       The  search path for modules, as a list of directories separated by the
       system path separator character. (The POSIX path separator is ':',  and
       the Windows path separator is ';'.)

       Setting a global value for modulepath in puppet.conf is not allowed
       (but it can be overridden from the command line). Please use directory
       environments instead. If you need to use something other than the
       default modulepath of <ACTIVE ENVIRONMENT'S MODULES DIR>:$basemodulepath,
       you can set modulepath in environment.conf. For more info, see
       https://puppet.com/docs/puppet/latest/environments_about.html

   name
       The name of the application, if we are running as one. The  default  is
       essentially $0 without the path or .rb.

       Default:


   no_proxy
       List of host or domain names that should not go through
       http_proxy_host. Environment variable no_proxy or NO_PROXY will
       override this value. Names can be specified as an FQDN
       host.example.com, wildcard *.example.com, dotted domain .example.com,
       or suffix example.com.

       o   Default: localhost, 127.0.0.1



   node_cache_terminus
       How  to store cached nodes. Valid values are (none), 'json', 'msgpack',
       'yaml' or write only yaml ('write_only_yaml').

       Default:


   node_name
       How the puppet master determines the client's  identity  and  sets  the
       'hostname',  'fqdn' and 'domain' facts for use in the manifest, in par-
       ticular for determining which 'node' statement applies to  the  client.
       Possible  values  are 'cert' (use the subject's CN in the client's cer-
       tificate) and 'facter' (use the hostname that the  client  reported  in
       its facts).

       This setting is deprecated, please use explicit fact matching for clas-
       sification.

       o   Default: cert



   node_name_fact
       The fact name used to determine the node name used for all requests the
       agent  makes to the master. WARNING: This setting is mutually exclusive
       with node_name_value. Changing this setting also  requires  changes  to
       the  default  auth.conf  configuration on the Puppet Master. Please see
       http://links.puppet.com/node_name_fact for more information.

   node_name_value
       The explicit value used for the node name for all  requests  the  agent
       makes  to  the master. WARNING: This setting is mutually exclusive with
       node_name_fact. Changing this setting  also  requires  changes  to  the
       default  auth.conf  configuration  on  the  Puppet  Master.  Please see
       http://links.puppet.com/node_name_value for more information.

       o   Default: $certname



   node_terminus
       Which node data plugin to use when compiling node catalogs.

       When Puppet compiles a catalog, it  combines  two  primary  sources  of
       info:  the  main manifest, and a node data plugin (often called a "node
       terminus," for historical reasons). Node  data  plugins  provide  three
       things for a given node name:

       1.  A  list  of classes to add to that node's catalog (and, optionally,
           values for their parameters).

       2.  Which Puppet environment the node should use.

       3.  A list of additional top-scope variables to set.



       The three main node data plugins are:

       o   plain --- Returns no data, so that the main manifest  controls  all
           node configuration.

       o   exec --- Uses an external node classifier (ENC)
           https://puppet.com/docs/puppet/latest/nodes_external.html,
           configured by the external_nodes setting. This lets you pull a
           list of Puppet classes from any external system, using a small
           glue script to perform the request and format the result as YAML.

       o   classifier (formerly console) --- Specific to Puppet Enterprise.
           Uses the PE console for node data.

       o   Default: plain



   noop
       Whether to apply catalogs in noop mode, which  allows  Puppet  to  par-
       tially  simulate  a  normal  run. This setting affects puppet agent and
       puppet apply.

       When running in noop mode, Puppet will check whether each  resource  is
       in  sync,  like  it  does when running normally. However, if a resource
       attribute is not in the desired state (as  declared  in  the  catalog),
       Puppet  will  take  no  action,  and will instead report the changes it
       would have made. These simulated changes will appear in the report sent
       to  the  puppet  master,  or  be shown on the console if running puppet
       agent or puppet apply in the foreground. The simulated changes will not
       send  refresh events to any subscribing or notified resources, although
       Puppet will log that a refresh event would have been sent.

       Important note: The noop metaparameter
       https://puppet.com/docs/puppet/latest/metaparameter.html#noop allows
       you to apply individual resources in noop mode, and will override the
       global value of the noop
       setting.  This  means  a resource with noop => false will be changed if
       necessary, even when running puppet agent with noop = true  or  --noop.
       (Conversely,  a resource with noop => true will only be simulated, even
       when noop mode is globally disabled.)

       o   Default: false



   onetime
       Perform  one  configuration  run  and  exit,  rather  than  spawning  a
       long-running  daemon.  This  is useful for interactively running puppet
       agent, or running puppet agent from cron.

       o   Default: false



   ordering
       How unrelated resources should be  ordered  when  applying  a  catalog.
       Allowed  values  are  title-hash,  manifest,  and  random. This setting
       affects puppet agent and puppet apply, but not puppet master.

       o   manifest (the default) will use the order in  which  the  resources
           were declared in their manifest files.

       o   title-hash  (the default in 3.x) will order resources randomly, but
           will use the same order across runs and across nodes. It is only of
           value  if  you're  migrating  from 3.x and have errors running with
           manifest.

       o   random will order resources randomly and change  their  order  with
           each  run.  This  can work like a fuzzer for shaking out undeclared
           dependencies.



       Regardless of this setting's value, Puppet will  always  obey  explicit
       dependencies  set  with the before/require/notify/subscribe metaparame-
       ters and the ->/~> chaining arrows; this setting only affects the rela-
       tive ordering of unrelated resources.

       This setting is deprecated, and will always have a value of manifest in
       6.0 and up.

       o   Default: manifest



   passfile
       Where puppet agent stores the password for its private  key.  Generally
       unused.

       o   Default: $privatedir/password



   path
       The  shell search path. Defaults to whatever is inherited from the par-
       ent process.

       This setting can only be set in the [main] section of  puppet.conf;  it
       cannot be set in [master], [agent], or an environment config section.

       o   Default: none



   pidfile
       The file containing the PID of a running process. This file is intended
       to be used by service management frameworks and monitoring  systems  to
       determine if a puppet process is still in the process table.

       o   Default: $rundir/${run_mode}.pid



   plugindest
       Where  Puppet  should store plugins that it pulls down from the central
       server.

       o   Default: $libdir



   pluginfactdest
       Where Puppet should store external facts that are being handled by
       pluginsync.

       o   Default: $vardir/facts.d



   pluginfactsource
       Where to retrieve external facts for pluginsync

       o   Default: puppet:///pluginfacts



   pluginsignore
       What files to ignore when pulling down plugins.

       o   Default: .svn CVS .git .hg



   pluginsource
       From  where  to retrieve plugins. The standard Puppet file type is used
       for retrieval, so anything that is a valid  file  source  can  be  used
       here.

       o   Default: puppet:///plugins



   pluginsync
       Whether  plugins should be synced with the central server. This setting
       is deprecated.

       o   Default: true



   postrun_command
       A command to run after every agent  run.  If  this  command  returns  a
       non-zero  return code, the entire Puppet run will be considered to have
       failed, even though it might have performed work during the normal run.

   preferred_serialization_format
       The preferred means of serializing ruby instances for passing over  the
       wire.  This won't guarantee that all instances will be serialized using
       this method, since not all classes can be guaranteed  to  support  this
       format, but it will be used for all classes that support it.

       o   Default: json



   prerun_command
       A  command  to  run  before  every agent run. If this command returns a
       non-zero return code, the entire Puppet run will fail.

   preview_outputdir
       The directory where catalog previews per node are generated.

       o   Default: $vardir/preview



   priority
       The scheduling priority of the process. Valid values are 'high',  'nor-
       mal',  'low',  or 'idle', which are mapped to platform-specific values.
       The priority can also be specified as an  integer  value  and  will  be
       passed  as  is, e.g. -5. Puppet must be running as a privileged user in
       order to increase scheduling priority.

       Default:


   privatedir
       Where the client stores private certificate information.

       o   Default: $ssldir/private



   privatekeydir
       The private key directory.

       o   Default: $ssldir/private_keys



   profile
       Whether to enable experimental performance profiling

       o   Default: false



   publickeydir
       The public key directory.

       o   Default: $ssldir/public_keys



   puppet_trace
       Whether to print the Puppet stack trace on some errors. This is a  noop
       if trace is also set.

       o   Default: false



   puppetdlog
       The  fallback  log file. This is only used when the --logdest option is
       not specified AND Puppet is running on an operating system  where  both
       the  POSIX  syslog  service  and the Windows Event Log are unavailable.
       (Currently, no supported operating systems match that description.)

       Despite the name, both puppet agent and puppet  master  will  use  this
       file as the fallback logging destination.

       For  control  over logging destinations, see the --logdest command line
       option in the manual pages for puppet master, puppet agent, and  puppet
       apply.  You can see man pages by running puppet <SUBCOMMAND> --help, or
       read them online at https://puppet.com/docs/puppet/latest/man/.

       o   Default: $logdir/puppetd.log



   report
       Whether to send reports after every transaction.

       o   Default: true



   report_port
       The port to communicate with the report_server.

       o   Default: $masterport



   report_server
       The server to send transaction reports to.

       o   Default: $server



   reportdir
       The directory in which to store reports. Each node gets a separate sub-
       directory  in  this directory. This setting is only used when the store
       report processor is enabled (see the reports setting).

       o   Default: $vardir/reports



   reports
       The list of report handlers to use. When  using  multiple  report  han-
       dlers,  their names should be comma-separated, with whitespace allowed.
       (For example, reports = http, store.)

       This setting is relevant to puppet master and puppet apply. The  puppet
       master  will  call  these  report handlers with the reports it receives
       from agent nodes, and puppet apply will call them with its own  report.
       (In all cases, the node applying the catalog must have report = true.)

       See  the  report  reference for information on the built-in report han-
       dlers; custom report handlers can also be loaded from modules.  (Report
       handlers are loaded from the lib directory, at puppet/reports/NAME.rb.)

       o   Default: store



   reporturl
       The  URL that reports should be forwarded to. This setting is only used
       when the http report processor is enabled (see the reports setting).

       o   Default: http://localhost:3000/reports/upload



   requestdir
       Where host certificate requests are stored.

       o   Default: $ssldir/certificate_requests



   resourcefile
       The file in which puppet agent stores a list of the  resources  associ-
       ated with the retrieved configuration.

       o   Default: $statedir/resources.txt



   rest_authconfig
       The  configuration  file  that defines the rights to the different rest
       indirections. This can be used as a fine-grained  authorization  system
       for  puppet  master. The puppet master command is deprecated and Puppet
       Server uses its own auth.conf that must be placed within its configura-
       tion directory.

       o   Default: $confdir/auth.conf



   resubmit_facts
       Whether to send updated facts after every transaction.

       o   Default: false



   rich_data
       Enables having extended data in the catalog by storing them as a hash
       with the special key __pcore_type__. When enabled, resources containing
       values of the data types Binary, Regexp, SemVer, SemVerRange, Timespan
       and Timestamp, as well as instances of types derived from Object retain
       their data type.

       o   Default: false



   route_file
       The YAML file containing indirector route configuration.

       o   Default: $confdir/routes.yaml



   rundir
       Where Puppet PID files are kept.

       o   Default: Unix/Linux: /var/run/puppetlabs -- Windows:
           C:\ProgramData\PuppetLabs\puppet\var\run -- Non-root user:
           ~/.puppetlabs/var/run



   runinterval
       How  often puppet agent applies the catalog. Note that a runinterval of
       0 means "run continuously" rather than "never run." If you want  puppet
       agent  to  never  run, you should start it with the --no-client option.
       This setting can be a time interval in seconds  (30  or  30s),  minutes
       (30m), hours (6h), days (2d), or years (5y).

       o   Default: 30m



   runtimeout
       The  maximum  amount  of time an agent run is allowed to take. A Puppet
       agent run that exceeds this timeout will be  aborted.  Defaults  to  0,
       which  is unlimited. This setting can be a time interval in seconds (30
       or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

       o   Default: 0



   serial
       Where the serial number for certificates is stored.

       o   Default: $cadir/serial



   server
       The puppet master server to which the puppet agent should connect.

       o   Default: puppet



   server_datadir
       The directory in which serialized data is stored, usually in  a  subdi-
       rectory.

       o   Default: $vardir/server_data



   server_list
       The list of puppet master servers to which the puppet agent should con-
       nect, in the order that they will be tried.

       o   Default: []



   show_diff
       Whether to log and report  a  contextual  diff  when  files  are  being
       replaced.  This  causes  partial file contents to pass through Puppet's
       normal logging and reporting system, so this  setting  should  be  used
       with  caution if you are sending Puppet's reports to an insecure desti-
       nation. This feature currently requires the diff/lcs Ruby library.

       o   Default: false
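
       An added example (not part of Puppet): a Ruby check that reads a
       puppet.conf and reports the settings this page attaches a caution to,
       namely http_debug, show_diff, node_name and the ldap* settings, with
       [main] values inherited by the other sections. Treating a non-local
       http:// reporturl as the "insecure destination" is an assumption, and
       the sample configuration is constructed.

```ruby
require 'uri'

# Defaults for the settings the checks read, as listed on this page.
DEFAULTS = {
  'http_debug' => 'false', 'show_diff' => 'false', 'reports' => 'store',
  'reporturl' => 'http://localhost:3000/reports/upload',
  'node_terminus' => 'plain', 'node_name' => 'cert',
  'ldapssl' => 'false', 'ldaptls' => 'false'
}.freeze

WHY = {
  'http_debug'     => 'HTTP requests and responses are written to stderr',
  'show_diff'      => 'file diffs are forwarded in reports over plain HTTP',
  'ldap_cleartext' => 'ldappassword is used with both ldapssl and ldaptls off',
  'node_name'      => 'node identity comes from client-reported facts, not the certificate CN'
}.freeze

LOCAL_HOSTS = %w[localhost 127.0.0.1].freeze

# Constructed puppet.conf with one instance of each flagged condition.
SAMPLE_CONF = <<~CONF
  [main]
  show_diff = true

  [master]
  node_terminus = ldap
  ldapserver = ldap.example.com
  ldapuser = cn=puppet,ou=svc,dc=example,dc=com
  ldappassword = constructed-secret
  node_name = facter
  reports = http, store
  reporturl = http://reports.example.com/upload

  [agent]
  http_debug = true
CONF

# The same file with each flagged setting corrected.
HARDENED_CONF = SAMPLE_CONF
                .sub('http://reports.example.com', 'https://reports.example.com')
                .sub('node_name = facter', 'node_name = cert')
                .sub('http_debug = true', 'http_debug = false')
                .sub('ldappassword', "ldaptls = true\nldappassword")

# Parses section headers and "key = value" lines; lines starting with # are comments.
def parse_puppet_conf(text)
  sections = { 'main' => {} }
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
      sections[current] ||= {}
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2].strip
    end
  end
  sections
end

# True for an http:// URL whose host is not the local machine.
def plain_http_remote?(url)
  uri = URI.parse(url)
  uri.scheme == 'http' && !LOCAL_HOSTS.include?(uri.host)
rescue URI::InvalidURIError
  true # an unparseable destination is treated as unsafe
end

# Returns [section, check] pairs, evaluated on each section's effective settings
# (page defaults, then [main], then the section itself).
def audit_puppet_conf(text)
  sections = parse_puppet_conf(text)
  findings = []
  sections.each_key do |name|
    s = DEFAULTS.merge(sections['main']).merge(sections[name])
    on = ->(key) { s[key].to_s.downcase == 'true' }
    handlers = s['reports'].split(/\s*,\s*/)

    findings << [name, 'http_debug'] if on.call('http_debug')
    if on.call('show_diff') && handlers.include?('http') && plain_http_remote?(s['reporturl'])
      findings << [name, 'show_diff']
    end
    if s['node_terminus'] == 'ldap' && !s['ldappassword'].to_s.empty? &&
       !on.call('ldapssl') && !on.call('ldaptls')
      findings << [name, 'ldap_cleartext']
    end
    findings << [name, 'node_name'] if s['node_name'] == 'facter'
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_puppet_conf(SAMPLE_CONF).each { |sec, chk| puts "[#{sec}] #{chk}: #{WHY[chk]}" }
end
```

       show_diff set in [main] is reported only for [master], the one section
       whose effective reports list includes the http handler.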



   signeddir
       Where the CA stores signed certificates.

       o   Default: $cadir/signed



   skip_tags
       Tags to use to filter resources. If this is set,  then  only  resources
       not  tagged  with  the  specified  tags will be applied. Values must be
       comma-separated.

   sourceaddress
       The address the agent should use to initiate requests.

       Default:


   splay
       Whether to sleep for a random amount of time, ranging from  immediately
       up  to  its  $splaylimit, before performing its first agent run after a
       service restart. After this period, the agent runs periodically on  its
       $runinterval.

       For  example, assume a default 30-minute $runinterval, splay set to its
       default of false, and an agent starting at :00 past the hour. The agent
       would check in every 30 minutes at :01 and :31 past the hour.

       With  splay  enabled, it waits any amount of time up to its $splaylimit
       before its first run. For example, it might randomly  wait  8  minutes,
       then start its first run at :08 past the hour. With the $runinterval at
       its default 30 minutes, its next run will be at :38 past the hour.

       If you restart an agent's puppet service with splay enabled, it  recal-
       culates  its splay period and delays its first agent run after restart-
       ing for this new period. If you simultaneously restart a group of  pup-
       pet  agents  with  splay enabled, their checkins to your puppet masters
       can be distributed more evenly.

       o   Default: false
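
       The timing described for splay and $runinterval, as an added simulation
       (not Puppet's own code): it compares per-minute check-in load for a
       fleet restarted at the same moment with splay off and on. Fleet size,
       seed and function names are assumptions; offsets are measured from the
       first run of an unsplayed agent.

```ruby
# Added example: a simulation of the splay timing, not Puppet's own code.
# Fleet size and seed are constructed values.

RUNINTERVAL = 30 * 60 # default $runinterval, in seconds

# Offsets (seconds after restart) of one agent's runs within `horizon` seconds.
# With splay enabled the first run is delayed by a random 0..splaylimit seconds;
# later runs follow every RUNINTERVAL seconds.
def run_offsets(splay:, splaylimit: RUNINTERVAL, horizon: 2 * RUNINTERVAL, rng: Random.new)
  first = splay ? rng.rand(0..splaylimit) : 0
  first.step(horizon - 1, RUNINTERVAL).to_a
end

# Check-ins per minute for a fleet of agents restarted simultaneously.
def checkins_per_minute(agents:, splay:, seed: 42)
  rng = Random.new(seed)
  counts = Hash.new(0)
  agents.times do
    run_offsets(splay: splay, rng: rng).each { |t| counts[t / 60] += 1 }
  end
  counts
end

# Largest number of check-ins the masters see in any single minute.
def peak_load(agents:, splay:)
  checkins_per_minute(agents: agents, splay: splay).values.max
end

if __FILE__ == $PROGRAM_NAME
  puts "peak check-ins/minute, splay off: #{peak_load(agents: 600, splay: false)}"
  puts "peak check-ins/minute, splay on:  #{peak_load(agents: 600, splay: true)}"
end
```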



   splaylimit
       The maximum time to delay before an agent's first  run  when  splay  is
       enabled.  Defaults  to  the agent's $runinterval. The splay interval is
       random and recalculated each time the agent is  started  or  restarted.
       This  setting  can  be  a time interval in seconds (30 or 30s), minutes
       (30m), hours (6h), days (2d), or years (5y).

       o   Default: $runinterval



   srv_domain
       The domain which will be queried to find the SRV records of servers  to
       use.

       o   Default: delivery.puppetlabs.net



   ssl_client_ca_auth
       Certificate authorities who issue server certificates. SSL servers will
       not be considered authentic unless they possess a certificate issued by
       an authority listed in this file. If this setting has no value then the
       Puppet master's CA certificate (localcacert) will be used.

       Default:


   ssl_client_header
       The header containing an authenticated client's  SSL  DN.  This  header
       must  be  set  by the proxy to the authenticated client's SSL DN (e.g.,
       /CN=puppet.puppetlabs.com). Puppet will parse out the Common Name  (CN)
       from  the Distinguished Name (DN) and use the value of the CN field for
       authorization.

       Note that the name of the HTTP header gets munged  by  the  web  server
       common  gateway  interface:  an  HTTP_ prefix is added, dashes are con-
       verted to underscores, and all letters are uppercased. Thus, to use the
       X-Client-DN header, this setting should be HTTP_X_CLIENT_DN.

       o   Default: HTTP_X_CLIENT_DN



   ssl_client_verify_header
       The  header  containing  the status message of the client verification.
       This header must be set by the proxy to 'SUCCESS' if  the  client  suc-
       cessfully authenticated, and anything else otherwise.

       Note  that  the  name  of the HTTP header gets munged by the web server
       common gateway interface: an HTTP_ prefix is  added,  dashes  are  con-
       verted to underscores, and all letters are uppercased. Thus, to use the
       X-Client-Verify header, this setting should be HTTP_X_CLIENT_VERIFY.

       o   Default: HTTP_X_CLIENT_VERIFY
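
       The contract described for ssl_client_header and
       ssl_client_verify_header, as an added model (not Puppet's or any
       proxy's own code): the proxy sets both headers from its own TLS result,
       and the server trusts the CN only when the verify value is exactly
       'SUCCESS'. Function names, the 'NONE' status value and the host names
       are assumptions.

```ruby
# Added example: a model of the proxy-header contract, not Puppet's own code.
# Header values and host names used with it are constructed sample data.

DN_KEY     = 'HTTP_X_CLIENT_DN'     # default of ssl_client_header
VERIFY_KEY = 'HTTP_X_CLIENT_VERIFY' # default of ssl_client_verify_header

# CGI munging: add an HTTP_ prefix, turn dashes into underscores, uppercase.
def cgi_key(header_name)
  "HTTP_#{header_name.tr('-', '_').upcase}"
end

# Proxy side: drop any client-supplied header that munges to a reserved key,
# then set both headers from the proxy's own TLS verification result.
def proxy_env(client_headers, tls_verified:, tls_dn:)
  env = {}
  client_headers.each do |name, value|
    key = cgi_key(name)
    env[key] = value unless [DN_KEY, VERIFY_KEY].include?(key)
  end
  env[VERIFY_KEY] = tls_verified ? 'SUCCESS' : 'NONE' # 'NONE' is an assumed value
  env[DN_KEY] = tls_dn.to_s
  env
end

# Server side: extract the CN from a DN such as "/CN=agent01.example.test".
# Returns nil when the DN has no CN field.
def common_name(dn)
  match = dn.to_s.match(%r{(?:\A|[/,])\s*CN\s*=\s*([^/,]+)}i)
  match && match[1].strip
end

# Only a verify value of exactly 'SUCCESS' authenticates the request;
# anything else yields no node name.
def authenticated_node(env)
  return nil unless env[VERIFY_KEY] == 'SUCCESS'
  common_name(env[DN_KEY])
end
```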



   ssl_server_ca_auth
       Certificate authorities who issue client certificates. SSL clients will
       not be considered authentic unless they possess a certificate issued by
       an authority listed in this file. If this setting has no value then the
       Puppet master's CA certificate (localcacert) will be used.

       Default:


   ssldir
       Where SSL certificates are kept.

       o   Default: $confdir/ssl



   statedir
       The  directory  where Puppet state is stored. Generally, this directory
       can be removed without causing harm (although it might result in spuri-
       ous service restarts).

       o   Default: $vardir/state



   statefile
       Where  puppet  agent  and puppet master store state associated with the
       running configuration. In the case of puppet master, this file reflects
       the state discovered through interacting with clients.

       o   Default: $statedir/state.yaml



   statettl
       How long the Puppet agent should cache when a resource was last checked
       or synced. This setting can be a time interval in seconds (30 or  30s),
       minutes  (30m),  hours  (6h), days (2d), or years (5y). A value of 0 or
       unlimited will disable cache pruning.

       This setting affects the usage of schedule resources, as  the  informa-
       tion  about  when  a  resource  was last checked (and therefore when it
       needs to be checked again) is stored in  the  statefile.  The  statettl
       needs  to  be  large  enough to ensure that a resource will not trigger
       multiple times during a schedule due to its  entry  expiring  from  the
       cache.

       o   Default: 32d



   static_catalogs
       Whether to compile a static catalog
       (https://puppet.com/docs/puppet/latest/static_catalogs.html#enabling-or-disabling-static-catalogs),
       which occurs only on a Puppet Server master when the code-id-command
       and code-content-command settings are configured in its
       puppetserver.conf file.

       o   Default: true



   storeconfigs
       Whether to store each client's configuration, including catalogs,
       facts, and related data. This also enables the import and export of
       resources in the Puppet language, a mechanism for exchanging resources
       between nodes.

       By default this uses the 'puppetdb' backend.

       You can adjust the backend using the storeconfigs_backend setting.

       o   Default: false



   storeconfigs_backend
       Configure the backend terminus used for StoreConfigs. By default,  this
       uses  the PuppetDB store, which must be installed and configured before
       turning on StoreConfigs.

       o   Default: puppetdb



   strict
       The strictness level of puppet. Allowed values are:

       o   off - do not perform extra validation, do not report

       o   warning - perform extra validation, report as warning (default)

       o   error - perform extra validation, fail with error



       The strictness level is for both language semantics and runtime evalua-
       tion validation. In addition to controlling the behavior with this mas-
       ter switch some individual warnings may also be controlled by the  dis-
       able_warnings setting.

       No new validations will be added to a micro (x.y.z) release, but may be
       added in minor releases (x.y.0). In major releases it is expected that
       most (if not all) strictness validations become standard behavior.

       o   Default: warning



   strict_environment_mode
       Whether the agent-specified environment should be considered
       authoritative, causing the run to fail if the retrieved catalog does
       not match it.

       o   Default: false



   strict_hostname_checking
       Whether to search only for the complete hostname as it appears in the
       certificate when looking up node information in the catalogs, or to
       match dot-delimited segments of the cert's certname and the hostname,
       fqdn, and/or domain facts.

       This setting is deprecated and will be removed in a future release.

       o   Default: true



   strict_variables
       Causes an evaluation error when referencing  unknown  variables.  (This
       does  not  affect  referencing  variables  that  are  explicitly set to
       undef).

       o   Default: false



   summarize
       Whether to print a transaction summary.

       o   Default: false



   supported_checksum_types
       Checksum types supported by this agent for use in file resources  of  a
       static  catalog.  Values  must be comma-separated. Valid types are md5,
       md5lite, sha256, sha256lite, sha384, sha512,  sha224,  sha1,  sha1lite,
       mtime, ctime. Default is md5, sha256, sha384, sha512, sha224.

       o   Default: ["md5", "sha256", "sha384", "sha512", "sha224"]



   syslogfacility
       What  syslog facility to use when logging to syslog. Syslog has a fixed
       list of valid facilities, and you must choose one of those; you  cannot
       just make one up.

       o   Default: daemon



   tags
       Tags  to  use  to  find  resources. If this is set, then only resources
       tagged with  the  specified  tags  will  be  applied.  Values  must  be
       comma-separated.

   tasks
       Turns  on  experimental  support for tasks and plans in the puppet lan-
       guage. This is for internal API use only. Do not change this setting.

       o   Default: false



   trace
       Whether to print stack traces on some errors. When enabled, prints the
       internal Ruby stack trace interleaved with Puppet function frames.

       o   Default: false



   transactionstorefile
       Transactional storage file for persisting data between transactions for
       the purposes of inferring information (such as corrective_change) on
       new data received.

       o   Default: $statedir/transactionstore.yaml



   trusted_oid_mapping_file
       File that provides mapping between custom SSL OIDs and user-friendly
       names.

       o   Default: $confdir/custom_trusted_oid_mapping.yaml



   trusted_server_facts
       The 'trusted_server_facts' setting is deprecated and has no  effect  as
       the  feature this enabled is now always on. The setting will be removed
       in a future version of puppet.

       o   Default: true



   use_cached_catalog
       Whether to only use the cached catalog rather than compiling a new cat-
       alog  on  every run. Puppet can be run with this enabled by default and
       then selectively disabled when a recompile is desired. Because a Puppet
       agent using cached catalogs does not contact the master for a new cata-
       log, it also does not upload facts at the beginning of the Puppet run.

       o   Default: false



   use_srv_records
       Whether the server will search for SRV records in DNS for  the  current
       domain.

       o   Default: false



   usecacheonfailure
       Whether  to  use the cached configuration when the remote configuration
       will not compile. This option is useful for testing new configurations,
       where you want to fix the broken configuration rather than reverting to
       a known-good one.

       o   Default: true



   user
       The user Puppet Server will run as. Used to ensure the agent side  pro-
       cesses  (agent,  apply,  etc)  create files and directories readable by
       Puppet Server when necessary.

       o   Default: puppet



   vardir
       Where Puppet stores dynamic and growing data. The default for this
       setting is calculated specially, like confdir.

       o   Default: Unix/Linux: /usr/puppetlabs/puppet/cache -- Windows:
           C:\ProgramData\PuppetLabs\puppet\cache -- Non-root user:
           ~/.puppetlabs/usr/puppet/cache



   waitforcert
       How frequently puppet agent should ask for a signed certificate.

       When  starting  for the first time, puppet agent will submit a certifi-
       cate signing request (CSR) to the server named in the ca_server setting
       (usually  the puppet master); this may be autosigned, or may need to be
       approved by a human, depending on the CA server's configuration.

       Puppet agent cannot apply configurations until its approved certificate
       is available. Since the certificate may or may not be available immedi-
       ately, puppet agent will repeatedly try to fetch it at  this  interval.
       You can turn off waiting for certificates by specifying a time of 0, in
       which case puppet agent will exit if it cannot get a cert. This setting
       can  be  a  time  interval in seconds (30 or 30s), minutes (30m), hours
       (6h), days (2d), or years (5y).

       o   Default: 2m
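
       The time-interval syntax accepted by splaylimit, statettl and
       waitforcert, as an added parser (not Puppet's own code) that also
       applies the special values described for statettl and waitforcert.
       Function names and the returned structures are assumptions.

```ruby
# Added example: a parser for the time-interval syntax, not Puppet's own code.

UNIT_SECONDS = {
  's' => 1, 'm' => 60, 'h' => 3600, 'd' => 86_400,
  'y' => 365 * 86_400 # the manual defines a year as 365 days
}.freeze

# Parse "30", "30s", "30m", "6h", "2d" or "5y" into seconds.
# Raises ArgumentError on anything else, including combined units ("1h30m").
def interval_seconds(value)
  match = value.to_s.strip.match(/\A(\d+)([smhdy])?\z/)
  raise ArgumentError, "invalid time interval: #{value.inspect}" unless match

  match[1].to_i * UNIT_SECONDS.fetch(match[2] || 's')
end

# statettl: 0 or "unlimited" disables cache pruning (returned here as nil).
def statettl_seconds(value)
  return nil if value.to_s.strip == 'unlimited'

  seconds = interval_seconds(value)
  seconds.zero? ? nil : seconds
end

# waitforcert: 0 turns waiting off, so the agent exits if it cannot get a cert;
# any other value is the interval between attempts to fetch the certificate.
def waitforcert_policy(value)
  seconds = interval_seconds(value)
  seconds.zero? ? { wait: false } : { wait: true, retry_every: seconds }
end
```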



   yamldir
       The directory in which YAML data is stored, usually in a subdirectory.

       o   Default: $vardir/yaml






ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+--------------------------+
       |ATTRIBUTE TYPE |     ATTRIBUTE VALUE      |
       +---------------+--------------------------+
       |Availability   | system/management/puppet |
       +---------------+--------------------------+
       |Stability      | Volatile                 |
       +---------------+--------------------------+

NOTES
       Source code for open source software components in Oracle Solaris can
       be found at
       https://www.oracle.com/downloads/opensource/solaris-source-code-downloads.html.

       This    software    was    built    from    source     available     at
       https://github.com/oracle/solaris-userland.    The  original  community
       source was downloaded from  https://github.com/puppetlabs/puppet.

       Further information about this software can be found on the open source
       community website at http://puppetlabs.com/.



Puppet, Inc.                       July 2020                     PUPPETCONF(5)