
man pages section 5: File Formats


Updated: Thursday, June 13, 2019
 
 

puppet.conf (5)

Name

puppet.conf - Man page for 'puppet.conf' in section 5

Synopsis

Please see following description for synopsis

Description

PUPPETCONF(5)                    Puppet manual                   PUPPETCONF(5)



This page is autogenerated; any changes will get overwritten

Configuration settings
       o   Each  of  these  settings can be specified in puppet.conf or on the
           command line.

       o   When using boolean settings on the command line, use --setting  and
           --no-setting  instead  of  --setting (true|false). (Using --setting
           false results in "Error: Could not parse application options: need-
           less argument".)

       o   Settings  can  be  interpolated  as  $variables  in other settings;
           $environment is special, in that  puppet  master  will  interpolate
           each agent node's environment instead of its own.

       o   Multiple  values should be specified as comma-separated lists; mul-
           tiple directories should be separated with the system path  separa-
           tor (usually a colon).

       o   Settings that represent time intervals should be specified in dura-
           tion format: an integer immediately followed by one  of  the  units
           'y' (years of 365 days), 'd' (days), 'h' (hours), 'm' (minutes), or
           's' (seconds). The unit cannot be combined with  other  units,  and
           defaults  to  seconds  when  omitted.  Examples are '3600' which is
           equivalent to '1h' (one hour), and '1825d' which is  equivalent  to
           '5y' (5 years).

       o   If  you  use  the splay setting, note that the period that it waits
           changes each time the Puppet agent is restarted.

       o   Settings that take a single file or directory can optionally set
           the owner, group, and mode for their value:

               rundir = $vardir/run { owner = puppet, group = puppet, mode = 644 }

       o   The Puppet executables will ignore any setting that isn't  relevant
           to their function.



       See the configuration guide
       https://puppet.com/docs/puppet/latest/config_about_settings.html
       for more details.

   agent_catalog_run_lockfile
       A lock file to indicate that a puppet agent catalog run is currently in
       progress.  The file contains the pid of the process that holds the lock
       on the catalog run.

       o   Default: $statedir/agent_catalog_run.lock



   agent_disabled_lockfile
       A lock file to indicate that puppet agent runs  have  been  administra-
       tively disabled. File contains a JSON object with state information.

       o   Default: $statedir/agent_disabled.lock



   allow_duplicate_certs
       Whether  to  allow  a  new certificate request to overwrite an existing
       certificate.

       o   Default: false



   always_retry_plugins
       Affects how we cache attempts to load Puppet resource types and features.
       If true, then calls to Puppet.type.<type>? and Puppet.feature.<feature>?
       will always attempt to load the type or feature (which can be an
       expensive  operation)  unless  it has already been loaded successfully.
       This makes it possible for a single agent run to, e.g., install a pack-
       age  that  provides  the underlying capabilities for a type or feature,
       and then later load that type or feature during the same run  (even  if
       the  type  or  feature  had been tested earlier and had not been avail-
       able).

       If this setting is set to false, then types and features will  only  be
       checked  once,  and  if  they are not available, the negative result is
       cached and returned for all subsequent attempts to  load  the  type  or
       feature. This behavior is almost always appropriate for the server, and
       can result in a significant performance improvement for types and  fea-
       tures that are checked frequently.

       o   Default: true



   app_management
       This  setting has no effect and will be removed in a future Puppet ver-
       sion.

       o   Default: false



   autoflush
       Whether log files should always flush to disk.

       o   Default: true



   autosign
       Whether (and how) to autosign certificate  requests.  This  setting  is
       only  relevant  on  a  puppet  master acting as a certificate authority
       (CA).

       Valid values are true (autosigns all certificate requests;  not  recom-
       mended),  false  (disables  autosigning  certificates), or the absolute
       path to a file.

       The file specified in this setting may be either a  configuration  file
       or a custom policy executable. Puppet will automatically determine what
       it is: If the Puppet user (see the user setting) can execute the  file,
       it  will  be  treated  as  a  policy  executable; otherwise, it will be
       treated as a config file.

       If a custom policy executable is configured, the CA puppet master  will
       run  it every time it receives a CSR. The executable will be passed the
       subject CN of the request as a command line argument, and the  contents
       of the CSR in PEM format on stdin. It should exit with a status of 0 if
       the cert should be autosigned and non-zero if the cert  should  not  be
       autosigned.

       If a certificate request is not autosigned, it will persist for review.
       An admin user can use the puppet cert sign command to manually sign it,
       or can delete the request.

       For info on autosign configuration files, see the guide to Puppet's
       config files
       https://docs.puppetlabs.com/puppet/latest/reference/config_about_settings.html.

       o   Default: $confdir/autosign.conf



   basemodulepath
       The  search  path  for global modules. Should be specified as a list of
       directories separated by the  system  path  separator  character.  (The
       POSIX path separator is ':', and the Windows path separator is ';'.)

       These  are the modules that will be used by all environments. Note that
       the modules directory of the active environment will have priority over
       any global directories. For more info, see
       https://docs.puppet.com/puppet/latest/reference/environments.html

       o   Default: $codedir/modules:/usr/puppetlabs/puppet/modules



   bindaddress
       The address a listening server should bind to.

       o   Default: *



   binder_config
       The binder configuration file. Puppet reads this file on  each  request
       to  configure  the  bindings  system.  If  set  to nil (the default), a
       $confdir/binder_config.yaml is optionally loaded. If it does not
       exist, a default configuration is used. If the setting :binding_config
       is specified, it must reference a valid and existing yaml file.

       Default:


   bucketdir
       Where FileBucket files are stored.

       o   Default: $vardir/bucket



   ca
       Whether the master should function as a certificate authority.

       o   Default: true



   ca_name
       The name to use for the Certificate Authority certificate.

       o   Default: Puppet CA: $certname



   ca_port
       The port to use for the certificate authority.

       o   Default: $masterport



   ca_server
       The server to use for certificate authority requests. It's  a  separate
       server because it cannot and does not need to horizontally scale.

       o   Default: $server



   ca_ttl
       The default TTL for new certificates. This setting can be a time inter-
       val in seconds (30 or 30s), minutes (30m), hours (6h),  days  (2d),  or
       years (5y).

       o   Default: 5y



   cacert
       The CA certificate.

       o   Default: $cadir/ca_crt.pem



   cacrl
       The  certificate  revocation  list  (CRL)  for  the CA. Will be used if
       present but otherwise ignored.

       o   Default: $cadir/ca_crl.pem



   cadir
       The root directory for the certificate authority.

       o   Default: $ssldir/ca



   cakey
       The CA private key.

       o   Default: $cadir/ca_key.pem



   capass
       Where the CA stores the password for the private key.

       o   Default: $caprivatedir/ca.pass



   caprivatedir
       Where the CA stores private certificate information.

       o   Default: $cadir/private



   capub
       The CA public key.

       o   Default: $cadir/ca_pub.pem



   catalog_cache_terminus
       How to store cached catalogs. Valid values are  'json',  'msgpack'  and
       'yaml'. The agent application defaults to 'json'.

       Default:


   catalog_terminus
       Where  to get node catalogs. This is useful to change if, for instance,
       you'd like to pre-compile catalogs and store them in memcached or  some
       other easily-accessed store.

       o   Default: compiler



   cert_inventory
       The  inventory  file. This is a text file to which the CA writes a com-
       plete listing of all certificates.

       o   Default: $cadir/inventory.txt



   certdir
       The certificate directory.

       o   Default: $ssldir/certs



   certificate_revocation
       Whether certificate revocation checking should  be  enabled,  and  what
       level of checking should be performed.

       When  certificate_revocation  is  set to 'true' or 'chain', Puppet will
       download the CA CRL and will perform revocation checking  against  each
       certificate in the chain.

       Puppet is unable to load multiple CRLs, so if certificate_revocation is
       set to 'chain' and Puppet attempts to verify a certificate signed by  a
       root CA the behavior is equivalent to the 'leaf' setting, and if Puppet
       attempts to verify a certificate signed by an intermediate CA then ver-
       ification  will fail as Puppet will be unable to load the multiple CRLs
       required for full chain checking. As such the 'chain' setting  is  lim-
       ited  in functionality and is meant as a stand in pending the implemen-
       tation of full chain checking.

       When certificate_revocation is set to 'leaf', Puppet will download  the
       CA CRL and will verify the leaf certificate against that CRL. CRLs will
       not be fetched or checked for the  rest  of  the  certificates  in  the
       chain.  If  you  are  using  an intermediate CA certificate and want to
       enable certificate revocation checking, this setting  must  be  set  to
       'leaf'.

       When  certificate_revocation is set to 'false', Puppet will disable all
       certificate revocation checking and will not attempt  to  download  the
       CRL.

       o   Default: chain



   certname
       The name to use when handling certificates. When a node requests a cer-
       tificate from the CA puppet master, it uses the value of  the  certname
       setting as its requested Subject CN.

       This is the name used when managing a node's permissions in auth.conf
       https://docs.puppetlabs.com/puppet/latest/reference/config_file_auth.html.
       In most cases, it is also used as the node's name when matching node
       definitions
       https://docs.puppetlabs.com/puppet/latest/reference/lang_node_definitions.html
       and requesting data from an ENC. (This can be changed with the
       node_name_value and node_name_fact settings, although you should only
       do so if you have a compelling reason.)

       A node's certname is available in Puppet manifests as
       $trusted['certname']. (See Facts and Built-In Variables
       https://docs.puppetlabs.com/puppet/latest/reference/lang_facts_and_builtin_vars.html
       for more details.)

       o   For best compatibility, you should limit the value of certname to
           only use lowercase letters, numbers, periods, underscores, and
           dashes. (That is, it should match /\A[a-z0-9._-]+\Z/.)

       o   The special value ca is reserved, and can't be used as the certname
           for a normal node.



       Defaults to the node's fully qualified domain name.

       o   Default: the Host's fully qualified domain name, as  determined  by
           facter



   classfile
       The  file in which puppet agent stores a list of the classes associated
       with the retrieved configuration. Can be loaded in the separate  puppet
       executable using the --loadclasses option.

       o   Default: $statedir/classes.txt



   client_datadir
       The directory in which serialized data is stored on the client.

       o   Default: $vardir/client_data



   clientbucketdir
       Where FileBucket files are stored locally.

       o   Default: $vardir/clientbucket



   clientyamldir
       The directory in which client-side YAML data is stored.

       o   Default: $vardir/client_yaml



   code
       Code  to  parse  directly. This is essentially only used by puppet, and
       should only be set if you're writing your own Puppet executable.

   codedir
       The main Puppet code directory. The default for this setting is  calcu-
       lated  based on the user. If the process is running as root or the user
       that Puppet is supposed to run as, it defaults to a  system  directory,
       but  if  it's  running  as  any other user, it defaults to being in the
       user's home directory.

       o   Default: Unix/Linux: /etc/puppetlabs/code -- Windows:
           C:\ProgramData\PuppetLabs\code -- Non-root user: ~/.puppetlabs/etc/code



   color
       Whether  to  use  colors  when logging to the console. Valid values are
       ansi (equivalent to true), html, and false, which  produces  no  color.
       Defaults to false on Windows, as its console does not support ansi col-
       ors.

       o   Default: ansi



   confdir
       The main Puppet configuration directory. The default for  this  setting
       is  calculated  based on the user. If the process is running as root or
       the user that Puppet is supposed to run as, it  defaults  to  a  system
       directory,  but if it's running as any other user, it defaults to being
       in the user's home directory.

       o   Default: Unix/Linux: /etc/puppetlabs/puppet -- Windows:
           C:\ProgramData\PuppetLabs\puppet\etc -- Non-root user:
           ~/.puppetlabs/etc/puppet



   config
       The configuration file for the current puppet application.

       o   Default: $confdir/${config_file_name}



   config_file_name
       The name of the puppet config file.

       o   Default: puppet.conf



   config_version
       How to determine the configuration version. By default, it will be  the
       time  that  the  configuration  is  parsed, but you can provide a shell
       script to override how the version is determined. The  output  of  this
       script  will be added to every log message in the reports, allowing you
       to correlate changes on your hosts to the source version on the server.

       Setting a global value for config_version in puppet.conf is not allowed
       (but it can be overridden from the commandline). Please set a per-envi-
       ronment  value  in  environment.conf  instead.  For  more   info,   see
       https://docs.puppet.com/puppet/latest/reference/environments.html

   configprint
       Print  the  value of a specific configuration setting. If the name of a
       setting is provided for this, then the  value  is  printed  and  puppet
       exits.  Comma-separate multiple values. For a list of all values, spec-
       ify 'all'.

   configtimeout
       How long the client should wait for the configuration to  be  retrieved
       before  considering  it  a  failure. This setting is deprecated and has
       been replaced by http_connect_timeout and http_read_timeout. This  set-
       ting  can  be  a  time  interval in seconds (30 or 30s), minutes (30m),
       hours (6h), days (2d), or years (5y).

       o   Default: 2m



   csr_attributes
       An optional file containing custom attributes  to  add  to  certificate
       signing  requests  (CSRs).  You  should  ensure that this file does not
       exist on your CA puppet master; if it does, unwanted certificate exten-
       sions  may leak into certificates created with the puppet cert generate
       command.

       If  present,  this  file  must  be  a  YAML  hash  containing  a   cus-
       tom_attributes  key and/or an extension_requests key. The value of each
       key must be a hash, where each key is a valid OID and each value is  an
       object that can be cast to a string.

       Custom  attributes  can be used by the CA when deciding whether to sign
       the certificate, but are then discarded. Attribute OIDs can be any  OID
       value  except the standard CSR attributes (i.e. attributes described in
       RFC 2985 section 5.4). This is useful for embedding  a  pre-shared  key
       for autosigning policy executables (see the autosign setting), often by
       using the 1.2.840.113549.1.9.7 ("challenge password") OID.

       Extension requests will be permanently embedded in the  final  certifi-
       cate.    Extension    OIDs    must    be    in    the    "ppRegCertExt"
       (1.3.6.1.4.1.34380.1.1) or "ppPrivCertExt" (1.3.6.1.4.1.34380.1.2)  OID
       arcs.  The  ppRegCertExt  arc  is  reserved for four of the most common
       pieces  of  data  to  embed:   pp_uuid   (.1),   pp_instance_id   (.2),
       pp_image_name  (.3),  and  pp_preshared_key  (.4) --- in the YAML file,
       these can be referred to by their short descriptive  names  instead  of
       their  full  OID. The ppPrivCertExt arc is unregulated, and can be used
       for site-specific extensions.

       o   Default: $confdir/csr_attributes.yaml
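
       Added example (not part of the Puppet manual or Puppet's own code): an
       autosign policy executable, as described under autosign, that checks the
       "challenge password" custom attribute described under csr_attributes.
       The PSK_FILE path, the sample CSR builder and the choice to refuse CSRs
       that request alternate names are assumptions of this example.

```ruby
#!/usr/bin/env ruby
require 'openssl'

# Hypothetical path for the shared secret (not defined by Puppet); it should be
# readable only by the Puppet user.
PSK_FILE = '/etc/puppetlabs/puppet/autosign_psk'
# Character set this page recommends for certnames; \z also rejects a trailing newline.
CERTNAME_RE = /\A[a-z0-9._-]+\z/

# Compare SHA-256 digests so timing does not reveal where the strings differ.
def secure_equal?(a, b)
  da = OpenSSL::Digest.new('SHA256').digest(a)
  db = OpenSSL::Digest.new('SHA256').digest(b)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Value of the 1.2.840.113549.1.9.7 ("challenge password") attribute, or nil.
def challenge_password(csr)
  attr = csr.attributes.find { |a| a.oid == 'challengePassword' }
  attr && attr.value.value.first.value
end

# True when the CSR's extension requests include subjectAltName (2.5.29.17).
def requests_alt_names?(csr)
  csr.attributes.select { |a| a.oid == 'extReq' }.any? do |attr|
    attr.value.value.first.value.any? { |ext| ext.value.first.oid == '2.5.29.17' }
  end
end

# Returns [allow, reason]. Any failed check or parse error denies the request.
def autosign_decision(certname, csr_pem, psk)
  return [false, 'certname fails pattern'] unless certname.is_a?(String) && certname.match?(CERTNAME_RE)
  return [false, 'reserved certname'] if certname == 'ca'

  csr = OpenSSL::X509::Request.new(csr_pem)
  return [false, 'bad CSR signature'] unless csr.verify(csr.public_key)

  cn = csr.subject.to_a.find { |name, _, _| name == 'CN' }&.at(1)
  return [false, 'CN mismatch'] unless cn == certname
  return [false, 'alt names requested'] if requests_alt_names?(csr)

  given = challenge_password(csr)
  return [false, 'no challenge password'] if given.nil? || psk.to_s.empty?
  return [false, 'wrong challenge password'] unless secure_equal?(given, psk)

  [true, 'ok']
rescue StandardError => e
  [false, "CSR rejected: #{e.class}"]
end

# Constructed sample CSR for trying the policy offline (not a real node's request).
def sample_csr(cn, psk: nil, alt_names: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', cn]])
  csr.public_key = key.public_key
  if psk
    csr.add_attribute(OpenSSL::X509::Attribute.new(
      'challengePassword', OpenSSL::ASN1::Set([OpenSSL::ASN1::UTF8String(psk)])))
  end
  if alt_names
    ext = OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', alt_names)
    csr.add_attribute(OpenSSL::X509::Attribute.new(
      'extReq', OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([ext])])))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

# Policy-executable entry point: subject CN in ARGV[0], PEM CSR on stdin,
# exit 0 to autosign and non-zero to leave the request for manual review.
if __FILE__ == $PROGRAM_NAME && ARGV.length == 1
  allow, reason = autosign_decision(ARGV[0], $stdin.read, File.read(PSK_FILE).strip)
  warn "autosign #{ARGV[0]}: #{allow ? 'allow' : 'deny'} (#{reason})"
  exit(allow ? 0 : 1)
end
```

       The file must be executable by the Puppet user to be treated as a policy
       executable rather than as a config file.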



   csrdir
       Where the CA stores certificate requests.

       o   Default: $cadir/requests



   daemonize
       Whether to send the process into the background. This defaults to  true
       on  POSIX systems, and to false on Windows (where Puppet currently can-
       not daemonize).

       o   Default: true



   data_binding_terminus
       This setting has been deprecated. Use of any value other  than  'hiera'
       should instead be configured in a version 5 hiera.yaml. Until this set-
       ting is removed, it controls which data binding  terminus  to  use  for
       global  automatic  data  binding  (across all environments). By default
       this value is 'hiera'. A value of 'none' turns off the global binding.

       o   Default: hiera



   default_file_terminus
       The default source for files if no server is given in a uri, e.g.
       puppet:///file. The default of rest causes the file to be retrieved using
       the server setting. When running  apply  the  default  is  file_server,
       causing requests to be filled locally.

       o   Default: rest



   default_manifest
       The  default  main manifest for directory environments. Any environment
       that doesn't set the manifest setting in its environment.conf file will
       use this manifest.

       This  setting's  value can be an absolute or relative path. An absolute
       path will make all environments default to the same  main  manifest;  a
       relative  path will allow each environment to use its own manifest, and
       Puppet will resolve the path relative to each environment's main direc-
       tory.

       In  either  case, the path can point to a single file or to a directory
       of manifests to be evaluated in alphabetical order.

       o   Default: ./manifests



   default_schedules
       Boolean; whether to generate the default  schedule  resources.  Setting
       this to false is useful for keeping external report processors clean of
       skipped schedule resources.

       o   Default: true



   deviceconfig
       Path to the device config file for puppet device.

       o   Default: $confdir/device.conf



   devicedir
       The root directory of devices' $vardir.

       o   Default: $vardir/devices



   diff
       Which diff command to use when printing differences between files. This
       setting has no default value on Windows, as standard diff is not avail-
       able, but Puppet can use many third-party diff tools.

       o   Default: diff



   diff_args
       Which arguments to pass to the diff command when  printing  differences
       between files. The command to use can be chosen with the diff setting.

       o   Default: -u



   digest_algorithm
       Which  digest  algorithm  to use for file resources and the filebucket.
       Valid values are md5, sha256, sha384, sha512, sha224. Default is md5.

       o   Default: md5
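
       Added example (not part of the Puppet manual or Puppet's own code): a
       Ruby audit of a puppet.conf for the certificate and digest settings
       described above (autosign, allow_duplicate_certs, ca_ttl,
       certificate_revocation, digest_algorithm), using this page's duration
       format. The sample file, the 5y review threshold and treating lines
       before any section header as [main] are assumptions of this example.

```ruby
# Duration units from the "Configuration settings" notes on this page.
UNITS = { 'y' => 365 * 86_400, 'd' => 86_400, 'h' => 3_600, 'm' => 60, 's' => 1 }.freeze

# An integer followed by at most one unit; seconds when the unit is omitted.
def duration_seconds(text)
  m = /\A(\d+)([ydhms])?\z/.match(text.to_s.strip)
  raise ArgumentError, "invalid duration: #{text.inspect}" unless m

  m[1].to_i * UNITS.fetch(m[2] || 's')
end

# Assumption of this example: a CA TTL above the 5y default deserves review.
MAX_CA_TTL = duration_seconds('5y')

def ttl_finding(value)
  'certificate lifetime exceeds 5y' if duration_seconds(value) > MAX_CA_TTL
rescue ArgumentError
  'not a valid duration'
end

# Each check returns a finding string, or nil when the value is acceptable.
CHECKS = {
  'autosign' => ->(v) { 'autosigns all certificate requests' if v == 'true' },
  'allow_duplicate_certs' => ->(v) { 'a new CSR may overwrite an existing certificate' if v == 'true' },
  'certificate_revocation' => ->(v) { 'all revocation checking is disabled' if v == 'false' },
  'digest_algorithm' => ->(v) { 'md5 is not collision resistant' if v == 'md5' },
  'ca_ttl' => ->(v) { ttl_finding(v) }
}.freeze

# Minimal reader for "[section]" headers and "key = value" lines.
# Assumption: lines before the first header belong to [main].
def parse_puppet_conf(text)
  conf = Hash.new { |h, k| h[k] = {} }
  section = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = /\A\[(\w+)\]\z/.match(line))
      section = m[1]
    elsif (m = /\A(\w+)\s*=\s*(.*)\z/.match(line))
      conf[section][m[1]] = m[2]
    end
  end
  conf
end

# Returns one line per risky explicit setting, plus a note when
# digest_algorithm is left at its md5 default.
def audit(conf)
  findings = []
  conf.each do |section, settings|
    settings.each do |key, value|
      msg = CHECKS[key]&.call(value)
      findings << "[#{section}] #{key} = #{value}: #{msg}" if msg
    end
  end
  unless conf.values.any? { |s| s.key?('digest_algorithm') }
    findings << 'digest_algorithm is unset: the default is md5'
  end
  findings
end

# Constructed sample file, not taken from a real deployment.
SAMPLE_CONF = <<~CONF
  # constructed sample
  [main]
  certname = puppet.example.com
  digest_algorithm = sha256

  [master]
  autosign = true
  ca_ttl = 10y
  allow_duplicate_certs = false
  certificate_revocation = false
CONF

puts audit(parse_puppet_conf(SAMPLE_CONF)) if __FILE__ == $PROGRAM_NAME
```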



   disable_i18n
       If true, turns off all translations of Puppet and module log  messages,
       which  affects  error,  warning,  and info log messages, as well as any
       translations in the report and CLI.

       o   Default: false



   disable_per_environment_manifest
       Whether to disallow an environment-specific main manifest. When set  to
       true,  Puppet  will  use the manifest specified in the default_manifest
       setting for all environments. If an environment specifies  a  different
       main  manifest  in its environment.conf file, catalog requests for that
       environment will fail with an error.

       This setting requires default_manifest to be set to an absolute path.

       o   Default: false



   disable_warnings
       A comma-separated list of warning types to suppress. If  large  numbers
       of warnings are making Puppet's logs too large or difficult to use, you
       can temporarily silence them with this setting.

       If you are preparing to upgrade Puppet to  a  new  major  version,  you
       should re-enable all warnings for a while.

       Valid values for this setting are:

       o   deprecations --- disables deprecation warnings.

       o   undefined_variables --- disables warnings about non-existing
           variables.

       o   undefined_resources --- disables warnings about non-existing
           resources.

       o   Default: []



   dns_alt_names
       A  comma-separated list of alternate DNS names for Puppet Server. These
       are extra hostnames (in addition to its certname) that  the  server  is
       allowed  to  use  when  serving agents. Puppet checks this setting when
       automatically requesting a  certificate  for  Puppet  agent  or  Puppet
       Server,  and  when  manually  generating a certificate with puppet cert
       generate.

       In order to handle agent requests at a given hostname (like
       "puppet.example.com"), Puppet Server needs a certificate that proves it's
       allowed to use that name; if a server shows a certificate that  doesn't
       include its hostname, Puppet agents will refuse to trust it. If you use
       a single hostname for Puppet traffic but load-balance  it  to  multiple
       Puppet  Servers,  each  of  those servers needs to include the official
       hostname in its list of extra names.

       Note: The list of alternate names is locked in when the  server's  cer-
       tificate  is  signed.  If  you need to change the list later, you can't
       just change this setting; you also need to:

       o   On the server: Stop Puppet Server.

       o   On the CA server: Revoke and clean the  server's  old  certificate.
           (puppet cert clean <NAME>)

       o   On the server: Delete the old certificate (and any old certificate
           signing requests) from the ssldir
           https://docs.puppetlabs.com/puppet/latest/reference/dirs_ssldir.html.

       o   On  the  server:  Run  puppet agent -t --ca_server <CA HOSTNAME> to
           request a new certificate

       o   On the CA server: Sign the certificate request, explicitly allowing
           alternate names (puppet cert sign --allow-dns-alt-names <NAME>).

       o   On  the  server:  Run  puppet agent -t --ca_server <CA HOSTNAME> to
           retrieve the cert.

       o   On the server: Start Puppet Server again.



       To see all the alternate names your servers are using, log into your CA
       server  and  run  puppet  cert  list -a, then check the output for (alt
       names: ...). Most agent nodes should NOT have alternate names; the only
       certs that should have them are Puppet Server nodes that you want other
       agents to trust.

   document_all
       Whether to document all resources when using  puppet  doc  to  generate
       manifest documentation.

       o   Default: false



   environment
       The environment in which Puppet is running. For clients, such as puppet
       agent, this determines the environment itself,  which  Puppet  uses  to
       find  modules  and  much more. For servers, such as puppet master, this
       provides the default environment for nodes that  Puppet  knows  nothing
       about.

       When defining an environment in the [agent] section, this refers to the
       environment that the agent requests from the  master.  The  environment
       doesn't have to exist on the local filesystem because the agent fetches
       it from the master. This definition is used when running puppet agent.

       When defined in the [user] section, the environment refers to the  path
       that  Puppet  uses to search for code and modules related to its execu-
       tion. This requires the environment to exist locally on the  filesystem
       where  puppet  is  being executed. Puppet subcommands, including puppet
       module and puppet apply, use this definition.

       Given that the context and effects vary depending on the config section
       https://puppet.com/docs/puppet/latest/config_file_main.html#config-sections
       in which the environment setting is defined, do not set it globally.

       o   Default: production



   environment_data_provider
       The  name of a registered environment data provider used when obtaining
       environment specific data. The three built in and registered  providers
       are 'none' (no data), 'function' (data obtained by calling the function
       'environment::data()') and 'hiera' (data obtained using a data provider
       configured  using  a hiera.yaml file in root of the environment). Other
       environment data providers may be registered in modules on  the  module
       path. For such custom data providers see the respective module documen-
       tation. This setting is deprecated.

       Default:


   environment_timeout
       How long the Puppet master should cache data it loads from an  environ-
       ment.  This setting can be a time interval in seconds (30 or 30s), min-
       utes (30m), hours (6h), days (2d), or years (5y). A  value  of  0  will
       disable  caching. This setting can also be set to unlimited, which will
       cache environments until the master is restarted or told to refresh the
       cache.

       You  should  change  this  setting once your Puppet deployment is doing
       non-trivial work. We chose the default value of 0 because it  lets  new
       users update their code without any extra steps, but it lowers the per-
       formance of your Puppet master.

       We recommend setting this to unlimited and explicitly  refreshing  your
       Puppet master as part of your code deployment process.

       o   With  Puppet Server, you should refresh environments by calling the
           environment-cache API endpoint. See the docs for the Puppet  Server
           administrative API.

       o   With a Rack Puppet master, you should restart the web server or the
           application server. Passenger lets you touch a restart.txt file  to
           refresh an application without restarting Apache; see the Passenger
           docs for details.



       We don't recommend using any value other than  0  or  unlimited,  since
       most  Puppet  masters  use  a  pool of Ruby interpreters which all have
       their own cache timers. When these timers drift out of sync, agents can
       be served inconsistent catalogs.

       o   Default: 0



   environmentpath
       A search path for directory environments, as a list of directories sep-
       arated by the system path separator character. (The POSIX path  separa-
       tor is ':', and the Windows path separator is ';'.)

       This  setting  must  have a value set to enable directory environments.
       The recommended value is $codedir/environments. For more  details,  see
       https://docs.puppet.com/puppet/latest/reference/environments.html

       o   Default: $codedir/environments



   evaltrace
       Whether  each  resource  should  log  when  it is being evaluated. This
       allows you to interactively see exactly what is being done.

       o   Default: false



   external_nodes
       The external node classifier (ENC) script to use for node data.  Puppet
       combines this data with the main manifest to produce node catalogs.

       To enable this setting, set the node_terminus setting to exec.

       This setting's value must be the path to an executable command that can
       produce node information. The command must:

       o   Take the name of a node as a command-line argument.

       o   Return a YAML hash with at least one of the following keys:

           o   classes --- A list of classes, as an array or hash.

           o   environment --- A string.

           o   parameters --- A list of top-scope variables to set, as a hash.

       o   For unknown nodes, exit with a non-zero exit code.



       Generally, an ENC script makes requests to an external data source.

       For more info, see the ENC documentation
       https://docs.puppet.com/puppet/latest/nodes_external.html.

       o   Default: none



   factpath
       Where Puppet should look for facts. Multiple directories should be sep-
       arated by the system path separator character. (The POSIX path  separa-
       tor is ':', and the Windows path separator is ';'.)

       o   Default: $vardir/lib/facter:$vardir/facts



   facts_terminus
       The node facts terminus.

       o   Default: facter



   fileserverconfig
       Where the fileserver configuration is stored.

       o   Default: $confdir/fileserver.conf



   filetimeout
       The  minimum time to wait between checking for updates in configuration
       files. This timeout determines how quickly Puppet checks whether a file
       (such  as manifests or templates) has changed on disk. This setting can
       be a time interval in seconds (30 or 30s), minutes (30m),  hours  (6h),
       days (2d), or years (5y).

       o   Default: 15s



   forge_authorization
       The authorization key to connect to the Puppet Forge. Leave blank for
       unauthorized or license based connections.

       Default:


   freeze_main
       Freezes the 'main' class, disallowing any code to be added to it.  This
       essentially  means  that  you  can't  have  any code outside of a node,
       class, or definition other than in the site manifest.

       o   Default: false



   future_features
       Whether or not to enable all features  currently  being  developed  for
       future  major  releases  of  Puppet. Should be used with caution, as in
       development features are experimental and can have unexpected effects.

       o   Default: false



   genconfig
       When true, causes Puppet applications to print an example  config  file
       to  stdout and exit. The example will include descriptions of each set-
       ting, and the current (or default) value of each setting, incorporating
       any  settings  overridden  on  the CLI (with the exception of genconfig
       itself). This setting only makes sense when specified  on  the  command
       line as --genconfig.

       o   Default: false



   genmanifest
       Whether  to  just print a manifest to stdout and exit. Only makes sense
       when specified on the command line as --genmanifest. Takes into account
       arguments specified on the CLI.

       o   Default: false



   graph
       Whether to create .dot graph files, which let you visualize the
       dependency and containment relationships in Puppet's catalog. You can
       load and view these files with tools like OmniGraffle
       http://www.omnigroup.com/applications/omnigraffle/ (OS X) or graphviz
       http://www.graphviz.org/ (multi-platform).

       Graph files are created when applying a catalog, so this setting should
       be used on nodes running puppet agent or puppet apply.

       The graphdir setting determines where Puppet  will  save  graphs.  Note
       that  we don't save graphs for historical runs; Puppet will replace the
       previous .dot files with new ones every time it applies a catalog.

       See your graphing software's documentation for details on opening  .dot
       files.  If  you're using GraphViz's dot command, you can do a quick PNG
       render with dot -Tpng <DOT FILE> -o <OUTPUT FILE>.

       o   Default: false



   graphdir
       Where to save .dot-format graphs (when the graph setting is enabled).

       o   Default: $statedir/graphs



   group
       The group puppet master should run as.

       o   Default: puppet



   hiera_config
       The hiera configuration file. Puppet only reads this file  on  startup,
       so you must restart the puppet master every time you edit it.

       o   Default:   $confdir/hiera.yaml.   However,  if  a  file  exists  at
           $codedir/hiera.yaml, Puppet uses that instead.



   hostcert
       Where individual hosts store and look for their certificates.

       o   Default: $certdir/$certname.pem



   hostcrl
       Where the host's certificate revocation list can be found. This is dis-
       tinct from the certificate authority's CRL.

       o   Default: $ssldir/crl.pem



   hostcsr
       Where individual hosts store and look for their certificate requests.

       o   Default: $ssldir/csr_$certname.pem



   hostprivkey
       Where individual hosts store and look for their private key.

       o   Default: $privatekeydir/$certname.pem



   hostpubkey
       Where individual hosts store and look for their public key.

       o   Default: $publickeydir/$certname.pem



   http_connect_timeout
       The  maximum  amount  of time to wait when establishing an HTTP connec-
       tion. The default value is 2 minutes. This setting can be a time inter-
       val  in  seconds  (30 or 30s), minutes (30m), hours (6h), days (2d), or
       years (5y).

       o   Default: 2m



   http_debug
       Whether to write HTTP requests and responses to stderr. This should
       never be used in a production environment.

       o   Default: false



   http_keepalive_timeout
       The maximum amount of time a persistent HTTP connection can remain idle
       in the connection pool, before it is closed.  This  timeout  should  be
       shorter than the keepalive timeout used on the HTTP server, e.g. Apache
       KeepAliveTimeout directive. This setting can be a time interval in sec-
       onds (30 or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

       o   Default: 4s



   http_proxy_host
       The HTTP proxy host to use for outgoing connections. Note: You may need
       to use a FQDN for the server hostname when using a proxy. The
       environment variable http_proxy or HTTP_PROXY will override this value.

       o   Default: none



   http_proxy_password
       The  password for the user of an authenticated HTTP proxy. Requires the
       http_proxy_user setting.

       Note that passwords must be valid when used as part  of  a  URL.  If  a
       password  contains  any  characters  with  special meanings in URLs (as
       specified by RFC 3986 section 2.2),  they  must  be  URL-encoded.  (For
       example, # would become %23.)

       o   Default: none



   http_proxy_port
       The HTTP proxy port to use for outgoing connections

       o   Default: 3128



   http_proxy_user
       The   user   name   for  an  authenticated  HTTP  proxy.  Requires  the
       http_proxy_host setting.

       o   Default: none



   http_read_timeout
       The time to wait for one block to be read from an HTTP  connection.  If
       nothing  is read after the elapsed interval then the connection will be
       closed. The default value is unlimited. This  setting  can  be  a  time
       interval  in seconds (30 or 30s), minutes (30m), hours (6h), days (2d),
       or years (5y).

       Default:


   http_user_agent
       The HTTP User-Agent string to send when making network requests.

       o   Default: Puppet/5.5.0 Ruby/2.3.1-p112 (x86_64-linux)



   ignorecache
       This setting has no effect and will be removed in a future Puppet  ver-
       sion.

       o   Default: false



   ignoremissingtypes
       Skip  searching  for classes and definitions that were missing during a
       prior compilation. The list of missing objects is maintained  per-envi-
       ronment  and persists until the environment is cleared or the master is
       restarted.

       o   Default: false



   ignoreschedules
       Boolean; whether puppet agent should ignore schedules. This  is  useful
       for initial puppet agent runs.

       o   Default: false



   keylength
       The bit length of keys.

       o   Default: 4096



   lastrunfile
       Where puppet agent stores the last run report summary in yaml format.

       o   Default: $statedir/last_run_summary.yaml



   lastrunreport
       Where puppet agent stores the last run report in yaml format.

       o   Default: $statedir/last_run_report.yaml



   ldapattrs
       The  LDAP  attributes  to  include  when  querying  LDAP for nodes. All
       returned attributes are set as variables in the top-level scope. Multi-
       ple  values  should  be  comma-separated.  The  value 'all' returns all
       attributes.

       o   Default: all



   ldapbase
       The search base for LDAP searches. It's impossible to provide  a  mean-
       ingful default here, although the LDAP libraries might have one already
       set. Generally, it should be the  'ou=Hosts'  branch  under  your  main
       directory.

   ldapclassattrs
       The  LDAP  attributes to use to define Puppet classes. Values should be
       comma-separated.

       o   Default: puppetclass



   ldapparentattr
       The attribute to use to define the parent node.

       o   Default: parentnode



   ldappassword
       The password to use to connect to LDAP.

   ldapport
       The LDAP port. Only used if node_terminus is set to ldap.

       o   Default: 389



   ldapserver
       The LDAP server. Only used if node_terminus is set to ldap.

       o   Default: ldap



   ldapssl
       Whether SSL should be used when searching for nodes. Defaults to  false
       because  SSL  usually  requires certificates to be set up on the client
       side.

       o   Default: false



   ldapstackedattrs
       The LDAP attributes that should be stacked to arrays by adding the val-
       ues in all hierarchy elements of the tree. Values should be comma-sepa-
       rated.

       o   Default: puppetvar



   ldapstring
       The search string used to find an LDAP node.

       o   Default: (&(objectclass=puppetClient)(cn=%s))



   ldaptls
       Whether TLS should be used when searching for nodes. Defaults to  false
       because  TLS  usually  requires certificates to be set up on the client
       side.

       o   Default: false



   ldapuser
       The user to use to connect to LDAP. Must be specified as a full DN.

   libdir
       An extra search path for Puppet. This is only useful  for  those  files
       that  Puppet  will  load  on demand, and is only guaranteed to work for
       those cases. In fact, the autoload mechanism is responsible for  making
       sure this directory is in Ruby's search path

       o   Default: $vardir/lib



   localcacert
       Where each client stores the CA certificate.

       o   Default: $certdir/ca.pem



   localedest
       Where Puppet should store translation files that it pulls down from the
       central server.

       o   Default: $vardir/locales



   localesource
       From where to retrieve translation files. The standard Puppet file type
       is  used  for retrieval, so anything that is a valid file source can be
       used here.

       o   Default: puppet:///locales



   log_level
       Default logging level for messages from Puppet. Allowed values are:

       o   debug

       o   info

       o   notice

       o   warning

       o   err

       o   alert

       o   emerg

       o   crit

       o   Default: notice



   logdir
       The directory in which to store log files

       o   Default: Unix/Linux: /var/log/puppetlabs/puppet -- Windows:
           C:\ProgramData\PuppetLabs\puppet\var\log -- Non-root user:
           ~/.puppetlabs/var/log



   manage_internal_file_permissions
       Whether Puppet should manage the owner, group, and  mode  of  files  it
       uses internally

       o   Default: true



   manifest
       The  entry-point  manifest for puppet master. This can be one file or a
       directory of manifests to be evaluated in  alphabetical  order.  Puppet
       manages this path as a directory if one exists or if the path ends with
       a / or .

       Setting a global value for manifest in puppet.conf is not allowed (but
       it can be overridden from the command line). Please use directory
       environments instead. If you need to use something other than the
       environment's manifests directory as the main manifest, you can set
       manifest in environment.conf. For more info, see
       https://docs.puppet.com/puppet/latest/reference/environments.html

       Default:


   masterhttplog
       Where  the  puppet master web server saves its access log. This is only
       used when running a WEBrick puppet master. When puppet master  is  run-
       ning  under a Rack server like Passenger, that web server will have its
       own logging behavior.

       o   Default: $logdir/masterhttp.log



   masterport
       The port for puppet master traffic. For puppet master, this is the port
       to  listen  on; for puppet agent, this is the port to make requests on.
       Both applications use this setting to get the port.

       o   Default: 8140



   max_deprecations
       Sets the max number of logged/displayed parser  validation  deprecation
       warnings  in  case  multiple deprecation warnings have been detected. A
       value of 0 blocks the logging of deprecation warnings. The count is per
       manifest.

       o   Default: 10



   max_errors
       Sets  the  max  number  of logged/displayed parser validation errors in
       case multiple errors have been detected. A value of 0 is the same as  a
       value  of  1; a minimum of one error is always raised. The count is per
       manifest.

       o   Default: 10



   max_warnings
       Sets the max number of logged/displayed parser validation  warnings  in
       case  multiple warnings have been detected. A value of 0 blocks logging
       of warnings. The count is per manifest.

       o   Default: 10



   maximum_uid
       The maximum allowed UID. Some platforms use negative UIDs but then ship
       with tools that do not know how to handle signed ints, so the UIDs show
       up as huge numbers that can then not be fed back into the system.  This
       is  a  hackish way to fail in a slightly more useful way when that hap-
       pens.

       o   Default: 4294967290



   mkusers
       Whether to create the necessary user and group that puppet  agent  will
       run as.

       o   Default: false



   module_groups
       Extra module groups to request from the Puppet Forge. This is an inter-
       nal setting, and users should never change it.

       Default:


   module_repository
       The module repository

       o   Default: https://forgeapi.puppet.com



   module_skeleton_dir
       The directory in which the skeleton for module tool generate is stored.

       o   Default: $module_working_dir/skeleton



   module_working_dir
       The directory into which module tool data is stored

       o   Default: $vardir/puppet-module



   modulepath
       The search path for modules, as a list of directories separated by  the
       system  path separator character. (The POSIX path separator is ':', and
       the Windows path separator is ';'.)

       Setting a global value for modulepath in puppet.conf is not allowed
       (but it can be overridden from the command line). Please use directory
       environments instead. If you need to use something other than the
       default modulepath of <ACTIVE ENVIRONMENT'S MODULES DIR>:$basemodulepath,
       you can set modulepath in environment.conf. For more info, see
       https://docs.puppet.com/puppet/latest/reference/environments.html

   name
       The  name  of the application, if we are running as one. The default is
       essentially $0 without the path or .rb.

       Default:


   node_cache_terminus
       How to store cached nodes. Valid values are (none), 'json',  'msgpack',
       'yaml' or write only yaml ('write_only_yaml').

       Default:


   node_name
       How  the  puppet  master  determines the client's identity and sets the
       'hostname', 'fqdn' and 'domain' facts for use in the manifest, in  par-
       ticular  for  determining which 'node' statement applies to the client.
       Possible values are 'cert' (use the subject's CN in the  client's  cer-
       tificate)  and  'facter'  (use the hostname that the client reported in
       its facts)

       o   Default: cert



   node_name_fact
       The fact name used to determine the node name used for all requests the
       agent  makes to the master. WARNING: This setting is mutually exclusive
       with node_name_value. Changing this setting also  requires  changes  to
       the  default  auth.conf  configuration on the Puppet Master. Please see
       http://links.puppet.com/node_name_fact for more information.

   node_name_value
       The explicit value used for the node name for all  requests  the  agent
       makes  to  the master. WARNING: This setting is mutually exclusive with
       node_name_fact. Changing this setting  also  requires  changes  to  the
       default  auth.conf  configuration  on  the  Puppet  Master.  Please see
       http://links.puppet.com/node_name_value for more information.

       o   Default: $certname



   node_terminus
       Which node data plugin to use when compiling node catalogs.

       When Puppet compiles a catalog, it  combines  two  primary  sources  of
       info:  the  main manifest, and a node data plugin (often called a "node
       terminus," for historical reasons). Node  data  plugins  provide  three
       things for a given node name:

       1.  A  list  of classes to add to that node's catalog (and, optionally,
           values for their parameters).

       2.  Which Puppet environment the node should use.

       3.  A list of additional top-scope variables to set.



       The three main node data plugins are:

       o   plain --- Returns no data, so that the main manifest  controls  all
           node configuration.

       o   exec --- Uses an external node classifier (ENC)
           https://docs.puppet.com/puppet/latest/nodes_external.html,
           configured by the external_nodes setting. This lets you pull a list
           of Puppet classes from any external system, using a small glue
           script to perform the request and format the result as YAML.

       o   classifier (formerly console) --- Specific to Puppet Enterprise.
           Uses the PE console for node data.

       o   Default: plain
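
       The glue script used by the exec plugin, sketched in Ruby as an added
       example (not code from Puppet or from this manual). The inventory, the
       class names and the node-name pattern are constructed; the output keys
       classes, environment and parameters correspond to the three items
       listed above.

```ruby
require 'yaml'

# Constructed inventory standing in for the external system (CMDB, database).
INVENTORY = {
  'web01.example.com' => { 'role' => 'web', 'env' => 'production' },
  'db01.example.com'  => { 'role' => 'db',  'env' => 'staging' }
}.freeze

# Constructed role-to-class mapping; a nil value means "no class parameters".
ROLE_CLASSES = {
  'web' => { 'profile::base' => nil, 'profile::web' => { 'port' => 443 } },
  'db'  => { 'profile::base' => nil, 'profile::db' => nil }
}.freeze

# Assumed policy: lowercase hostname characters only. \A and \z anchor the
# whole string, so a trailing newline or path separator is rejected before
# the name is used as a lookup key.
VALID_NODE = /\A[a-z0-9._-]{1,255}\z/

# Return the node data hash for a known node, or nil for anything else.
def classify(node_name)
  return nil unless node_name.is_a?(String) && node_name.match?(VALID_NODE)

  record = INVENTORY[node_name]
  return nil if record.nil?

  {
    'classes'     => ROLE_CLASSES.fetch(record['role'], {}),  # item 1
    'environment' => record['env'],                           # item 2
    'parameters'  => { 'role' => record['role'] }             # item 3
  }
end

# Entry point: Puppet passes the node name as the only argument and reads
# YAML from stdout. A non-zero status signals that classification failed,
# so unknown or malformed names never receive a default catalog.
def enc_main(argv, out = $stdout)
  result = classify(argv[0])
  return 1 if result.nil?

  out.puts result.to_yaml
  0
end

exit enc_main(ARGV) if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
```

       To use a script like this, set node_terminus = exec and point
       external_nodes at the script's path.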



   noop
       Whether to apply catalogs in noop mode, which  allows  Puppet  to  par-
       tially  simulate  a  normal  run. This setting affects puppet agent and
       puppet apply.

       When running in noop mode, Puppet will check whether each  resource  is
       in  sync,  like  it  does when running normally. However, if a resource
       attribute is not in the desired state (as  declared  in  the  catalog),
       Puppet  will  take  no  action,  and will instead report the changes it
       would have made. These simulated changes will appear in the report sent
       to  the  puppet  master,  or  be shown on the console if running puppet
       agent or puppet apply in the foreground. The simulated changes will not
       send  refresh events to any subscribing or notified resources, although
       Puppet will log that a refresh event would have been sent.

       Important note: The noop metaparameter
       https://docs.puppetlabs.com/puppet/latest/reference/metaparameter.html#noop
       allows you to apply individual resources in noop mode, and will override
       the global value of the noop setting. This means a resource with
       noop => false will be changed if necessary, even when running puppet
       agent with noop = true or --noop. (Conversely, a resource with
       noop => true will only be simulated, even when noop mode is globally
       disabled.)

       o   Default: false



   onetime
       Perform  one  configuration  run  and  exit,  rather  than  spawning  a
       long-running  daemon.  This  is useful for interactively running puppet
       agent, or running puppet agent from cron.

       o   Default: false



   ordering
       How unrelated resources should be  ordered  when  applying  a  catalog.
       Allowed  values  are  title-hash,  manifest,  and  random. This setting
       affects puppet agent and puppet apply, but not puppet master.

       o   manifest (the default) will use the order in  which  the  resources
           were declared in their manifest files.

       o   title-hash  (the default in 3.x) will order resources randomly, but
           will use the same order across runs and across nodes. It is only of
           value  if  you're  migrating  from 3.x and have errors running with
           manifest.

       o   random will order resources randomly and change  their  order  with
           each  run.  This  can work like a fuzzer for shaking out undeclared
           dependencies.



       Regardless of this setting's value, Puppet will  always  obey  explicit
       dependencies  set  with the before/require/notify/subscribe metaparame-
       ters and the ->/~> chaining arrows; this setting only affects the rela-
       tive ordering of unrelated resources.

       o   Default: manifest



   passfile
       Where  puppet  agent stores the password for its private key. Generally
       unused.

       o   Default: $privatedir/password



   path
       The shell search path. Defaults to whatever is inherited from the  par-
       ent process.

       This  setting  can only be set in the [main] section of puppet.conf; it
       cannot be set in [master], [agent], or an environment config section.

       o   Default: none



   pidfile
       The file containing the PID of a running process. This file is intended
       to  be  used by service management frameworks and monitoring systems to
       determine if a puppet process is still in the process table.

       o   Default: $rundir/${run_mode}.pid



   plugindest
       Where Puppet should store plugins that it pulls down from  the  central
       server.

       o   Default: $libdir



   pluginfactdest
       Where Puppet should store external facts that are being handled by
       pluginsync.

       o   Default: $vardir/facts.d



   pluginfactsource
       Where to retrieve external facts for pluginsync

       o   Default: puppet:///pluginfacts



   pluginsignore
       What files to ignore when pulling down plugins.

       o   Default: .svn CVS .git .hg



   pluginsource
       From where to retrieve plugins. The standard Puppet file type  is  used
       for  retrieval,  so  anything  that  is a valid file source can be used
       here.

       o   Default: puppet:///plugins



   pluginsync
       Whether plugins should be synced with the central server. This  setting
       is deprecated.

       o   Default: true



   postrun_command
       A  command  to  run  after  every  agent run. If this command returns a
       non-zero return code, the entire Puppet run will be considered to  have
       failed, even though it might have performed work during the normal run.

   preferred_serialization_format
       The  preferred means of serializing ruby instances for passing over the
       wire. This won't guarantee that all instances will be serialized  using
       this  method,  since  not all classes can be guaranteed to support this
       format, but it will be used for all classes that support it.

       o   Default: json



   prerun_command
       A command to run before every agent run.  If  this  command  returns  a
       non-zero return code, the entire Puppet run will fail.

   preview_outputdir
       The directory where catalog previews per node are generated.

       o   Default: $vardir/preview



   priority
       The  scheduling priority of the process. Valid values are 'high', 'nor-
       mal', 'low', or 'idle', which are mapped to  platform-specific  values.
       The  priority  can  also  be  specified as an integer value and will be
       passed as is, e.g. -5. Puppet must be running as a privileged  user  in
       order to increase scheduling priority.

       Default:


   privatedir
       Where the client stores private certificate information.

       o   Default: $ssldir/private



   privatekeydir
       The private key directory.

       o   Default: $ssldir/private_keys



   profile
       Whether to enable experimental performance profiling

       o   Default: false



   publickeydir
       The public key directory.

       o   Default: $ssldir/public_keys



   puppetdlog
       The  fallback  log file. This is only used when the --logdest option is
       not specified AND Puppet is running on an operating system  where  both
       the  POSIX  syslog  service  and the Windows Event Log are unavailable.
       (Currently, no supported operating systems match that description.)

       Despite the name, both puppet agent and puppet  master  will  use  this
       file as the fallback logging destination.

       For control over logging destinations, see the --logdest command line
       option in the manual pages for puppet master, puppet agent, and puppet
       apply. You can see man pages by running puppet <SUBCOMMAND> --help, or
       read them online at
       https://docs.puppetlabs.com/puppet/latest/reference/man/.

       o   Default: $logdir/puppetd.log



   report
       Whether to send reports after every transaction.

       o   Default: true



   report_port
       The port to communicate with the report_server.

       o   Default: $masterport



   report_server
       The server to send transaction reports to.

       o   Default: $server



   reportdir
       The directory in which to store reports. Each node gets a separate sub-
       directory in this directory. This setting is only used when  the  store
       report processor is enabled (see the reports setting).

       o   Default: $vardir/reports



   reports
       The  list  of  report  handlers to use. When using multiple report han-
       dlers, their names should be comma-separated, with whitespace  allowed.
       (For example, reports = http, store.)

       This  setting is relevant to puppet master and puppet apply. The puppet
       master will call these report handlers with  the  reports  it  receives
       from  agent nodes, and puppet apply will call them with its own report.
       (In all cases, the node applying the catalog must have report = true.)

       See the report reference for information on the  built-in  report  han-
       dlers;  custom report handlers can also be loaded from modules. (Report
       handlers are loaded from the lib directory, at puppet/reports/NAME.rb.)

       o   Default: store



   reporturl
       The URL that reports should be forwarded to. This setting is only  used
       when the http report processor is enabled (see the reports setting).

       o   Default: http://localhost:3000/reports/upload



   requestdir
       Where host certificate requests are stored.

       o   Default: $ssldir/certificate_requests



   resourcefile
       The  file  in which puppet agent stores a list of the resources associ-
       ated with the retrieved configuration.

       o   Default: $statedir/resources.txt



   rest_authconfig
       The configuration file that defines the rights to  the  different  rest
       indirections.  This  can be used as a fine-grained authorization system
       for puppet master.

       o   Default: $confdir/auth.conf



   rich_data
       Enables having extended data in the catalog by storing them as a hash
       with the special key __pcore_type__. When enabled, resources containing
       values of the data types Binary, Regexp, SemVer, SemVerRange, Timespan
       and Timestamp, as well as instances of types derived from Object retain
       their data type.

       o   Default: false



   route_file
       The YAML file containing indirector route configuration.

       o   Default: $confdir/routes.yaml



   rundir
       Where Puppet PID files are kept.

       o   Default: Unix/Linux: /var/run/puppetlabs -- Windows:
           C:\ProgramData\PuppetLabs\puppet\var\run -- Non-root user:
           ~/.puppetlabs/var/run



   runinterval
       How often puppet agent applies the catalog. Note that a runinterval  of
       0  means "run continuously" rather than "never run." If you want puppet
       agent to never run, you should start it with  the  --no-client  option.
       This  setting  can  be  a time interval in seconds (30 or 30s), minutes
       (30m), hours (6h), days (2d), or years (5y).

       o   Default: 30m



   runtimeout
       The maximum amount of time an agent run is allowed to  take.  A  Puppet
       agent  run  that  exceeds  this timeout will be aborted. Defaults to 0,
       which is unlimited. This setting can be a time interval in seconds  (30
       or 30s), minutes (30m), hours (6h), days (2d), or years (5y).

       o   Default: 0



   serial
       Where the serial number for certificates is stored.

       o   Default: $cadir/serial



   server
       The puppet master server to which the puppet agent should connect.

       o   Default: puppet



   server_datadir
       The  directory  in which serialized data is stored, usually in a subdi-
       rectory.

       o   Default: $vardir/server_data



   server_list
       The list of puppet master servers to which the puppet agent should con-
       nect, in the order that they will be tried.

       o   Default: []



   show_diff
       Whether  to  log  and  report  a  contextual  diff when files are being
       replaced. This causes partial file contents to  pass  through  Puppet's
       normal  logging  and  reporting  system, so this setting should be used
       with caution if you are sending Puppet's reports to an insecure  desti-
       nation. This feature currently requires the diff/lcs Ruby library.

       o   Default: false
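
       A review aid for the settings this page marks for caution (http_debug,
       future_features, show_diff), added here as an example and not part of
       Puppet. The rule set, the rules for node_name, ldappassword and
       reporturl, the function names and the sample file are assumptions of
       this sketch; only the literal value true is treated as enabled.

```ruby
require 'uri'

# Constructed sample configuration; hosts and values are placeholders.
SAMPLE_CONF = <<~CONF
  [main]
  server = puppet.example.com
  http_debug = true

  [agent]
  show_diff = true
  runinterval = 30m

  [master]
  node_terminus = ldap
  ldappassword = placeholder-secret
  reports = store, http
  reporturl = http://reports.example.com:3000/reports/upload
CONF

# Parse puppet.conf text into { 'section' => { 'setting' => 'value' } }.
def parse_puppet_conf(text)
  sections = Hash.new { |hash, name| hash[name] = {} }
  current = 'main'
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
    elsif (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2].strip
    end
  end
  sections
end

def enabled?(settings, name)
  settings[name].to_s.downcase == 'true'
end

# True when the URL is plain HTTP to a host other than the local machine.
# An unparseable URL is also reported so that a person looks at it.
def cleartext_remote?(url)
  uri = URI.parse(url)
  uri.scheme == 'http' && !%w[localhost 127.0.0.1 ::1].include?(uri.hostname)
rescue URI::InvalidURIError
  true
end

# Return [setting, reason] pairs for one run mode ([main] plus that section).
def audit(text, run_mode)
  conf = parse_puppet_conf(text)
  s = conf['main'].merge(conf[run_mode])
  findings = []

  findings << ['http_debug', 'HTTP requests and responses are written to stderr'] if enabled?(s, 'http_debug')
  findings << ['future_features', 'experimental features are enabled'] if enabled?(s, 'future_features')
  findings << ['show_diff', 'partial file contents pass through logs and reports'] if enabled?(s, 'show_diff')
  if s['node_name'] == 'facter'
    findings << ['node_name', 'node identity comes from client-reported facts, not the certificate CN']
  end

  ldap_encrypted = enabled?(s, 'ldapssl') || enabled?(s, 'ldaptls')
  if s['node_terminus'] == 'ldap' && !s['ldappassword'].to_s.empty? && !ldap_encrypted
    findings << ['ldappassword', 'LDAP password is used with ldapssl and ldaptls both off']
  end

  handlers = s.fetch('reports', 'store').split(',').map(&:strip)
  url = s.fetch('reporturl', 'http://localhost:3000/reports/upload')
  if handlers.include?('http') && cleartext_remote?(url)
    findings << ['reporturl', 'reports are forwarded to a remote host over plain HTTP']
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  %w[agent master].each do |mode|
    audit(SAMPLE_CONF, mode).each { |name, why| puts "[#{mode}] #{name}: #{why}" }
  end
end
```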



   signeddir
       Where the CA stores signed certificates.

       o   Default: $cadir/signed



   skip_tags
       Tags  to  use  to filter resources. If this is set, then only resources
       not tagged with the specified tags will  be  applied.  Values  must  be
       comma-separated.

   sourceaddress
       The address the agent should use to initiate requests.

       Default:


   splay
       Whether  to sleep for a random amount of time, ranging from immediately
       up to its $splaylimit, before performing its first agent  run  after  a
       service  restart. After this period, the agent runs periodically on its
       $runinterval.

       For example, assume a default 30-minute $runinterval, splay set to  its
       default of false, and an agent starting at :00 past the hour. The agent
       would check in every 30 minutes at :01 and :31 past the hour.

       With splay enabled, it waits any amount of time up to  its  $splaylimit
       before  its  first  run. For example, it might randomly wait 8 minutes,
       then start its first run at :08 past the hour. With the $runinterval at
       its default 30 minutes, its next run will be at :38 past the hour.

       If  you restart an agent's puppet service with splay enabled, it recal-
       culates its splay period and delays its first agent run after  restart-
       ing  for this new period. If you simultaneously restart a group of pup-
       pet agents with splay enabled, their checkins to  your  puppet  masters
       can be distributed more evenly.

       o   Default: false



   splaylimit
       The  maximum  time  to  delay before an agent's first run when splay is
       enabled. Defaults to the agent's $runinterval. The  splay  interval  is
       random  and  recalculated  each time the agent is started or restarted.
       This setting can be a time interval in seconds  (30  or  30s),  minutes
       (30m), hours (6h), days (2d), or years (5y).

       o   Default: $runinterval



   srv_domain
       The  domain which will be queried to find the SRV records of servers to
       use.

       o   Default: delivery.puppetlabs.net



   ssl_client_ca_auth
       Certificate authorities who issue server certificates. SSL servers will
       not be considered authentic unless they possess a certificate issued by
       an authority listed in this file. If this setting has no value then the
       Puppet master's CA certificate (localcacert) will be used.

       Default:


   ssl_client_header
       The  header  containing  an  authenticated client's SSL DN. This header
       must be set by the proxy to the authenticated client's  SSL  DN  (e.g.,
       /CN=puppet.puppetlabs.com).  Puppet will parse out the Common Name (CN)
       from the Distinguished Name (DN) and use the value of the CN field  for
       authorization.

       Note  that  the  name  of the HTTP header gets munged by the web server
       common gateway interface: an HTTP_ prefix is  added,  dashes  are  con-
       verted to underscores, and all letters are uppercased. Thus, to use the
       X-Client-DN header, this setting should be HTTP_X_CLIENT_DN.

       o   Default: HTTP_X_CLIENT_DN



   ssl_client_verify_header
       The header containing the status message of  the  client  verification.
       This  header  must  be set by the proxy to 'SUCCESS' if the client suc-
       cessfully authenticated, and anything else otherwise.

       Note that the name of the HTTP header gets munged  by  the  web  server
       common  gateway  interface:  an  HTTP_ prefix is added, dashes are con-
       verted to underscores, and all letters are uppercased. Thus, to use the
       X-Client-Verify header, this setting should be HTTP_X_CLIENT_VERIFY.

       o   Default: HTTP_X_CLIENT_VERIFY
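
       The header handling described for ssl_client_header and
       ssl_client_verify_header, as an added Ruby example that is not Puppet's
       own code. All function names are hypothetical, 'NONE' is a constructed
       stand-in for "anything else", and the DN parser handles only the simple
       slash and comma forms without escaped separators.

```ruby
# Header name as the web server's gateway interface exposes it:
# HTTP_ prefix added, dashes converted to underscores, letters uppercased.
def cgi_env_key(header_name)
  'HTTP_' + header_name.tr('-', '_').upcase
end

# Proxy side: build the environment handed to the master. Because the master
# trusts these two keys, every client-supplied header that maps to either of
# them is dropped, and both are then set from the proxy's own TLS result.
def proxy_env(client_headers, tls_verified:, tls_dn:,
              dn_header: 'X-Client-DN', verify_header: 'X-Client-Verify')
  trusted = [cgi_env_key(dn_header), cgi_env_key(verify_header)]
  env = {}
  client_headers.each do |name, value|
    key = cgi_env_key(name)
    env[key] = value unless trusted.include?(key)
  end
  env[cgi_env_key(verify_header)] = tls_verified ? 'SUCCESS' : 'NONE'
  env[cgi_env_key(dn_header)] = tls_dn.to_s
  env
end

# Extract the Common Name from a DN such as /CN=puppet.puppetlabs.com
# or CN=agent01.example.com,O=Example. Returns nil when no CN is present.
def common_name(dn)
  return nil if dn.nil?

  parts = dn.start_with?('/') ? dn.split('/') : dn.split(',')
  parts.each do |part|
    key, value = part.strip.split('=', 2)
    return value if key && key.casecmp?('CN') && value && !value.empty?
  end
  nil
end

# Master side: the name used for authorization, or nil when the verify
# header is anything other than the exact string SUCCESS.
def authenticated_name(env, dn_key: 'HTTP_X_CLIENT_DN',
                       verify_key: 'HTTP_X_CLIENT_VERIFY')
  return nil unless env[verify_key] == 'SUCCESS'

  common_name(env[dn_key])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: one ordinary header plus a verified client cert.
  env = proxy_env({ 'Accept' => 'application/json' },
                  tls_verified: true, tls_dn: '/CN=puppet.puppetlabs.com')
  puts authenticated_name(env)
end
```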



   ssl_server_ca_auth
       Certificate authorities who issue client certificates. SSL clients will
       not be considered authentic unless they possess a certificate issued by
       an authority listed in this file. If this setting has no value then the
       Puppet master's CA certificate (localcacert) will be used.

       Default:


   ssldir
       Where SSL certificates are kept.

       o   Default: $confdir/ssl



   statedir
       The directory where Puppet state is stored. Generally,  this  directory
       can be removed without causing harm (although it might result in spuri-
       ous service restarts).

       o   Default: $vardir/state



   statefile
       Where puppet agent and puppet master store state  associated  with  the
       running configuration. In the case of puppet master, this file reflects
       the state discovered through interacting with clients.

       o   Default: $statedir/state.yaml



   static_catalogs
       Whether to compile a static catalog
       (https://docs.puppet.com/puppet/latest/static_catalogs.html#enabling-or-disabling-static-catalogs),
       which occurs only on a Puppet Server master when the code-id-command
       and code-content-command settings are configured in its
       puppetserver.conf file.

       o   Default: true



   storeconfigs
       Whether to store each client's configuration, including catalogs,
       facts, and related data. This also enables the import and export of
       resources in the Puppet language - a mechanism for exchanging
       resources between nodes.

       By default this uses the 'puppetdb' backend.

       You can adjust the backend using the storeconfigs_backend setting.

       o   Default: false



   storeconfigs_backend
       Configure  the backend terminus used for StoreConfigs. By default, this
       uses the PuppetDB store, which must be installed and configured  before
       turning on StoreConfigs.

       o   Default: puppetdb



   strict
       The strictness level of puppet. Allowed values are:

       o   off - do not perform extra validation, do not report

       o   warning - perform extra validation, report as warning (default)

       o   error - perform extra validation, fail with error



       The strictness level is for both language semantics and runtime
       evaluation validation. In addition to controlling the behavior with
       this master switch, some individual warnings may also be controlled
       by the disable_warnings setting.

       No new validations will be added to a micro (x.y.z) release, but may be
       added in minor releases (x.y.0). In major releases it is expected that
       most (if not all) strictness validations become standard behavior.

       o   Default: warning



   strict_environment_mode
       Whether the agent specified environment should be considered authorita-
       tive,  causing  the run to fail if the retrieved catalog does not match
       it.

       o   Default: false



   strict_hostname_checking
       Whether to only search for the complete hostname as it is in  the  cer-
       tificate when searching for node information in the catalogs.

       o   Default: false



   strict_variables
       Causes  an  evaluation  error when referencing unknown variables. (This
       does not affect  referencing  variables  that  are  explicitly  set  to
       undef).

       o   Default: false



   summarize
       Whether to print a transaction summary.

       o   Default: false



   supported_checksum_types
       Checksum  types  supported by this agent for use in file resources of a
       static catalog. Values must be comma-separated. Valid  types  are  md5,
       md5lite,  sha256,  sha256lite,  sha384, sha512, sha224, sha1, sha1lite,
       mtime, ctime. Default is md5, sha256, sha384, sha512, sha224.

       o   Default: ["md5", "sha256", "sha384", "sha512", "sha224"]



   syslogfacility
       What syslog facility to use when logging to syslog. Syslog has a  fixed
       list  of valid facilities, and you must choose one of those; you cannot
       just make one up.

       o   Default: daemon



   tags
       Tags to use to find resources. If this  is  set,  then  only  resources
       tagged  with  the  specified  tags  will  be  applied.  Values  must be
       comma-separated.

   tasks
       Turns on experimental support for tasks and plans in  the  puppet  lan-
       guage. This is for internal API use only. Do not change this setting.

       o   Default: false



   trace
       Whether to print stack traces on some errors.

       o   Default: false



   transactionstorefile
       Transactional storage file for persisting data between transactions for
       the purposes of inferring information (such as corrective_change) on
       new data received.

       o   Default: $statedir/transactionstore.yaml



   trusted_oid_mapping_file
       File that provides mapping between custom SSL OIDs and user-friendly
       names.

       o   Default: $confdir/custom_trusted_oid_mapping.yaml



   trusted_server_facts
       The 'trusted_server_facts' setting is deprecated and has no  effect  as
       the  feature this enabled is now always on. The setting will be removed
       in a future version of puppet.

       o   Default: true



   use_cached_catalog
       Whether to only use the cached catalog rather than compiling a new cat-
       alog  on  every run. Puppet can be run with this enabled by default and
       then selectively disabled when a recompile is desired.

       o   Default: false



   use_srv_records
       Whether the server will search for SRV records in DNS for  the  current
       domain.

       o   Default: false



   usecacheonfailure
       Whether  to  use the cached configuration when the remote configuration
       will not compile. This option is useful for testing new configurations,
       where you want to fix the broken configuration rather than reverting to
       a known-good one.

       o   Default: true



   user
       The user puppet master should run as.

       o   Default: puppet



   vardir
       Where Puppet stores dynamic and growing data. The default for this
       setting is calculated specially, like confdir.

       o   Default:   Unix/Linux:   /usr/puppetlabs/puppet/cache  --  Windows:
           C:\ProgramData\PuppetLabs\puppet\cache -- Non-root user:
           ~/.puppetlabs/usr/puppet/cache



   waitforcert
       How frequently puppet agent should ask for a signed certificate.

       When  starting  for the first time, puppet agent will submit a certifi-
       cate signing request (CSR) to the server named in the ca_server setting
       (usually  the puppet master); this may be autosigned, or may need to be
       approved by a human, depending on the CA server's configuration.

       Puppet agent cannot apply configurations until its approved certificate
       is available. Since the certificate may or may not be available immedi-
       ately, puppet agent will repeatedly try to fetch it at  this  interval.
       You can turn off waiting for certificates by specifying a time of 0, in
       which case puppet agent will exit if it cannot get a cert. This setting
       can  be  a  time  interval in seconds (30 or 30s), minutes (30m), hours
       (6h), days (2d), or years (5y).

       o   Default: 2m



   yamldir
       The directory in which YAML data is stored, usually in a subdirectory.

       o   Default: $vardir/yaml






ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       +---------------+--------------------------+
       |ATTRIBUTE TYPE |     ATTRIBUTE VALUE      |
       +---------------+--------------------------+
       |Availability   | system/management/puppet |
       +---------------+--------------------------+
       |Stability      | Volatile                 |
       +---------------+--------------------------+
NOTES
       This software was built from source available at
       https://github.com/oracle/solaris-userland. The original community
       source was downloaded from
       https://github.com/puppetlabs/puppet/archive/5.5.0.tar.gz

       Further information about this software can be found on the open source
       community website at http://puppetlabs.com/.



Puppet, Inc.                      March 2018                     PUPPETCONF(5)