Orchestration services settings
Global logging and SSL settings
/etc/puppetlabs/orchestration-services/conf.d/global.conf contains settings shared across the Puppet Enterprise (PE) orchestration services.
The file global.certs typically requires no changes and contains the following settings:
Setting | Definition | Default |
---|---|---|
ssl-cert | Certificate file path for the orchestrator host. | /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.cert.pem |
ssl-key | Private key path for the orchestrator host. | /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.private_key.pem |
ssl-ca-cert | CA file path. | /etc/puppetlabs/puppet/ssl/certs/ca.pem |
The file global.logging-config is a path to a logback.xml file that configures logging for most of the orchestration services. See http://logback.qos.ch/manual/configuration.html for documentation on the structure of the logback.xml file.
It configures the log location, rotation, and formatting for the following:
- orchestration-services (appender section F1)
- orchestration-services status (STATUS)
- pcp-broker (PCP)
- pcp-broker access (PCP_ACCESS)
- aggregate-node-count (AGG_NODE_COUNT)
Allow list of trapperkeeper services to start
/etc/puppetlabs/orchestration-services/bootstrap.cfg is the list of trapperkeeper services from the orchestrator and pcp-broker projects that are loaded when the pe-orchestration-services system service starts.
- To disable a service in this list, remove it or comment it out with a # character and restart pe-orchestration-services.
- To enable an NREPL service for debugging, add puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service to this list and restart pe-orchestration-services.
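A check for the NREPL entry described above, as an added example that is not part of the Puppet documentation: it lists the active entries in a bootstrap.cfg and flags the NREPL debugging service if it is still enabled. The sample file and its example.placeholder.service names are constructed, and treating everything after a # on a line as a comment is an assumption.

```shell
#!/bin/sh
# Added example: audit a trapperkeeper bootstrap.cfg for the NREPL debug service.
NREPL_SERVICE='puppetlabs.trapperkeeper.services.nrepl.nrepl-service/nrepl-service'

# Print the active entries of the file given as $1, one per line.
# Assumption: text after "#" is a comment; surrounding whitespace is ignored.
active_services() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$'
}

# Return 0 when the NREPL service is an active (uncommented) entry.
nrepl_enabled() {
    active_services "$1" | grep -Fxq "$NREPL_SERVICE"
}

# Report on one file: 0 = clean, 1 = NREPL enabled, 2 = file unreadable.
audit() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1" >&2
        return 2
    fi
    echo "active services: $(active_services "$1" | wc -l | tr -d ' ')"
    if nrepl_enabled "$1"; then
        echo "WARNING: NREPL service is enabled in $1"
        return 1
    fi
    echo "OK: NREPL service is not enabled in $1"
}

# Write a constructed sample bootstrap.cfg; $1 is an optional extra entry.
# Service names other than the NREPL one are placeholders, not real services.
make_sample() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<EOF
# constructed sample, not a real PE bootstrap.cfg
example.placeholder.service/first-service
  # $NREPL_SERVICE
example.placeholder.service/second-service   # trailing comment
${1:-}
EOF
    printf '%s\n' "$sample"
}

# Demo on a constructed file where the NREPL entry was left uncommented.
demo=$(make_sample "$NREPL_SERVICE")
audit "$demo" || true
rm -f "$demo"
```

On an orchestrator host, call audit with /etc/puppetlabs/orchestration-services/bootstrap.cfg; the non-zero return code makes it usable in a scheduled compliance check.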
The pcp-broker and orchestrator HTTP services
/etc/puppetlabs/orchestration-services/conf.d/webserver.conf describes how and where to run the pcp-broker and orchestrator web services, which accept HTTP API requests from the rest of the PE installation and from external nodes and users.
The file webserver.orchestrator configures the orchestrator web service. Defaults are as follows:
Setting | Definition | Default |
---|---|---|
access-log-config | A logback XML file configuring logging for orchestrator access messages. | /etc/puppetlabs/orchestration-services/request-logging.xml |
client-auth | Determines the mode that the server uses to validate the client's certificate for incoming SSL connections. | want or need |
default-server | Allows multi-server configurations to run operations without specifying a server-id. Without a server-id, operations will run on the selected default. Optional. | true |
ssl-ca-cert | Sets the path to the CA certificate PEM file used for client authentication. | /etc/puppetlabs/puppet/ssl/certs/ca.pem |
ssl-cert | Sets the path to the server certificate PEM file used by the web service for HTTPS. | /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.cert.pem |
ssl-crl-path | Describes a path to a Certificate Revocation List file. Optional. | /etc/puppetlabs/puppet/ssl/crl.pem |
ssl-host | Sets the host name to listen on for encrypted HTTPS traffic. | 0.0.0.0 |
ssl-key | Sets the path to the private key PEM file that corresponds with the ssl-cert. | /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.private_key.pem |
ssl-port | Sets the port to use for encrypted HTTPS traffic. | 8143 |
The file webserver.pcp-broker configures the pcp-broker web service. Defaults are as follows:
Setting | Definition | Default |
---|---|---|
client-auth | Determines the mode that the server uses to validate the client's certificate for incoming SSL connections. | want or need |
ssl-ca-cert | Sets the path to the CA certificate PEM file used for client authentication. | /etc/puppetlabs/puppet/ssl/certs/ca.pem |
ssl-cert | Sets the path to the server certificate PEM file used by the web service for HTTPS. | /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.cert.pem |
ssl-crl-path | Describes a path to a Certificate Revocation List file. Optional. | /etc/puppetlabs/puppet/ssl/crl.pem |
ssl-host | Sets the host name to listen on for encrypted HTTPS traffic. | 0.0.0.0 |
ssl-key | Sets the path to the private key PEM file that corresponds with the ssl-cert. | /etc/puppetlabs/orchestration-services/ssl/<orchestrator-host-fqdn>.private_key.pem |
ssl-port | Sets the port to use for encrypted HTTPS traffic. | 8142 |
/etc/puppetlabs/orchestration-services/conf.d/web-routes.conf describes how to route HTTP requests made to the API web servers, designating routes for interactions with other services. These should not be modified. See the configuration options in the trapperkeeper-webserver-jetty project's docs.
Analytics trapperkeeper service configuration
/etc/puppetlabs/orchestration-services/conf.d/analytics.conf contains the internal setting for the analytics trapperkeeper service.
Setting | Definition | Default |
---|---|---|
analytics.url | Specifies the API root. | <puppetserver-host-url>:8140/analytics/v1 |
Authorization trapperkeeper service configuration
/etc/puppetlabs/orchestration-services/conf.d/auth.conf contains internal settings for the authorization trapperkeeper service. See configuration options in the trapperkeeper-authorization project's docs.
JMX metrics trapperkeeper service configuration
/etc/puppetlabs/orchestration-services/conf.d/metrics.conf contains internal settings for the JMX metrics service built into orchestration-services. See the service configuration options in the trapperkeeper-metrics project's docs.
Orchestrator trapperkeeper service configuration
/etc/puppetlabs/orchestration-services/conf.d/orchestrator.conf contains internal settings for the orchestrator project's trapperkeeper service.
PCP broker trapperkeeper service configuration
/etc/puppetlabs/orchestration-services/conf.d/pcp-broker.conf contains internal settings for the pcp-broker project's trapperkeeper service. See the service configuration options in the pcp-broker project's docs.