The primary server and compilers
The primary server is the central hub of activity and process in Puppet Enterprise. This is where code is compiled to create agent catalogs, and where SSL certificates are verified and signed.
PE infrastructure components are installed on a single node: the primary server. The primary server always contains a compiler and a Puppet Server. As your installation grows, you can add additional compilers to distribute the catalog compilation workload.
Each compiler contains the Puppet Server, the catalog compiler, and an instance of file sync.
Puppet Server
Puppet Server is an application that runs on the Java Virtual Machine (JVM) on the primary server. In addition to hosting endpoints for the certificate authority service, it also powers the catalog compiler, which compiles configuration catalogs for agent nodes, using Puppet code and various other data sources.
Catalog compiler
To configure a managed node, the agent uses a document called a catalog, which it downloads from the primary server or a compiler. The catalog describes the desired state for each resource on the node that you want to manage, and it can specify dependency information for resources that need to be managed in a certain order.
File sync
File sync keeps your code synchronized across multiple compilers. When triggered by a web endpoint, file sync takes changes from the working directory on the primary server and deploys the code to a live code directory. File sync then deploys that code to any compilers so that your code is deployed only when it's ready.
Certificate Authority
The internal certificate authority (CA) service:
- Accepts certificate signing requests (CSRs) from nodes
- Serves certificates and a certificate revocation list (CRL) to nodes
- Accepts commands to sign or revoke certificates (optional)
The CA service uses CSPRNG-generated .pem files in the standard ssldir to store credentials. You can use the puppetserver ca command to interact with these credentials, including listing, signing, and revoking certificates.
Depending on your architecture and security needs, you can host the CA server on either the primary server or its own node. The CA service on compilers is configured, by default, to proxy CA requests to the CA server.
By default, the CA private key is located on the CA server at cadir/ca_key.pem. The default cadir is /etc/puppetlabs/puppetserver/ca. If you choose to use another directory, the key file must be stored in a location readable by the pe-puppet user.
If you generate your own CA private key, the key must be RSA and the key file's PEM contents must begin with either BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY. The entire CA chain must use the SHA-2 (or stronger) signing algorithm. Additionally, because the CA private key is one of the most critical files for security in your Puppet certificate infrastructure, the pe-puppet user must be the file owner and the permissions must be set to mode 0640 (-rw-r-----).
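A check for the CA key requirements listed above, as an added example that is not part of the Puppet Enterprise documentation or product: it verifies the file owner, the 0640 mode, the PEM header and, for a PKCS#8 (BEGIN PRIVATE KEY) file, that the algorithm identifier is RSA. The key files its helper writes are constructed placeholders, not real keys, and the SHA-2 requirement on the certificate chain is outside what it covers.

```python
import base64
import os
import pwd
import tempfile

# Requirements for the CA private key as stated on the page.
ALLOWED_HEADERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN PRIVATE KEY-----")
REQUIRED_OWNER = "pe-puppet"
REQUIRED_MODE = 0o640  # the same permissions as -rw-r-----
# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption) from a PKCS#8 AlgorithmIdentifier.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def file_owner(path):
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # no passwd entry, e.g. inside a minimal container
        return str(uid)


def check_ca_key(path, required_owner=REQUIRED_OWNER, required_mode=REQUIRED_MODE):
    """Return a list of findings; an empty list means the key file passes."""
    findings = []
    owner = file_owner(path)
    if owner != required_owner:
        findings.append(f"owner is {owner}, expected {required_owner}")
    mode = os.stat(path).st_mode & 0o777
    if mode != required_mode:
        findings.append(f"mode is {mode:04o}, expected {required_mode:04o}")
    with open(path) as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    header = lines[0] if lines else ""
    if header not in ALLOWED_HEADERS:
        findings.append(f"unexpected PEM header {header!r}")
    elif header == "-----BEGIN PRIVATE KEY-----":
        # PKCS#8 can wrap any key type, so confirm the OID actually says RSA.
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        der = base64.b64decode(body)
        if RSA_OID not in der[:40]:
            findings.append("PKCS#8 key is not an RSA key")
    return findings


def write_sample_key(header, der, mode):
    # Writes a constructed placeholder key file (not a real key) and returns its path.
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(header + "\n" + base64.encodebytes(der).decode()
                 + header.replace("BEGIN", "END") + "\n")
    os.chmod(path, mode)
    return path
```

On a real CA server, run check_ca_key("/etc/puppetlabs/puppetserver/ca/ca_key.pem") with the default owner and mode; any finding returned is something to fix before that key is trusted.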