Katello - Disable Puppet?

This is more of a general question rather than a problem. I’m using Katello for package management and yum repos, however, I wanted to know if there’s a way to disable any unused services within Foreman?

I don’t believe that my build is using puppet in any way – is it possible to disable this on the Katello master and smart proxies if need be?


I looked into this a bit and it appears there is an installer option[1] called ‘–puppet-server’ which appears to take true/false in order to install the puppet server or not.

That might be what you’re looking for! Generally speaking: if you’re not using the puppet server you can disable it (so I just learned myself). Though, the puppet agent needs to remain installed as it’s needed by the Foreman installer.

[1] Foreman :: Manual

1 Like

Hi Jonathon – thanks!!! I see what you’re saying.

From foreman-installer -h I see the below block:

= Module katello:
–katello-enable-deb Enable debian content plugin (current: true)
–katello-enable-docker Enable docker content plugin (current: true)
–katello-enable-file Enable generic file content management (current: true)
–katello-enable-ostree Enable ostree content plugin, this requires an ostree install (current: false)
–katello-enable-puppet Enable puppet content plugin (current: true)
–katello-enable-yum Enable rpm content plugin, including syncing of yum content (current: true)
–katello-proxy-password Proxy password for authentication (current: UNDEF)
–katello-proxy-port Port the proxy is running on (current: UNDEF)
–katello-proxy-url URL of the proxy server (current: UNDEF)
–katello-proxy-username Proxy username for authentication (current: UNDEF)
–katello-pulp-max-speed The maximum download speed per second for a Pulp task, such as a sync. (e.g. “4 Kb” (Uses SI KB), 4MB, or 1GB" ) (current: UNDEF)
–katello-repo-export-dir Directory to create for repository exports (current: “/var/lib/pulp/katello-export”)

Thanks for your help!

Also note that there’s --foreman-proxy-content-puppet false. When you run this on an existing server it will stop managing the service, but it’ll probably keep running unless you disable it. Probably systemctl disable --now puppetserver. It’s also likely that foreman-maintain will start it up if present so you may need to actually use yum remove puppetserver.


Thank you very much!

Just to re-iterate, the way to disable puppet-server on the fly (after Katello was already installed) is to run:

  1. foreman-installer --foreman-proxy-content-puppet false
  2. systemctl disable --now puppetserver
  3. yum remove puppetserver

and for a fresh install, we make sure to disable it using --katelo-enable-puppet false.

How do I check if it’s actively disabled on the server after the fact? I noticed in infrastructure-> smart proxies my Katello server has the following error:

09 Jan 11:21 ERROR Failed to list puppet environments: Connection refused - connect(2)

And ‘puppet’ is still listed as a service after the refresh.


This is incomplete. For a proxy it’s more like

foreman-installer \
  # Stop the puppet agent
  --puppet-runmode none \
  # Unmanage the puppet server
  --puppet-server false \
  # Inform the foreman proxy this node has no puppet master
  --foreman-proxy-puppet false \
  # Inform the foreman proxy this node has no puppet ca
  --foreman-proxy-puppetca false \
  # Do not attempt to install certificates
  --foreman-proxy-content-puppet false

For the katello server itself you want to add --katello-enable-puppet false as well.

This is from the top of my head. I may have missed some things.

1 Like

The thread is older, but very useful, so I’ll add to it.

In addition, you have to remove rubygem-hammer_cli_foreman_puppet if it is installed. Otherwise, hammer ping will produce an error.

Even with that removed, foreman-maintain health check still produces an error I am still tracking down:

Check whether all services are running using the ping call: [FAIL]
Couldn’t connect to the server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)

This is despite using an officially signed certificate that works everywhere else in foreman.

For current foreman/katello versions it’s best to use the purge-puppet command which should take care of everything: Configuring Hosts Using Puppet

Thank you, that worked.

The health check failure turned out to be unrelated and caused by the issue described here: Foreman-maintain health check fails - #16 by kkeane