This document explains how to configure your OpenVox Server and OpenVoxDB so that the Metrics section in OpenVox GUI has full, rich data.
Without these changes, pages like Run Performance, PuppetDB Health, and OpenVox Server Health will show limited, partial, or empty charts.
OpenVox GUI (running as the puppet user) connects to:
- PuppetDB (port 8081) over mTLS using the local Puppet agent's certificate
- Puppet Server (port 8140) over mTLS using the same certificate
It queries:
- PuppetDB Jolokia metrics (
/metrics/v2/read/...,/status) - Puppet Server status and metrics (
/status/v1/services?level=debug,/metrics/v2)
Puppet Server and PuppetDB restrict access to these internal endpoints by default in many installations. You must explicitly allow them.
Edit /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf:
http-client: {
metrics-enabled: true
}This makes the experimental HTTP route metrics (catalog compile time, etc.) available via the /status debug response.
Create or edit /etc/puppetlabs/puppetserver/metrics.conf:
metrics: {
enabled: true
registries: {
puppetserver: {
reporters: {
jmx: {
enabled: true
}
}
}
}
}Important for Puppet Server 8+: Do not use a bare top-level enabled = true under metrics in some contexts — the nested registries.puppetserver.reporters.jmx.enabled structure (shown above) is the reliable one. You may also see metrics-allowed settings in older docs.
Puppet Server uses authorization rules to decide who can call /metrics and /status.
Edit (or create) /etc/puppetlabs/puppetserver/conf.d/auth.conf and add these rules:
authorization: {
version: 1
rules: [
{
match-request: {
path: "/metrics"
type: path
method: [get, post]
}
allow: "*"
sort-order: 500
name: "openvox-gui allow metrics"
},
{
match-request: {
path: "/status"
type: path
method: get
}
allow: "*"
sort-order: 500
name: "openvox-gui allow status"
}
]
}Using allow: "*" is acceptable here because:
- The GUI is on the same host.
- It is using the master's own CA-signed certificate.
- These are read-only internal endpoints.
Some installations still use /etc/puppetlabs/puppetserver/auth.conf (the old format). Add:
path /metrics
auth any
allow *
path /status
auth any
allow *
Place these near the top so they are not overridden by more restrictive rules.
PuppetDB metrics are usually more open, but can still be restricted.
Common locations to check / adjust:
/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini- Jetty or webserver configuration (certificate allowlists)
/etc/puppetlabs/puppetdb/conf.d/auth.conf(if present)
If you see 403 responses from PuppetDB's /metrics/v2, ensure the master's certificate (or localhost) is allowed for the metrics paths.
In most default OpenVox/PuppetDB installs on the same machine as Puppet Server, the mTLS connection from the local agent cert works without extra changes.
After making changes:
sudo systemctl restart puppetserver
sudo systemctl restart puppetdbThen restart the GUI so it picks up fresh data:
sudo systemctl restart openvox-guiRun these commands on the OpenVox Server as root (or sudo):
CERT=$(puppet config print hostcert)
KEY=$(puppet config print hostprivkey)
CA=$(puppet config print localcacert)
echo "=== Puppet Server status (debug) ==="
curl -sS --cert "$CERT" --key "$KEY" --cacert "$CA" \
"https://localhost:8140/status/v1/services/master?level=debug" | head -c 2000
echo
echo "=== Puppet Server metrics list ==="
curl -sS --cert "$CERT" --key "$KEY" --cacert "$CA" \
"https://localhost:8140/metrics/v2/list" | head -c 1000
echo
echo "=== PuppetDB metrics list ==="
curl -sS --cert "$CERT" --key "$KEY" --cacert "$CA" \
"https://localhost:8081/metrics/v2/list" | head -c 1000If these return JSON (even if some fields are empty), the GUI should be able to read them.
You can edit these files directly from the web interface:
- Log in as admin/operator
- Go to Settings → Application Configuration → Puppet Configuration
- Find and edit:
puppetserver.confmetrics.confauth.conf(under puppetserver)
The editor will create metrics.conf if it does not exist.
Always restart puppetserver after changes.
- Run Performance — heavy use of PuppetDB Jolokia metrics + some Puppet Server data
- PuppetDB Health — JVM, queues, storage timing, connection pools
- OpenVox Server Health — JVM heap, GC, http route timing (from experimental status), JRuby
- Many pages have a "Additional Server Metrics (raw)" or raw data section — use this to see exactly what the backend is receiving
If charts are empty or show only zeros after configuration + restart, click the raw blocks and look for 403s, empty objects, or key name differences.
| Symptom | Likely Cause | Fix |
|---|---|---|
| Empty Server Health charts | Missing auth rules or http-client metrics | Add auth rules + metrics-enabled: true |
| 403 on /metrics or /status | Authorization rules blocking the master's cert | Add the rules above with allow: "*" or the exact certname |
| JMX data missing | metrics.conf not present or wrong structure |
Use the registries example above |
| Only partial data | Using old top-level enabled in metrics.conf |
Switch to the nested structure |
| Works in curl but not GUI | GUI using wrong cert path or wrong hostname | Check .env / settings for puppet_ssl_* paths |
| Data appears after delay | Caching (30s in backend) + browser localStorage | Hard refresh + wait 30–60s |
You can also use the ovox CLI:
ovox infra health- The
allow: "*"rules above only affect the two read-only paths (/metricsand/status). - These endpoints do not allow code execution or configuration changes.
- If you run in a high-security environment, restrict
allowto the exact master certificate name instead of*.
Example tighter rule:
allow: [ "puppet.example.com", "localhost" ]Replace with your actual puppet config print certname.
After completing this setup, the full power of the Metrics section (performance trends, JVM health, database pools, route timing, etc.) will be available.
See also:
- TUNING.md for using the metrics data to tune your infrastructure
- The raw data viewers inside each Metrics page for live diagnostics