I am trying to ensure that a certain version of a package which I have built is installed. The variable my_pkg_version is from hiera:
```
package { 'my_package_name':
  ensure => $my_pkg_version,
  notify => Service['service_name']
}
```
However, the package is not getting upgraded when I put the new version in hiera and in the yum repo. When I build a new system I am getting the version of the package defined in hiera. But for an already existing system with the package installed, it's not getting upgraded to the version.
I am putting the version in the format **1.0.0-6**. This is a RHEL 7 system.
I ran the query `rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'` as suggested by Eric. The output: `my_package_name-1.0.0-6`.
As mentioned earlier my issue is with upgrades. Whenever a new system is provisioned I am getting the correct RPM version installed.
↧
Ensuring RPM package version
↧
Custom Facts are not working with hiera on puppet agent nodes
We have created a custom fact "datacenter" via /lib/facter/datacenter.rb on the puppet master node. When I ran facter -p datacenter, it works fine, and so added the same in hiera.yaml..yaml, but when we ran the same "puppet agent -t" on agent nodes, it fails with the error "could not find data item in any of the hiera file".
Can someone please help to debug this...
```
---
:backends:
  - yaml
:hierarchy:
  - "nodes/%{::trusted.certname}"
  - "%{::datacenter}"
  - "%{::osfamily}"
  - common

:yaml:
# datadir is empty here, so hiera uses its defaults:
# - /etc/puppetlabs/code/environments/%{environment}/hieradata on *nix
# - %CommonAppData%\PuppetLabs\code\environments\%{environment}\hieradata on Windows
# When specifying a datadir, make sure the directory exists.
  :datadir:
```
When I ran "puppet agent -t" on puppet master it runs fine.. and picked the hiera parameter value from
↧
apt::source, hiera, calling_module, how to combine
I'm struggling for about two weeks to figure out how to implement the following scenario:
Let's say I have a module that installs and configures rabbitmq. Since I need a package version that is not present in the distro repository, I want to add one by using the puppetlabs-apt module, but I want to keep all my variables in hiera and use this repo only if rabbitmq is installed.
hiera.yaml
```
:hierarchy:
  - "nodes/%{::fqdn}"
  - "nodes/%{::lsbdistcodename}"
  - "%{calling_module}"
  - "common"
:backends:
  - yaml
:yaml:
  :datadir: '/etc/puppet/hiera'
```
package.pp
```
require apt
package {'rabbitmq-server':
  ensure => 'present',
}
```
rabbitmq.yaml
```
apt::sources:
  'rabbitmq':
    comment: 'RabbitMQ Official Repository'
    location: 'http://www.rabbitmq.com/debian/'
    release: 'testing'
    repos: 'main'
    key:
      source: 'https://www.rabbitmq.com/rabbitmq-release-signing-key.asc'
      id: '0A9AF2115F4687BD29803A206B73A36E6026DFCA'
    include:
      deb: true
```
This doesn't work because calling_module is apt and it doesn't search for variables in rabbitmq.yaml and defaults to common where I define repos for all roles. How can I achieve my goals? Any ideas?
↧
Puppet/Hiera/limits.conf = Awkward output!
I am using hiera limits::fragment: to add entries to limits.conf. It's adding them after "End of file", which is a bit awkward.
Can anyone offer any guidance?
```
[root@dev-puppettest-01 security]# tail limits.conf
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
* hard memlock 19000000
* soft memlock 19000000
* hard nofile unlimited
* soft nofile unlimited
```
↧
Un-Unique Keys in Hiera Hash
I have data in hiera that is structured to purge directories of specific files based on the path, age, and name.
I have a data structure like the following:
```
rules:
  '/tmp':
    daystokeep: 5
    wildcard: '*.log'
```
The problem is that if I want to add another rule for /tmp, I cannot because the names would be the same like:
```
rules:
  '/tmp':
    daystokeep: 5
    wildcard: '*.log'
  '/tmp':
    daystokeep: 2
    wildcard: '*.txt'
```
Hiera only takes the second value. Is there a struct that I could create that would fulfill the requirements with this data structure?
thanks,
**EDIT**
Fixed with:
```
rules:
  - path: '/tmp'
    daystokeep: 5
    wildcard: '*.log'
  - path: '/tmp'
    daystokeep: 2
    wildcard: '*.txt'
```
I don't know how this worked ^ What data structure is that? An array with hashes?
↧
Error while passing hiera values
Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, Failed to parse template care_engine_17_03/ce2web.properties.ceui.erb: Filepath: org/jruby/ext/psych/PsychParser.java Line: 220 Detail: (): expected , but found Scalar while parsing a block mapping at line 281 column 134 at /etc/puppetlabs/code/environments/puppetdev/17.03/care_engine_17_03/manifests/ce_ui.pp:7:16 on node
↧
Hiera : correct lookup way
Hello all,
I am currently reviewing some Hiera configuration file(s) and came across some elements which I would need advice about.
Here's a Hiera configuration example :
```
vstest:
  service_name: svc-id-tag
  additional_properties:
    c_url: "%{hiera('compliance_url')}"
```
Both **svc-id-tag** and **compliance_url** are Hiera keys located in another YAML configuration file and both ways actually work to retrieve the value.
But what is the best (recommended) way to perform lookups?
↧
fact before catalog
Hi,
I'm looking for a way to tell the puppet server some business logic about a group of nodes before the first puppet run. This business logic affects the parameters of the profiles and the classes. It's an information telling who is the owner of a node, and it implies many configuration changes. There is no way to guess this information from the base facts.
For now, to achieve this, we manually put a fact in `/etc/puppetlabs/facter/facts.d/owner.yaml` containing the fact "owner" with some value. This means that the node is property of an "owner" and will affect the catalog in many ways, defined in a hierarchy (`hiera/labo/{%facts.owner}..yaml`)
It works but with the precondition that someone manually set this file with the right value. And if not, the profiles would be realized by the puppet server with wrong parameters.
One solution is to rewrite the profiles for each owner, but this would duplicate the code a lot and I'm trying to avoid this. The same drawback happens if I set the configurations in hiera at a node level (`hiera/nodes/{%facts.fqdn}.yaml`).
Is there another way to set this business logic before a first puppet run ?
↧
Hiera Couchdb Http Paths Order
When configuring the :http: section, you can specify a :paths: options where you identify a database or some other database name, then you specify a document(s). Does the order of multiple paths relate to the search order done by hiera when it uses Couchdb for the lookup?
Example:
```
:paths:
  - /hieradb/%{::clientcert}
  - /%{::environment}/%{::aetna_role}
  - /%{::environment}/common
  - /hieradb/%{::aetna_role}
  - /hieradb/common
```
Will hiera start at the first path, if not found go to the next path, etc etc?
↧
Hiera.conf 5 mapped_paths based on a Array fact from split string
Hi,
I'm trying to setup a generic hierarchy based on Hiera 5 under the following assumptions:
* a fact `roles` holds a comma-separated list of roles to use in hiera. Example: `[ 'role1', 'role2' ].join(',')` aka `"role1,role2"`
* this `roles` fact is passed to `puppet apply` using the `FACTER_roles` environment variable (which explains why the array is not passed directly).
I'm trying now to set up the `:hierarchy` section of `hiera.conf` to properly handle `facts.roles` as an array to iterate on it using [`mapped_paths`](https://docs.puppet.com/puppet/latest/hiera_config_yaml_5.html#the-hierarchy-key).
Ideally, I would like to express this iteration as follows:
```
# hiera.conf
---
version: 5  # below version 5 are deprecated starting puppet 4.9

### default datadir and backend for hierarchy levels.
defaults:  # Used for any hierarchy level that omits these keys.
  datadir: hieradata    # This path is relative to hiera.yaml's directory.
  data_hash: yaml_data  # Use the built-in YAML backend.

hierarchy:
  #______________________
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"

  - name: "Role Specific data"
    mapped_paths: [ "%{split(facts.roles, ',')}", role, "role/%{role}.yaml" ]

  - name: "Common data"
    path: "common.yaml"
```

Assuming the above setup, I'm expecting to see hiera "loading" the following hiera files:

* `hieradata/role/role1.yaml`
* `hieradata/role/role2.yaml`
* `hieradata/common.yaml`

However it does not work: I end with a strange message

```
==> master: Error: Evaluation Error: Error while evaluating a Function Call, Lookup of key 'noop_mode' failed: Syntax error in string: mapped_path[0] at /tmp/vagrant-puppet/manifests-a11d1078b1b1f2e3bdea27312f6ba513/default.pp:33:14 on node puppet-master.vagrant.dev
```

I don't see the proper way to define a call to the `split` function **within** `hiera.yaml`. Can anyone help me ?

## Appendix: `mapped_paths`

> The mapped_paths key must contain three string elements, in the following order:
>
> 1. A scope variable that points to a collection of strings.
> 2. The variable name that will be mapped to each element of the collection.
> 3. A template where that variable can be used in interpolation expressions.
>
> For example, a fact named $services contains the array `["a", "b", "c"]`. Then this configuration:
>
> `mapped_paths: [services, tmp, "service/%{tmp}/common.yaml"]`
>
> has the same results as if paths had been specified to be `[service/a/common.yaml, service/b/common.yaml, service/c/common.yaml]`.
↧
Hiera Defined Types + MongoDB Module?
I might be a bit confused about how Hiera works with defined types...
```
classes:
  - mongodb::service
  - mongodb::client
```
So here's where I start getting confused. I haven't had issues with Apache, which is similar.
In the puppetlabs module for MongoDB: https://forge.puppet.com/puppetlabs/mongodb#class-mongodbserver
There is a mongodb::db defined type, that normally would look like the following:
```
mongodb::db { 'testdb':
  user          => 'user1',
  password_hash => 'a15fbfca5e3a758be80ceaf42458bcd8',
}
```
So in Hiera, I thought it would look like the following:
```
mongodb::db:
  chat_log:
    user: 'user1'
    password: 'plaintextmaybe'
```
However, the above doesn't work. I'm confused, because the $user and $password variables are in the mongodb::db class, so shouldn't they be getting picked up that I've called the mongodb::db?
↧
Issue with handling sensitive data (passwords) using Puppet and Hiera-Eyaml.
Hi guys,
I am testing Hiera-Eyaml for encrypting the passwords for the users in our Cassandra databases.
Encrypting the passwords in the eyaml files and passing the Hiera data to the testing nodes works fine.
My module runs an exec statement, that basically performs an "alter user with password " in Cassandra, being the Eyaml encrypted string being passed from Hiera.
Problem arises when I run a "puppet agent -t --debug" from the agent nodes, as it shows the passwords in plain text... is there any way of preventing this master-side? I read about the show_diff metaparameter but it only applies to file resources.
Thanks.
↧
Hiera role inheritance
I've got three roles defined in my control repo: `desktop_common`, `desktop_office`, and `desktop_developer`. I'm using hiera to set a variable `systemd_default_target`, which is `multi-user` in my common.yaml, but I'd like it to be `graphical` for all the roles above. (There are other roles which run headless, so it makes sense for the default to be `multi-user`.)
If I set a parameter in Foreman (my ENC) on each host group, called `role`, to specify which role to apply, and include `roles::desktop_common` in both of the others, most things are working fine, but it looks as though I now have to have the following in my hiera data:
`common.yaml` contains `systemd_default_target: multi-user`
`roles/desktop_common.yaml` contains `systemd_default_target: graphical`
`roles/desktop_developer.yaml` contains `systemd_default_target: graphical`
`roles/desktop_office.yaml` contains `systemd_default_target: graphical`
Is there a way to reduce this duplication, either by using some feature of hiera or by designing my roles better?
↧
hiera 5 hash
Hi there
Is there a more detailed example available on hashes for hiera 5?
```
class profiles::postgresql {
  $config_entry = hiera_hash('postgresql::server::config_entry', {})
  create_resources(postgresql::server::config_entry, $config_entry)
  $pg_hba_rule = hiera_hash('postgresql::server::pg_hba_rule', {})
  create_resources(postgresql::server::pg_hba_rule, $pg_hba_rule)
  $role = hiera_hash('postgresql::server::role', {})
  create_resources(postgresql::server::role, $role)
  $db = hiera_hash('postgresql::server::db', {})
  create_resources(postgresql::server::db, $db)
}
```
The example above is working with hiera 3, which will be deprecated in the future. Currently I don't understand how I have to replace `hiera_hash` and `create_resources`. After reading the docs I am more and more confused. In the last year I didn't work with puppet, but in some weeks I am starting a new long-term project that I'll start with state of the art.
↧
Can one impersonate any node by changing hostname and keeping the certificate?
Hi all,
I don't know if it's a bug or a feature, so I just ask.
I have a puppet master run by Passenger.
The configuration is populated from Hiera:
/etc/puppet/hiera.yaml:
```
---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppet/hieradata
:hierarchy:
  - "%{::environment}/%{::fqdn}"
```
The node was already granted (certificate signed) by Puppet Master, and "certname=goodnode" is written in the node configuration.
Auto signing is disabled, I sign manually every new node on the Master (puppet cert sign).
Today I was playing with the node, I changed the hostname. Previously "goodnode", I set it to "badnode", but I left "goodnode" in the certname configuration (/etc/puppet/puppet.conf). "badnode" was an existing node in the Hiera configuration, it is just another node managed by the same Master.
After the change, the Puppet agent from "goodnode" then retrieved the "badnode" configuration, without any discussion. What?
Is it an expected behavior? Wasn't the Master supposed to check that the FQDN is correct (checking that the Common Name of the certificate and the FQDN matches) before dumping all the configuration (and secrets) to the node?
In my case, it means that if an attacker gets access to ANY node, it can then become a rogue node and download the configuration of ANY other node, just by changing the hostname, and keeping the certificate!
Is there a way to enforce a check on certificate CN on the master? Is the "%{::fqdn}" Fact safe for use in Hiera configuration?
Thanks in advance for your hints.
EDIT : I changed the fqdn fact by %{::trusted.certname} as the doc suggests, but now the nodes aren't provisioning, the syslog on the master says : "TrustedInformation expected a certificate, but none was given."
It must be giving a certificate, otherwise I would not have been able to sign it in the first place, right?
What am I doing wrong ?
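
The behaviour described in this post, as an added example that is not part of the original post: a Python audit that flags hierarchy paths interpolating agent-supplied values, plus a resolver showing why `%{::fqdn}` follows the reported hostname while `%{::trusted.certname}` follows the certificate. The function names, the allowlist of server-side variables and the sample input are assumptions of this example.

```python
import re

# Matches Hiera interpolation tokens such as %{::fqdn} or %{trusted.certname}.
TOKEN = re.compile(r"%\{\s*(?:::)?([\w.:]+)\s*\}")

# Assumption of this example: only these variables are filled in by the server
# (from the verified certificate or the lookup itself), never by the agent.
SERVER_SIDE_PREFIXES = ("trusted.", "server_facts.")
SERVER_SIDE_NAMES = {"calling_module", "calling_class", "calling_class_path"}


def agent_controlled_tokens(path_template):
    """Return the interpolated variables in a path that an agent can influence."""
    return [
        name for name in TOKEN.findall(path_template)
        if not name.startswith(SERVER_SIDE_PREFIXES)
        and name not in SERVER_SIDE_NAMES
    ]


def audit_hierarchy(hiera_yaml_text):
    """Scan hiera.yaml text line by line; return {line_number: [flagged names]}."""
    findings = {}
    for number, line in enumerate(hiera_yaml_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # ignore commented-out paths
            continue
        flagged = agent_controlled_tokens(line)
        if flagged:
            findings[number] = flagged
    return findings


def resolve(path_template, agent_facts, trusted):
    """Interpolate a path: trusted.* comes from the authenticated certificate,
    every other variable comes from what the agent reported about itself."""
    def substitute(match):
        name = match.group(1)
        if name.startswith("trusted."):
            return str(trusted.get(name[len("trusted."):], ""))
        return str(agent_facts.get(name, ""))
    return TOKEN.sub(substitute, path_template)


# Constructed sample: the hiera.yaml from the post above.
SAMPLE_HIERA_YAML = """\
---
:backends:
  - yaml
:yaml:
  :datadir: /etc/puppet/hieradata
:hierarchy:
  - "%{::environment}/%{::fqdn}"
"""


def demo():
    """Node holding the 'goodnode' certificate after renaming itself 'badnode'."""
    facts = {"environment": "production", "fqdn": "badnode"}  # self-reported
    trusted = {"certname": "goodnode"}                        # from the certificate
    return (
        resolve("%{::environment}/%{::fqdn}", facts, trusted),
        resolve("%{::environment}/%{::trusted.certname}", facts, trusted),
    )


if __name__ == "__main__":
    print(audit_hierarchy(SAMPLE_HIERA_YAML))
    print(demo())
```

`environment` is flagged as well because an agent can request an environment unless the server's node classifier pins one.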
↧
problem with lookup when default should be an array
Hi,
puppet --version 4.9.4
I need to configure a resource that will take a value from an array in hiera. I would like to implement a default value with a lookup in case this value is not configured:
resource in class:
```
cron { 'yum-cron':
  command => 'yum -y update',
  user    => 'root',
  hour    => [1,3,4,6,7],
  minute  => '0',
  month   => "$cron_month",
}
```
and in init.pp
```
$cron_month = lookup({ name => 'yumcron::cron:cron_month', default_value => "[1,6]" }),
```
It won't work as the default seems not an array?
```
[root@perif1 ~]# puppet agent -tv --environment=temp
Info: Using configured environment 'temp'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for perif1
Error: Failed to apply catalog: Parameter month failed on Cron[yum-cron]: [1,6] is not a valid month at /etc/puppetlabs/code/environments/temp/modules/yumcron/manifests/cron.pp:22
[root@perif1 ~]#
```
Can anyone please help me here?
Regards
Pablo
↧
hiera lookup not working?
Hi there
I am trying to create lookups for openstack-neutron
[openstack-neutron](https://github.com/openstack/puppet-neutron/tree/stable/ocata)
```
class profiles::neutron {
  $neutron_default = lookup('neutron', {merge => deep, default_value => {}})
  create_resources('neutron', $neutron_default)
}
```
...
```
---
classes:
  - vswitch::ovs
  - profiles::vswitch
  - neutron
  - profiles::neutron
neutron_default:
  rabbit_password: 'askgoogle'
  core_plugin: 'ml2'
  service_plugins: ['router']
  dns_domain: 'webterrorist.local.'
  default_transport_url: 'rabbit://openstack:askgoogle@192.168.253.10'
```
but I get stuck by
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, When rpc_backend is rabbitmq, you must set rabbit password at /usr/local/etc/puppet/environments/staging/modules/neutron/manifests/init.pp:548:7 on node test02.webterrorist.local
So it seems that my lookups in profiles::neutron were totally ignored and/or are not working. Any hint why would be very welcome.
I'm using FreeBSD 10.3 as my puppetmaster and Ubuntu 17.04 on my testing nodes. And I use puppet opensource. What would be the best to debug and testing my hiera-lookups on my testing-nodes?
```
class { '::neutron':
  core_plugin           => hiera('neutron::core_plugin'),
  allow_overlapping_ips => true,
  service_plugins       => hiera('neutron::service_plugins'),
  auth_strategy         => 'keystone',
  dns_domain            => hiera('neutron::dns_domain'),
  default_transport_url => hiera('neutron::default_transport_url'),
}
```
So far the example above would work. But then I have to change my coding style for my yaml files. And it's not so flexible.
↧
string based from two hiera lookups?
Hi there
How could I write a string based on two hiera lookups with an @ in the middle?
something like
hiera('rabbit_user')@hiera('control_node') should give me for example elmer_fudd@runrabbitrun as string
```
class profiles::rabbitmq {
  include ::rabbitmq
  rabbitmq_user { hiera('rabbit_user'):
    admin    => false,
    password => hiera('rabbit_password'),
  }
  rabbitmq_user_permissions { "hiera('rabbit_user')@hiera('rabbit_node')":
    configure_permission => '.*',
    read_permission      => '.*',
    write_permission     => '.*',
  }
}
```
I've also tried "hiera('rabbit_user')"@"hiera('rabbit_node')": but everything I tried gives me a
Server Error: Syntax error at '@' at
thanks in advance
↧
Restrict hiera (version 5) lookup at environment and module layers
Hi, Recently I installed PE 2017.2 and got everything setup except hiera. Though I have used Hiera 3 it's going very tough to understand the configuration for all layers. However I have created a hiera.yaml in testing environment and defined the data structure like environment/data/node/mynode.yaml. Below is the content of hiera.yaml
```
---
version: 5
defaults:  # Used for any hierarchy level that omits these keys.
  datadir: data         # This path is relative to hiera.yaml's directory.
  data_hash: yaml_data  # Use the built-in YAML backend.
hierarchy:
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"
```
Directory structure as follows:
```
[root@mobf7l4z0k testing]# ls data/nodes/
qde1ar.yaml
[root@mobf7l4z0k testing]# ls
data environment.conf hieradata manifests modules
[root@mobf7l4z0k testing]#
```
There's just one key in my qde1ar.yaml but I am not able to look that up. Getting following error:
> [root@mobf7l4z0k hieradata]# puppet lookup name
> Warning: /etc/puppetlabs/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5 (in /etc/puppetlabs/puppet/hiera.yaml)
Any idea how to fix it? Even I am not sure how to restrict my lookup to environment layer and it should not go and search for globally declared hiera structure.
↧