How to Test and Troubleshoot Hiera in a Puppet Environment

hierapuppetpuppet-foreman

I'm using Puppet alongside Foreman to provision hosts, and I've currently got all of Puppet config as modules in a repository. I'd like to use Hiera but I've never been able to get even the simplest thing to pull from one of the .yaml files that I add. My master puppet.conf is:

[main]
    basemodulepath = /etc/puppetlabs/code/environments/common:/etc/puppetlabs/code/modules:/opt/puppetlabs/puppet/modules:/usr/share/puppet/modules
    codedir = /etc/puppetlabs/code
    environmentpath = /etc/puppetlabs/code/environments
    hiera_config = /etc/puppetlabs/code/environments/production/hiera.yaml
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
    logdir = /var/log/puppetlabs/puppet
    pluginfactsource = puppet:///pluginfacts
    pluginsource = puppet:///plugins
    privatekeydir = $ssldir/private_keys { group = service }
    reports = foreman
    rundir = /var/run/puppetlabs
    server = foreman.domain.net
    show_diff = false
    ssldir = /etc/puppetlabs/puppet/ssl
    vardir = /opt/puppetlabs/puppet/cache

[agent]
    certname = foreman.domain.net
    classfile = $statedir/classes.txt
    default_schedules = false
    environment = production
    listen = false
    localconfig = $vardir/localconfig
    masterport = 8140
    noop = false
    pluginsync = true
    report = true
    runinterval = 1800
    splay = false
    splaylimit = 1800
    usecacheonfailure = true

[master]
    autosign = /etc/puppetlabs/puppet/autosign.conf { mode = 0664 }
    ca = true
    certname = foreman.domain.net
    external_nodes = /etc/puppetlabs/puppet/node.rb
    logdir = /var/log/puppetlabs/puppetserver
    node_terminus = exec
    parser = current
    rundir = /var/run/puppetlabs/puppetserver
    ssldir = /etc/puppetlabs/puppet/ssl
    strict_variables = false
    vardir = /opt/puppetlabs/server/data/puppetserver

contents of /etc/puppetlabs/code/environments/production/hiera.yaml:

---
version: 5
defaults:
  datadir: hieradata
  data_hash: yaml_data
hierarchy:
  - name: "Per-node data"
    path: "nodes/%{trusted.certname}.yaml"
  - name: "Per-domain data"
    path: "domains/%{facts.networking.domain}.yaml"
  - name: "OS family"
    path: "os/%{facts.os.family}.yaml"
  - name: "Other hierarchy levels"
    path: "common.yaml"

and structure of hieradata:

hieradata/
├── common.yaml
├── domains
│   └── domain.net.yaml
├── nodes
│   ├── foreman.domain.net.yaml
│   └── test.domain.net.yaml
└── os
    └── Debian.yaml

and for example the foreman specific data file content:

---
environment: production
classes:
  - roles::default

finally, versions of things that seem relevant:

$ puppet --version
5.5.3
$ facter --version
3.11.3 (commit 1854ababc68ec12ca40bdc143e46c3d5434b92ba)
$ hiera --version
3.4.3

I feel like I've followed along with the various guides on the internets, but none of my hosts seem to use the settings in the .yaml files. How do you test hiera? I would expect that there'd be some sensible way to resolve what files are applied to an individual node, but I can't find a command that works to do that, or even search for some of the classes that I've created in my environments. I would also think that I'd be able to use something like hiera -c hiera.yaml --hash profiles, but that gives an error about v5 syntax.

Best Answer

I think the answer to the question is actually what I put in the comment that I made.

puppet lookup --node test.domain.net --explain classes

Executing that command on the server showed that it was supposed to work. My real problem was that my site manifest for the node didn't include hiera_include('classes'), which I got to because of the lookup.

Related Solutions

Vagrant’s puppet provisioner not reading hiera.yaml backend correctly

Okay so it appears I ran into two different problems. The largest problem was that although I had a module that I created called "hieraconfig" which would copy my precreated hiera.yaml and common.json files to /etc/puppet, the jboss module which calls hiera was being executed first (although I included it after hieraconfig in manifest - see below). I tried to fix this to evaluate hierasetup first in the site.pp manifest, but it still ran the jboss module first:

stage { 'pre':
  before => Stage['main']
}

# add the hierasetup module to the new 'pre' run stage
class { 'hierasetup':
  stage => 'pre'
}

include ::hierasetup
include ::jboss

I have no current fix for this. But at least I know that part of the failure was that /etc/puppet/hiera.yaml and /etc/puppet/hieradata/common.json were not even present on the VM when hiera was being called from the jboss module, since hierasetup had not run yet. I made this work temporarily by using Vagrant's script provisioner instead of puppet to copy the files there for me.

The second issue was that because I thought those files were present the whole time I got quite confused about what "puppet.hiera_config_path" was supposed to do. Through various trial and error attempts here is what I have discovered:

puppet.manifests_path, puppet.modules_path, and puppet.hiera_config_path only point to paths on the host machine (in my case on OSX). Don't be fooled into thinking, if you use relative paths, that it is relative to the /vagrant mount on the VM, and not rather relative to the directory containing your Vagrantfile on the host machine (though that is obviously what gets mounted to /vagrant).
Each of those _path variables, IF and ONLY IF they are actually set in the Vagrantfile (otherwise default puppet directories will be searched), will cause Vagrant to copy the modules, manifests, and hiera config to subdirectories under /tmp/vagrant-puppet[-X] (with -X possibly being an additional number suffix like /tmp/vagrant-puppet-1) and tell puppet to look under /tmp for them.

If you have your puppet files already on the VM that you want to use but set the _path variables then Vagrant's puppet command is not going to find them, because it redirects puppet to /tmp/vagrant-puppet[-X] when you set them. You cannot change this destination on the VM, although the "vagrant up" output will notify you where they are being mapped like this:

default: /tmp/vagrant-puppet-1/manifests => /Users//vm_stuff/vagrant-fresh/puppet_files/manifests

default: /tmp/vagrant-puppet-1/modules-0 => /Users//vm_stuff/vagrant-fresh/puppet_files/modules

The path after the => arrow is the source directory on your host machine which you specified with the _path variables in the Vagrantfile. The path before the => arrow is the location on the VM where the source directory contents will be copied.

If you instead prefer Vagrant to have puppet look in default directories for files you have already placed on the VM (which you do not need copied by Vagrant for you into /tmp) then do not specify any _path variables in Vagrant. Alternately if neither the default locations or the /tmp location are satisfactory you may completely override the default Vagrant behavior by explicitly specifying where to look for each with the puppet.options variable, like this:

puppet.options = "--hiera_config=/path/to/hiera.yaml --modulepath '/path/to/modules/ --manifestdir /path/to/manifests/"

If anything fails and you have set --verbose && --debug as part of the puppet.options (possibly it will show without those set as well) you will get an error showing the actual puppet command sent via ssh to the guest VM, like this:

The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

puppet apply --verbose --debug --modulepath '/tmp/vagrant-puppet-1/modules-0:/etc/puppet/modules' --manifestdir /tmp/vagrant-puppet-1/manifests --hiera_config=/tmp/vagrant-puppet-1/hiera.yaml --detailed-exitcodes /tmp/vagrant-puppet-1/manifests/site.pp || [ $? -eq 2 ]

As long as --hiera_config is pointing to the correct location/file in this command it should read your configuration with no problems. I had an issue temporarily (before I discovered that /etc/puppet/hieradata/common.json was not present on the VM) to where it would read the hiera.yaml but then fail due to common.json being absent.

All said and done though hiera looks in very specific locations depending on whether you set "puppet.hiera_config_path" or not, unless you manually override the puppet.options.

Foreman environment import

The module has a syntax error so Foreman's proxy can't parse it to report the classes inside. Run Puppet's validator to see this:

$ find . -name *.pp -exec puppet parser validate {} +
Error: Could not parse for environment production: All resource specifications require names; expected '%s' at andlinger-java-1.0.1/manifests/init.pp:17

The line in question should use a capital letter for "exec" for resource defaults:

Exec{user => root, path => [ "/bin", "/usr/bin" ]}

Best Answer

Related Solutions

Vagrant’s puppet provisioner not reading hiera.yaml backend correctly

Foreman environment import

Related Topic