Why is Hiera not finding the environment, and neither is puppet

puppet

Given these files:

# find /etc/puppetlabs/code -type f | grep -v modules | xargs head -n 100
==> /etc/puppetlabs/code/environments/production/hieradata/common.yaml <==
pgwatch:
  password: "mypass1"
puppetdb:
  password: "mypass2"

==> /etc/puppetlabs/code/environments/production/manifests/site.pp <==
node "todd.ca.seevibes.com" {
  class { 'postgresql::globals':
    encoding            => 'UTF-8',
    locale              => 'en_US.UTF-8',
    manage_package_repo => true,
    version             => '9.1',
  } -> class{'postgresql::server':
  } -> postgresql::server::db{'puppetdb':
    user     => 'puppetdb',
    password => postgresql_password('puppetdb', hiera('puppetdb::password')),
  } -> postgresql::server::db{'pgwatch':
    user     => 'pgwatch',
    password => postgresql_password('pgwatch', hiera('pgwatch::password')),
  }

  postgresql::server::pg_hba_rule{'allow pgwatch from anywhere':
    address     => '0.0.0.0/32',
    auth_method => 'md5',
    database    => 'pgwatch',
    user        => 'pgwatch',
  }
}

==> /etc/puppetlabs/code/hiera.yaml <==
---
:backends:
  - json
  - yaml
:yaml:
  # Use the default value for datadir
  :datadir:
:json:
  # Use the default value for datadir
  :datadir:
:hierarchy:
  - "node/%{::fqdn}"
  - "node/%{::hostname}"
  - "%{::domain}"
  - common

I expected the following to return the pgwatch::password value:

# hiera --debug pgwatch::password
DEBUG: 2015-12-09 22:35:06 +0000: Hiera JSON backend starting
DEBUG: 2015-12-09 22:35:06 +0000: Looking up pgwatch::password in JSON backend
DEBUG: 2015-12-09 22:35:06 +0000: Looking for data source common
DEBUG: 2015-12-09 22:35:06 +0000: Cannot find datafile /etc/puppetlabs/code/environments//hieradata/common.json, skipping
DEBUG: 2015-12-09 22:35:06 +0000: Hiera YAML backend starting
DEBUG: 2015-12-09 22:35:06 +0000: Looking up pgwatch::password in YAML backend
DEBUG: 2015-12-09 22:35:06 +0000: Looking for data source common
DEBUG: 2015-12-09 22:35:06 +0000: Cannot find datafile /etc/puppetlabs/code/environments//hieradata/common.yaml, skipping
nil

The same query from Puppet fails as well:

# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Could not find data item puppetdb::password in any Hiera data file and no default supplied at /etc/puppetlabs/code/environments/production/manifests/site.pp:10:49 on node todd.ca.seevibes.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

In the debug log for hiera, we can clearly see the missing environment in the search paths: /etc/puppetlabs/code/environments//hieradata/common.json (notice the double // before hieradata).

I have found How do I specify $environment to Hiera on the command line? whose best answer says to pass ::environment=production, which changes nothing. When I pass environment=production, then the lookup "succeeds" but returns nothing:

# hiera --debug pgwatch::password 'environment=production'
DEBUG: 2015-12-09 22:42:12 +0000: Hiera JSON backend starting
DEBUG: 2015-12-09 22:42:12 +0000: Looking up pgwatch::password in JSON backend
DEBUG: 2015-12-09 22:42:12 +0000: Looking for data source common
DEBUG: 2015-12-09 22:42:12 +0000: Cannot find datafile /etc/puppetlabs/code/environments/production/hieradata/common.json, skipping
DEBUG: 2015-12-09 22:42:12 +0000: Hiera YAML backend starting
DEBUG: 2015-12-09 22:42:12 +0000: Looking up pgwatch::password in YAML backend
DEBUG: 2015-12-09 22:42:12 +0000: Looking for data source common
nil

I'm guessing that this time around, the path was correct, and the datafile was found, but the value wasn't returned.

I was expecting a Puppet run to find the value. What am I doing wrong?

# uname -a
Linux todd 3.10.23-xxxx-grs-ipv6-64 #1 SMP Mon Dec 9 16:02:37 CET 2013 x86_64 x86_64 x86_64 GNU/Linux
# puppet --version
4.3.1
# hiera --version
3.0.5
# puppet agent --configprint environment
production
# which puppet
/opt/puppetlabs/bin/puppet
# which hiera
/opt/puppetlabs/bin/hiera

Best Answer

in your file /etc/puppetlabs/code/environments/production/hieradata/common.yaml you need to write puppetdb::password: mypass2

In yaml syntax this is a hash not a simple variable

puppetdb:
  password: "mypass2"

In this way you have a simple variable

puppetdb::password: mypass2

Related Solutions

Mysql – Invalid parameter config_hash: Attempting to install thesql (and Openstack) via Puppet

What version of the mysql module do you have installed? (check its Modulefile)

Looks like the openstack modules depend on behavior of older versions of the mysql module, and declare that correctly in their dependencies - they seem to be happy only with 0.9.0.

Assuming you're not using the mysql module elsewhere, try downgrading to that version.

Vagrant’s puppet provisioner not reading hiera.yaml backend correctly

Okay so it appears I ran into two different problems. The largest problem was that although I had a module that I created called "hieraconfig" which would copy my precreated hiera.yaml and common.json files to /etc/puppet, the jboss module which calls hiera was being executed first (although I included it after hieraconfig in manifest - see below). I tried to fix this to evaluate hierasetup first in the site.pp manifest, but it still ran the jboss module first:

stage { 'pre':
  before => Stage['main']
}

# add the hierasetup module to the new 'pre' run stage
class { 'hierasetup':
  stage => 'pre'
}

include ::hierasetup
include ::jboss

I have no current fix for this. But at least I know that part of the failure was that /etc/puppet/hiera.yaml and /etc/puppet/hieradata/common.json were not even present on the VM when hiera was being called from the jboss module, since hierasetup had not run yet. I made this work temporarily by using Vagrant's script provisioner instead of puppet to copy the files there for me.

The second issue was that because I thought those files were present the whole time I got quite confused about what "puppet.hiera_config_path" was supposed to do. Through various trial and error attempts here is what I have discovered:

puppet.manifests_path, puppet.modules_path, and puppet.hiera_config_path only point to paths on the host machine (in my case on OSX). Don't be fooled into thinking, if you use relative paths, that it is relative to the /vagrant mount on the VM, and not rather relative to the directory containing your Vagrantfile on the host machine (though that is obviously what gets mounted to /vagrant).
Each of those _path variables, IF and ONLY IF they are actually set in the Vagrantfile (otherwise default puppet directories will be searched), will cause Vagrant to copy the modules, manifests, and hiera config to subdirectories under /tmp/vagrant-puppet[-X] (with -X possibly being an additional number suffix like /tmp/vagrant-puppet-1) and tell puppet to look under /tmp for them.

If you have your puppet files already on the VM that you want to use but set the _path variables then Vagrant's puppet command is not going to find them, because it redirects puppet to /tmp/vagrant-puppet[-X] when you set them. You cannot change this destination on the VM, although the "vagrant up" output will notify you where they are being mapped like this:

default: /tmp/vagrant-puppet-1/manifests => /Users//vm_stuff/vagrant-fresh/puppet_files/manifests

default: /tmp/vagrant-puppet-1/modules-0 => /Users//vm_stuff/vagrant-fresh/puppet_files/modules

The path after the => arrow is the source directory on your host machine which you specified with the _path variables in the Vagrantfile. The path before the => arrow is the location on the VM where the source directory contents will be copied.

If you instead prefer Vagrant to have puppet look in default directories for files you have already placed on the VM (which you do not need copied by Vagrant for you into /tmp) then do not specify any _path variables in Vagrant. Alternately if neither the default locations or the /tmp location are satisfactory you may completely override the default Vagrant behavior by explicitly specifying where to look for each with the puppet.options variable, like this:

puppet.options = "--hiera_config=/path/to/hiera.yaml --modulepath '/path/to/modules/ --manifestdir /path/to/manifests/"

If anything fails and you have set --verbose && --debug as part of the puppet.options (possibly it will show without those set as well) you will get an error showing the actual puppet command sent via ssh to the guest VM, like this:

The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

puppet apply --verbose --debug --modulepath '/tmp/vagrant-puppet-1/modules-0:/etc/puppet/modules' --manifestdir /tmp/vagrant-puppet-1/manifests --hiera_config=/tmp/vagrant-puppet-1/hiera.yaml --detailed-exitcodes /tmp/vagrant-puppet-1/manifests/site.pp || [ $? -eq 2 ]

As long as --hiera_config is pointing to the correct location/file in this command it should read your configuration with no problems. I had an issue temporarily (before I discovered that /etc/puppet/hieradata/common.json was not present on the VM) to where it would read the hiera.yaml but then fail due to common.json being absent.

All said and done though hiera looks in very specific locations depending on whether you set "puppet.hiera_config_path" or not, unless you manually override the puppet.options.

Best Answer

Related Solutions

Mysql – Invalid parameter config_hash: Attempting to install thesql (and Openstack) via Puppet

Vagrant’s puppet provisioner not reading hiera.yaml backend correctly

Related Topic