# puppet
  • y

    Yury Bushmelev

    09/09/2025, 8:06 AM
    Ah, it’s opposite
  • y

    Yury Bushmelev

    09/09/2025, 8:06 AM
    Well.. strace -ff is the right tool then..
  • y

    Yury Bushmelev

    09/09/2025, 8:11 AM
    I’d back up /opt/puppetlabs and /etc/puppet{,labs} and delete all the related packages. Then check what's left in the dirs above and clean up
  • y

    Yury Bushmelev

    09/09/2025, 8:11 AM
    Then reinstall the packages
  • y

    Yury Bushmelev

    09/09/2025, 8:12 AM
    As long as CA and cert files are kept, it should be safe
  • y

    Yury Bushmelev

    09/09/2025, 8:12 AM
    Another option is to use a container for the puppetserver instead
  • b

    bastelfreak

    09/09/2025, 8:21 AM
    @Mickael Saavedra can you do
    ls -la /etc/facter/facts.d/ /etc/puppetlabs/facter/* /opt/puppetlabs/facter/facts.d/
    and
    /opt/puppetlabs/bin/puppet facts show puppetversion facterversion --debug
    ?
  • m

    Mickael Saavedra

    09/09/2025, 8:24 AM
    @bastelfreak
    # ls -la /etc/facter/facts.d/ /etc/puppetlabs/facter/* /opt/puppetlabs/facter/facts.d/
    ls: cannot access '/etc/facter/facts.d/': No such file or directory
    ls: cannot access '/etc/puppetlabs/facter/*': No such file or directory
    /opt/puppetlabs/facter/facts.d/:
    total 8
    drwxr-xr-x 2 root root 4096 Sep 13  2021 .
    drwxr-xr-x 3 root root 4096 Oct 10  2021 ..
    
    # /opt/puppetlabs/bin/puppet facts show puppetversion facterversion --debug
    Debug: Runtime environment: puppet_version=7.34.0, ruby_version=2.7.8, run_mode=user, openssl_version='OpenSSL 1.1.1w  11 Sep 2023', openssl_fips=false, default_encoding=UTF-8
    Debug: Configuring PuppetDB terminuses with config file /etc/puppetlabs/puppet/puppetdb.conf
    Debug: Verified CA certificate 'CN=Puppet Root CA: e257524bd08f6e' fingerprint (SHA256) E8:22:92:68:05:35:87:6E:49:19:A9:FB:5E:A4:F1:B7:6C:76:0D:AD:92:A5:47:1B:88:9C:02:5E:4E:3C:7A:DB
    Debug: Verified CA certificate 'CN=Puppet CA: at-example-puppet-server1.example.at' fingerprint (SHA256) 5F:7A:CA:46:36:A4:91:E7:61:F5:51:FC:DC:EE:40:C6:D0:3C:7A:2A:D4:14:D4:33:AA:A6:9B:F4:63:9B:0D:48
    Debug: Verified client certificate 'CN=at-example-puppet-server1.example.at' fingerprint (SHA256) 96:CF:DB:AB:90:44:7C:FF:36:FD:9A:8A:3A:5A:AD:EC:65:A0:F0:F3:71:4E:6A:68:EE:E8:F7:F2:18:BA:88:49
    Debug: Using CRL 'CN=Puppet CA: at-example-puppet-server1.example.at' authorityKeyIdentifier 'keyid:71:EA:6D:B3:A3:C8:87:4F:14:0A:B2:D7:F6:67:62:F8:58:CD:26:A3' crlNumber '35'
    Debug: Using CRL 'CN=Puppet Root CA: e257524bd08f6e' authorityKeyIdentifier 'keyid:D7:83:2C:6A:31:CB:B6:46:07:A6:27:D7:78:E7:E9:85:D3:6A:25:FD' crlNumber '0'
    Debug: Creating new connection for https://puppetdb.example.at:8081
    Debug: Starting connection for https://puppetdb.example.at:8081
    Debug: Using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256
    Debug: HTTP GET https://puppetdb.example.at:8081/pdb/query/v4/nodes/at-example-puppet-server1.example.at/facts returned 200 OK
    Debug: Caching connection for https://puppetdb.example.at:8081
    Debug: Using cached facts for at-example-puppet-server1.example.at
    [...]
  • b

    bastelfreak

    09/09/2025, 8:38 AM
    why does it talk to your puppetdb
  • b

    bastelfreak

    09/09/2025, 8:38 AM
    can you show your /etc/puppetlabs/puppet/puppet.conf?
  • m

    Mickael Saavedra

    09/09/2025, 9:16 AM
    sure,
    # This file can be used to override the default puppet settings.
    # See the following links for more details on what settings are available:
    # - https://puppet.com/docs/puppet/latest/config_important_settings.html
    # - https://puppet.com/docs/puppet/latest/config_about_settings.html
    # - https://puppet.com/docs/puppet/latest/config_file_main.html
    # - https://puppet.com/docs/puppet/latest/configuration.html
    [server]
    vardir = /opt/puppetlabs/server/data/puppetserver
    logdir = /var/log/puppetlabs/puppetserver
    rundir = /var/run/puppetlabs/puppetserver
    pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
    default_manifest       = ./manifests/site.pp
    #default_manifest       = ./current/manifests/site.pp
    factpath               = $vardir/lib/facter
    templatedir            = $confdir/templates
    #environmentpath       = $confdir/environments
    basemodulepath         = $confdir/modules:/usr/share/puppet/modules/
    # disable caching environments
    environment_timeout    = 0
    # disable CA cert auto-signing, we do this manually for now
    autosign               = false
    tagmap                  = $confdir/tagmail.conf
    reports                = store,puppetdb,tagmail
    
    [main]
    codedir                = /data/puppet-modules
    #external_nodes        = /etc/puppet/foreman_enc.rb --no-environment
    #node_terminus         = exec
    environment            = production
    environments           = production
    environmentpath        = /data/puppet-modules/environments
    #modulepath             = $environmentpath/$environment/current/modules:$basemodulepath
    dns_alt_names          = puppet,puppet.example.at,at-example-puppet-server1,at-example-puppet-server1,at-example-puppet-server1.example.at
    #ssl_client_header        = SSL_CLIENT_S_DN
    #ssl_client_verify_header = SSL_CLIENT_VERIFY
    #address="::"
    storeconfigs           = true
    storeconfigs_backend   = puppetdb
    reports                = store,puppetdb
    #reports               = store,puppetdb,foreman
    # we want to have the $facts variable available
    stringify_facts        = false
    trusted_node_data      = true
    immutable_node_data    = true
    
    
    [agent]
    server            = puppet.example.at
    masterport        = 8140
    report            = true
    splay             = true
    runinterval       = 3600
    syslogfacility    = local3
    usecacheonfailure = false
  • o

    Oleksandr Lytvyn

    09/09/2025, 3:00 PM
    Hello, I have a new RHEL9 server with Puppet 7 (open source) and PuppetDB installed on it. I want to configure Hiera to work with AWS Secrets Manager (as a backend, so to speak). I started using the module https://forge.puppet.com/modules/accenture/hiera_aws_sm/readme and during the PoC it worked OK. Main aspect - during the PoC I was setting the AWS credentials manually. But now, to go to production, I need to encrypt those credentials so as not to store them in git in plain text. Here is an example of my hiera.yaml file:
    ---
    version: 5
    defaults:
      datadir: hieradata
      data_hash: yaml_data
    
    hierarchy:
      - name: "Per-node data"
        path: "node/%{trusted.certname}.yaml"
      - name: "OS major version-based data"
        path: "os/%{facts.os.family}/version/%{facts.os.release.major}.yaml"
      - name: "OS family-based data"
        path: "os/%{facts.os.family}.yaml"
    
      - name: "[ENCRYPTED] AWS Secrets Manager lookup - Dev"
        lookup_key: hiera_aws_sm
        options:
          continue_if_not_found: false
          aws_access_key: "%{lookup('hiera_aws_sm::dev::aws_access_key')}"
          aws_secret_key: "%{lookup('hiera_aws_sm::dev::aws_secret_key')}"
          region: us-east-1
          delimiter: /
          prefixes:
            - puppet/dev/common/
          confine_to_keys:
            - '^dev_.*'
    
      - name: "[ENCRYPTED] AWS Secrets Manager lookup - Prod"
        lookup_key: hiera_aws_sm
        options:
          continue_if_not_found: false
          aws_access_key: "%{lookup('hiera_aws_sm::prod::aws_access_key')}"
          aws_secret_key: "%{lookup('hiera_aws_sm::prod::aws_secret_key')}"
          region: us-east-1
          delimiter: /
          prefixes:
            - puppet/prod/common/
          confine_to_keys:
            - '^prod_.*'
    
      - name: "[ENCRYPTED] Global default data"
        path: "defaults.eyaml"
        lookup_key: eyaml_lookup_key
        options:
          pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
          pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
    
      - name: "Global default data"
        path: "defaults.yaml"
    What I did - I generated eyaml keys, encrypted the AWS secrets via eyaml and added the encrypted values into "defaults.eyaml", and then in this hiera.yaml file I "reference" those secrets. But when I try to run "puppet agent -t" I get an error:
    # puppet agent -tv --noop
    Info: Using environment 'main'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Notice: Requesting catalog from puppet.server.fqdn:8140 (X.X.X.X)
    Notice: Catalog compiled by puppet.server.fqdn
    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Interpolation using method syntax is not allowed in this context (file: /etc/puppetlabs/code/environments/main/hiera.yaml) on node puppet.server.fqdn
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    My goals: 1/ Store encrypted AWS credentials in git 2/ Populate/fill-out/put correct credentials into /etc/puppetlabs/code/environments/My_Environment/hiera.yaml Could you please help me to understand how to fix the contents of the hiera.yaml file to make Puppet happy? 🙂
  • j

    John Gillis

    09/10/2025, 6:25 PM
    I have a question about the ordering of includes.. or the prioritization of classes in Puppet. I’ll include details in a follow up to this thread. I’ve been using the software for over 10 years, and I hadn’t had a problem until I believe an upgrade took away defaults. The basic problem is that I have one class that defines hosts, and another that sets up firewall rules. It used to be that the hosts would run first, then the firewall rules.. but now it’s that the puppet agent won’t run if a new host is added, because the firewall rules are running first
  • m

    Marek Pastierik

    09/11/2025, 8:19 AM
    Hi, can someone take a look at https://github.com/github/octocatalog-diff/pull/336?
  • b

    bastelfreak

    09/11/2025, 8:21 AM
    not sure how many people from github are here. most people use https://github.com/voxpupuli/puppet-catalog_diff
  • c

    CVQuesty

    09/11/2025, 12:45 PM
    Yeah, you would have to post that over at GitHub
  • o

    Oleksandr Lytvyn

    09/12/2025, 8:03 AM
    Hello, is downloading PDK now behind a "paywall"? When I go to https://forge.puppet.com/resources/pdk and want to download the installer for Windows, it asks me for some username and password
  • b

    bastelfreak

    09/12/2025, 8:05 AM
    You now need to sign the EULA (despite Perforce promising last November that they won't require the EULA for it)
  • o

    Oleksandr Lytvyn

    09/12/2025, 8:20 AM
    I'm having trouble understanding what to do 😞 I have created a Puppet Forge account, signed the Puppet Core EULA (role "Puppet core developer"), and enabled MFA. When I go to https://forge.puppet.com/resources/pdk it says there that I can download PDK with Puppet Forge credentials, but when I try to download the installer and enter my Forge credentials - it doesn't work 😞 Never mind, I didn't read the text well enough ✅
  • b

    bastelfreak

    09/12/2025, 8:26 AM
    best is to just not use pdk
  • b

    bastelfreak

    09/12/2025, 8:27 AM
    under the hood it mostly bundles community tools. many of them with a GPL license
  • b

    bastelfreak

    09/12/2025, 8:27 AM
    so I'm not sure if the EULA is even allowed here
  • r

    runlolarun

    09/12/2025, 3:28 PM
    Hello, everyone. I’m ready to scream and would appreciate your advice…. I’m converting our ERB templates to EPP
    <% if $facts['networking']['hostname'] == 'tunnel' { -%>
    net.ipv4.ip_forward = 1
    <% } -%>
    But when I run the command below, the net.ipv4ip… line is not present. What am I doing wrong? Thank you!
    $ puppet epp render cs-local-sysctl.conf.epp --values '{ hostname => tunnel }'
  • b

    bastelfreak

    09/12/2025, 3:29 PM
    did you try to apply this on a node already, or just with puppet epp...?
  • b

    bastelfreak

    09/12/2025, 3:30 PM
    because you don't pass the facts to the cli command and I don't think it gathers the actual facts when compiling the template, but I could be wrong
  • r

    runlolarun

    09/12/2025, 3:33 PM
    just puppet epp.
  • c

    csharpsteen

    09/12/2025, 3:33 PM
    I'd expect that to set a $hostname parameter when evaluating the template --- which is not what the template is using.
  • r

    runlolarun

    09/12/2025, 3:34 PM
    So what would be the best way to test out the logic?
  • b

    bastelfreak

    09/12/2025, 3:36 PM
    apply it on a node or write a unit test for it (or use a sysctl puppet module like https://forge.puppet.com/modules/puppet/augeasproviders_sysctl/readme)
  • r

    runlolarun

    09/12/2025, 3:37 PM
    okay, thank you.