# puppet
  • b

    bastelfreak

    09/09/2025, 7:26 AM
    uninstall it
  • m

    Mickael Saavedra

    09/09/2025, 7:28 AM
    it's still in
    /opt/puppetlabs/bin/facter
    but I suppose this is expected
  • m

    Mickael Saavedra

    09/09/2025, 7:30 AM
    # find / -type f -name facter
    /var/lib/gems/3.1.0/gems/facter-4.10.0/bin/facter
    /opt/puppetlabs/server/data/puppetserver/dropsonde/bin/facter
    /opt/puppetlabs/server/data/puppetserver/dropsonde/gems/facter-4.9.0/bin/facter
    /opt/puppetlabs/puppet/bin/facter
  • m

    Mickael Saavedra

    09/09/2025, 7:30 AM
    /opt/puppetlabs/server/data/puppetserver/dropsonde/gems/facter-4.9.0/bin/facter
    comes from the puppetserver package 🤷‍♂️
  • b

    bastelfreak

    09/09/2025, 7:32 AM
    /var/lib/gems/3.1.0/gems/facter-4.10.0/bin/facter
    is from a debian package or someone did a
    gem install
  • b

    bastelfreak

    09/09/2025, 7:32 AM
    the other three are expected
  • b

    bastelfreak

    09/09/2025, 7:33 AM
    what do you get by running
    /opt/puppetlabs/bin/puppet facts show puppetversion facterversion
    now, after purging the facter package?
  • m

    Mickael Saavedra

    09/09/2025, 7:37 AM
    still the same as before 😞
  • b

    bastelfreak

    09/09/2025, 7:39 AM
    and
    /opt/puppetlabs/puppet/bin/facter version
    ?
  • m

    Mickael Saavedra

    09/09/2025, 7:40 AM
    4.10.0
  • b

    bastelfreak

    09/09/2025, 7:41 AM
    and
    /opt/puppetlabs/puppet/bin/gem list
    ?
  • m

    Mickael Saavedra

    09/09/2025, 7:44 AM
    # /opt/puppetlabs/puppet/bin/gem list
    
    *** LOCAL GEMS ***
    
    benchmark (default: 0.1.0)
    bigdecimal (default: 2.0.0)
    bundler (default: 2.1.4)
    cgi (default: 0.1.0.2)
    concurrent-ruby (1.2.3)
    csv (default: 3.1.2)
    date (default: 3.0.3)
    deep_merge (1.2.2)
    delegate (default: 0.1.0)
    did_you_mean (default: 1.4.0)
    etc (default: 1.1.0)
    facter (4.10.0)
    fast_gettext (1.1.2)
    fcntl (default: 1.0.0)
    ffi (1.16.3)
    fiddle (default: 1.0.0)
    fileutils (default: 1.4.1)
    forwardable (default: 1.3.1)
    getoptlong (default: 0.1.0)
    gettext (3.2.2)
    hiera (3.12.0)
    hiera-eyaml (3.4.0, 3.2.2)
    highline (2.1.0)
    hocon (1.3.1)
    io-console (default: 0.5.6)
    ipaddr (default: 1.2.2)
    irb (default: 1.2.6)
    json (default: 2.3.0)
    locale (2.1.4)
    logger (default: 1.4.2)
    matrix (default: 0.2.0)
    minitest (5.13.0)
    multi_json (1.15.0)
    mutex_m (default: 0.1.0)
    net-pop (default: 0.1.0)
    net-smtp (default: 0.1.0)
    net-ssh (6.1.0)
    net-telnet (0.2.0)
    observer (default: 0.1.0)
    open3 (default: 0.1.0)
    openssl (default: 2.1.4)
    optimist (3.1.0)
    ostruct (default: 0.2.0)
    power_assert (1.1.7)
    prime (default: 0.1.1)
    pstore (default: 0.1.0)
    psych (default: 3.1.0)
    puppet (7.34.0)
    puppet-resource_api (1.9.0)
    puppetserver-ca (2.6.0)
    racc (default: 1.4.16)
    rake (13.0.1)
    rdoc (default: 6.2.1.1)
    readline (default: 0.0.2)
    readline-ext (default: 0.1.0)
    reline (default: 0.1.5)
    rexml (3.3.6, default: 3.2.3.1)
    rss (default: 0.2.8)
    scanf (1.0.0)
    sdbm (default: 1.0.0)
    semantic_puppet (1.1.0)
    singleton (default: 0.1.0)
    stringio (default: 0.1.0)
    strscan (default: 1.0.3)
    sys-filesystem (1.4.4)
    test-unit (3.3.4)
    text (1.3.1)
    thor (1.2.2)
    timeout (default: 0.1.0)
    tracer (default: 0.1.0)
    uri (default: 0.10.0.2)
    webrick (default: 1.6.1)
    xmlrpc (0.3.0)
    yaml (default: 0.1.0)
    zlib (default: 1.1.0)
  • b

    bastelfreak

    09/09/2025, 7:58 AM
    I'm not really sure where the version is read from. I don't think it's coming from the gemspec
  • m

    Mickael Saavedra

    09/09/2025, 7:59 AM
    yep, that's why I had tried to use strace to find that out, but I couldn't get anywhere
  • y

    Yury Bushmelev

    09/09/2025, 8:06 AM
    Do you have any custom fact called “version” maybe?
  • y

    Yury Bushmelev

    09/09/2025, 8:06 AM
    Ah, it’s the opposite
  • y

    Yury Bushmelev

    09/09/2025, 8:06 AM
    Well.. strace -ff is the right tool then..
  • y

    Yury Bushmelev

    09/09/2025, 8:11 AM
    I’d back up /opt/puppetlabs and /etc/puppet{,labs} and delete all the related packages. Then check what is left in the dirs above and clean up
  • y

    Yury Bushmelev

    09/09/2025, 8:11 AM
    Then reinstall the packages
  • y

    Yury Bushmelev

    09/09/2025, 8:12 AM
    As long as CA and cert files are kept, it should be safe
  • y

    Yury Bushmelev

    09/09/2025, 8:12 AM
    Another option is to use a container for the puppetserver instead
  • b

    bastelfreak

    09/09/2025, 8:21 AM
    @Mickael Saavedra can you do
    ls -la /etc/facter/facts.d/ /etc/puppetlabs/facter/* /opt/puppetlabs/facter/facts.d/
    and
    /opt/puppetlabs/bin/puppet facts show puppetversion facterversion --debug
    ?
  • m

    Mickael Saavedra

    09/09/2025, 8:24 AM
    @bastelfreak
    # ls -la /etc/facter/facts.d/ /etc/puppetlabs/facter/* /opt/puppetlabs/facter/facts.d/
    ls: cannot access '/etc/facter/facts.d/': No such file or directory
    ls: cannot access '/etc/puppetlabs/facter/*': No such file or directory
    /opt/puppetlabs/facter/facts.d/:
    total 8
    drwxr-xr-x 2 root root 4096 Sep 13  2021 .
    drwxr-xr-x 3 root root 4096 Oct 10  2021 ..
    
    # /opt/puppetlabs/bin/puppet facts show puppetversion facterversion --debug
    Debug: Runtime environment: puppet_version=7.34.0, ruby_version=2.7.8, run_mode=user, openssl_version='OpenSSL 1.1.1w  11 Sep 2023', openssl_fips=false, default_encoding=UTF-8
    Debug: Configuring PuppetDB terminuses with config file /etc/puppetlabs/puppet/puppetdb.conf
    Debug: Verified CA certificate 'CN=Puppet Root CA: e257524bd08f6e' fingerprint (SHA256) E8:22:92:68:05:35:87:6E:49:19:A9:FB:5E:A4:F1:B7:6C:76:0D:AD:92:A5:47:1B:88:9C:02:5E:4E:3C:7A:DB
    Debug: Verified CA certificate 'CN=Puppet CA: at-example-puppet-server1.example.at' fingerprint (SHA256) 5F:7A:CA:46:36:A4:91:E7:61:F5:51:FC:DC:EE:40:C6:D0:3C:7A:2A:D4:14:D4:33:AA:A6:9B:F4:63:9B:0D:48
    Debug: Verified client certificate 'CN=at-example-puppet-server1.example.at' fingerprint (SHA256) 96:CF:DB:AB:90:44:7C:FF:36:FD:9A:8A:3A:5A:AD:EC:65:A0:F0:F3:71:4E:6A:68:EE:E8:F7:F2:18:BA:88:49
    Debug: Using CRL 'CN=Puppet CA: at-example-puppet-server1.example.at' authorityKeyIdentifier 'keyid:71:EA:6D:B3:A3:C8:87:4F:14:0A:B2:D7:F6:67:62:F8:58:CD:26:A3' crlNumber '35'
    Debug: Using CRL 'CN=Puppet Root CA: e257524bd08f6e' authorityKeyIdentifier 'keyid:D7:83:2C:6A:31:CB:B6:46:07:A6:27:D7:78:E7:E9:85:D3:6A:25:FD' crlNumber '0'
    Debug: Creating new connection for https://puppetdb.example.at:8081
    Debug: Starting connection for https://puppetdb.example.at:8081
    Debug: Using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256
    Debug: HTTP GET https://puppetdb.example.at:8081/pdb/query/v4/nodes/at-example-puppet-server1.example.at/facts returned 200 OK
    Debug: Caching connection for https://puppetdb.example.at:8081
    Debug: Using cached facts for at-example-puppet-server1.example.at
    [...]
  • b

    bastelfreak

    09/09/2025, 8:38 AM
    why does it talk to your puppetdb
  • b

    bastelfreak

    09/09/2025, 8:38 AM
    can you show your /etc/puppetlabs/puppet/puppet.conf?
  • m

    Mickael Saavedra

    09/09/2025, 9:16 AM
    sure,
    # This file can be used to override the default puppet settings.
    # See the following links for more details on what settings are available:
    # - https://puppet.com/docs/puppet/latest/config_important_settings.html
    # - https://puppet.com/docs/puppet/latest/config_about_settings.html
    # - https://puppet.com/docs/puppet/latest/config_file_main.html
    # - https://puppet.com/docs/puppet/latest/configuration.html
    [server]
    vardir = /opt/puppetlabs/server/data/puppetserver
    logdir = /var/log/puppetlabs/puppetserver
    rundir = /var/run/puppetlabs/puppetserver
    pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
    default_manifest       = ./manifests/site.pp
    #default_manifest       = ./current/manifests/site.pp
    factpath               = $vardir/lib/facter
    templatedir            = $confdir/templates
    #environmentpath       = $confdir/environments
    basemodulepath         = $confdir/modules:/usr/share/puppet/modules/
    # disable caching environments
    environment_timeout    = 0
    # disable CA cert auto-signing, we do this manually for now
    autosign               = false
    tagmap                  = $confdir/tagmail.conf
    reports                = store,puppetdb,tagmail
    
    [main]
    codedir                = /data/puppet-modules
    #external_nodes        = /etc/puppet/foreman_enc.rb --no-environment
    #node_terminus         = exec
    environment            = production
    environments           = production
    environmentpath        = /data/puppet-modules/environments
    #modulepath             = $environmentpath/$environment/current/modules:$basemodulepath
    dns_alt_names          = puppet,puppet.example.at,at-example-puppet-server1,at-example-puppet-server1,at-example-puppet-server1.example.at
    #ssl_client_header        = SSL_CLIENT_S_DN
    #ssl_client_verify_header = SSL_CLIENT_VERIFY
    #address="::"
    storeconfigs           = true
    storeconfigs_backend   = puppetdb
    reports                = store,puppetdb
    #reports               = store,puppetdb,foreman
    # we want to have the $facts variable available
    stringify_facts        = false
    trusted_node_data      = true
    immutable_node_data    = true
    
    
    [agent]
    server            = puppet.example.at
    masterport        = 8140
    report            = true
    splay             = true
    runinterval       = 3600
    syslogfacility    = local3
    usecacheonfailure = false
  • o

    Oleksandr Lytvyn

    09/09/2025, 3:00 PM
    Hello, I have a new RHEL9 server with Puppet 7 (open source) and PuppetDB installed on it. I want to configure Hiera to work with AWS Secrets Manager (as a backend, so to speak). I started using the module https://forge.puppet.com/modules/accenture/hiera_aws_sm/readme and during the PoC it worked OK. Main aspect: during the PoC I was setting AWS credentials manually. But now, to go to production, I need to encrypt those credentials so as not to store them in git in plain text. Here is an example of my hiera.yaml file:
    ---
    version: 5
    defaults:
      datadir: hieradata
      data_hash: yaml_data
    
    hierarchy:
      - name: "Per-node data"
        path: "node/%{trusted.certname}.yaml"
      - name: "OS major version-based data"
        path: "os/%{facts.os.family}/version/%{facts.os.release.major}.yaml"
      - name: "OS family-based data"
        path: "os/%{facts.os.family}.yaml"
    
      - name: "[ENCRYPTED] AWS Secrets Manager lookup - Dev"
        lookup_key: hiera_aws_sm
        options:
          continue_if_not_found: false
          aws_access_key: "%{lookup('hiera_aws_sm::dev::aws_access_key')}"
          aws_secret_key: "%{lookup('hiera_aws_sm::dev::aws_secret_key')}"
          region: us-east-1
          delimiter: /
          prefixes:
            - puppet/dev/common/
          confine_to_keys:
            - '^dev_.*'
    
      - name: "[ENCRYPTED] AWS Secrets Manager lookup - Prod"
        lookup_key: hiera_aws_sm
        options:
          continue_if_not_found: false
          aws_access_key: "%{lookup('hiera_aws_sm::prod::aws_access_key')}"
          aws_secret_key: "%{lookup('hiera_aws_sm::prod::aws_secret_key')}"
          region: us-east-1
          delimiter: /
          prefixes:
            - puppet/prod/common/
          confine_to_keys:
            - '^prod_.*'
    
      - name: "[ENCRYPTED] Global default data"
        path: "defaults.eyaml"
        lookup_key: eyaml_lookup_key
        options:
          pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
          pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
    
      - name: "Global default data"
        path: "defaults.yaml"
    What I did: I generated eyaml keys, encrypted the AWS secrets via eyaml, added the encrypted values into "defaults.eyaml", and then "referenced" those secrets in this hiera.yaml file. But when I try to run "puppet agent -t" I get an error:
    # puppet agent -tv --noop
    Info: Using environment 'main'
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Notice: Requesting catalog from puppet.server.fqdn:8140 (X.X.X.X)
    Notice: Catalog compiled by puppet.server.fqdn
    Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Interpolation using method syntax is not allowed in this context (file: /etc/puppetlabs/code/environments/main/hiera.yaml) on node puppet.server.fqdn
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    My goals: 1/ Store encrypted AWS credentials in git 2/ Populate/fill out/put correct credentials into /etc/puppetlabs/code/environments/My_Environment/hiera.yaml Could you please help me to understand how to fix the contents of the hiera.yaml file to make Puppet happy? 🙂
  • j

    John Gillis

    09/10/2025, 6:25 PM
    I have a question about the ordering of includes.. or the prioritization of classes in Puppet. I’ll include details in a follow up to this thread. I’ve been using the software for over 10 years, and I hadn’t had a problem until I believe an upgrade took away defaults. The basic problem is that I have one class that defines hosts, and another that sets up firewall rules. It used to be that the hosts would run first, then the firewall rules.. but now it’s that the puppet agent won’t run if a new host is added, because the firewall rules are running first
  • m

    Marek Pastierik

    09/11/2025, 8:19 AM
    Hi, can someone take a look at https://github.com/github/octocatalog-diff/pull/336?
  • b

    bastelfreak

    09/11/2025, 8:21 AM
    not sure how many people from github are here. most people use https://github.com/voxpupuli/puppet-catalog_diff