Hiera Error 400 on SERVER: Could not find data item classes in any Hiera data file and no default supplied

1,825 views
Skip to first unread message

Ugo Bellavance

unread,
Apr 19, 2016, 1:36:47 PM4/19/16
to Puppet Users
Hi,

I'm currently testing hiera and I can't make it work.  I get this error: Error 400 on SERVER: Could not find data item classes in any Hiera data file and no default supplied at /etc/puppet/manifests/site.pp:11 on node. I'm trying to do something like this: https://docs.puppet.com/hiera/3.0/complete_example.html (puppetlabs ntp module).

Client: puppet 3.6.2

On the master:

puppet 3.6.2

# puppet config print | grep hiera_
hiera_config = /etc/puppet/hiera.yaml

Contents of /etc/puppet/hiera.yaml
---
:backends:
#  - regex
  - yaml
:yaml:
  :datadir: /var/lib/hiera
#:regex:
#  :datadir: /var/lib/hiera
:hierarchy:
  - "host/%{fqdn}"
  - "domain/%{domain}"
  - "env/%{::environment}"
  - "os/%{operatingsystem}"
  - "osfamily/%{osfamily}"
  - "virtual/%{::virtual}"
  - common

Contents of /etc/puppet/manifests/site.pp

import "nodes/*"
import "os/*"
import "packages/*"
import "users/*"
import "service-types/*"

# Enable hiera
hiera_include('classes')

#filebitbucket { main: server => puppet }
#File { backup => main }

# The filebucket option allows for file backups to the server
filebucket { main: server => 'puppet' }

# Set global defaults - including backing up all files to the main filebucket and adds a global path
File { backup => main }

Contents of the hiera file for this host:

# cat /var/lib/hiera/host/agent1.example.com.yaml
---
classes: ntp
ntp::restrict:
  -
ntp::autoupdate: false
ntp::enable: true
ntp::servers:

Contents of the common file:

# cat /var/lib/hiera/common.yaml
---
ntp::autoupdate: true
ntp::enable: true
ntp::servers:
  - ntp1.example


When debugging on the master:

# puppet master --debug --compile agent1.example.com | grep hiera | grep -v Cannot | grep -v Looking
Warning: The use of 'import' is deprecated at /etc/puppet/manifests/site.pp:4. See http://links.puppetlabs.com/puppet-import-deprecation
   (at grammar.ra:610:in `block in _reduce_190')
Debug: hiera(): Hiera YAML backend starting
Debug: hiera(): Found classes in host/agent1.example.com
Debug: hiera(): Found ntp::autoupdate in host/agent1.example.com
Debug: hiera(): Found ntp::restrict in host/agent1.example.com
Debug: hiera(): Found ntp::servers in host/agent1.example.com
Warning: Variable access via 'search_domain' is deprecated. Use '@search_domain' instead. template[/etc/puppet/modules/resolv/templates/resolv.conf.erb]:5
   (at /etc/puppet/modules/resolv/templates/resolv.conf.erb:5:in `block in result')
Warning: Variable access via 'dns_servers' is deprecated. Use '@dns_servers' instead. template[/etc/puppet/modules/resolv/templates/resolv.conf.erb]:7
   (at /etc/puppet/modules/resolv/templates/resolv.conf.erb:7:in `block in result')

(I will eventually fix the warnings, I doubt they cause my hiera problem)

hiera debugging on the master:

# hiera ntp::servers clientcert=agen1.example.com --debug
DEBUG: 2016-04-19 13:26:43 -0400: Hiera YAML backend starting
DEBUG: 2016-04-19 13:26:43 -0400: Looking up ntp::servers in YAML backend
DEBUG: 2016-04-19 13:26:43 -0400: Looking for data source common
DEBUG: 2016-04-19 13:26:43 -0400: Found ntp::servers in common

(should not find the information in common, should use the information in /var/lib/hiera/host/agent1.example.com.yaml

Any help would be greatly appreciated.

Thanks,

Ugo

Rob Nelson

unread,
Apr 19, 2016, 4:39:21 PM4/19/16
to puppet...@googlegroups.com
Ugo,

In your last example you used 'agen1' instead of 'agent1'. Maybe it's just a typo? Those are the best problems :) I also don't see where the 400 error comes from, can you capture that somewhere?

An alternative solution - or maybe complementary - is to change line 11 to say `hiera_include('classes', [])`, or add a default class that notifies "Can't find a class!" This way, all runs complete, even if they don't manage the device properly, which ensures that facts are at least collected.

I also recommend upgrading to the latest 3.x version now, and 4.x as soon as you can, as SO MANY hiera bugs were fixed in 3.7/3.8 and then 4.3/4.4 that it's very likely that any bug you run into is already fixed by moving past 3.6.2.


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/11548aff-32cd-4cdb-9886-4cfc079cd5fa%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Ugo Bellavance

unread,
Apr 19, 2016, 5:48:26 PM4/19/16
to Puppet Users
Unfortunately, I wrote agen1 when I edited my post not to show internal info.

I tried your alternative solution (hiera_include('classes', [])) and it, well, allows the puppet command (puppet agent --noop --test --verbose by the way) to run OK instead of throwing a 400, but I don't see it applying ntp changes.

I'm actually testing a new server on 3.6.2 (EPEL), my production server is 2.7 (EPEL).

Thanks a lot,

Peter Faller

unread,
Apr 20, 2016, 7:45:13 AM4/20/16
to Puppet Users
Ugo, I think you need:

classes:
  - ntp

... instead of:

classes: ntp

... to make 'classes' an array instead of a simple value.

Ugo Bellavance

unread,
Apr 20, 2016, 8:06:53 AM4/20/16
to Puppet Users
Tried it but I get the same result.  I think that both work, the array being needed when one than one class is needed here.

I guess that the next step will be to try with the latest Puppet 3...

Thanks,

jcbollinger

unread,
Apr 20, 2016, 9:03:35 AM4/20/16
to Puppet Users


On Tuesday, April 19, 2016 at 12:36:47 PM UTC-5, Ugo Bellavance wrote:

This:
 
When debugging on the master:

# puppet master --debug --compile agent1.example.com | grep hiera | grep -v Cannot | grep -v Looking
[...]
Debug: hiera(): Hiera YAML backend starting
Debug: hiera(): Found classes in host/agent1.example.com
[...]


Shows that your Hiera config and data are fine.

You haven't presented any logs of the actual puppetmaster service failure, and these might be more illuminating, but at this point I'm inclined to guess that your problem is one of two things:
  1. perhaps the master is running with a stale Hiera config, and needs to be restarted to see the up-to-date one, or
  2. access controls on one or more of the Hiera data files prevent the puppetmaster process from reading them.
I'd rate the latter as somewhat more likely.


John

Ugo Bellavance

unread,
Apr 20, 2016, 9:13:52 AM4/20/16
to Puppet Users
Here are the logs on the puppet master (please note that I don't use the fileserver anymore and as you can see, I restarted the master just before testing):

Apr 20 09:08:51 master puppet-master[26083]: Starting Puppet master version 3.6.2
Apr 20 09:09:27 master puppet-master[26083]: Removing mount "files": /var/lib/puppet/files does not exist or is not a directory
Apr 20 09:09:27 master puppet-master[26083]: Error parsing fileserver configuration: wrong number of arguments (3 for 0..1); using old configuration
Apr 20 09:09:31 master puppet-master[26083]: The use of 'import' is deprecated at /etc/puppet/manifests/site.pp:4. See http://links.puppetlabs.com/puppet-import-deprecation
Apr 20 09:09:31 master puppet-master[26083]:   (at grammar.ra:610:in `block in _reduce_190')
Apr 20 09:09:32 master puppet-master[26083]: Could not find data item classes in any Hiera data file and no default supplied at /etc/puppet/manifests/site.pp:12 on node agent1.atqlan.agri-tracabilite.qc.ca
Apr 20 09:09:32 master puppet-master[26083]: Could not find data item classes in any Hiera data file and no default supplied at /etc/puppet/manifests/site.pp:12 on node agent1.atqlan.agri-tracabilite.qc.ca
Apr 20 09:09:32 master puppet-master[26083]: Could not find data item classes in any Hiera data file and no default supplied at /etc/puppet/manifests/site.pp:12 on node agent1.atqlan.agri-tracabilite.qc.ca
 

jcbollinger

unread,
Apr 21, 2016, 9:03:29 AM4/21/16
to Puppet Users


Well, that at least does demonstrate that the problem is not a stale Hiera config.  The verbosity and logging level are apparently set low enough that the HIera lookup details are not reported.  Did you check the access controls on the data files and the directories in the path to them?  Can a process running with the same uid / gid as the master does access and read the data files?


John

Ugo Bellavance

unread,
Apr 21, 2016, 10:29:21 AM4/21/16
to Puppet Users
It looks like you found it John! Thanks a lot.

In fact, the files were in /var/lib/hiera/ (the default for my puppet binary), but SELinux contexts were not appropriate on the folder and its files.  I could have fixed them manually, but instead I moved them to /etc/puppet/hiera and ran restorecon -Rv on the folder to make sure SELinux contexts were adjusted correctly. Running restorecon on /var/lib/hiera/ doesn't change anything.

I'm kind of mad at me for not seeing this log entry:

type=AVC msg=audit(1461246504.666:74599): avc:  denied  { getattr } for  pid=4901 comm="puppet" path="/var/lib/hiera/common.yaml" dev="dm-4" ino=25715620 scontext=system_u:system_r:puppetmaster_t:s0 tcontext=unconfined_u:object_r:var_
lib_t:s0 tclass=file

This a test server and on setroubleshoot was not configure like on my production server. I'll go configure it now and continue my puppet work.

Thanks!
Reply all
Reply to author
Forward
0 new messages