puppetdb question !!!

[Rakesh Kathpal]

Hi,

Its been some time that I have been working with puppet.

I have recently installed puppetdb and am using puppetdb APIs to fetch the data about facts etc..

Few things that I have noticed are

1) Whenever I add a custom fact, I do not see it in the postgresql db until I delete all the facts for the particular certname from db (manually). So that in the next puppet run on the client, all facts will be carried into the puppetdb.

So is it the way, puppetdb is designed to work or am I missing something here?

2) Is there any way to know if a new node has started using puppet. I know I can get a node list using the puppetdb API, but is there any way to know amongst these nodes, which are new.

Or is there any other way to get newly added nodes in puppetdb / puppet??

Appreciate any help on these queries.

Thanks & Regards,

Rakesh K.

[Deepak Giridharagopal]

On Mon, Mar 10, 2014 at 6:30 AM, Rakesh Kathpal <rkat...@gmail.com> wrote:

Hi,

Its been some time that I have been working with puppet.

I have recently installed puppetdb and am using puppetdb APIs to fetch the data about facts etc..

Few things that I have noticed are

1) Whenever I add a custom fact, I do not see it in the postgresql db until I delete all the facts for the particular certname from db (manually). So that in the next puppet run on the client, all facts will be carried into the puppetdb.

So is it the way, puppetdb is designed to work or am I missing something here?

That is not the way it's designed to work, and I strongly recommend against direct manipulation of postgres (at the point you're messing with the db directly, your changes are outside of puppetdb's control...so caveat emptor).

PuppetDB stores new facts for a node whenever a puppetmaster sends new facts to PuppetDB. That normally happens when you run puppet on the node itself...it runs facter, sends facts to the master, master sends a copy of those facts to puppetdb. You can verify that facts are going to puppetdb by looking at puppetdb.log; it should indicate that we've received a "replace facts" command for the node in question.

You can also check the API directly. On your puppetdb node, curl http://localhost:8080/v3/nodes/foobar.com . That will dump out information about when we've last received data for that node.

If it appears that puppetdb is getting updated facts for a node, but it doesn't include a custom fact, and forcibly clearing out the data results in that fact appearing, then I'd file a bug and include all of that information (including what version of puppetdb you're on). 

 

2) Is there any way to know if a new node has started using puppet. I know I can get a node list using the puppetdb API, but is there any way to know amongst these nodes, which are new.

Or is there any other way to get newly added nodes in puppetdb / puppet??

There's no mechanism currently in PuppetDB to get notified when a new node is added. PuppetDB tracks the timestamps of the latest data (catalogs, facts, reports) for each node, and that doesn't include the first time we ever got data for a node. If you can describe the desired API in more detail, this would make a good feature request.

 

Appreciate any help on these queries.

Thanks & Regards,

Rakesh K.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAEJrXMW7MvdaPTGcPjoZTJB4SkNGCy_wLcjpHNXwa%3D6hsTg5jQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Rakesh Kathpal]

Deepak.. Thanks alot for the info, really appreciate your help.

1) Regarding replace facts, I will recheck the issue and get back to you if it still seems to be a bug.

2) The thing is I need to run a report for the newly added report, so I am running a poller script which will poll every 5 mins and check for the new node, as soon it gets a new node it will run a report based on the facts received. Though I can get a list using the api or bu directly accessing the certname table in puppetdb but there is no way to know which are new nodes unless I sync the tables locally (which is again a tedious task).

Just a suggestion .. it will really good if you can add field "date added" to the certname table just reporting purposes.

Regards,

Rakesh K.

 

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAOjOXY19k5jQHtTtgb_zidSVeyJB6N5SVWdQWCajCKCM5jBQUg%40mail.gmail.com.

[Ken Barber]

> Just a suggestion .. it will really good if you can add field "date added"
> to the certname table just reporting purposes.

Feel free to raise that as a feature request here Rakesh:
https://tickets.puppetlabs.com/browse/PDB

ken.

[Rakesh Kathpal]

https://tickets.puppetlabs.com/browse/PDB-508

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAE4bNT%3D6LBjFCDrym8auMw7ufxMwBmV_d6x-yTO4CxdMPkdKqQ%40mail.gmail.com.

[Rakesh Kathpal]

Hi ,

I am still struggling on the replace fact part, is there any way
to force replace_facts for a node.

I am actually adding new facts by coping them directly into the facter dir but unfortunately they are not getting replicated to puppetdb. Is there any way to force puppetdb to replace_facts.

This is really urgent for me, any help is greatly appreciated.

Regards,

Rakesh K.

[Christopher Wood]

After copying these facts into /etc/facter/facts.d, are you kicking off another puppet agent run? Facts get sent to the master on each agent run, not before.

http://docs.puppetlabs.com/guides/custom_facts.html#viewing-fact-values

On Sun, Mar 30, 2014 at 07:35:54PM +0530, Rakesh Kathpal wrote:
> Hi ,
>
> I am still struggling on the replace fact part, is there any way
> to force replace_facts for a node.
>
> I am actually adding new facts by coping them directly into the facter dir
> but unfortunately they are not getting replicated to puppetdb. Is there
> any way to force puppetdb to replace_facts.
>
> This is really urgent for me, any help is greatly appreciated.
>
> Regards,
>
> Rakesh K.
>

> On Wed, Mar 12, 2014 at 1:25 PM, Rakesh Kathpal <[1]rkat...@gmail.com>
> wrote:
>
> [2]https://tickets.puppetlabs.com/browse/PDB-508
>
> On Tue, Mar 11, 2014 at 10:28 PM, Ken Barber <[3]k...@puppetlabs.com>

> wrote:
>
> > Just a suggestion .. it will really good if you can add field "date
> added"
> > to the certname table just reporting purposes.
>
> Feel free to raise that as a feature request here Rakesh:

> [4]https://tickets.puppetlabs.com/browse/PDB

>
> ken.
> --
> You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send

> an email to [5]puppet-users...@googlegroups.com.

> To view this discussion on the web visit

> [6]https://groups.google.com/d/msgid/puppet-users/CAE4bNT%3D6LBjFCDrym8auMw7ufxMwBmV_d6x-yTO4CxdMPkdKqQ%40mail.gmail.com.
> For more options, visit [7]https://groups.google.com/d/optout.

>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to [8]puppet-users...@googlegroups.com.

> To view this discussion on the web visit

> [9]https://groups.google.com/d/msgid/puppet-users/CAEJrXMW8zjnUaAaQ%3DJapew%2Bja5fnAJdy1G6fTyO%3Dws%3D4%2Bt4ZLg%40mail.gmail.com.
> For more options, visit [10]https://groups.google.com/d/optout.
>
> References
>
> Visible links
> 1. mailto:rkat...@gmail.com
> 2. https://tickets.puppetlabs.com/browse/PDB-508
> 3. mailto:k...@puppetlabs.com
> 4. https://tickets.puppetlabs.com/browse/PDB
> 5. mailto:puppet-users%2Bunsu...@googlegroups.com
> 6. https://groups.google.com/d/msgid/puppet-users/CAE4bNT%3D6LBjFCDrym8auMw7ufxMwBmV_d6x-yTO4CxdMPkdKqQ%40mail.gmail.com
> 7. https://groups.google.com/d/optout
> 8. mailto:puppet-users...@googlegroups.com
> 9. https://groups.google.com/d/msgid/puppet-users/CAEJrXMW8zjnUaAaQ%3DJapew%2Bja5fnAJdy1G6fTyO%3Dws%3D4%2Bt4ZLg%40mail.gmail.com?utm_medium=email&utm_source=footer
> 10. https://groups.google.com/d/optout

[Rakesh Kathpal]

I am not copying the facts to the facts.d folder..

but i am creating the facts as .rb files and placing them into /usr/lib/ruby/site_ruby/ruby/1.8/facter/.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/20140330151817.GA24743%40iniquitous.heresiarch.ca.

[Rakesh K]

Sorry for re-opening a old thread but I am still struggling on  related topic..

Step 1: I am copying some .rb files to the /usr/lib/ruby/site_ruby/ruby/1.8/facter/ folder
Step 2: A facter command gives me the values for all new custom / external facts

But the values for new facts will not get into puppetdb untill a next agent run...

Is there a way to run puppet from within a manifest or any other way to force "replace facts" remotely on the agent ???

>        an email to [5]puppet-users+unsubscribe@googlegroups.com.

>        To view this discussion on the web visit

>        [6]https://groups.google.com/d/msgid/puppet-users/CAE4bNT%3D6LBjFCDrym8auMw7ufxMwBmV_d6x-yTO4CxdMPkdKqQ%40mail.gmail.com.
>        For more options, visit [7]https://groups.google.com/d/optout.

>
>    --
>    You received this message because you are subscribed to the Google Groups
>    "Puppet Users" group.
>    To unsubscribe from this group and stop receiving emails from it, send an

>    email to [8]puppet-users+unsubscribe@googlegroups.com.

>    To view this discussion on the web visit

>    [9]https://groups.google.com/d/msgid/puppet-users/CAEJrXMW8zjnUaAaQ%3DJapew%2Bja5fnAJdy1G6fTyO%3Dws%3D4%2Bt4ZLg%40mail.gmail.com.
>    For more options, visit [10]https://groups.google.com/d/optout.
>
> References
>
>    Visible links
>    1. mailto:rkat...@gmail.com
>    2. https://tickets.puppetlabs.com/browse/PDB-508
>    3. mailto:k...@puppetlabs.com
>    4. https://tickets.puppetlabs.com/browse/PDB
>    5. mailto:puppet-users%2Bunsu...@googlegroups.com
>    6. https://groups.google.com/d/msgid/puppet-users/CAE4bNT%3D6LBjFCDrym8auMw7ufxMwBmV_d6x-yTO4CxdMPkdKqQ%40mail.gmail.com
>    7. https://groups.google.com/d/optout

>    8. mailto:puppet-users+unsub...@googlegroups.com

>    9. https://groups.google.com/d/msgid/puppet-users/CAEJrXMW8zjnUaAaQ%3DJapew%2Bja5fnAJdy1G6fTyO%3Dws%3D4%2Bt4ZLg%40mail.gmail.com?utm_medium=email&utm_source=footer
>   10. https://groups.google.com/d/optout

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.

[Ken Barber]

> Sorry for re-opening a old thread but I am still struggling on related
> topic..
>
> Step 1: I am copying some .rb files to the
> /usr/lib/ruby/site_ruby/ruby/1.8/facter/ folder
> Step 2: A facter command gives me the values for all new custom / external
> facts
>
> But the values for new facts will not get into puppetdb untill a next agent
> run...
>
> Is there a way to run puppet from within a manifest or any other way to
> force "replace facts" remotely on the agent ???

* You could run things in noop mode potentially, which would force a
fact submission.
* You could run puppet apply, and use a masterless way of submitting
facts also (setup would be required:
http://docs.puppetlabs.com/puppetdb/2.0/connect_puppet_apply.html).
* You could submit a POST request in a script for your facts against
the master, throwing away the catalog (saves on the noop processing)
* You could sumibt the facts manually to PuppetDB yourself, here is a
rough script I use for testing which you could modify to match your
needs: https://gist.github.com/kbarber/6190c64335613111c9df

Each one has its own pros and cons. In particular some of these
require direct communication between the node and the PDB instance
which might not be desirable in some cases.

None of these things have common solutions today that we (the PDB
maintainers) "maintain" ourselves, but a few people have done things
like the above in the past in their own bespoke way.

ken.

[Ken Barber]

My colleague Deepak just brought to my attention another mechanism
which works like option #3 without the hard work:

puppet facts upload

But you'll need to ensure your auth.conf on your puppet master has a
snippet like the following:

path ~ ^/facts/([^/]+)$
method save
allow $1

Without it, you'll get a permission denied error.

ken.

[Rakesh Kathpal]

Ken / Deepak,

first of all thanks a ton for the great help.

It seems there is some issue with the  "puppet facts upload" command"

I already have the certname & server configuration directives declared in the puppet.conf but for some reason the same are not being recognized by the puppet facts command

When I am trying to run
# puppet facts upload
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Error: getaddrinfo: Name or service not known
Error: Try 'puppet help facts upload' for usage

But when I try to run
# puppet facts upload --server="puppet_master_server" --certname="agent_certname"
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
Notice: Uploaded facts for 'agent_certname'

Also I tried to use the postrun_command within the puppet.conf on the client node but I end up getting the same error.

Please let me know if there is something that I am missing, as I am planning to either use "puppet facts upload" within my manifest or in the postrun command.

Awaiting your reply.

Thanks &  Regards,

Rakesh K.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAE4bNTne8zw%3DcZDHg4cdBhK6T0EcC5axvWKQs7ALxcX6WB4aig%40mail.gmail.com.

[Ken Barber]

> first of all thanks a ton for the great help.

No problem, I'm glad Deepak chimed in about 'facts upload' its a much
better way to do it.

> It seems there is some issue with the "puppet facts upload" command"
>
> I already have the certname & server configuration directives declared in
> the puppet.conf but for some reason the same are not being recognized by the
> puppet facts command
>
> When I am trying to run
> # puppet facts upload
> ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
> password: NO)

This is a mysql error ... btw. Let see your puppet.conf on the agent
your testing on, it looks almost as if you have same old storeconfig
setups remaining somewhere. Check in particular for db* style settings
...

> ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
> password: NO)
> Error: getaddrinfo: Name or service not known
> Error: Try 'puppet help facts upload' for usage
>
> But when I try to run
> # puppet facts upload --server="puppet_master_server"
> --certname="agent_certname"
> ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
> password: NO)
> ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
> password: NO)
> Notice: Uploaded facts for 'agent_certname'
>
> Also I tried to use the postrun_command within the puppet.conf on the client
> node but I end up getting the same error.

Yeah, I'll need to see the puppet.conf on the agent you are trying to
run the facts upload specifically. Remember 'puppet facts upload'
doesn't use your [agent] section (its not an agent is it?), so you
might need to specify the server in your [main].

ken.

[Rakesh Kathpal]

puppet.conf on master

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
    certname = puppet
    dns_alt_names = puppetmaster.mydomain.com, puppetdb.mydomain.com

     pluginsync = true
     autosign = true

node_terminus  = exec
external_nodes =  /usr/bin/env PUPPET_DASHBOARD_URL=http://puppetadmin:myp...@puppetdb.mydomain.com:3000 /usr/share/puppet-dashboard/bin/external_node

reports = store, http
reporturl = http://puppetadmin:myp...@puppetdb.mydomain.com:3000/reports/upload
storeconfigs = true
storeconfigs_backend = puppetdb
usecacheonfailure = false


working puppet.conf on agent after your suggestion

[main]
    # The Puppet log directory.
    # The default value is '$vardir/log'.
    logdir = /var/log/puppet

    # Where Puppet PID files are kept.
    # The default value is '$vardir/run'.
    rundir = /var/run/puppet

    # Where SSL certificates are kept.
    # The default value is '$confdir/ssl'.
    ssldir = $vardir/ssl
server = myagent.mydomain.com
certname = myagentcertname
report = true

[agent]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuratiion.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

The files above are my current master and agent configs, I have updated the agent config after your suggestion and it seems to be working great...

But now I will need to update my puppet agent config(for the above change and to include postrun_command for "puppet facts upload") on almost 2000 agents.. I understand that I can do it via puppet itself but each server has a different certname

I guess.. I will need to use templates... but is it correct that any change to puppet.conf is parsed immediately and does not require a restart.

Thanks a lot for your help once again..

Regards,

Rakesh K.

ken.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAE4bNTnCZJR_z7hWJeZbAhmbKREp6rz%2BUJ73c3%2B0fZZYQ3ZYng%40mail.gmail.com.

[Ken Barber]

> The files above are my current master and agent configs, I have updated the
> agent config after your suggestion and it seems to be working great...
>
> But now I will need to update my puppet agent config(for the above change
> and to include postrun_command for "puppet facts upload") on almost 2000
> agents.. I understand that I can do it via puppet itself but each server has
> a different certname

Weird that the certname default doesn't match what you expect. This is
normally a combination of the facter outputs for 'hostname' and
'domain'. There are ways to adjust the box (like ensuring the
search/domain fields in resolv.conf return the correct domain for
example) to return the correct certname, and its often better to do it
this way, but it might affect other things in strange ways. Its a
complex-ish topic ... if you wanted to go down this route instead of
changing your certname in puppet.conf we can probably help. What
surprises me is that the agent doesn't need this ...

Otherwise yeah, it can be changed with templates, I'm less of a fan of
forcing the certname in most cases, better to fix it so the defaults
are correct if possible. Ideally the box after provisioning (eg.
razor/foreman/cobbler) should have all the correct settings on it so
certname is always correct straight after provisioning, that way you
avoid chicken-and-egg scenarios with trying to adjust 'certname'
post-provisioning.

> I guess.. I will need to use templates... but is it correct that any change
> to puppet.conf is parsed immediately and does not require a restart.

I believe this to be true? But I'm no puppet expert these days so
things might have changed :-).

> Thanks a lot for your help once again..

Your welcome.

ken.

[Rakesh Kathpal]

I need to use certnames as we are an IDC and need to handle large number of instances and have a unique naming convention for each device. We cannot force hostnames on servers(belonging to customers) so our unique device name is forced on the certname.

Anyways.. Can you also shed some light on the mysql error that I am getting...

ken.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAE4bNTnu2bU3X2uu6PJbAn8vEpqB7D7Ht4KDAqpLF6nLPU-TRw%40mail.gmail.com.

[Ken Barber]

> I need to use certnames as we are an IDC and need to handle large number of
> instances and have a unique naming convention for each device. We cannot
> force hostnames on servers(belonging to customers) so our unique device name
> is forced on the certname.

Fair enough.

> Anyways.. Can you also shed some light on the mysql error that I am
> getting...

I can't see it in the posted configs ... not sure. This would normally
happen if you had configured legacy storedconfigs but I can't see this
in your puppet.conf files you've provided. As something to at least
try, I'd try commenting out anything to do with mysql in your
puppet.conf perhaps, like the ENC settings and the report settings on
your master? Otherwise I'm short of ideas TBH. Are the puppet.conf
files you provided accurate?

ken.

[Ken Barber]

Also, try running puppet facts upload --debug --trace and see if that
gives us more info.

[Rakesh Kathpal]

This doesnt only happen in case of a "puppet facts upload" but even in a case of puppet agent --test

And yes the master configs that I have provided are correct ones that I have been using now.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAE4bNTkomRvHu9T_m36P5DCrMtYcCi6ghc3Oys%3DZ%3DJJjrS7kfw%40mail.gmail.com.