Hiera mod not working


John

Aug 2, 2018, 9:36:06 AM
to Puppet Users
I've got a puppet instance where I'm trying to set up a hiera job to modify a file managed by puppet. The file is /etc/security/access.conf. The file looks like (some details removed):

[root@util nodes]# more hostx.yaml
XXXXX::os::auth::access: '+ : USERACCOUNT : ALL'
XXXXX::os::auth::access: '- :ALL EXCEPT root wheel jboss GGGGG XXXXX-wheel XXXXX-local-it XXXXX-net-admin XXXXX-app-admin XXXXX-app-support : ALL EXCEPT LOCAL'

[root@util nodes]#

It does not work. Here is a Hiera config that does work:


[root@util nodes]# more  hostz.yaml
XXXXX::os::timezone::zone: 'US/Central'
[root@util nodes]#

If I run puppet agent with a --verbose I get the following (snippet) in the output:

Debug: /Stage[main]/XXXXX::Os::Auth::App/XXXXX::Os::Auth::Access[app_access]/Concat::Fragment[frag_sec_access_app_access]/File[/opt/puppetlabs/puppet/cache/concat/_etc_security_access.conf/fragments/200_frag_sec_access_app_access]: Adding autorequire relationship with File[/opt/puppetlabs/puppet/cache/concat/_etc_security_access.conf/fragments]

The timezone mod works, but not the one for /etc/security/access.conf.  Any advice or hints would be appreciated.

TIA

jcbollinger

Aug 3, 2018, 8:56:35 AM
to Puppet Users

On Thursday, August 2, 2018 at 8:36:06 AM UTC-5, John wrote:
> I've got a puppet instance where I'm trying to set up a hiera job to modify a file managed by puppet.


"Hiera job" is not a meaningful term.  Hiera's job is to provide data (as specified by you) to the catalog builder.  It has no control over how or whether any particular data are used to build catalogs.  It is your Puppet manifests that play the central role in how your machines are managed.

 
> The file is /etc/security/access.conf. The file looks like (some details removed):
>
> [root@util nodes]# more hostx.yaml
> XXXXX::os::auth::access: '+ : USERACCOUNT : ALL'
> XXXXX::os::auth::access: '- :ALL EXCEPT root wheel jboss GGGGG XXXXX-wheel XXXXX-local-it XXXXX-net-admin XXXXX-app-admin XXXXX-app-support : ALL EXCEPT LOCAL'


Since you feel the need to redact the name of the module with which you are using the data, I suppose that it's a local one.  We really can't say what it expects or requires.

I can, however, observe that your Hiera data appear to be providing two different mappings for the same key.  That's not valid YAML.  Perhaps you wanted the value associated with that key to be an array of strings; that could be spelled like this:

XXXXX::os::auth::access:
  - '+ : USERACCOUNT : ALL'
  - '- :ALL EXCEPT root wheel jboss GGGGG XXXXX-wheel XXXXX-local-it XXXXX-net-admin XXXXX-app-admin XXXXX-app-support : ALL EXCEPT LOCAL'

 
> If I run puppet agent with a --verbose I get the following (snippet) in the output:
>
> Debug: /Stage[main]/XXXXX::Os::Auth::App/XXXXX::Os::Auth::Access[app_access]/Concat::Fragment[frag_sec_access_app_access]/File[/opt/puppetlabs/puppet/cache/concat/_etc_security_access.conf/fragments/200_frag_sec_access_app_access]: Adding autorequire relationship with File[/opt/puppetlabs/puppet/cache/concat/_etc_security_access.conf/fragments]


That tells us that the agent is applying a catalog that contains the named resources, and not much else.  Inasmuch as that could be a cached catalog, it doesn't even tell us whether catalog building succeeded on the master.  If catalog building did succeed, it tells us nothing about how the Hiera data were used.

If a YAML syntax correction does not solve the problem for you, then we'll probably need to see the relevant parts of your manifests in order to render any assistance.


John
