I'm struggling with some node-specific hiera


Dan Crisp

Jul 30, 2020, 10:43:13 AM
to Puppet Users
Hello experts,

I'm struggling with some node-specific hiera.  I basically want to add the following lines to a number of nodes:

Match Address xx.xx.xx.xx
PermitRootLogin without-password

I have the following in place in an attempt to achieve this:

# pwd
/etc/puppetlabs/code/environments/production/modules/permitroot/manifests

# more *

::::::::::::::
config.pp
::::::::::::::
class permitroot::config (
  $config_path = $permitroot::params::config_path
) inherits permitroot::params {
  # Compare the major release exactly; a regex like /7/ would also match
  # any future release number that merely contains a 7.
  if $facts['os']['release']['major'] == '7' {
    # A file resource with 'content' manages the whole file: sshd_config
    # ends up containing only the lines held in $permitroot::permitroot_config.
    file { 'Update SSHD PermitRoot':
      ensure  => file,
      path    => $config_path,
      # join() is a core Puppet function since 5.5 (earlier: puppetlabs-stdlib)
      content => $permitroot::permitroot_config.join("\n"),
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
    }
  } else {
    notice('Assuming RHEL 6.x thus taking no action')
  }
}
::::::::::::::
init.pp
::::::::::::::
class permitroot (
  $service_name = $permitroot::params::service_name,
  $config_path  = $permitroot::params::config_path,
  Array[String] $permitroot_config,
  String $service_ensure,
  Boolean $service_enable,
  Boolean $service_hasrestart,
) inherits permitroot::params {
  contain permitroot::config
  contain permitroot::service

  Class['permitroot::config']
    -> Class['permitroot::service']
}
::::::::::::::
params.pp
::::::::::::::
class permitroot::params {
  $service_name = 'sshd'
  $config_path = '/etc/ssh/sshd_config'
}
::::::::::::::
service.pp
::::::::::::::
class permitroot::service (
  $service_name = $permitroot::params::service_name,
) inherits permitroot::params {
  service {'permitroot_service':
    name       => $service_name,
    ensure     => $permitroot::service_ensure,
    enable     => $permitroot::service_enable,
    hasrestart => $permitroot::service_hasrestart,
  }
}

This is probably not the best method and I'm still learning and don't want to use a module that has already been created by someone else at this point.

Here is the node specific heria:

# pwd
/etc/puppetlabs/code/environments/production/nodes

# more *
permitroot::permitroot_config:
  - 'Match Address xx.xx.xx.xx
  - 'PermitRootLogin without-password'

Hiera file:

# pwd
/etc/puppetlabs/code/environments/production

# more hiera.yaml
---
version: 5
defaults:
  # The default value for "datadir" is "data" under the same directory as the hiera.yaml
  # file (this file)
  # When specifying a datadir, make sure the directory exists.
  # See https://puppet.com/docs/puppet/latest/environments_about.html for further details on environments.
  #datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Per-node data"                   # Human-readable name.
    path: "nodes/%{trusted.certname}.yaml"  # File path, relative to datadir.

  - name: "Per-OS defaults"
    path: "os/%{facts.os.family}.yaml"

  - name: "Common data"
    path: "common.yaml"

Site.pp file:

# more site.pp
...
...
...
  class { 'permitroot': }
}

When I run the puppet agent on the server where I want the new values added, I see the following returned:

# puppet agent --no-daemonize --onetime --verbose --noop
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Permitroot]: expects a value for parameter 'permitroot_config' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 49, column: 3) on node lhcsrvprdcms01.fixnetix.com
Info: Using cached catalog from environment 'production'
Info: Applying configuration version '1596101172'
Notice: Applied catalog in 2.39 seconds

Any help here would be appreciated.

Thanks,
Dan.
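The config.pp above hands the two Match lines to a `file` resource as its complete `content`, so the result is a sshd_config consisting of those two lines and nothing else. The Ruby below is an added illustration (my example, not code from the post or from Puppet) of how sshd scopes such a file: a `Match` line applies to every directive that follows it until the next `Match` or end of file, so a global directive placed after it silently becomes conditional, and keywords sshd does not allow in a Match block make sshd refuse to start. The base config, the `MATCH_ALLOWED` subset of keywords and the client addresses are constructed sample data; the address placeholder is the one from the post.

```ruby
# Constructed sample of an existing sshd_config (a real file has many more
# directives). What matters is that the global directives come first.
BASE_SSHD_CONFIG = <<~CFG
  Port 22
  PermitRootLogin no
  PasswordAuthentication no
  Subsystem sftp /usr/libexec/openssh/sftp-server
CFG

# Subset of the keywords sshd_config(5) permits inside a Match block.
MATCH_ALLOWED = %w[
  AllowAgentForwarding AllowTcpForwarding AuthenticationMethods AuthorizedKeysFile
  Banner ChrootDirectory ForceCommand PasswordAuthentication PermitEmptyPasswords
  PermitRootLogin PermitTTY PubkeyAuthentication X11Forwarding
].freeze

# Split a config into [section, keyword, argument] triples the way sshd scopes
# them: :global until the first Match line, then that Match's criteria string.
def parse_sshd_config(text)
  section = :global
  text.each_line.with_object([]) do |raw, out|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    keyword, arg = line.split(/\s+/, 2)
    if keyword.casecmp?('Match')
      section = arg
      next
    end
    out << [section, keyword, arg]
  end
end

# The per-host block from the thread: key-only root login from one address.
def match_block(address, directives = { 'PermitRootLogin' => 'without-password' })
  ["Match Address #{address}"] + directives.map { |k, v| "  #{k} #{v}" }
end

# Append the block after everything else so no global directive lands inside it.
def append_match_block(base, address)
  base.rstrip + "\n\n" + match_block(address).join("\n") + "\n"
end

# Directives that sit under a Match line but are not valid there. sshd rejects
# these at startup, i.e. at the service restart the module triggers, which on a
# remote host means a locked-out box; catch it before the restart instead.
def match_scope_violations(text)
  scoped = parse_sshd_config(text).reject { |section, kw, _| section == :global || MATCH_ALLOWED.include?(kw) }
  scoped.map { |section, kw, _| "#{kw} is not allowed under 'Match #{section}'" }
end

# Effective PermitRootLogin for one client address: the first matching Match
# block overrides the first global value. Address matching is an exact string
# compare here; real sshd also accepts CIDR ranges and comma-separated lists.
# Returns nil when the file sets nothing (sshd then uses its compiled-in default).
def effective_permit_root_login(text, client_address)
  global = nil
  matched = nil
  parse_sshd_config(text).each do |section, kw, arg|
    next unless kw.casecmp?('PermitRootLogin')
    if section == :global
      global ||= arg
    elsif section == "Address #{client_address}" && matched.nil?
      matched = arg
    end
  end
  matched || global
end

if $PROGRAM_NAME == __FILE__
  fixed = append_match_block(BASE_SSHD_CONFIG, 'xx.xx.xx.xx')
  puts fixed
  puts "violations: #{match_scope_violations(fixed).inspect}"
  misordered = match_block('xx.xx.xx.xx').join("\n") + "\n" + BASE_SSHD_CONFIG
  puts "misordered: #{match_scope_violations(misordered).inspect}"
end
```

The `without-password` argument is the pre-OpenSSH-7.0 spelling; 7.0 and later (RHEL 7 ships 7.4) also accept `prohibit-password` as the less ambiguous synonym. Whatever renders the file, running `sshd -t` against it before the `service` resource restarts sshd is the cheap way to avoid the lock-out case the checker models.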

A Manzer

Jul 31, 2020, 9:15:18 AM
to Puppet Users
You need to put your nodes hiera folder under a data folder.  (All your hiera data goes under a data folder.)

Also, ensure that your yaml file is named lhcsrvprdcms01.domain.com.yaml.  You need the full node name, and the .yaml at the end for hiera to find it.  That's tripped me up a few times...

Dan Crisp

Jul 31, 2020, 10:46:13 AM
to Puppet Users
Thanks for the reply.

Unfortunately, although my YAML file didn't have the .yaml suffix and I didn't have a data directory, after making the necessary changes the same problem persists:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Permitroot]: expects a value for parameter 'permitroot_config' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 49, column: 3) on node lhcsrvprdcms01.fixnetix

# pwd
/etc/puppetlabs/code/environments/production

# ll data/nodes/lhcsrvprdcms01.fixnetix.com.yaml
-rw-r--r--. 1 root root 103 Jul 30 12:09 data/nodes/lhcsrvprdcms01.fixnetix.com.yaml

A Manzer

Jul 31, 2020, 11:25:13 AM
to Puppet Users
I've noticed two other things that may need fixing:

 - It may be a copy and paste error, but you don't close your Match Address string in the pasted Hiera file above.  That would cause your Yaml to be incorrect, and probably ignored.
 - In site.pp, you use the resource-like syntax for including the class.  I'm not sure what this does for automatic hiera parameter lookup, but it's usually safer to use include syntax instead.  I'd change your entry in site.pp to be


  include permitroot
}

BTW, out of curiosity, are you using the Puppet PDK to develop this module?  It brings a lot of boilerplate, but it also brings things like YAML and Puppet syntax validation that might help you out while you're learning.

Dan Crisp

Jul 31, 2020, 11:42:27 AM
to Puppet Users
Still no luck.  Hiera is now matching (it wasn't before):

root@puppet:/# puppet lookup permitroot_config --node lhcsrvprdcms01.fixnetix.com
---
- Match Address xx.xx.xx.xx
- PermitRootLogin without-password

I had to change the YAML file slightly to:

permitroot_config:
  - 'Match Address xx.xx.xx.xx'
  - 'PermitRootLogin without-password'

From:

permitroot:permitroot_config
  - 'Match Address xx.xx.xx.xx'
  - 'PermitRootLogin without-password'

Thanks for the tip!  I have been using PDK.

A Manzer

Jul 31, 2020, 11:47:40 AM
to Puppet Users
puppet lookup is a good diagnostic tool.

Now though, you have a naming issue.  You need the permitroot:: prefix if you want Puppet/Hiera to automatically fill in your parameter.

So your puppet lookup debug command should be puppet lookup permitroot::permitroot_config --explain --node lhcsrvprdcms01.fixnetix.com

Once that works, your module should work too.

Does any of this work if you put it in common.yaml to start?
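The three things the replies above keep coming back to (hiera data lives under `data/` next to hiera.yaml, the per-node file is `<certname>.yaml`, and automatic parameter lookup asks for `<class>::<parameter>`) are all mechanical, so here is an added example, written by the editor and not taken from the thread or from Puppet, that models just that part of Hiera 5 in Ruby and prints an `--explain`-style trail. The environment directory is an in-memory hash of constructed files: a correct per-node file for the thread's certname, a file in the wrong place, and a copy of the first pasted node file with its unclosed quote; `trusted.certname` and `facts.os.family` are supplied as a hand-built scope.

```ruby
require 'yaml'

# Constructed stand-in for /etc/puppetlabs/code/environments/production.
# Keys are paths relative to the environment root, values are file contents.
ENV_FILES = {
  'hiera.yaml' => <<~HIERA,
    ---
    version: 5
    defaults:
      data_hash: yaml_data
    hierarchy:
      - name: "Per-node data"
        path: "nodes/%{trusted.certname}.yaml"
      - name: "Per-OS defaults"
        path: "os/%{facts.os.family}.yaml"
      - name: "Common data"
        path: "common.yaml"
  HIERA
  # Right: under data/, full certname, .yaml suffix, key carries the class prefix.
  'data/nodes/lhcsrvprdcms01.fixnetix.com.yaml' => <<~YAML,
    permitroot::permitroot_config:
      - 'Match Address xx.xx.xx.xx'
      - 'PermitRootLogin without-password'
  YAML
  # Wrong place (no data/ directory, no .yaml suffix): never consulted.
  'nodes/lhcsrvprdcms01.fixnetix.com' => "permitroot::permitroot_config: ['ignored']\n",
  # Unclosed quote on the first item, as in the first node file pasted in the thread.
  'data/nodes/broken.example.yaml' => <<~YAML,
    permitroot::permitroot_config:
      - 'Match Address xx.xx.xx.xx
      - 'PermitRootLogin without-password'
  YAML
  'data/common.yaml' => "permitroot::service_ensure: running\n",
}.freeze

# Automatic parameter lookup: parameter permitroot_config of class permitroot
# is looked up under the key "permitroot::permitroot_config".
def apl_key(klass, param)
  "#{klass}::#{param}"
end

# Replace each %{a.b.c} in a hierarchy path with scope['a']['b']['c'].
def interpolate(path, scope)
  path.gsub(/%\{([\w.]+)\}/) do
    Regexp.last_match(1).split('.').reduce(scope) { |h, k| h.fetch(k) }.to_s
  end
end

# Walk the hierarchy top to bottom; first level holding the key wins.
# Returns the value plus a trail of what happened at each level.
def lookup(key, scope, files = ENV_FILES)
  config  = YAML.safe_load(files.fetch('hiera.yaml'))
  datadir = config.fetch('defaults', {}).fetch('datadir', 'data') # Hiera 5 default
  trail   = []
  config.fetch('hierarchy').each do |level|
    rel = File.join(datadir, interpolate(level.fetch('path'), scope))
    unless files.key?(rel)
      trail << "#{level['name']}: #{rel} (file not found)"
      next
    end
    begin
      data = YAML.safe_load(files[rel]) || {}
    rescue Psych::SyntaxError => e
      trail << "#{level['name']}: #{rel} (YAML syntax error: #{e.message})"
      next
    end
    if data.key?(key)
      trail << "#{level['name']}: #{rel} (found key #{key})"
      return { value: data[key], explain: trail }
    end
    trail << "#{level['name']}: #{rel} (no such key)"
  end
  { value: nil, explain: trail }
end

# Hand-built scope standing in for the agent's trusted data and facts.
def fixnetix_scope(certname)
  { 'trusted' => { 'certname' => certname }, 'facts' => { 'os' => { 'family' => 'RedHat' } } }
end

if $PROGRAM_NAME == __FILE__
  scope = fixnetix_scope('lhcsrvprdcms01.fixnetix.com')
  puts lookup(apl_key('permitroot', 'permitroot_config'), scope)[:explain]
  puts lookup('permitroot_config', scope)[:explain] # no class prefix: APL never finds it
  puts lookup(apl_key('permitroot', 'permitroot_config'), fixnetix_scope('broken.example'))[:explain]
end
```

The unprefixed `permitroot_config` key is found by nothing, which is exactly the gap between the working `puppet lookup permitroot_config` and the still-failing catalog compile earlier in the thread: the class asks Hiera for `permitroot::permitroot_config`, and the real `puppet lookup --explain` shows the same per-level trail this toy prints.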

Dan Crisp

Jul 31, 2020, 1:09:30 PM
to Puppet Users
Don't think it's a hiera issue now:

# puppet lookup permitroot::permitroot_config --node lhcsrvprdcms01.fixnetix.com
---
- Match Address xx.xx.xx.xx
- PermitRootLogin without-password

# pwd
/etc/puppetlabs/code/environments/production/data/nodes

# cat *
permitroot::permitroot_config:
  - 'Match Address 10.20.232.21'
  - 'PermitRootLogin without-password'

Still no joy though.

A Manzer

Jul 31, 2020, 1:41:24 PM
to Puppet Users
Did you update site.pp to use the include syntax?

I looked at the error again, because I'm really not sure why it's working (other than the fact that you've mixed patterns, and seriously over-complicated your code). So here's your error, right?
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Class[Permitroot]: expects a value for parameter 'permitroot_config' (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 49, column: 3) on node lhcsrvprdcms01.fixnetix.com

Is it still more or less that?
Notice that the error is in the site.pp file, not your init.pp or config.pp.  It could be that since you're using the resource-like syntax, Puppet is expecting you to set that parameter, and isn't using Hiera.  According to the hiera docs, it looks like it should still be looking things up?  But I know that in my own code, I always use include, or specify all my parameters when I'm forced to use the resource-like syntax.

Henrik Lindberg

Jul 31, 2020, 2:40:22 PM
to puppet...@googlegroups.com
On 2020-07-31 19:41, A Manzer wrote:
> Did you update site.pp to use the include syntax?

That is not needed to make automatic parameter lookup to work.

- henrik

--

Visit my Blog "Puppet on the Edge"
http://puppet-on-the-edge.blogspot.se/

Dan Crisp

Aug 1, 2020, 10:31:16 AM
to Puppet Users
Hello Henrik,

Do you have a hunch to why this is not working?

Thanks,
Dan.

Dan Crisp

Aug 1, 2020, 10:38:54 AM
to Puppet Users
Yes, I updated the site.pp as recommended.

Henrik Lindberg

Aug 1, 2020, 3:32:02 PM
to puppet...@googlegroups.com
On 2020-08-01 16:31, Dan Crisp wrote:
> Hello Henrik,
>
> Do you have a hunch to why this is not working?
>
Don't really have the time to dig in at the detail level.
You already got the advice to use the command line 'puppet lookup' with
the --explain option turned on to see how hiera resolves the lookups.
Usually people figure out what is wrong based on that output.

A suggestion is to try out 'puppet lookup --explain' on something you
know works so you get to understand what the tool is doing for you.

Best of luck,
- henrik
