Jira (FACT-3070) Facter allowlist


Ciprian Badescu (Jira)

Sep 14, 2021, 7:32:02 AM
to puppe...@googlegroups.com
Ciprian Badescu updated an issue
 
Facter / Improvement FACT-3070
Facter allowlist
Change By: Ciprian Badescu
Summary: Facter whitelist → allowlist
 
This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

Ciprian Badescu (Jira)

Sep 14, 2021, 7:33:02 AM
to puppe...@googlegroups.com
Ciprian Badescu updated an issue
Currently, there is a feature to block groups of facts via the 'blocklist' facter.conf option. But there is no feature to allowlist some facts.
Practical example: I have XEN and KVM hypervisors. Networks on them are configured with the network module. For bonding I need to gather macaddress_eth0 and macaddress_eth1 info to use it in config files. But with these facts, facter collects all the macaddresses of virtual servers on the hypervisor, like:
|macaddress_dxvkvottfafeuf|[ac:1f:6b:bd:65:9a|https://puppet.hosterby.com/fact/macaddress_dxvkvottfafeuf/ac%253A1f%253A6b%253Abd%253A65%253A9a]|
|macaddress_eshezzolxuwgui|[fe:16:3e:ca:52:56|https://puppet.hosterby.com/fact/macaddress_eshezzolxuwgui/fe%253A16%253A3e%253Aca%253A52%253A56]|
|macaddress_eth0|[ac:1f:6b:bd:65:98|https://puppet.hosterby.com/fact/macaddress_eth0/ac%253A1f%253A6b%253Abd%253A65%253A98]|
|macaddress_eth0.505|[ac:1f:6b:bd:65:98|https://puppet.hosterby.com/fact/macaddress_eth0.505/ac%253A1f%253A6b%253Abd%253A65%253A98]|

So now I can't disable macaddress_* facts totally, because I need some of them. And there is no option to block a group and allowlist certain facts from the blocked group, or maybe block with regex (in my case all except macaddress_eth*).

Ciprian Badescu (Jira)

Sep 14, 2021, 7:42:03 AM
to puppe...@googlegroups.com
Ciprian Badescu commented on Improvement FACT-3070
 
Re: Facter allowlist

Vladislav Pozniak, on Facter 4 you can define your own fact groups and list the facts you want to block (https://puppet.com/docs/puppet/7/configuring_facter.html#configuring_facter-facter-conf-fact-groups), is this helping?

What would be the purpose of blocking some facts? Blocking facts usually helps if all facts provided by a resolver are disabled (like all networking facts), while disabling a specific networking fact will not increase speed since the networking resolver will still be executed.

Vladislav Pozniak (Jira)

Sep 17, 2021, 4:40:01 AM
to puppe...@googlegroups.com
Vladislav Pozniak commented on Improvement FACT-3070
 
Re: Facter allowlist

Ciprian Badescu, as I tested, if I add some fact like macaddress_eth0 to a custom group, and add macaddress_* to the blocklist (there is no other option listed in facter --list-block-groups), then the blocklist has more weight than a particular fact in this wildcard group, and the fact macaddress_eth0 is not gathered even in the custom group; it's blocked.

The purpose is to fix warnings of puppet agent after 7.10.0: https://puppet.com/docs/puppet/7/release_notes_puppet.html#enhancements_puppet_x-7-10-0-PUP-11088

As I said, there is a hypervisor and there are plenty of not so useful network facts about each virtual network interface; overall, the warning about having 4000+ facts from one puppet client is really reasonable. Also, this data is stored in puppetdb, so it is also a question of overall evaluation speed and of not doing useless rewrites in the database: to store reports and not to gather the rubbish, but only the facts needed for work.

Ciprian Badescu (Jira)

Oct 1, 2021, 9:05:02 AM
to puppe...@googlegroups.com
Ciprian Badescu commented on Improvement FACT-3070
 
Re: Facter allowlist

Vladislav Pozniak, all thresholds for facter limits warnings are configurable using respective puppet settings.

Related to the high number of facts, we are considering looking more closely at https://tickets.puppetlabs.com/browse/FACT-769. Will that solve your issue?

Vladislav Pozniak (Jira)

Oct 1, 2021, 2:55:01 PM
to puppe...@googlegroups.com
Vladislav Pozniak commented on Improvement FACT-3070
 
Re: Facter allowlist

Ciprian Badescu, increasing the limit of facts is not a good solution. It really has a meaning, pointing at the collection of garbage facts, and that should be fixed indeed.
FACT-769 looks similar, but from the other side of the solution. Both a regex for filtering facts and a whitelist for unblocking some facts from a blocked group may be useful.

One more example for whitelisting is the legacy group. Rather often that group (notice, that's a pretty big group) may be blocked without any issues, except for the fqdn fact, needed for some modules. So adding legacy to the blocklist and fqdn to the whitelist would be a great feature too.
