puppet, hiera, and overrides

Nathan Earixson

Dec 8, 2014, 3:56:02 PM
to puppet...@googlegroups.com
Hi, I think I'm misunderstanding either Hiera data bindings or the hash merge functions, but I'm not sure which.

When I override a Hiera setting in a more specific level of the hierarchy, only that setting gets applied. In fact, settings from more general levels get removed.

Example:
I'm using the saz-ssh module to set SSH server options.

Testing with a simple Hierarchy like so:
  - %{::osfamily}
  - %{::kernel}
  - common


Linux.yaml:
ssh::server_options:
  TCPKeepAlive: 'yes'
  ClientAliveInterval: 540
  PermitRootLogin: 'no'


RedHat.yaml
ssh::server_options:
  TCPKeepAlive: 'yes'
  ClientAliveInterval: 540
  PermitRootLogin: 'yes'



Gives me the expected sshd_config:
# File is managed by Puppet

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
ClientAliveInterval 540
PermitRootLogin yes
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
TCPKeepAlive yes
UsePAM yes
X11Forwarding yes



If I change the RedHat.yaml to include ONLY the setting I want to override (Linux.yaml is unchanged):
ssh::server_options:
  PermitRootLogin: 'yes'



After puppet agent runs, sshd_config is missing the other two settings (ClientAliveInterval and TCPKeepAlive):
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PermitRootLogin yes
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes




Hiera lookups from the command line work as I expect them to, returning a hash of all three settings with the overridden one correct:

sudo -u puppet hiera --hash ssh::server_options environment=test ::kernel=Linux ::osfamily=RedHat
{"PermitRootLogin"=>"yes", "TCPKeepAlive"=>"yes", "ClientAliveInterval"=>540}


sudo -u puppet hiera --hash ssh::server_options environment=test ::kernel=Linux
{"PermitRootLogin"=>"no", "ClientAliveInterval"=>540, "TCPKeepAlive"=>"yes"}


I have tried this with AND without :merge_behavior: deeper set in the hiera.yaml file.

Any ideas of what I am missing?

Ramin K

Dec 8, 2014, 4:13:26 PM
to puppet...@googlegroups.com
On 12/8/14 12:56 PM, Nathan Earixson wrote:
> sudo -u puppet hiera --hash ssh::server_options environment=test
> ::kernel=Linux
> {"PermitRootLogin"=>"no", "ClientAliveInterval"=>540, "TCPKeepAlive"=>"yes"}
>
> I have tried this with AND without :merge_behavior: deeper set in the
> hiera.yaml file.
>
> Any ideas of what I am missing?

If you're using data bindings to look up the hiera values, it will return
a matching hash, but will not merge. You must explicitly use a
hiera_hash call to get merging.

Ramin
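
The two lookup behaviours discussed above, as an added example that is not part of the original thread and is not Hiera's own code: a simplified Ruby model of a priority lookup versus a top-level hash merge over the thread's data, plus a check listing the sshd options a sparse override drops. The names HIERARCHY, DATA, priority_lookup, hash_lookup and dropped_keys are hypothetical, and the data is constructed from the YAML in the first post.

```ruby
require 'yaml'

# Constructed sample data mirroring the thread. Hierarchy is listed most
# specific first, as in hiera.yaml (osfamily, kernel, common).
HIERARCHY = %w[RedHat Linux common].freeze

DATA = {
  'RedHat' => YAML.safe_load(<<~DOC),
    ssh::server_options:
      PermitRootLogin: 'yes'
  DOC
  'Linux' => YAML.safe_load(<<~DOC),
    ssh::server_options:
      TCPKeepAlive: 'yes'
      ClientAliveInterval: 540
      PermitRootLogin: 'no'
  DOC
  'common' => {}
}.freeze

# Priority lookup (simplified model of a data-binding lookup): the first
# level that defines the key supplies the whole value; lower levels are ignored.
def priority_lookup(key)
  HIERARCHY.each do |level|
    value = DATA.fetch(level, {})[key]
    return value unless value.nil?
  end
  nil
end

# Hash-merge lookup (simplified model of hiera_hash with a top-level merge):
# every level contributes, and the most specific level wins per key.
def hash_lookup(key)
  HIERARCHY.reverse.reduce({}) do |merged, level|
    merged.merge(DATA.fetch(level, {})[key] || {})
  end
end

# Options a sparse override silently drops when no merge happens.
def dropped_keys(key)
  hash_lookup(key).keys - (priority_lookup(key) || {}).keys
end

if __FILE__ == $PROGRAM_NAME
  key = 'ssh::server_options'
  puts "priority: #{priority_lookup(key)}"
  puts "merged:   #{hash_lookup(key)}"
  puts "dropped:  #{dropped_keys(key).sort.join(', ')}"
end
```

A non-empty dropped_keys result for a hash of sshd settings means a more specific level is replacing, not extending, the baseline from the general level.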

Nathan Earixson

Dec 8, 2014, 4:37:46 PM
to puppet...@googlegroups.com, ramin...@badapple.net
Thank you. I get it now.

-n

Ramin K

Dec 8, 2014, 5:14:55 PM
to puppet...@googlegroups.com
np. There is an interesting discussion on what to change in the future
here. https://tickets.puppetlabs.com/browse/HI-118

Ramin
