This document provides an introduction to Hiera, a tool for separating data from Puppet configuration. It describes what Hiera is, how it works, and some examples of using Hiera to lookup data based on operating system families and define common values. It also discusses the Hiera architecture, backends for different data sources, best practices, and common issues faced by new users.

1. Introduction to Hiera

2. Spencer Krum
cc by sa

4. cc by sa

6. cc by sa //

7. Agenda
• What is hiera
• Hiera architecture
• Basic examples
• More complicated example
• Trouble points for new users

8. What is hiera
• Software from puppetlabs
• Started in 2011
• Started out as a puppet plugin, core
now

9. What is hiera
• A way to plug data into your puppet
code
• Separate concerns of data and
configuration

10. What is hiera
• Exposes hiera() function to puppet
• Plugable backend
• Different from PuppetDB

11. Hiera Architecture

12. Puppet Architecture
cc by sa

13. Puppet Architecture w/
hiera

14. cc by sa

15. # ln -s /etc/hiera.yaml /etc/puppet/hiera.yaml

16. # cat /etc/puppet/hiera.yaml
---
:backends:
- yaml
:yaml:
:datadir: /etc/puppet/hieradata
:hierarchy:
- "%{clientcert}/common"
- "osfamily/%{osfamily}/common"
- common

17. # find /etc/puppet/hieradata
.
./common.yaml
./osfamily
./osfamily/RedHat
./osfamily/RedHat/common.yaml
./osfamily/Debian
./osfamily/Debian/common.yaml

18. Hiera
• A place to put your data
• Backend driven
• Function call to lookup on keys

19. class { 'jenkins::slave':
jenkins_ssh_key => 'AAAAB3Nzbu84a....'
}

20. # cat /etc/puppet/hieradata/common.yaml
---
jenkins_key: AAAAB3NzaC1yc2EAAAADA...
...
# hiera -d jenkins_key
DEBUG: Hiera YAML backend starting
DEBUG: Looking up jenkins_key in YAML backend
DEBUG: Looking for data source common
DEBUG: Found jenkins_key in common
AAAAB3NzaC1yc2EAAAADAQAB...

21. $ssh_key = hiera('jenkins_key')
class { 'jenkins::slave':
jenkins_ssh_key => $ssh_key,
}

22. class { 'mysql::server':
root_password => 'hunter2',
}

23. # cat /etc/puppet/hieradata/common.yaml
---
...
mysql_root_password: hunter2
...
# hiera -d mysql_root_password
DEBUG: Hiera YAML backend starting
DEBUG: Looking up mysql_root_password in YAML backend
DEBUG: Looking for data source common
DEBUG: Found mysql_root_password in common
hunter2

24. $password = hiera('mysql_root_password')
class { 'mysql::server':
root_password => $password,
}

25. Questions?

26. class graphite {
if $::osfamily == 'RedHat' {
$pkgs = [
'git',
'python-django',
'g++',
'sqlite3',]
...
}
}

27. Hiera
• Hierarchy that is facter aware
• Defaults and overrides

28. # cat /etc/puppet/hiera.yaml
---
:backends:
- yaml
:yaml:
:datadir: /etc/puppet/hieradata
:hierarchy:
- "%{clientcert}/common"
- "osfamily/%{osfamily}/common"
- common

29. # find /etc/puppet/hieradata
.
./common.yaml
./osfamily
./osfamily/RedHat
./osfamily/RedHat/common.yaml
./osfamily/Debian
./osfamily/Debian/common.yaml

30. Conditional data in code
class { 'graphite':
if $::osfamily == 'RedHat' {
$pkgs = [
'git',
'python-django',
'g++',
'sqlite3',]
...
}
}

31. # cat osfamily/Debian/common.yaml
---
graphite::pkgs:
- graphite
- python-django
- virtualenv

32. # cat osfamily/RedHat/common.yaml
---
graphite::pkgs:
- git
- python-django
- g++
- sqlite3
- sqlite3-devel
- python26-virtualenv

33. Hiera data
# hiera graphite::pkgs osfamily=RedHat
["git",
"python-django",
"g++",
"sqlite3",
"sqlite3-devel",
"python26-virtualenv"]

34. # hiera graphite::pkgs osfamily=Debian
["graphite", "python-django", "virtualenv"]

35. # hiera graphite::pkgs
nil

36. class graphite {
if $::osfamily == 'RedHat' {
$pkgs = [
'git',
'python-django',
'g++',
'sqlite3',]
...
}
}

37. class graphite {
$pkgs = hiera('graphite::pkgs')
package { $pkgs:
ensure => latest,
}
}

38. Backends
• yaml, json
• file, ldap
• gpg, eyaml
• mysql, postgres, redis

39. Pros
• Separation between data and code
• Secret storage
• Backends, integration with existing
datastores
• Some conditional logic irrelevant
• Puppet code sanitized

40. Cons
• hard to figure out where things come
from
• hiera-yaml can only support one data
directory
• debugging
• public modules + hirea is unsolved

41. In module data:
puppet-module-data

42. User issues
• Complicated hierarchy
• Runaway backends
• Latency/Load
• Architecture

43. Positive note
• Use hiera, its awesome
• Start with yaml
• Try and experiment, iterate

44. Questions on Hiera

45. Questions?
Thanks!
Spencer Krum (nibalizer)
irc/twitter/github
nibz@spencerkrum.com
nibz@hp.com