Thomas Howard Uphill, profile picture
Uploaded byThomas Howard Uphill
PPTX, PDF306 views

Troubleshooting Puppet

This document provides troubleshooting information for Puppet failures. It begins with common failure messages and their potential causes such as "can't find puppet", "can't connect to puppet", and "can't get certificate". It then covers tools for investigating failures like the Puppet REST API, debugging Puppet compiles and applies, and checking for issues via notify resources and debug scripts. The document outlines techniques for locating problems with nodes, workers, variables, and resources conflicting or going stale.

Embed presentation

Download to read offline
Troubleshooting Puppet Thomas Uphill thomas@narrabilis.com
Latest version http://goo.gl/b2NISc If you see something, say something! Google Comments enabled
Watch in Presentation Mode! Seriously, Trust Me ...Animations Are Good things
Me PuppetConf 2013 Mastering Puppet / Puppet Cookbook 4* PUGS /r/dadjokes
Outline network rest api certificates catalog problem workers compiling printing scope
Failures - can't find puppet - can't connect to puppet - can't get certificate - can't get/compile a catalog - can't apply a catalog - can't upgrade puppet
can't connect to puppet...
can't find puppet puppet puppet.domain [main/agent] server ca_server DNS nsswitch.conf /etc/hosts
can't connect to puppet node puppet master network pixies 8140 masterport
can't connect to puppet ● ping ● mtr (--port 8140) ● netcat (nc)
can't connect to puppet $ ping puppet ping: unknown host puppet $ mtr puppet My traceroute [v0.75] cookbook.example.com (0.0.0.0) Sat Oct 25 01:26:31 2014 Keys: Help Display mode Restart statistics Order of fields quit $ nc -v puppet 8140 Packets Pings Ncat: Version 6.45 ( http://nmap.org/ncat ) Ncat: Connected to 192.168.122.100:8140. Host Loss% Snt Last Avg Best Wrst StDev 1. puppet.example.com 0.0% 157 0.7 0.5 0.2 1.6 0.2
can't get certificate ● already signed (clean) ● dates off - expired CA, expired cert puppet cert clean host.example.com rm /var/lib/puppet/ssl/*/hostname* openssl x509 -in cert.pem -text ntpq -p
can't get certificate ● don't know your own name ● basic unix permissions ● something else... root@puppet:~# sudo -iu puppet puppet@puppet:~$ cd /etc/puppet/environments/ -bash: cd: /etc/puppet/environments/: Permission denied SELinux
REST API
Rest API node puppet master 8140 GET https://puppet:8140/production/certificate/ca HTTP/1.1 -----BEGIN CERTIFICATE ----- MIIFXjCCA0agAwIBAgIBATANBgkqhkiG9w0BAqsFADAcMRowGAYDVQQDDBFQdXdb w FiyvryAxxuETs9KORMwoThDIMd4bHLDbqtAz0q0cJ7W/8w== -----END CERTIFICATE-----
Rest API ca_server/server environment GET https://puppet:8140/production/certificate/ca HTTP/1.1 ca_port/masterport resource key
Rest API GET https://puppet:8140/production/certificate/ca HTTP/1.1 resource key resource certificate file_metadata file_content node catalog
Rest API ● wget ● curl # diff puppet-ca.pem /var/lib/puppet/ssl/ca.pem # echo $? 0 # curl --insecure https://puppet:8140/production/certificate/ca >puppet-ca.pem % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 101 1923 101 1923 0 0 25506 0 --:--:-- --:--:-- --:--:-- 312k # openssl x509 -in puppet-ca.pem -fingerprint SHA1 Fingerprint=5A:C2:03:7B:40:44:2C:81:45:81:07:11:D3:AC:29:FB:A5:EC:E3:55
Rest API # curl --cacert puppet-ca.pem https://puppet:8140/production/certificate/lisa.example.com Not Found: Could not find certificate lisa.example.com # curl --cacert puppet-ca.pem https://puppet:8140/production/certificate/cookbook.example.com -----BEGIN CERTIFICATE----- MIIFcTCCA1mgAwIBAgIBCjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFQdXBw ZXQgQ0E6IHB1cHBldDAeFw0xNDA5MzAwNDM1MDdaFw0xOTA5MzAwNDM1MDdaMB8x # openssl x5.0.9. -in cookbook.pem -text … Issuer: CN=Puppet CA: puppet Validity Not Before: Sep 30 04:35:07 2014 GMT Not After : Sep 30 04:35:07 2019 GMT Subject: CN=cookbook.example.com …
Catalog # curl --cacert puppet-ca.pem --cert /var/lib/puppet/ssl/certs/cookbook.example.com.pem --key /var/lib/puppet/ssl/private_keys/cookbook.example.com.pem -H 'Accept: yaml' https://puppet:8140/production/catalog/cookbook.example.com > cookbook.yaml % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 26099 100 26099 0 0 17434 0 0:00:01 0:00:01 --:--:-- 18642
Tools (gnutls-cli or openssl s_client) $ gnutls-cli --insecure --port 8140 puppet.example.com GET /production/certificate/ca HTTP/1.0 Accept: s HTTP/1.1 200 Server: nginx/1.6.1 Date: Thu, 23 Oct 2014 21:03:58 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 875 Connection: close X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11 Status: 200
can't get/compile a catalog
Problem workers node puppet worker 8140 puppet worker 8140 mod_proxy_balancer puppet master 8140 devel puppet worker 8140 problem production
problem/bugfixes branches git branches ● per user ● per problem ● per ticket
Problem workers puppet worker 8140 --logdest /var/log/puppet/problem.log --debug --profile logrotate
Compiling $ sudo puppet master Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'bucketdir': 'File[/var/lib/puppet/bucket]{:loglevel=>:debug, :group=>"puppet", :ensure=>:directory, :links=>:follow, :owner=>"puppet", :backup=>false, :mode=>"750", :path=>"/var/lib/puppet/bucket"}' Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'publickeydir': 'File[/var/lib/puppet/ssl/public_keys]{:loglevel=>:debug, :group=>"puppet", :ensure=>:directory, :links=>:follow, :owner=>"puppet", :backup=>false, :mode=>"755", :path=>"/var/lib/puppet/ssl/public_keys"}' Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'plugindest': 'File[/var/lib/puppet/lib]{:loglevel=>:debug, :ensure=>:directory, :links=>:follow, :backup=>false, :path=>"/var/lib/puppet/lib"}' Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'fileserverconfig': 'File[/etc/puppet/fileserver.conf]{:loglevel=>:debug, :ensure=>:file, :links=>:follow, :backup=>false, :path=>"/etc/puppet/fileserver.conf"}' --compile problem.example.com --debug --trace --logdest /tmp/problem.puppet.log --environment sandbox { "data": { "resources": [ { "title": "main", "exported": false, "tags": ["stage"], "type": "Stage", "parameters": { JSON "before": "Stage[post]",
Apply $ sudo puppet apply --debug --trace --environment sandbox code.pp JSON $date = "+%S" exec {'epoch': command => "echo $((`date $date` / 86400))", path => '/bin:/usr/bin:/sbin:/usr/sbin', } Info: Applying configuration version '1415729233' Debug: Exec[epoch](provider=posix): Executing 'echo $((`date +%S` / 86400))' Debug: Executing 'echo $((`date +%S` / 86400))' Notice: /Stage[main]/Main/Exec[epoch]/returns: executed successfully
Catalog YAML - read it JSON - jq
Catalog catalog classes.txt jq '.data.classes[]' < catalog
Catalog fails to compile ● duplicate resource ● modulepath/bad module name fails to apply ● unpredicable exec ● bad/broken service ● bad/missing variable
fails to compile
duplicate resource separate into subclass ( package {'httpd'} ) virtual resources ( @user, @package, @service) modulepath puppet config print modulepath root@puppet:~# puppet config print modulepath --environment production /etc/puppet/environments/production/public:/etc/puppet/environments/producti on/modules root@puppet:~# puppet config print modulepath --environment master /etc/puppet/modules:/usr/share/puppet/modules
fails to apply
Unpredictable exec #!/bin/bash echo $JAVA_HOME /home/javadev/.bashrc JAVA_HOME=/your/face
Broken Service service provider hasstatus => true /sbin/service $service status /etc/init.d/$service status /usr/bin/systemctl is-active $service
Bad/Missing Variable $one = "1" file {"lisaone": Info: Caching catalog for node1.example.com Error: path Failed => "/to tmp/apply lisa$catalog: one", Cannot alias File[lisa1] to ["/ensure tmp/lisa1"] => 'directory', at /} etc/puppet/environments/production/manifests/site.pp:34; resource file {"lisa1": ["File", "/tmp/lisa1"] already declared at /etc/puppet/environments/production/manifests/site.pp:30 path => "/tmp/lisa1", ensure => 'file', }
Bad/Missing Variable lisa {'one': place => "/tmp/$LISA", type => "directory", Info: Caching catalog for node1.example.com Error: Failed to apply catalog: Cannot alias File[two] to ["/tmp"] at /etc/puppet/environments/production/modules/lisa/manifests/i nit.pp:5; resource ["File", "/tmp"] already declared at /etc/puppet/environments/production/modules/lisa/manifests/i nit.pp:5 } lisa {'two': place => "/tmp/$LISA", type => "file", } define lisa ($place,$type) { file {"$title": path => $place, ensure => $type, } }
Printing - Notify notify {"$variable": }
chaining notify {'something': }->exec{'thingthatfails': }->notify{'after': }
Checking exec{'before resolv.conf': command => '/usr/local/bin/puppet-debug before resolv.conf', require => Class['debug'] } -> file { '/etc/resolv.conf': source => template("dns/resolv.conf"), noop => true, } class debug { file {'puppet-debug': path => '/usr/local/bin/puppet-debug', source => 'puppet:///modules/debug/puppet-debug', mode => 0755, } }
Debug Script… just an example #!/bin/bash LOG=$(mktemp /tmp/puppet-debug.XXXXXX) echo Puppet Debug -- $@ -- $(date) | tee $LOG echo "-- Disk --" | tee -a $LOG df -h |tee -a $LOG df -i |tee -a $LOG echo "-- Mem --" | tee -a $LOG free | tee -a $LOG echo "-- Files --" | tee -a $LOG PUPPET=$(pgrep puppet) for proc in $PUPPET do lsof -p $proc |tee -a $LOG done Puppet Debug -- before resolv.conf -- Fri Oct 24 01:13:34 EDT 2014 -- Disk -- Filesystem Size Used Avail Use% Mounted on /dev/mapper/VolGroup-lv_root 6.7G 2.5G 3.9G 39% / tmpfs 246M 0 246M 0% /dev/shm /dev/vda1 485M 80M 380M 18% /boot Filesystem Inodes IUsed IFree IUse% Mounted on /dev/mapper/VolGroup-lv_root 440640 79253 361387 18% / tmpfs 62783 1 62782 1% /dev/shm /dev/vda1 128016 50 127966 1% /boot -- Mem -- total used free shared buffers cached Mem: 502268 415488 86780 0 22176 172036 -/+ buffers/cache: 221276 280992 Swap: 835580 0 835580 -- Files -- COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME puppet 2058 root cwd DIR 253,0 4096 14 /root puppet 2058 root rtd DIR 253,0 4096 2 / puppet 2058 root txt REG 253,0 10600 36617 /usr/bin/ruby puppet 2058 root mem REG 253,0 156928 4134 /lib64/ld-2.12.so puppet 2058 root mem REG 253,0 1926680 6282 /lib64/libc-2.12.so
Printing - Template - scope.to_hash - reject a few file { "/tmp/puppet-debug.txt": content => inline_template("<% vars = - sort scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| %><%= k %>=<%= v %>n<% end %>"), - print, one per line } vars = scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| k=vn end
_timestamp=2014-10-23 22:29:52 -0700 architecture=x86_64 augeasversion=1.0.0 bios_release_date=01/01/2011 bios_vendor=Bochs bios_version=Bochs blockdevice_vda_size=8589934592 blockdevice_vda_vendor=6900 blockdevices=vda caller_module_name= clientcert=cookbook.example.com clientnoop=false clientversion=3.7.1 concat_basedir=/var/lib/puppet/concat domain=example.com environment=production facterversion=2.2.0 filesystems=ext4,iso9660 fqdn=cookbook.example.com gid=root hardwareisa=x86_64 hardwaremodel=x86_64 hostname=cookbook id=root interfaces=eth0,lo Printing - Template - scope.to_hash - reject a few file { "/tmp/puppet-debug.txt": content => inline_template("<% vars = - sort scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| %><%= k %>=<%= v %>n<% end %>"), - print, one per line } vars = scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| k=vn end
Scope The scene: class ntp { include ntp::server ● roles and profiles ● ntp server class role::ntp { include ntp } }
Scope The solution: class ntp { include ntp::server ● fully scope everything ● remember scope class role::ntp { include ::ntp } }
Summary learn some networking remember the REST api read up on SSL / x509 use --trace make a debug class remember scope
Questions/Comments? http://goo.gl/b2NISc http://ramblings.narrabilis.com

More Related Content

PDF
Puppet camp2021 testing modules and controlrepo
byPuppet
 
PDF
Developing IT infrastructures with Puppet
byAlessandro Franceschi
 
PDF
Puppet Continuous Integration with PE and GitLab
byAlessandro Franceschi
 
PDF
Puppet evolutions
byAlessandro Franceschi
 
PDF
Puppet Systems Infrastructure Construction Kit
byAlessandro Franceschi
 
PDF
Scalable Cloud-Native Masterless Puppet, with PuppetDB and Bolt, Craig Watson...
byPuppet
 
PDF
Configuring Highly Scalable Compile Masters, Vasco Cardoso, AWS
byPuppet
 
PPTX
Puppetizing Your Organization
byRobert Nelson
 
Puppet camp2021 testing modules and controlrepo
byPuppet
 
Developing IT infrastructures with Puppet
byAlessandro Franceschi
 
Puppet Continuous Integration with PE and GitLab
byAlessandro Franceschi
 
Puppet evolutions
byAlessandro Franceschi
 
Puppet Systems Infrastructure Construction Kit
byAlessandro Franceschi
 
Scalable Cloud-Native Masterless Puppet, with PuppetDB and Bolt, Craig Watson...
byPuppet
 
Configuring Highly Scalable Compile Masters, Vasco Cardoso, AWS
byPuppet
 
Puppetizing Your Organization
byRobert Nelson
 

What's hot

PDF
Modules of the twenties
byPuppet
 
PPTX
Virtual Bolt Workshop - March 16, 2020
byPuppet
 
PDF
OpenRheinRuhr 2018 - Ops hates containers! Why?
byMartin Alfke
 
ODP
PHP Quality Assurance Workshop PHPBenelux
byNick Belhomme
 
PDF
Dependencies Managers in C/C++. Using stdcpp 2014
bybiicode
 
PDF
Zend Framework 1.8 workshop
byNick Belhomme
 
PPTX
Auto Deploy Deep Dive – vBrownBag Style
byRobert Nelson
 
PDF
Puppet Camp Paris 2016 Data in Modules
byMartin Alfke
 
PDF
Virtual Bolt Workshop, 5 May 2020
byPuppet
 
PDF
Test Driven Development with Puppet
byPuppet
 
PDF
Learning Puppet Chapter 1
byVishal Biyani
 
PPTX
C++ for the Web
byPatrick Charrier
 
PDF
Puppet Camp Dallas 2014: How Puppet Ops Rolls
byPuppet
 
PPTX
Virtual Bolt Workshop - 6 May
byPuppet
 
ODP
Vagrant move over, here is Docker
byNick Belhomme
 
PDF
Essential applications management with Tiny Puppet
byAlessandro Franceschi
 
PPTX
What is Puppet? | How Puppet Works? | Puppet Tutorial For Beginners | DevOps ...
bySimplilearn
 
PDF
Puppet devops wdec
byWojciech Dec
 
PDF
Nginx pres
byJames Fuller
 
PPTX
Enjoying the Journey from Puppet 3.x to Puppet 4.x (PuppetConf 2016)
byRobert Nelson
 
Modules of the twenties
byPuppet
 
Virtual Bolt Workshop - March 16, 2020
byPuppet
 
OpenRheinRuhr 2018 - Ops hates containers! Why?
byMartin Alfke
 
PHP Quality Assurance Workshop PHPBenelux
byNick Belhomme
 
Dependencies Managers in C/C++. Using stdcpp 2014
bybiicode
 
Zend Framework 1.8 workshop
byNick Belhomme
 
Auto Deploy Deep Dive – vBrownBag Style
byRobert Nelson
 
Puppet Camp Paris 2016 Data in Modules
byMartin Alfke
 
Virtual Bolt Workshop, 5 May 2020
byPuppet
 
Test Driven Development with Puppet
byPuppet
 
Learning Puppet Chapter 1
byVishal Biyani
 
C++ for the Web
byPatrick Charrier
 
Puppet Camp Dallas 2014: How Puppet Ops Rolls
byPuppet
 
Virtual Bolt Workshop - 6 May
byPuppet
 
Vagrant move over, here is Docker
byNick Belhomme
 
Essential applications management with Tiny Puppet
byAlessandro Franceschi
 
What is Puppet? | How Puppet Works? | Puppet Tutorial For Beginners | DevOps ...
bySimplilearn
 
Puppet devops wdec
byWojciech Dec
 
Nginx pres
byJames Fuller
 
Enjoying the Journey from Puppet 3.x to Puppet 4.x (PuppetConf 2016)
byRobert Nelson
 

Similar to Troubleshooting Puppet

PDF
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo
byPuppet
 
PDF
PuppetCamp SEA 1 - Use of Puppet
byOlinData
 
PDF
PuppetCamp SEA 1 - Use of Puppet
byWalter Heck
 
PPTX
Puppet
bySeenaah Seenaahzadeh
 
PDF
DevOps Braga #6
byDevOps Braga
 
KEY
Stanford Hackathon - Puppet Modules
byPuppet
 
PDF
20090514 Introducing Puppet To Sasag
bygarrett honeycutt
 
ODP
Puppet slides for intelligrape
bySharad Aggarwal
 
PDF
Puppet fundamentals
byMurali Boyapati
 
PDF
Strategies for Puppet code upgrade and refactoring
byAlessandro Franceschi
 
PDF
Systems Automation with Puppet
byelliando dias
 
PPTX
Installaling Puppet Master and Agent
byRanjit Avasarala
 
PDF
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
byPuppet
 
PDF
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
byCarlos Sanchez
 
PDF
Writing and Publishing Puppet Modules - PuppetConf 2014
byPuppet
 
PDF
Creating a mature puppet system
byrkhatibi
 
PDF
Creating a Mature Puppet System
byPuppet
 
PDF
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
byNETWAYS
 
PDF
Workflow story: Theory versus practice in Large Enterprises
byPuppet
 
PPTX
Puppet for Developers
bysagarhere4u
 
PuppetConf 2016: Puppet Troubleshooting – Thomas Uphill, Wells Fargo
byPuppet
 
PuppetCamp SEA 1 - Use of Puppet
byOlinData
 
PuppetCamp SEA 1 - Use of Puppet
byWalter Heck
 
Puppet
bySeenaah Seenaahzadeh
 
DevOps Braga #6
byDevOps Braga
 
Stanford Hackathon - Puppet Modules
byPuppet
 
20090514 Introducing Puppet To Sasag
bygarrett honeycutt
 
Puppet slides for intelligrape
bySharad Aggarwal
 
Puppet fundamentals
byMurali Boyapati
 
Strategies for Puppet code upgrade and refactoring
byAlessandro Franceschi
 
Systems Automation with Puppet
byelliando dias
 
Installaling Puppet Master and Agent
byRanjit Avasarala
 
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
byPuppet
 
How to Develop Puppet Modules: From Source to the Forge With Zero Clicks
byCarlos Sanchez
 
Writing and Publishing Puppet Modules - PuppetConf 2014
byPuppet
 
Creating a mature puppet system
byrkhatibi
 
Creating a Mature Puppet System
byPuppet
 
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
byNETWAYS
 
Workflow story: Theory versus practice in Large Enterprises
byPuppet
 
Puppet for Developers
bysagarhere4u
 

Recently uploaded

PDF
Supercharging Grafana with Community Plugins
byImma Valls Bernaus
 
PDF
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
PPTX
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
PDF
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
PDF
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Supercharging Grafana with Community Plugins
byImma Valls Bernaus
 
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Building with AI using Local & Cloud-based AI IDE: Evaluation-Driven Developm...
byKunal Suri
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Powering Spring AI with Model Context Protocol Integration
byJuarez Junior
 
Prime Teams – Real-Time Employee Monitoring & Project Management Software
byPrime Teams
 
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
Prompt Engineering vs Content Engineering vs RAG.pdf
byVineet Sharma
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 

Troubleshooting Puppet

  • 1.
    Troubleshooting Puppet ThomasUphill thomas@narrabilis.com
  • 2.
    Latest version http://goo.gl/b2NISc If you see something, say something! Google Comments enabled
  • 3.
    Watch in PresentationMode! Seriously, Trust Me ...Animations Are Good things
  • 4.
    Me PuppetConf 2013 Mastering Puppet / Puppet Cookbook 4* PUGS /r/dadjokes
  • 5.
    Outline network restapi certificates catalog problem workers compiling printing scope
  • 7.
    Failures - can'tfind puppet - can't connect to puppet - can't get certificate - can't get/compile a catalog - can't apply a catalog - can't upgrade puppet
  • 8.
  • 9.
    can't find puppet puppet puppet.domain [main/agent] server ca_server DNS nsswitch.conf /etc/hosts
  • 10.
    can't connect topuppet node puppet master network pixies 8140 masterport
  • 11.
    can't connect topuppet ● ping ● mtr (--port 8140) ● netcat (nc)
  • 12.
    can't connect topuppet $ ping puppet ping: unknown host puppet $ mtr puppet My traceroute [v0.75] cookbook.example.com (0.0.0.0) Sat Oct 25 01:26:31 2014 Keys: Help Display mode Restart statistics Order of fields quit $ nc -v puppet 8140 Packets Pings Ncat: Version 6.45 ( http://nmap.org/ncat ) Ncat: Connected to 192.168.122.100:8140. Host Loss% Snt Last Avg Best Wrst StDev 1. puppet.example.com 0.0% 157 0.7 0.5 0.2 1.6 0.2
  • 13.
    can't get certificate ● already signed (clean) ● dates off - expired CA, expired cert puppet cert clean host.example.com rm /var/lib/puppet/ssl/*/hostname* openssl x509 -in cert.pem -text ntpq -p
  • 14.
    can't get certificate ● don't know your own name ● basic unix permissions ● something else... root@puppet:~# sudo -iu puppet puppet@puppet:~$ cd /etc/puppet/environments/ -bash: cd: /etc/puppet/environments/: Permission denied SELinux
  • 15.
  • 16.
    Rest API node puppet master 8140 GET https://puppet:8140/production/certificate/ca HTTP/1.1 -----BEGIN CERTIFICATE ----- MIIFXjCCA0agAwIBAgIBATANBgkqhkiG9w0BAqsFADAcMRowGAYDVQQDDBFQdXdb w FiyvryAxxuETs9KORMwoThDIMd4bHLDbqtAz0q0cJ7W/8w== -----END CERTIFICATE-----
  • 17.
    Rest API ca_server/server environment GET https://puppet:8140/production/certificate/ca HTTP/1.1 ca_port/masterport resource key
  • 18.
    Rest API GEThttps://puppet:8140/production/certificate/ca HTTP/1.1 resource key resource certificate file_metadata file_content node catalog
  • 19.
    Rest API ●wget ● curl # diff puppet-ca.pem /var/lib/puppet/ssl/ca.pem # echo $? 0 # curl --insecure https://puppet:8140/production/certificate/ca >puppet-ca.pem % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 101 1923 101 1923 0 0 25506 0 --:--:-- --:--:-- --:--:-- 312k # openssl x509 -in puppet-ca.pem -fingerprint SHA1 Fingerprint=5A:C2:03:7B:40:44:2C:81:45:81:07:11:D3:AC:29:FB:A5:EC:E3:55
  • 20.
    Rest API #curl --cacert puppet-ca.pem https://puppet:8140/production/certificate/lisa.example.com Not Found: Could not find certificate lisa.example.com # curl --cacert puppet-ca.pem https://puppet:8140/production/certificate/cookbook.example.com -----BEGIN CERTIFICATE----- MIIFcTCCA1mgAwIBAgIBCjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDDBFQdXBw ZXQgQ0E6IHB1cHBldDAeFw0xNDA5MzAwNDM1MDdaFw0xOTA5MzAwNDM1MDdaMB8x # openssl x5.0.9. -in cookbook.pem -text … Issuer: CN=Puppet CA: puppet Validity Not Before: Sep 30 04:35:07 2014 GMT Not After : Sep 30 04:35:07 2019 GMT Subject: CN=cookbook.example.com …
  • 21.
    Catalog # curl--cacert puppet-ca.pem --cert /var/lib/puppet/ssl/certs/cookbook.example.com.pem --key /var/lib/puppet/ssl/private_keys/cookbook.example.com.pem -H 'Accept: yaml' https://puppet:8140/production/catalog/cookbook.example.com > cookbook.yaml % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 26099 100 26099 0 0 17434 0 0:00:01 0:00:01 --:--:-- 18642
  • 22.
    Tools (gnutls-cli oropenssl s_client) $ gnutls-cli --insecure --port 8140 puppet.example.com GET /production/certificate/ca HTTP/1.0 Accept: s HTTP/1.1 200 Server: nginx/1.6.1 Date: Thu, 23 Oct 2014 21:03:58 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 875 Connection: close X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.11 Status: 200
  • 23.
  • 24.
    Problem workers node puppet worker 8140 puppet worker 8140 mod_proxy_balancer puppet master 8140 devel puppet worker 8140 problem production
  • 25.
    problem/bugfixes branches gitbranches ● per user ● per problem ● per ticket
  • 26.
    Problem workers puppet worker 8140 --logdest /var/log/puppet/problem.log --debug --profile logrotate
  • 27.
    Compiling $ sudopuppet master Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'bucketdir': 'File[/var/lib/puppet/bucket]{:loglevel=>:debug, :group=>"puppet", :ensure=>:directory, :links=>:follow, :owner=>"puppet", :backup=>false, :mode=>"750", :path=>"/var/lib/puppet/bucket"}' Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'publickeydir': 'File[/var/lib/puppet/ssl/public_keys]{:loglevel=>:debug, :group=>"puppet", :ensure=>:directory, :links=>:follow, :owner=>"puppet", :backup=>false, :mode=>"755", :path=>"/var/lib/puppet/ssl/public_keys"}' Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'plugindest': 'File[/var/lib/puppet/lib]{:loglevel=>:debug, :ensure=>:directory, :links=>:follow, :backup=>false, :path=>"/var/lib/puppet/lib"}' Thu Oct 23 14:34:24 -0700 2014 Puppet (debug): Using settings: adding file resource 'fileserverconfig': 'File[/etc/puppet/fileserver.conf]{:loglevel=>:debug, :ensure=>:file, :links=>:follow, :backup=>false, :path=>"/etc/puppet/fileserver.conf"}' --compile problem.example.com --debug --trace --logdest /tmp/problem.puppet.log --environment sandbox { "data": { "resources": [ { "title": "main", "exported": false, "tags": ["stage"], "type": "Stage", "parameters": { JSON "before": "Stage[post]",
  • 28.
    Apply $ sudopuppet apply --debug --trace --environment sandbox code.pp JSON $date = "+%S" exec {'epoch': command => "echo $((`date $date` / 86400))", path => '/bin:/usr/bin:/sbin:/usr/sbin', } Info: Applying configuration version '1415729233' Debug: Exec[epoch](provider=posix): Executing 'echo $((`date +%S` / 86400))' Debug: Executing 'echo $((`date +%S` / 86400))' Notice: /Stage[main]/Main/Exec[epoch]/returns: executed successfully
  • 29.
    Catalog YAML -read it JSON - jq
  • 30.
    Catalog catalog classes.txt jq '.data.classes[]' < catalog
  • 31.
    Catalog fails tocompile ● duplicate resource ● modulepath/bad module name fails to apply ● unpredicable exec ● bad/broken service ● bad/missing variable
  • 32.
  • 33.
    duplicate resource separateinto subclass ( package {'httpd'} ) virtual resources ( @user, @package, @service) modulepath puppet config print modulepath root@puppet:~# puppet config print modulepath --environment production /etc/puppet/environments/production/public:/etc/puppet/environments/producti on/modules root@puppet:~# puppet config print modulepath --environment master /etc/puppet/modules:/usr/share/puppet/modules
  • 34.
  • 35.
    Unpredictable exec #!/bin/bash echo $JAVA_HOME /home/javadev/.bashrc JAVA_HOME=/your/face
  • 36.
    Broken Service serviceprovider hasstatus => true /sbin/service $service status /etc/init.d/$service status /usr/bin/systemctl is-active $service
  • 37.
    Bad/Missing Variable $one= "1" file {"lisaone": Info: Caching catalog for node1.example.com Error: path Failed => "/to tmp/apply lisa$catalog: one", Cannot alias File[lisa1] to ["/ensure tmp/lisa1"] => 'directory', at /} etc/puppet/environments/production/manifests/site.pp:34; resource file {"lisa1": ["File", "/tmp/lisa1"] already declared at /etc/puppet/environments/production/manifests/site.pp:30 path => "/tmp/lisa1", ensure => 'file', }
  • 38.
    Bad/Missing Variable lisa{'one': place => "/tmp/$LISA", type => "directory", Info: Caching catalog for node1.example.com Error: Failed to apply catalog: Cannot alias File[two] to ["/tmp"] at /etc/puppet/environments/production/modules/lisa/manifests/i nit.pp:5; resource ["File", "/tmp"] already declared at /etc/puppet/environments/production/modules/lisa/manifests/i nit.pp:5 } lisa {'two': place => "/tmp/$LISA", type => "file", } define lisa ($place,$type) { file {"$title": path => $place, ensure => $type, } }
  • 39.
    Printing - Notify notify {"$variable": }
  • 40.
    chaining notify {'something': }->exec{'thingthatfails': }->notify{'after': }
  • 41.
    Checking exec{'before resolv.conf': command => '/usr/local/bin/puppet-debug before resolv.conf', require => Class['debug'] } -> file { '/etc/resolv.conf': source => template("dns/resolv.conf"), noop => true, } class debug { file {'puppet-debug': path => '/usr/local/bin/puppet-debug', source => 'puppet:///modules/debug/puppet-debug', mode => 0755, } }
  • 42.
    Debug Script… justan example #!/bin/bash LOG=$(mktemp /tmp/puppet-debug.XXXXXX) echo Puppet Debug -- $@ -- $(date) | tee $LOG echo "-- Disk --" | tee -a $LOG df -h |tee -a $LOG df -i |tee -a $LOG echo "-- Mem --" | tee -a $LOG free | tee -a $LOG echo "-- Files --" | tee -a $LOG PUPPET=$(pgrep puppet) for proc in $PUPPET do lsof -p $proc |tee -a $LOG done Puppet Debug -- before resolv.conf -- Fri Oct 24 01:13:34 EDT 2014 -- Disk -- Filesystem Size Used Avail Use% Mounted on /dev/mapper/VolGroup-lv_root 6.7G 2.5G 3.9G 39% / tmpfs 246M 0 246M 0% /dev/shm /dev/vda1 485M 80M 380M 18% /boot Filesystem Inodes IUsed IFree IUse% Mounted on /dev/mapper/VolGroup-lv_root 440640 79253 361387 18% / tmpfs 62783 1 62782 1% /dev/shm /dev/vda1 128016 50 127966 1% /boot -- Mem -- total used free shared buffers cached Mem: 502268 415488 86780 0 22176 172036 -/+ buffers/cache: 221276 280992 Swap: 835580 0 835580 -- Files -- COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME puppet 2058 root cwd DIR 253,0 4096 14 /root puppet 2058 root rtd DIR 253,0 4096 2 / puppet 2058 root txt REG 253,0 10600 36617 /usr/bin/ruby puppet 2058 root mem REG 253,0 156928 4134 /lib64/ld-2.12.so puppet 2058 root mem REG 253,0 1926680 6282 /lib64/libc-2.12.so
  • 43.
    Printing - Template - scope.to_hash - reject a few file { "/tmp/puppet-debug.txt": content => inline_template("<% vars = - sort scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| %><%= k %>=<%= v %>n<% end %>"), - print, one per line } vars = scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| k=vn end
  • 44.
    _timestamp=2014-10-23 22:29:52 -0700 architecture=x86_64 augeasversion=1.0.0 bios_release_date=01/01/2011 bios_vendor=Bochs bios_version=Bochs blockdevice_vda_size=8589934592 blockdevice_vda_vendor=6900 blockdevices=vda caller_module_name= clientcert=cookbook.example.com clientnoop=false clientversion=3.7.1 concat_basedir=/var/lib/puppet/concat domain=example.com environment=production facterversion=2.2.0 filesystems=ext4,iso9660 fqdn=cookbook.example.com gid=root hardwareisa=x86_64 hardwaremodel=x86_64 hostname=cookbook id=root interfaces=eth0,lo Printing - Template - scope.to_hash - reject a few file { "/tmp/puppet-debug.txt": content => inline_template("<% vars = - sort scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| %><%= k %>=<%= v %>n<% end %>"), - print, one per line } vars = scope.to_hash.reject { |k,v| !( k.is_a?(String) && v.is_a?(String) ) }; vars.sort.each do |k,v| k=vn end
  • 45.
    Scope The scene: class ntp { include ntp::server ● roles and profiles ● ntp server class role::ntp { include ntp } }
  • 46.
    Scope The solution: class ntp { include ntp::server ● fully scope everything ● remember scope class role::ntp { include ::ntp } }
  • 47.
    Summary learn somenetworking remember the REST api read up on SSL / x509 use --trace make a debug class remember scope
  • 48.

Editor's Notes

  • #5 I started using puppet early on, 0.24 I know a guy that crushes coke cans for a living. It's soda pressing.
  • #7 how do we get from this to this. These are the techniques I've used and what I've seen
  • #8 so these errors can be broken into two groups, we'll talk about each separately. There's a third category, hopefully you don't fall into this camp, but if you aren't running the latest stuff you are missing out.
  • #9 so this is network and certificate issues.
  • #11 sometimes there's dragons between you and the server. sometimes the masterport isn't 8140.
  • #12 you can tell mtr to use port 8140, we'll show each of these and why they are useful.
  • #13 ping will show you if your client node can lookup the puppet server, you don't need ping to succeed to still be ok. It uses the gethostbyname system call, which will be the same what that puppet will lookup the host. if this fails, puppet will fail. check what your hostname is, hostname -f will see if your reverse lookup is working. you don't need to have your nodes resolve properly. only the master should resolve, locally is fine. mtr, my traceroute, originally matt's traceroute, it works different than traceroute, it uses icmp by default (traceroute uses udp) netcat - the swiss army knife of network tools.
  • #14 this is not an x509 talk, but you should know how x509 works.
  • #15 puppet uses the certname directive, that's how it knows what to do, it uses the hostname command to do that. ask facter what the hostname is, use config print to show the value basic unix permissions ← I hear Antoine Dodson in my head when it turns out to be basic unix permissions. it's not working, why can't you find that module, it's right there you idiot. it turns out someone changed perms manually or messed up with git. it could be selinux but please don't shut that off. it could be some other communication problem, so to fix it, you need to know how it works, puppet has a built in REST API
  • #16 REST - Representational state transfer I say this in the book, but a lot of puppet is just https traffic ok, everyone hold hands, this might get rough
  • #17 the node starts with a GET request to grab the CA. the server should respond with a certificate so how does the node construct this get request.
  • #18 what resources are available? - next slide
  • #20 verify you can download the CA, your own certificate check that it's the same. I kid you not, some companies actually interject themselves in any http traffic, you might not be getting the CA you asked for.
  • #21 now that we have the ca cert, we can use that with curl to try and download our nodes certificate that should give you a cert, but if it doesn't, that's your problem. Ok, so we'll ask for cookbook and we get it, use openssl x509 to look at the cert. check the validity.
  • #22 like anyone can even know that. well, there's more to it, but you will get a catalog back.
  • #23 wget or curl will just grab whatever but obscure what's happening, if you are having trouble it's better to use an interactive client you're a sysadmin, you should know just enough about everything to get in trouble. so this is an http request, these tools take care of the ssl part of the communication. gnutls-cli can work with startssl type connections.
  • #25 this is how I work, this is the first chapter of my book But we use apache or nginx or whatever and we use mod_proxy_balancer for instance in apache. we can look at the url's coming in, and based on the environment we redirect to a specific worker system that can compile the catalog for us. when you are trying to diagnose a problem it can be useful to just make a problem environment and go to another worker. you need to ability to create arbitrary test branches. so you need git in your workflow. workflow is something I talk about heavily in my LISA talk. next slide git
  • #26 making a branch per user, ticket etc it very useful. ok, back to our problem worker.
  • #27 you would not do this on a production server. this will generate a lot of logs, make sure you logrotate that stuff.
  • #28 this is another way to run, the --trace option is the one that will get you a ton of data. but when you have a problem, that's the best way to find it.
  • #29 this is a good technique, copy the part that you are having trouble with somewhere, run puppet apply on it with --trace you'll get to see how the exec is actually running.
  • #30 so what is the catalog, it's yaml or json. yaml is easy to read json not so much, but jq works. what can you do with the catalog? -- next slide.
  • #31 the catalog you compile should have the same classes as classes.txt if your last run was successful and you haven't changed the class list. errors can come from the class list changing
  • #32 when the catalog fails to compile, debugging is usually a lot simpler either puppet found too many failing to apply is usually much harder to figure out. The first issue with variables is the hardest one to find i'll show examples of the bad exec and service.
  • #34 so how do you fix duplicate resource? separate the thing you need multiple times into their own class. - that's the best option for things like httpd/apache virtual resources, works well for users, sometimes confusing if you can't find the module, maybe it's the modulepath, use config print to show that. it could be basic unix permissions, try going to that place as the puppet or pe-puppet user to make sure.
  • #35 these problems are the stumpers, but after you fix them, they seem super simple
  • #36 scripts that use environment variables, when the user runs it, it works when you sudo puppet agent it works too (unless envreset sure) confusing, but you can run with trace and see what's actually running. puppet agent --trace will show how the script was run.
  • #37 puppet just runs these commands, if the return code is no good, puppet thinks the service is not operational puppet will try and start the service. puppet does a restart when it gets a notify, if restart is broken, your runs will fail
  • #38 this one can stump you for a while. you have two resources with different names they point to the same thing but only after variable substitution. well actually that doesn't matter the main thing is that the name/title of the resource is different and the check to make sure they aren't working on the same thing is done after the catalog is compiled.
  • #39 this one is even worse than the last one :-( the problem when you are debugging is that the error is in the defined type definition, the best thing I've found at this point is to look in the catalog and figure out where the define was called from.
  • #40 anyone can do this, it's the echo "hello" thing
  • #41 you need to use chaining to ensure that things happen near each other.
  • #42 so this is a technique that I've used when I'm stumped. make a class for yourself that installs a script and does some debugging. we then execute that script in an exec, requiring the class with the script.
  • #43 so here's an example, mine is actually a bit more verbose, but here's a start for y'all. explain the lsof and what's going on. and the output, you can see what I'm looking for..
  • #44 ok break it down we use an inline template lets go through how that part works. we take that scope object, translate to hash use the reject function to remove the entries that are not strings place that all into the vars variable now take vars and sort it, go through each variable and print them one per line. so what does this look like ← next slide
  • #45 this is very useful for knowing what the value of everything is at this moment. but when you are working with puppet you have to remember, even though you define something near something else, there's no guarantee that they are executed near each other ← next slide
  • #46 i've seen this a few times, it stumps people.
  • #49 here are the slides, again, please comment