Grouping and classifying nodes
Configure nodes by assigning classes, parameters, and variables to them. This is called classification.
- Create node groups to contain nodes and preferences (classes, parameters, and variables) you want to apply to nodes in the group. Make sure you understand the Best practices for classifying node groups and the difference between Environment versus classification node groups.
- Add nodes to groups.
- Declare classes and Define data used by node groups. You might need to Enable data editing in the console.
Nodes can belong to multiple node groups, and they inherit classes, class parameters, and variables from all node groups they belong to.
After classifying nodes, you can View nodes in a node group and Make changes to node groups.
How node group inheritance works
Node groups are organized in a parent-child-grandchild hierarchy. When added to a group, nodes inherit classes, parameters, variables, and rules from their immediate node group and the group's ancestors.
- Classes: If a class is declared in an ancestor node group, the class is inherently declared in all node groups descending from that group.
-
Class parameters and variables:
Descendant node groups inherit class parameters and variables from ancestors unless a
different value is set in a descendant node group. CAUTION: Because nodes can belong to multiple groups in separate hierarchies, it’s possible for two node groups to contribute conflicting variable or class parameter values. Conflicting values cause Puppet runs on agent nodes to fail.
- Dynamic node group rules: To belong to a group, a node must match all rules in the immediate group and the rules in the ancestor groups. Use rule inheritance to refine group membership: Create broad rules for parent groups (such as an OS family) and more specific rules for the child groups that refine the parent group rules (such as specific platforms or versions). This way you can take a large, generic set of nodes and filter them into specific child groups.
group-children
endpoint to review group lineage.Best practices for classifying node groups
To organize node groups, start with the high-level functional groups that reflect the business requirements of your organization, and work down to smaller segments within those groups.
For example, if a large portion of your infrastructure consists of web servers, create a node group called web servers and add any classes that need to be applied to all web servers.
Next, identify subsets of web servers that have common characteristics but differ from other subsets. For example, you might have production web servers and development web servers. So, create a dev web child node group under the web servers node group. Nodes that match the dev web node group get all of the classes in the parent node group in addition to the classes assigned to the dev web node group.
Environment versus classification node groups
Environment node groups assign environments to nodes, such as test
, development
, or
production
.
- Must correspond to a Git branch in a control repo you want to use for targeted code deployments. The Git branch and environment group must have the same name.
- Must be a child of the All Environments node group (or whichever is the highest-level environment node group in your installation). Furthermore, your environment node groups, themselves, must not have any child groups, except one-time run exception subgroups used for canary testing.
- Must not include classes or configuration data.
Classification node groups assign classification data to nodes, including classes, parameters, and variables. A node can belong in more than one classification group.
- Must be a child of All Nodes or another classification group.
- Must not be specified as an environment group in the group metadata.
Create node groups
Use the console to create node groups to assign either an environment or classification.
Create environment node groups
Create custom environment node groups so you can target Puppet code deployments.
Create classification node groups
Classification node groups assign classification data to nodes.
Add nodes to a node group
There are two ways to add nodes to a node group.
You can Statically add individual nodes to a node group or use fact-based rules to Dynamically add nodes to a node group. With dynamic node group rules, Puppet Enterprise (PE) automatically adds and removes nodes from your groups based on the rules you set, whereas you must manually add or remove static (pinned) nodes.
If you expect a node to belong to multiple node groups, make sure you understand How node group inheritance works. If nodes inherit conflicting values from different groups, then Puppet runs on agent nodes fail.
Statically add nodes to a node group
You can pin individual nodes to node groups.
If you need to add a lot of nodes to a group, it is more useful to Dynamically add nodes to a node group with logical rules that automatically add and remove nodes from your node groups. Pinning individual nodes to groups is only recommended if the node group only has a few nodes or if you need to add some specific nodes that weren't captured by the group's dynamic rules.
Pinning a node is the same as creating a rule for certname =
<EXACT_NODE_CERTNAME>
, and Puppet Enterprise (PE) processes this rule along with the group's other fact-based rules (if there are
any).
- In the console, click Node groups and select the node group that you want to pin the node to.
- On the Rules tab, enter the node's certname in the Certname field.
- Click Pin node and commit changes.
Dynamically add nodes to a node group
Rules are the most powerful and scalable way to include nodes in a node group. Rules use facts to identify nodes to include in a group.
Rules are based on facts, such as operating system, BIOS version, hardware model, UUID, or time zone. In addition to most core facts, you can also use structured and trusted facts for node group rules.
As long as a node matches the node group's rules, the node is included in the group and classified with the node group's classification data (classes, parameters, and variables). If the node changes and no longer matches the node group's rules, the node is no longer considered part of the group, and the node group's classification data no longer applies to the node.
Writing node group rules
To create a dynamic node group rule, you must specify a Fact, Operator, and Value.
These three fields are required to Dynamically add nodes to a node group.
- To descend into a hash, use periods (
.
) to designate path segments, such asos.release.major
ortrusted.certname
. - To specify an item in an array, put square brackets around the item's
numerical index, such as
processors.models[0]
ormountpoints./.options[0]
. - To identify path segments that have periods, dashes, spaces, or UTF
characters, put single or double quotes around the segment, such as
trusted.extensions."1.3.6.1.4.1.34380.1.2.1"
. - To use
trusted.extensions
short names, append the short name after a second period, such astrusted.extensions.pp_role
.
- =: Is
- !=: Is not
- ~: Matches regex
- !~: Does not match regex
- >: Greater than
- >=: Greater than or equal to
- <: Less than
- <=: Less than or equal to
The ~ and !~ operators require a
regular expression (regex) Value and are useful for matching
highly-specific node facts (for example, you want to find nodes with UUIDs starting
with 9999*
)
The Value field describes the relevant Fact value. Depending on the Fact and Operator, the Value can be a string, number, or regular expression.
Together these fields create a logical rule that PE uses to find matching nodes. If you have multiple dynamic rules for one node group, you can choose whether Nodes must match all rules or if Nodes may match any rule to be added to the group.
Using structured and trusted facts for node group rules
Structured facts group related facts, and trusted facts are a type of structured fact.
Structured facts group related facts in a hash or array. For example,
the os
structured fact contains multiple individual facts about
the operating system, such as architecture, family, and release. In the Puppet Enterprise (PE) console, when you view a node's facts, structured facts
are surrounded by curly braces.
Trusted facts are a type of structured fact where the facts are immutable and extracted from a node’s certificate. Because these facts can’t be changed or overridden, trusted facts enhance security by verifying a node’s identity before sending sensitive data in its catalog.
custom_trusted_oid_mapping.yaml
file.Declare classes
Classes are blocks of Puppet code that configure nodes and assign resources to nodes.
Enable data editing in the console
In new Puppet Enterprise (PE) installations, you can, by default,
edit configuration data in the console. If you upgraded from an earlier PE version where you hadn't already enabled editing of
configuration data, you must use Hiera to manually enable Classifier Configuration Data
.
Define data used by node groups
The console offers multiple ways to specify data used in your manifests.
- Set configuration data: Specify values through automatic parameter lookup.
- Set parameters: Specify resource-style values used by a declared class.
- Set variables: Specify values to make available in Puppet code as top-scope variables.
Set configuration data
Configuration data set in the PE console is used for automatic parameter lookup in the same way that Hiera data is used. Console configuration data takes precedence over Hiera data, but you can combine data from both sources to configure nodes.
- You want to override Hiera data. Data set in the console overrides Hiera data when configured as recommended.
- You want to give someone permission to define or edit data, and they don’t have the skill set to do it in Hiera.
- You simply prefer the console user interface.
Set parameters
Parameters are declared resource-style, which means you can use them to override other data; however, this override capability can introduce class conflicts and declaration errors that cause Puppet runs to fail.
Set variables
Variables you set in the console become top-scope variables available to all Puppet manifests.
- In the console, click Node groups and select the node group you want to set a variable for.
- On the Variables tab, enter the name of the variable in the Key field, and enter the value you want to assign to the variable in the Value field.
- Click Add variable and commit changes.
Tips for specifying parameter and variable values
Parameters and variables can be structured as JSON, but, if they can't be parsed as JSON, they're treated as strings.
- Strings (for example,
"centos"
): You can use variable-style syntax, which interpolates the result of referencing a fact (for example,"I live at $ipaddress."
), or expression-style syntax, which interpolates the result of evaluating the embedded expression (for example,${$os"release"}
).Important: Strings must be double-quoted, because single quotes aren't valid JSON.Tip: In the console, to provide a value containing a dollar sign that is not part of variable syntax (such as password hashes), you must use a backslash to escape each dollar sign and disable interpolation. For example, the password hash$1$nnkkFwEc$safFMXYaUVfKrDV4FLCm0/
must be escaped as\$1\$nnkkFwEc\$safFMXYaUVfKrDV4FLCm0/
. - Booleans (for example,
true
orfalse
). - Numbers (for example,
123
). - Hashes (for example,
{"a": 1}
).Important: You must use colons, not hash rockets. - Arrays (for example,
["1","2.3"]
).
Variable-style syntax
Variable-style syntax uses a dollar sign ($
) followed
by a Puppet fact name, such as: "I live at
$ipaddress"
Variable-style syntax is interpolated as the value of the fact. For example,
$ipaddress
resolves to the value of the
ipaddress
fact.
$pe_node_groups
endpoint
variable cannot be interpolated when used as a classifier in class variable
values.You can't use indexing in variable-style syntax because the indices are treated as
part of the string literal. For example, given the following fact:
processors => {"count" => 4, "physicalcount" => 1}
, if
you use variable-style syntax to specify $processors[count]
, the
value of the processors
fact is interpolated and followed by
literally [count]
. After interpolation, the final
value is {"count" => 4,"physicalcount" => 1}[count]
.
::
top-level scope indication
because the console is not aware of Puppet variable
scope.Expression-style syntax
Use expression-style syntax when you need to index into a fact (such as
${$os[release]}
), refer to trusted facts (such as "My
name is ${trusted[certname]}"
), or delimit fact names from strings
(such as "My ${os} release"
).
For example, this expression-style syntax accesses an operating system's full release
number: ${$os"release"}
- An initial dollar sign and curly brace:
${
- A legal Puppet fact name preceded by an optional dollar sign.
- Any number of index expressions. Quotation marks around indices are optional unless the index string contains spaces or square brackets.
- A closing curly brace:
}
Indices in expression-style syntax can be used to refer to trusted facts or to access individual fields in structured facts. Use strings in an index to access keys in a hashmap. If you want to access a particular item or character in an array or string based on the order in which it is listed, you can use a zero-indexed integer.
${os}
${$os}
${$os[release]}
${$os['release']}
${$os["release"]}
-
${$os[2]}
(Being zero-indexed, this accesses the value of the third key-value pair in theos
hash) -
${$osrelease}
(This accesses the value of the third key-value pair in therelease
hash)
${$::os}
{$os[$release]}
${$os[0xff]}
${$os[6/3]}
${$os[$family + $release]}
${$os + $release}
Trusted facts
Trusted facts are considered to be keys of a hashmap called trusted
.
This means that trusted facts must be interpolated using expression-style syntax.
For example, the certname
trusted fact is expressed
as "My name is ${trusted[certname]}"
. Any trusted facts that are
themselves structured facts can have further index expressions to access individual
fields of that trusted fact.
undef
) are not supported.View nodes in a node group
You can view all nodes that currently match the rules specified for a node group.
- In the console, click Node groups and select the node group you want to view.
- Click Matching nodes.
If you use rules to Dynamically add nodes to a node group, matching nodes are determined by facts collected during the nodes' last Puppet runs, and the matching nodes list is updated when dynamic rules are added, deleted, and edited. Because of How node group inheritance works, nodes must match the rules in ancestor node groups, as well as the rules of the current node group, in order to be appear on the matching nodes list.
If you Statically add nodes to a node group, the pinned nodes belong to the group regardless of other rules.