Anyone know if you can recover puppet configuration from a host running an agent? We've found the reformatted yaml file that applied to the host, but not the actual puppet code. With CFengine the client creates a local copy of the config files in its working dir, was hoping puppet did something similar for times when the master(s) are unavailable.

Hands up to schoolboy error - we don't have a backup, this was a dev environment that had been worked on a few weeks. We talked about backups but never got around to implementing, then the VM administrator inadvertently deleted the guest...

Thanks in advance

cachonfinga

1 Answer

The original puppet code cannot be reconstructed as it was, because that might have contained conditionals, selectors, parameterised classes, defines, templates and all manner of puppet-language constructs that generate the catalog YAML you have recovered. You could probably, with some effort, use that YAML to recreate a raw set of puppet manifests that implement precisely what was being applied to that agent, but without any context or structure (i.e. not quite as bad as decompiling a binary back to C, but not as good as decompiling Java byte-code back to Java language).

Craig Miskell
  • Hi Craig, and all, thanks for the comments and replies. Thanks for confirming what we suspected. On the bright side this is an early-stage dev setup, we've not lost that much work and the modules and manifests we had written weren't that complex, we should be able to rebuild fairly quickly. I'll make a suggestion to puppetlabs to ask whether they can copy the config around, if the agent is parsing the config from the server and spitting out the yaml why not keep the original puppet code on the clients? – cachonfinga Jun 09 '15 at 09:55
  • @Rowley pretty simply the reason why this isn't the case is that as Craig said, Puppet isn't just a "config" - it's a rich DSL that can have all manner of language constructs, so it doesn't necessarily "compile" down to a shell script or anything similar. You may be able to ascertain which resources were used, but as far as recompiling the original source manifests, you're on your own - I don't think Puppet ever will (or should) support something like this. – Craig Watson Jun 09 '15 at 20:10
  • The agent isn't parsing the config; all compilation occurs on the puppetmaster, and the resulting YAML is sent to the client (where it is saved for reference). – Craig Miskell Jun 10 '15 at 20:41
  • Not transferring code and data is an essential security feature of Puppet. It is typical for a whole fleet of servers to use the same code base, with huge differences in server roles, and sensitive data being sent exclusively to agents that need it (think SSL private keys etc.) – Felix Frank Jun 12 '15 at 15:17
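
The flat reconstruction described in the answer, sketched in Ruby as an added example; it is not part of the original thread and not Puppet's own tooling. It assumes the recovered catalog has already been reduced to plain `type`/`title`/`parameters` maps, and the sample catalog, `flat_manifest`, `puppet_value` and `quote` are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample catalog (assumed, simplified layout; not a real agent dump).
SAMPLE_CATALOG = <<~YAML
  resources:
    - {type: Class, title: Apache, parameters: {}}
    - type: Package
      title: httpd
      parameters: {ensure: installed}
    - type: File
      title: /etc/httpd/conf.d/site.conf
      parameters: {ensure: file, mode: "0644", require: "Package[httpd]"}
    - type: Service
      title: httpd
      parameters:
        ensure: running
        enable: true
        subscribe: ["File[/etc/httpd/conf.d/site.conf]"]
YAML

# Containers carry structure only; the flat output has no classes to put back.
CONTAINERS = %w[Class Stage].freeze

# Single-quote a string for Puppet, escaping backslashes and quotes.
def quote(str)
  "'" + str.gsub(/[\\']/) { |c| "\\#{c}" } + "'"
end

# Render a catalog value as a Puppet literal; "Type[title]" strings become references.
def puppet_value(value)
  case value
  when nil   then 'undef'
  when Array then "[#{value.map { |v| puppet_value(v) }.join(', ')}]"
  when Hash  then "{ #{value.map { |k, v| "#{puppet_value(k)} => #{puppet_value(v)}" }.join(', ')} }"
  when String
    ref = value.match(/\A([A-Z][\w:]*)\[(.+)\]\z/)
    ref ? "#{ref[1]}[#{quote(ref[2])}]" : quote(value)
  else value.to_s # booleans and numbers
  end
end

# Emit one resource declaration per catalog resource, in catalog order.
def flat_manifest(catalog_yaml)
  resources = YAML.safe_load(catalog_yaml).fetch('resources')
  resources.reject { |r| CONTAINERS.include?(r['type']) }.map do |res|
    params = res['parameters'] || {}
    width = params.keys.map(&:length).max.to_i
    body = params.map { |k, v| "  #{k.ljust(width)} => #{puppet_value(v)},\n" }.join
    "#{res['type'].downcase} { #{quote(res['title'])}:\n#{body}}\n"
  end.join("\n")
end

puts flat_manifest(SAMPLE_CATALOG) if __FILE__ == $PROGRAM_NAME
```

The output contains every parameter value that was sent to that agent, including any keys or passwords in the catalog, so handle the recovered file and the generated manifest as sensitive material.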