Ask Your Question

Creating custom facts: how to access the 'trusted' hash?

asked 2015-10-12 14:07:04 -0600

kmizser gravatar image

updated 2015-10-12 14:09:30 -0600

I'm setting up some custom facts in the modules/facts/lib/facter directory and I want to access the 'trusted' hash that contains the trusted/verified node data. However I can't seem to find a way to access that it available in that scope?

Here's what I'm trying to do:

Facter.add("mpenvironment2") do
  setcode do
    mpenv = trusted['certname'].split("-").last
    case mpenv
    when /qa/
    when "prod"
    when "dev"
    when "stg"

but I get this error: Error: Facter: error while resolving custom fact "mpenvironment2": undefined local variable or method `trusted' for #<facter::util::resolution:0x00000004d35320> I'm using puppet-agent-1.2.5 and puppetserver-2.1.1

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2016-11-17 11:09:57 -0600

geoff_williams gravatar image

I ran into this issue today and this question was the only useful thing I could find in google. I did some digging through the Puppet and Facter source code, in a nutshell:

  • Trusted Facts aren't defined in the Facter source code at all (no match for grep -i trusted)
  • Trusted facts get setup inside the main Puppet source code instead, in the Puppet::SSL::Certificate by the looks of things
  • I'd be cautious around instantiating or otherwise messing with this private and undocumented API for fear of competing with upstream changes or introducing agent-side memory leaks
  • Some of the trusted facts, notably 'certname' are available in the puppet settings hash and can be used directly (puppet config print on the command line to see what's available), eg:


  • The easiest and safest way to get hold of the trusted facts is to directly read the agent certificate into a variable using openssl and then use something like awk to pick out the information you need, eg:

    certname = Facter::Core::Execution.exec( "openssl x509 -text < #{Puppet.settings[:certdir]}/#{Facter.value(:fqdn).downcase}.pem | awk -F'=' '/Subject: CN/ {print $2}'" ).strip

In this example we read the certname which is redundant given access to Puppet.settings[:certname] but we could easily update this code to lookup the custom OIDs


edit flag offensive delete link more

answered 2015-10-12 20:02:00 -0600

lupin gravatar image

YOu can access another facts value using Facter.value('fact_name')

value = Facter.value('trusted['certname'])
mpenv = value.split("-").last
edit flag offensive delete link more


I assume you meant: value = Facter.value('trusted')['certname'] but this gives me the following error: Error: Facter: error while resolving custom fact "mpenvironment2": undefined method `[]' for nil:NilClass

kmizser gravatar imagekmizser ( 2015-10-13 12:11:26 -0600 )edit

Facter.value('trusted['certname']') does that give you a result? Test it from irb, e.g lupin-MacBook-Air:useless lupin$ irb irb(main):001:0> require 'puppet' => true irb(main):002:0> Facter.value('hostname') => "lupin-MacBook-Air" irb(main):003:0> Facter.value('hostname').split("-").last => "Air"

lupin gravatar imagelupin ( 2015-10-13 13:39:48 -0600 )edit

No, that doesn't work: irb(main):004:0> Facter.value('trusted["certname"]') => nil I believe the 'trusted' hash is not a true fact, according to the docs they are variables that puppet generates, so I'm not sure we can use the Facter.value call here.

kmizser gravatar imagekmizser ( 2015-10-14 17:34:55 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2015-10-12 14:07:04 -0600

Seen: 1,396 times

Last updated: Nov 17 '16