Ask Your Question

Is there a way to see the final output of a file built in puppet?

asked 2017-09-22 09:23:29 -0500

DundieDude gravatar image

My environment is inherited and large. It covers thousands of machines and is complex, unclear or unnatural dependancies and circular logic are not strange problems to run into.

We build significant numbers of apache confs out of puppet using bits and pieces of different files from different places. This makes it very easy to place a directive at the wrong place in a file, that exact scenario recently caused an outage.

I'd like to be able to see a list of compiled files before they make it to the host, so that I can verify them externally from puppet through apache configtest, code review, or other methods.

I've looked at puppet master --compile hostname but I really need something that would just put together raw files, as this could be used to clean up many, many other things in my environment.

Any idea?

edit retag flag offensive close merge delete


I did something similar to what you are trying to do a while back In my class I checked the syntax of a new named.conf file before allowing my name servers to use it.

Red Cricket gravatar imageRed Cricket ( 2017-09-22 20:50:21 -0500 )edit

Oh yea, I overlooked the 'validate' parameter!

DarylW gravatar imageDarylW ( 2017-09-23 23:11:04 -0500 )edit

@DarylW What's a validate parameter. Sounds very useful!

Red Cricket gravatar imageRed Cricket ( 2017-09-23 23:18:10 -0500 )edit

DarylW gravatar imageDarylW ( 2017-09-25 11:25:26 -0500 )edit

2 Answers

Sort by » oldest newest most voted

answered 2017-09-22 14:37:40 -0500

DarylW gravatar image

updated 2017-09-25 11:28:35 -0500

There are several ways to accomplish this. One example was discussed at PuppetConf 2017. Slides - Video - In that case, they use their octocatalog-diff tool to create the catalog based on facts from either a pre-canned set, or getting them from other servers that are available, to see the effect of any changes that they've made in their PR, and diff them against other configurations (different servers, previously commit, etc)

You also could probably create a rake tasks that would create the files you need to compare as build artifacts, and reference them appropriately in your tools. When writing rspec-puppet tests, it does generate the catalog and the contents of any files (from templates or otherwise) that you can access.

-- UPDATE --

If you want to verify that a file is syntactically 'correct' before letting puppet replace it, you can use the validate_cmd parameter on the file resource. From the docs


A command for validating the file’s syntax before replacing it. If Puppet would need to rewrite a file due to new source or content, it will check the new content’s validity first. If validation fails, the file resource will fail.

This command must have a fully qualified path, and should contain a percent (%) token where it would expect an input file. It must exit 0 if the syntax is correct, and non-zero otherwise. The command will be run on the target system while applying the catalog, not on the puppet master.

file { '/etc/apache2/apache2.conf':
  content      => 'example',
  validate_cmd => '/usr/sbin/apache2 -t -f %',

This would replace apache2.conf only if the test returned true.

Note that if a validation command requires a % as part of its text, you can specify a different placeholder token with the validate_replacement attribute.

edit flag offensive delete link more


Thank you very much for both of your answers, you've sent me down a very good path. I very much appreciate it.

DundieDude gravatar imageDundieDude ( 2017-09-25 12:09:06 -0500 )edit

answered 2017-09-24 03:58:23 -0500

Henrik Lindberg gravatar image

I can recommend the catalog-preview tool from Puppet Inc for diffing catalogs. You can run that for one or multiple nodes at once and get both aggregate and detailed views of the result. You find it on the forge.

edit flag offensive delete link more



This is a good answer and I've learned a lot about a bunch of different catalog diffing tools because of it. octocatalog-diff from gtihub is also a very good utility.

DundieDude gravatar imageDundieDude ( 2017-09-25 12:10:41 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2017-09-22 09:23:29 -0500

Seen: 66 times

Last updated: Sep 25