For Puppet Enterprise to function correctly, all of your nodes should be sending reports to the primary server via PuppetDB (at intervals) and be connected to the orchestrator (persistently). If they aren’t, it indicates communication or configuration issues. You can check whether nodes that are actively sending reports are connected to the orchestrator by querying the Orchestrator inventory endpoint.
Version and installation information
PE version: All supported versions
Solution
If more nodes are sending reports to the primary via PuppetDB than are connected to the orchestrator, it might indicate that there are firewall rules preventing orchestrator communication or that one of the brokers can’t connect to orchestration services on the primary server. If many nodes are connected to the orchestrator service, but don’t send reports to the primary server via PuppetDB, either the nodes are not connected to PuppetDB, or they are not sending report information.
Before you can check which nodes are connected to orchestration services, you must:
- Install jq, a lightweight JSON command line processor.
  Note: We cannot troubleshoot third-party software.
- Have a token with orchestrator permissions at the following location:
  `~/.puppetlabs/token`
Get a list of all nodes that are sending reports to PuppetDB that are connected to orchestration services
On the primary server, run
`comm -12 <(puppet query 'nodes[certname] {deactivated is null and expired is null}' | jq -r '.[].certname' | sort) <(curl -s -k -X GET https://localhost:8143/orchestrator/v1/inventory -H "X-Authentication:$(cat ~/.puppetlabs/token)" | jq -r '.items[].name' | sort)`
Get a list of all nodes sending reports to PuppetDB that are not connected to orchestration services
On the primary server, run
`comm -23 <(puppet query 'nodes[certname] {deactivated is null and expired is null}' | jq -r '.[].certname' | sort) <(curl -s -k -X GET https://localhost:8143/orchestrator/v1/inventory -H "X-Authentication:$(cat ~/.puppetlabs/token)" | jq -r '.items[].name' | sort)`
Get a list of all expired nodes not sending reports to PuppetDB that are connected to orchestration services
On the primary server, run
`comm -23 <(curl -s -k -X GET https://localhost:8143/orchestrator/v1/inventory -H "X-Authentication:$(cat ~/.puppetlabs/token)"| jq -r '.items[].name' | sort) <(puppet query 'nodes[certname] {deactivated is null and expired is null} ' | jq -r '.[].certname' | sort)`
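The three comparisons above in a single pass, as an added example that is not part of the original article or Puppet's own tooling. It goes slightly beyond the one-liners by using `curl --fail`, so a rejected token or other HTTP error stops the run instead of being read as "no nodes connected"; the function names and the sample host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling. live_report needs puppet, curl and
# jq on the primary server; classify_nodes needs only sort, comm and sed.
TOKEN_FILE="${TOKEN_FILE:-$HOME/.puppetlabs/token}"
INVENTORY_URL="https://localhost:8143/orchestrator/v1/inventory"

# Print orchestrator-connected node names. --fail turns an HTTP error (for
# example a rejected token) into a non-zero exit instead of an empty list.
fetch_orchestrator() {
    body=$(curl -s -k --fail -X GET "$INVENTORY_URL" \
        -H "X-Authentication:$(cat "$TOKEN_FILE")") || return 1
    printf '%s\n' "$body" | jq -r '.items[].name'
}

# Print active PuppetDB certnames (same query as the article's commands).
fetch_puppetdb() {
    body=$(puppet query \
        'nodes[certname] {deactivated is null and expired is null}') || return 1
    printf '%s\n' "$body" | jq -r '.[].certname'
}

# classify_nodes PUPPETDB_LIST ORCH_LIST: print "<state> <name>" per node.
classify_nodes() {
    tmp=$(mktemp -d) || return 1
    LC_ALL=C sort -u "$1" > "$tmp/db"
    LC_ALL=C sort -u "$2" > "$tmp/orch"
    LC_ALL=C comm -12 "$tmp/db" "$tmp/orch" | sed 's/^/both /'
    LC_ALL=C comm -23 "$tmp/db" "$tmp/orch" | sed 's/^/reports_only /'
    LC_ALL=C comm -13 "$tmp/db" "$tmp/orch" | sed 's/^/orchestrator_only /'
    rm -rf "$tmp"
}

# Fetch both lists once; stop rather than compare against a failed request.
live_report() {
    work=$(mktemp -d) || return 1
    fetch_puppetdb > "$work/db" && fetch_orchestrator > "$work/orch" ||
        { echo "fetch failed; not comparing" >&2; rm -rf "$work"; return 1; }
    classify_nodes "$work/db" "$work/orch"
    rm -rf "$work"
}

# Constructed sample lists (not real nodes) so the comparison runs offline.
sample=$(mktemp -d)
printf '%s\n' web01.example.com db01.example.com app01.example.com > "$sample/db"
printf '%s\n' db01.example.com old01.example.com web01.example.com > "$sample/orch"
classify_nodes "$sample/db" "$sample/orch"
rm -rf "$sample"
```

On the primary server, call `live_report` after loading these functions; an empty orchestrator list from a successful request is still reported, since that is itself a valid finding.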