API query tutorial

See the curl tips page for more information about constructing curl commands.

Without SSL:

curl -X GET http://puppetdb.example.com:8080/pdb/query/v4/resources \
  --data-urlencode query@<FILENAME>

curl -X POST http://puppetdb.example.com:8080/pdb/query/v4/resources \
  -H 'Content-Type:application/json'
  -d '{"query":["=","certname","foo.com"]}'

This requires that PuppetDB be configured to accept non-SSL connections. By default, it will only accept unencrypted traffic from localhost.

With SSL:

curl -X GET https://puppetdb.example.com:8081/pdb/query/v4/resources \
  --tlsv1 \
  --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem \
  --cert /etc/puppetlabs/puppet/ssl/certs/thisnode.pem \
  --key /etc/puppetlabs/puppet/ssl/private_keys/thisnode.pem \
  --data-urlencode query@<FILENAME>

This requires that you specify a certificate (issued by the same CA PuppetDB trusts), a private key, and a CA certificate.

In both examples, <filename> should be a file that contains the query to execute.

The PuppetDB terminus includes the puppetdb_query function, which can be used to query PuppetDB from within a Puppet manifest. For example,

$debian_nodes_query = '["from", "nodes", ["=", ["fact", "operatingsystem"], "Debian"]]'
$debian_nodes = puppetdb_query($debian_nodes_query).each |$value| { $value["certname"] }
Notify {"Debian nodes":
    message => "Your debian nodes are ${join($debian_nodes, ', ')}",
}

Let's start by taking a look at a simple resource query. Suppose we want to find the user "nick" on every node. We can use this query:

["and",
  ["=", "type", "User"],
  ["=", "title", "nick"]]

This query has two "=" clauses, both of which must be true.

In general, the "=" operator follows a specific structure:

["=", <attribute to compare>, <value>]

In this case, the attributes are "type" and "title", and the values are "User" and "nick".

The "and" operator also has a well-defined structure:

["and", <query clause>, <query clause>, <query clause>, ...]

The query clauses can be any legal query (including another "and"). At least one clause must be specified, and all the clauses must be true for the "and" clause to be true. An "or" operator is also available, which looks just like the "and" operator, except that, as you'd expect, it's true if any specified clause is true.

The query format is declarative: it describes conditions the results must satisfy, not how to find them. This means that the order of the clauses is irrelevant.

You can list either the type clause or the title clause first without impacting the performance or the results of the query.

If we execute this query against the /resources route, and assuming that we're using the production environment, we get results that look something like this:

[{
  "parameters" : {
    "comment" : "Nick Lewis",
    "uid" : "1115",
    "shell" : "/bin/bash",
    "managehome" : false,
    "gid" : "allstaff",
    "home" : "/home/nick",
    "groups" : "developers",
    "ensure" : "present"
  },
  "line" : 111,
  "file" : "/etc/puppetlabs/code/environments/production/manifests/user.pp",
  "exported" : false,
  "tags" : [ "firewall", "default", "node", "nick", "role::base", "users", "virtual", "user", "account", "base", "role::firewall::office", "role", "role::firewall", "class", "account::user", "office", "virtual::users", "allstaff" ],
  "title" : "nick",
  "type" : "User",
  "resource" : "0ae7e1230e4d540caa451d0ade2424f316bfbf39",
  "certname" : "foo.example.com"
}]

Our results are an array of "resources", where each resource is an object with a particular set of keys.

• parameters: this field is itself an object, containing all the parameters and values of the resource

• line: the line the resource was declared on

• file: the file the resource was specified in

• exported: true if the resource was exported by this node, or false otherwise

• tags: all the tags on the resource

• title: the resource title

• type: the resource type

• resources: this is an internal identifier for the resource used by PuppetDB

• certname: the node that the resource came from

There will be an entry in the list for every resource. A resource is specific to a single node, so if the resource is on 100 nodes, there will be 100 copies of the resource (each with at least a different certname field).

We know this instance of the user "nick" is defined on line 111 of /etc/puppetlabs/code/environments/production/manifests/user.pp. What if we want to check whether or not we define the same resource somewhere else? After all, if we're repeating ourselves, something may be wrong! Fortunately, there's an operator to help us:

["and",
  ["=", "type", "User"],
  ["=", "title", "nick"],
  ["not",
    ["and",
      ["=", "file", "/etc/puppetlabs/code/environments/production/manifests/user.pp"],
      ["=", "line", 111]]]]

The "not" operator wraps another clause, and returns results for which the clause is not true. In this case, we want resources which aren't defined on line 111 of /etc/puppetlabs/code/environments/production/manifests/user.pp.

So far we've seen that we can query for resources based on their certname, type, title, file, and line. There are a few more available:

["and",
  ["=", "tag", "foo"],
  ["=", "exported", true],
  ["=", ["parameter", "ensure"], "present"]]

This query returns resources whose set of tags contains the tag "foo", and which are exported, and whose "ensure" parameter is "present". Because the parameter name can take any value (including that of another attribute), it must be namespaced using ["parameter", <parameter name>].

For easy reference, the full set of queryable attributes can be found in the resource endpoint documentation.

What if we want to restrict our results to a certain subset of nodes? We could use something like this:

["or",
  ["=", "certname", "www1.example.com"],
  ["=", "certname", "www2.example.com"],
  ["=", "certname", "www3.example.com"]]

And this works great if we know exactly the set of nodes we want. But what if we want all the 'www' servers, regardless of how many we have? In this case, we can use the regular expression match operator ~:

["~", "certname", "www\\d+\\.example\\.com"]

Because our regular expression is specified inside a string, the backslash characters must be escaped. The rules for which constructs can be used in the regular expression depend on which database is in use, so common features should be used for interoperability. The regular expression operator can be used on every field of resources except for parameters and exported.

In the last query, we saw that a "fact" consists of a "certname", a "name", and a "value". As you might expect, we can query using "name" or "value".

["and",
  ["=", "name", "operatingsystem"],
  ["=", "value", "Debian"]]

This will find all the "operatingsystem = Debian" facts, and their corresponding nodes. As you see, "and" is supported for facts, as are "or" and "not".

As with resources, facts also support the ~ regular expression match operator for all their fields. In addition, numeric comparisons are supported for fact values:

["and",
  ["=", "name", "uptime_seconds"],
  [">=", "value", 100000],
  ["<", "value", 1000000]]

This will find nodes for which the "uptime_seconds" fact is in the range 100000 to 1000000. Numeric comparisons will always be false for fact values which are not numeric. Importantly, version numbers such as 2.6.12 are not numeric, and numeric comparison operators can't be used with them at this time.

Nodes can also be queried based on their facts, using the same operators as for fact queries:

["and",
  ["=", ["fact", "operatingsystem"], "Debian"],
  ["<", ["fact", "uptime_seconds"], 10000]]

This will return Debian nodes with "uptime_seconds" less than 10,000.