On 06/07/12 18:44, DEGREMONT Aurelien wrote: > Le 06/07/2012 18:27, Luke Kanies a écrit : >> On Jul 6, 2012, at 9:24 AM, DEGREMONT Aurelien wrote: >> >>> Le 06/07/2012 18:07, Luke Kanies a écrit : >>>> On Jul 6, 2012, at 1:40 AM, DEGREMONT Aurelien wrote: >>>> >>>>> Le 05/07/2012 19:00, Daniel Pittman a écrit : >>>>>> That would ... probably not show a lot of short-term performance gain >>>>>> for you. The static compiler, >>>>>> >>>>> We tested (and proposed some fixes (pull request #769)) and that looks >>>>> interesting but static compiler as some bad side effect which are >>>>> removing some nice aspect of Puppet. >>>>> >>>>> We like that Puppet, through fileserver, can filter file access based on >>>>> the certificate information. We use it to strictly prevent client to >>>>> access files they should not. >>>>> With static compiler, puppet agent is now accessing file through the >>>>> filebucket which does not have such separation. Any client can access all >>>>> files in the filebucket we cannot filter this. >>>>> It could be nice if static compiler can insert file metadata checksum the >>>>> catalog as it already does to reduce agent/master traffic but still keep >>>>> a file source that agent can use to retrieve file from the fileserver >>>>> when needed. >>>> In order to retrieve a file from a filebucket, you must first know the >>>> checksum of that file's content, and to know that, you must (generally) >>>> know the actual content. >>> We can list the filebucket content (ticket #4871). File bucket is much more >>> usefull with that. >>> But you can also bruteforce the filebucket and get all its content. >> Ah. Well that makes it a bit less useful as a security mechanism, doesn't >> it? > That's why we rely on fileserver only, not a remote filebucket (without > static compiler). >>> Filebucket is much nicer for that. This is one the reason we chose to use >>> Puppet. Anyway, It does not seem very difficult to return in the catalog, >>> the sourcelist AND the computed checksum, instead of only one of those >>> (depending on static compiler behing enabled or not). The puppet agent can >>> check the checksum and retrieve the file from the fileserver as it does >>> usually. It seems 99 % of the code is already there :) just a mix of both >>> mode :) >> I expect we'd accept that patch, but it would likely defeat the point of the >> static compiler, unless you verified the file contents when the file got >> downloaded (to confirm the URL contents hadn't changed). > No, Puppet uses a lot of RPC to ask for each metadata of each file it has to > take care from the catalog. Most of the > time, 95 % of your file are already up to date. They do not have changed > since the latest puppet run. > With static compiler, the file metadata is already known to the agent and you > can avoid 95 % of those requests. That's a > lot! Even more if you have 5000 agents like us.
The counterpart is that your compilation will now take ages (ie you'll have to compute those checksums during compilation). Your clients might timeout. In a more general way, it would be great to have a lighter checksum (ie mtime/size) tried before resorting to md5... -- Brice Figureau My Blog: http://www.masterzen.fr/ -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To post to this group, send email to puppet-dev@googlegroups.com. To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.
