Dear John,

I tried as you suggested but I think I'm doing something wrong.

I can also see this line is the same:
  $service_modules = hiera_array('service_modules')

Is it correct?

Where do I define the array of modules, where you write service_modules?

Regards.


manifests/site.pp:
--------
node somenode {
  $service_modules = hiera_array('service_modules')

  include $service_modules
  include firewall
}

modules/firewall/manifests/init.pp
--------
class firewall {
  $service_modules = hiera_array('service_modules')
  # other classes
  file { 'firewall-rules-filename':
    # other properties
    # template() paths are module-relative (<module>/templates/<file>),
    # so the template in modules/firewall/templates/ is 'firewall/config.erb'
    content => template('firewall/config.erb')
  }
}

modules/firewall/templates/config.erb
--------
<% if @service_modules.include?('apache2') -%>
# config-for-apache2
<% end -%>
<% if @service_modules.include?('bind9') -%>
# config-for-bind9
<% end -%>
<% if @service_modules.include?('ssh') -%>
# config-for-ssh
<% end -%>


On Friday, February 15, 2013 16:09:38 UTC+1, jcbollinger wrote:
>
>
>
> On Friday, February 15, 2013 4:18:20 AM UTC-6, Marc Bolós wrote:
>>
>> Dear John,
>>
>> Thanks for your response.
>>
>> Since I have a large environment setup I was trying to automate all 
>> setups from puppet, being as simple as I can.
>>
>> For example, let's think that I have a puppet server and more than 1000 
>> puppet nodes. So I edit nodes.pp and I declare "server1" and I assign it an 
>> "apache2" module, a "bind9" module and an "ssh" module.
>>
>> Once this is working I try and create a shorewall firewall erb template 
>> for its rules file, so that it can automatically detect which modules are 
>> declared on the host, and write the relevant lines in the rules file to 
>> open the appropriate ports depending on that. In this example, the erb 
>> template for shorewall rules would be something like:
>>
>>
>> ################################################################################
>> # This file is centrally maintained by puppet, built from a template located at #
>> # Path to file                                                                  #
>> ################################################################################
>> <% if classes.include?('apache') -%>
>> HTTP(ACCEPT)    net    $FW
>> <% end -%>
>> <% if classes.include?('bind') -%>
>> DNS/ACCEPT net $FW
>> <% end -%>
>> <% if classes.include?('ssh') -%>
>> SSH/ACCEPT   net:someips       $FW
>> <% end -%>
>>
>> But this does not work for me. Could you provide me another clean and 
>> smart way of achieving that? (Our goal would be not having to declare the 
>> whole bunch of servers more than once, even in the nodes.pp file or in any 
>> other place).
>>
>>
>>
>>
>> On Thursday, February 14, 2013 17:35:50 UTC+1, Marc Bolós wrote:
>>>
>>> Dear,
>>>
>>> I've been using puppet for some time now. Usually when I have a problem 
>>> I read all documentation referring to the problem I have.
>>>
>>> Recently I was trying to write a puppet erb template, that checks if 
>>> host has one class defined, and if it has then writes some text to cron.
>>>
>>> After a lot of googling, I found that the best way to do this was:
>>>
>>> <% if classes.include?( 'class1' ) -%>
>>> Some text
>>> <% end -%>
>>>
>>> And this worked.
>>>
>>> But when I try on the same erb file to look for other classes, then it 
>>> only processes 1:
>>> <% if classes.include?( 'class1' ) -%>
>>> Some text
>>> <% end -%>
>>> <% if classes.include?( 'class2' ) -%>
>>> Blah Blah Blah
>>> <% end -%>
>>>
>>> I can find only "Some text" inside the file. But this host has class2 also 
>>> declared. If I remove the if classes.include of class1, and leave only the class2 
>>> text, then I can see the text of class2.
>>>
>>> Did anyone have this issue before?
>>>
>>> Thanks for your time.
>>>
>>>
>
> There are basically two good ways to approach this:
>
>    1. Have your service modules (apache2, bind9, ssh) each export an 
>    appropriate fragment of the FW configuration (using fragment resource 
>    types provided by the Puppet::Concat add-in module), or
>    2. use the same data or logic by which you chose to include those 
>    modules on a given node in the first place to drive which sections are 
>    included in the FW config file.
>
> If there are nodes on which you do not configure a firewall, then as a 
> variation on option (1), you can declare the fragments as virtual 
> resources, to be realized only on those nodes with FW.
>
> There are a lot of ways you could do (2), but one might be
>
> manifests/site.pp:
> --------
> node somenode {
>   $service_modules = hiera_array('service_modules')
>
>   include $service_modules
>   include firewall
> }
>
> modules/firewall/manifests/init.pp
> --------
> class firewall {
>   $service_modules = hiera_array('service_modules')
>   # other classes
>   file { 'firewall-rules-filename':
>     # other properties
>     # template() paths are module-relative (<module>/templates/<file>),
>     # so the template in modules/firewall/templates/ is 'firewall/config.erb'
>     content => template('firewall/config.erb')
>   }
> }
>
> modules/firewall/templates/config.erb
> --------
> <% if @service_modules.include?('apache2') -%>
> # config-for-apache2
> <% end -%>
> <% if @service_modules.include?('bind9') -%>
> # config-for-bind9
> <% end -%>
> <% if @service_modules.include?('ssh') -%>
> # config-for-ssh
> <% end -%>
>
>
> Yes, that template looks a lot like your original.  The key difference is 
> the data source on which it is drawing: not a list of classes that *have 
> been* assigned by that point in the catalog compilation process, but 
> rather a list of relevant classes that *will have been* assigned by the 
> end of catalog compilation.  Furthermore, it's all based on the same 
> data, so there is no risk of your module list falling out of sync with your 
> firewall config.
>
> Although I use hiera in the example, I hope you recognize that that's an 
> implementation detail (albeit a convenient one), not an essential element.
>
>
> John
>
>
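The following is an added, complete example of John's option (2), written to answer the "where do I define the array?" question in this message; it is not code posted by Marc or John. It assumes a Puppet 3-era hiera v3 layout under /etc/puppet, a constructed node name server1.example.com, a Shorewall rules file at /etc/shorewall/rules, a hypothetical firewall::ssh_sources key, and the difference() and empty() functions from puppetlabs-stdlib. The hiera YAML files are shown as comments so the whole thing fits one listing.

```puppet
# ---- /etc/puppet/hiera.yaml (assumed location; hiera v3 syntax) ----
# :backends:
#   - yaml
# :hierarchy:
#   - "nodes/%{::fqdn}"
#   - common
# :yaml:
#   :datadir: /etc/puppet/hieradata

# ---- /etc/puppet/hieradata/nodes/server1.example.com.yaml (constructed) ----
# service_modules:
#   - apache2
#   - bind9
# firewall::ssh_sources: '192.0.2.0/24'

# ---- /etc/puppet/hieradata/common.yaml (constructed) ----
# service_modules:
#   - ssh

# ---- manifests/site.pp ----
node default {
  # hiera_array() merges the arrays found at every hierarchy level, so
  # server1 gets [apache2, bind9, ssh] and a node with no node-specific
  # file gets just [ssh]. No node needs to be listed twice anywhere.
  $service_modules = hiera_array('service_modules')

  include $service_modules
  include firewall
}

# ---- modules/firewall/manifests/init.pp ----
class firewall {
  # The same hiera key that chose the classes above drives the rules file,
  # so the installed services and the opened ports cannot drift apart.
  $service_modules = hiera_array('service_modules')

  # Hypothetical key: restrict SSH to management sources rather than 'net'.
  $ssh_sources = hiera('firewall::ssh_sources')

  # Fail closed: a service name with no matching rule below is either a typo
  # or an unhandled daemon. Aborting the catalog is safer than silently
  # installing a service whose traffic is not covered by the rules file.
  $known   = ['apache2', 'bind9', 'ssh']
  $unknown = difference($service_modules, $known)   # puppetlabs-stdlib
  if ! empty($unknown) {
    fail("firewall: no rule defined for service modules ${unknown}")
  }

  file { '/etc/shorewall/rules':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    # template() paths are module-relative: firewall/templates/rules.erb
    content => template('firewall/rules.erb'),
  }
}

# ---- modules/firewall/templates/rules.erb ----
# <%# @service_modules and @ssh_sources come from class firewall above %>
# #ACTION         SOURCE                        DEST
# <% if @service_modules.include?('apache2') -%>
# HTTP(ACCEPT)    net                           $FW
# <% end -%>
# <% if @service_modules.include?('bind9') -%>
# DNS(ACCEPT)     net                           $FW
# <% end -%>
# <% if @service_modules.include?('ssh') -%>
# SSH(ACCEPT)     net:<%= @ssh_sources %>       $FW
# <% end -%>
```

To check the data side without running an agent, `hiera -c /etc/puppet/hiera.yaml -a service_modules ::fqdn=server1.example.com` prints the merged array the node will see; if it is empty or missing, the template cannot render any section, which is the usual cause of "I see only one block" once the `classes` lookup has been replaced.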

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.