Hi,
I am currently looking to move away from node inheritance towards hiera,
and I have a question how to achieve merge/overloading functionality with
hiera.
I have written an elaborate example below, but let me just quickly
summarize all that into a question:
With hiera:
- How would you go about when certain nodes need data merged from all
scopes, but other nodes need data from just the last scope?
- What backend would you use?
- How would you best mimic the behaviour or node inheritance (regarding
array appends and replacements)?
- Probably I am looking towards custom backend, right? :)
Thank you for your opinions,
b.
Full example goes like this:
- there is a 'tpl_base' node template definition with all default variables
- there is a 'tpl_base_dc1' node template which appends to inherited values
from 'tpl_base'
- there is a 'tpl_base_dc1_special' node template which REPLACES certain
values from 'tpl_base_dc1'
Let's implement this with node inheritance:
-----------------------------------------------------------------------------------------
node 'tpl_base'
{
#...(other vars)...
$syslog_servers = [ '9.9.9.51', '9.9.9.52' ] # Global syslog servers
}
node 'tpl_base_dc1'
inherits 'tpl_base'
{
#...(other vars)...
$syslog_servers += [ '1.1.1.53', '1.1.1.54' ] # Additional syslog
servers for nodes in DC1
}
node 'tpl_base_dc1*_special*'
inherits 'tpl_base_dc1'
{
#...(other vars)...
$syslog_servers = [ '1.1.1.55', '1.1.1.56' ] *# REPLACE syslog
servers (note the = vs += operator)*
}
node 'srv-0.no-dc'
inherits 'tpl_base'
{
include 'syslog_ng'
}
node 'srv-1.dc1'
inherits 'tpl_base_dc1'
{
include 'syslog_ng'
}
node 'srv-2-special.dc1'
inherits 'tpl_base_dc1_special'
{
include 'syslog_ng'
}
-----------------------------------------------------------------------------------------
The result is:
- nodes from all datacenters log to 9.9.9.51 and 9.9.9.52 syslog servers
- nodes from dc1 additionaly log to dc1-specific logservers, 1.1.1.53 and
1.1.1.54
- SPECIAL nodes from dc1 log do specially designated log servers (.55 and
.56) and not to other log servers (consider they are logging
security-sensitive data which must not be visible on common log servers
- this aligns neatly with module/class definitions, as they do not have to
care about how data arrays are costructed (defined, appended, replaced,
whatever), they just use whatever is given to them
Now lets remodel this into hiera scopes:
-----------------------------------------------------------------------------------------
# /etc/hiera.yaml
--- :hierarchy:
- "%{::clientcert}"
- "tpl_%{::domain}" <-- one way to include dcX-specific configuration
- "tpl_base"
# tpl_base.yaml
syslog_servers:
- 9.9.9.51
- 9.9.9.52
# tpl_dc1.yaml
syslog_servers:
- 1.1.1.53
- 1.1.1.54
# tpl_dc1-special.yaml
syslog_servers:
- 1.1.1.55
- 1.1.1.56
-----------------------------------------------------------------------------------------
When data is ported into hiera, there are two options available for
retrieving data:
a) hiera()
b) hiera_merge()
These would be the results:
1. hiera() would work fine for srv-0.no-dc (just global syslog servers)
2. hiera() would work fine for srv-2-special (just specific servers for
special nodes)
3. hiera_merge() would work fine for srv-0
4. hiera_merge() would work fine for srv-1 (merges base and dc1-specific
syslog servers)
5. hiera() would NOT work fine for srv-1 (gets just dc1-specific syslog
servers, as it is the most specific match)
5. hiera_merge() would NOT work fine for srv-2 (gets ALL syslog servers,
despite only last two being a reqirement)
Problematic are last two cases, which (as it seems) are not supported with
current hiera backends. Or am I wrong?
b.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/7205e414-506f-41b4-8c5d-c1e0a9da1d4e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
