[Puppet Users] Roles / profile pattern , inquire on how you handle some specific situations

2014-02-09 Thread JuanBrein


I've been using puppet at different companies and implementing the roles / 
profile pattern at some of them.

In theory the pattern works very well but in practice I usually face 
challenges that I sort out implementing my own designs / solutions. I would 
like to know how you guys deal with that in case you do.

Say you have a typical LAMP stack and you have to deploy a web app so my 
classes would look something like this (super simplified version):

*Modules:*

class apache {
  # puppetlabs class
}
class mysql {
  # puppetlabs class
}
etc.

*Profile*:

class profile::webapp {

  include 'apache'
  include 'mysql'

  # $name is already set by Puppet inside a class, so use another variable
  $webapp_name = hiera('webapp::name')
  apache::vhost { $webapp_name: }

}

*Roles:*

class role::prod_web {
  include 'base'
  include 'profile::webapp'
}

Now some of the questions I face:

1- Say that for whatever reason the profile::webapp requires a specific 
package... ie php-apc that is not covered by the apache module. The roles / 
profile states that you should always reference modules. Would you guys 
create a new class just to include a resource? What I usually end up doing 
is to add that package into the profile for the sake of simplicity.

2- Sometimes modules from puppetlabs or other contributors lack some 
functionality. Say for example you need to deploy a file under 
/etc/sysconfig. I wouldn't place that file under the profile class as that 
is used for multiple profiles definitions. However creating a new module 
for just a single file seems like too much of an overhead. What I usually 
do is I split up the profile module into multiple profile modules and use 
the repo - install - config - service pattern. That allows me to create 
a file / template where to place my specific resources for that profile and 
still consume data from hiera to customize the behaviour. 

3- The problem with point 2 is that you might end up with too many profile 
classes and some of them might include a simple reference to a module. That 
is not much of a problem to me as I prefer to have my files attached to the 
right profile module rather than having multiple files on a single profile 
module... or multiple modules with just a couple of files.


Cheers!

Juan Breinlinger


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/88ae6576-7407-4b27-a7b4-034e21683d43%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [Puppet Users] How do I quiesce a puppetmaster before reconfiguring it?

2014-02-09 Thread JuanBrein
service httpd graceful will help. I would highly recommend you to have a 
dev / prd environment for your puppetmaster as well. Vagrant is very 
helpful for that. Having auto provisioned puppet masters is really helpful 
as it allows you to test new puppet master upgrades and configuration 
changes.

Cheers

Juan

On Sunday, February 9, 2014 12:14:54 AM UTC, Trevor Vaughan wrote:

 Try 'service httpd graceful'


 On Sat, Feb 8, 2014 at 6:45 PM, Larry Fast lfas...@gmail.com wrote:

 If I need to do any maintenance on my puppetmaster I would like to ensure 
 that I don't break any partially completed puppet runs. Is there any way to 
 quiesce the puppetmaster before shutting down the service?

 I run my puppetmaster on top of apache passenger. If I execute service 
 httpd stop it breaks all incomplete puppet runs. Is there another way that 
 I should stop the service so that the puppetmaster can properly wind down?





 -- 
 Trevor Vaughan
 Vice President, Onyx Point, Inc
 (410) 541-6699
 tvau...@onyxpoint.com

 -- This account not approved for unencrypted proprietary information -- 




Re: [Puppet Users] Is there a way to find unused puppet code (2.7)?

2014-02-09 Thread Henrik Lindberg

On 2014-09-02 2:53, Amos Shapira wrote:

Hello,

Is there a way to systematically find all modules we have which aren't used?

Basically, the answer is no because it is not possible to statically 
analyze puppet code since all inputs are unknown. (This is because 
references to types can be dynamic - i.e. based on combination of values 
that are only present when evaluation takes place).


At best, it is possible to find candidates that *may* be removed, but 
only with knowledge that there are no dynamic references, and/or after 
testing.


Having a tool that finds modules that a given module depends on but 
without anything actually being used is a great tool to have - suggest 
filing an enhancement request for Geppetto for this. (It will still not 
be able to tell you if there are dynamic references - only testing 
can answer that).

Regards
- henrik




Re: [Puppet Users] Is there a way to find unused puppet code (2.7)?

2014-02-09 Thread gh
On 2/8/14 8:53 PM, Amos Shapira wrote:
 Hello,
 
 Is there a way to systematically find all modules we have which aren't used?
 
 Two reasons for this question:
 
  1. We use librarian-puppet to manage external modules and would like
 to find which of them can we remove.
  2. We did some major refactoring over the years, in particular we moved
 from a mix of old distribution to a single Ubuntu LTS version, and
 there could be some of our own classes which aren't used.
  3. If it's an automatic way, it will be great to run it as part of our
 Continuous Integration suite to find code which can be removed.
 
 So - is there such a thing?
 
 Cheers,
 
 --Amos


Hi Amos,

With PuppetDB you can query[1] for the most recent catalog of a given
node which will list all of the classes used. You could then use the
process of elimination to see what classes you had in your modulepath
that are not showing up in your catalogs.

[1] - http://docs.puppetlabs.com/puppetdb/1.6/api/query/v3/catalogs.html

BR,
-g

--
Garrett Honeycutt
learnpuppet.com
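
The process of elimination described above, as an added Ruby example that is not part of the original post: it compares class definitions found in manifest source with the `Class` resources listed in catalog JSON. The manifests, node names and catalog documents are constructed samples, and the catalog shape (a `resources` list, optionally wrapped in `data`) is an assumption about the PuppetDB response; the result is a list of candidates only, since dynamic references and nodes without a stored catalog are invisible to it.

```ruby
require 'json'
require 'set'

# Constructed sample standing in for the modulepath: file path => manifest source.
MANIFESTS = {
  'apache/manifests/init.pp'    => "class apache {\n}\n",
  'mysql/manifests/init.pp'     => "class mysql {\n}\n",
  'ntp/manifests/init.pp'       => "class ntp (\n  $servers = []\n) {\n}\n",
  'profile/manifests/webapp.pp' => "class profile::webapp {\n  class { 'apache': }\n  include 'mysql'\n}\n",
  'profile/manifests/legacy.pp' => "class profile::legacy inherits profile::webapp {\n}\n",
  'role/manifests/prod_web.pp'  => "class role::prod_web {\n  include 'profile::webapp'\n}\n"
}.freeze

# Constructed catalog documents, one per node (shape is an assumption, see lead-in).
CATALOGS = [
  <<~JSON,
    {"data": {"name": "web01.example.com", "resources": [
      {"type": "Class", "title": "main"},
      {"type": "Class", "title": "Settings"},
      {"type": "Class", "title": "Role::Prod_web"},
      {"type": "Class", "title": "Profile::Webapp"},
      {"type": "Class", "title": "Apache"},
      {"type": "Apache::Vhost", "title": "webapp"}
    ]}}
  JSON
  <<~JSON
    {"name": "db01.example.com", "resources": [
      {"type": "Class", "title": "main"},
      {"type": "Class", "title": "Mysql"}
    ]}
  JSON
].freeze

# Matches a class definition (`class foo {`, `class foo (`, `class foo inherits`),
# but not a resource-style declaration such as `class { 'apache': }`.
CLASS_DEF = /^\s*class\s+([a-z][a-z0-9_]*(?:::[a-z][a-z0-9_]*)*)\s*(?:\(|\{|inherits\b)/

# Every class defined in the manifests, lower-cased.
def defined_classes(manifests)
  manifests.values.flat_map { |src| src.scan(CLASS_DEF).flatten }.map(&:downcase).to_set
end

# Every class that appears as a Class resource in at least one catalog.
# Titles are lower-cased because catalogs capitalise class names.
def declared_classes(catalog_docs)
  catalog_docs.each_with_object(Set.new) do |raw, seen|
    doc = JSON.parse(raw)
    catalog = doc.fetch('data', doc) # accept a wrapped or a bare catalog
    catalog.fetch('resources', []).each do |res|
      seen << res['title'].downcase if res['type'] == 'Class'
    end
  end
end

# Classes defined on disk that no catalog declares: candidates for removal.
def unused_class_candidates(manifests, catalog_docs)
  (defined_classes(manifests) - declared_classes(catalog_docs)).sort
end

# Modules (first name segment) with no class in any catalog.
def unused_module_candidates(manifests, catalog_docs)
  used = declared_classes(catalog_docs).map { |c| c.split('::').first }.to_set
  defined = defined_classes(manifests).map { |c| c.split('::').first }.uniq
  defined.reject { |mod| used.include?(mod) }.sort
end

if __FILE__ == $PROGRAM_NAME
  puts "class candidates:  #{unused_class_candidates(MANIFESTS, CATALOGS).join(', ')}"
  puts "module candidates: #{unused_module_candidates(MANIFESTS, CATALOGS).join(', ')}"
end
```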



Re: [Puppet Users] can puppet manage puppet agents or puppetmasters?

2014-02-09 Thread Felix Frank
Hi,

I just voted for Martin Alfke's recent answer. Specifically, I recommend
to prefer cron over the running agent, that makes agent management much
easier. Updating puppet and its configuration can be done via puppet easily.

HTH,
Felix

On 02/09/2014 12:53 AM, Larry Fast wrote:
 https://ask.puppetlabs.com/question/4694/updating-puppet-agents/
 
 I'm looking at this thread from ask.puppetlabs and so far the only
 answer seems to be - don't use puppet to manage puppet.  I'm asking the
 broader community because I'm still naively hopeful that puppet can
 manage its own installations.  Is there anything in Puppet Enterprise
 that supports this? Is there a best practice for how to update or
 reconfigure puppet installations? Or is this problem too
 self-referential and completely out of scope for the puppet system?



Re: [Puppet Users] Ubuntu Network Proxy via Puppet

2014-02-09 Thread Felix Frank
Hi,

in what way is puppet failing?

Generally, I'll have to remark that the manifest you shared facilitates
(at least) three anti-patterns.
1. You rely on a large number of exec resources to do your work. Where
so many commands need executing, you would be better off deploying a
script via file { } and running it through a single exec.
2. Your exec resources specify no conditions and run always. Each should
have either a creates, onlyif or unless parameter.
3. There is no order declared for your resources, e.g. using
before/require or the -> arrow syntax.

The latter points may be non-issues if the pertinent parts had merely
been redacted. Otherwise, point 3 may be a reason for your problems.

Regards,
Felix

On 01/29/2014 10:05 PM, steven.lo...@imemories.com wrote:
 So we have hit a wall pretty hard here:
 
 We have a series of Ubuntu Desktops running 12.04 LTS and we've
 configured puppet to enable the Network Proxy and it does the weirdest
 thing.  It will refuse to set the proxy until we do an initial setting
 in the GUI.  (Gnome Desktop) Here's our config (some info redacted) but
 has anyone else figured out a fix for this?
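
A small checker for points 2 and 3 above, added here as an example and not taken from the thread: it scans manifest text for exec resources that have none of creates, onlyif or unless, and for execs with no declared ordering. The manifest is a constructed sample (the poster's manifest is not shown on this page), and the regex plus brace scanner is a heuristic, not a Puppet parser.

```ruby
# Constructed sample manifest; resource names and paths are hypothetical.
MANIFEST = <<~'PP'
  exec { 'set-proxy-mode':
    command => "/usr/bin/gsettings set org.gnome.system.proxy mode 'manual'",
  }
  exec { 'set-proxy-host':
    command => "/usr/bin/gsettings set org.gnome.system.proxy.http host 'proxy.example.com'",
    unless  => "/usr/bin/gsettings get org.gnome.system.proxy.http host | /bin/grep -q proxy.example.com",
    require => Exec['set-proxy-mode'],
  }
  exec { 'set-proxy-port':
    command => '/usr/bin/gsettings set org.gnome.system.proxy.http port 3128',
  }
  file { '/usr/local/bin/set-proxy.sh':
    source => 'puppet:///modules/proxy/set-proxy.sh',
    mode   => '0755',
  }
  ->
  exec { 'run-proxy-script':
    command => '/usr/local/bin/set-proxy.sh',
    creates => '/var/lib/proxy-configured',
  }
PP

GUARDS    = %w[creates onlyif unless].freeze          # the three named in the reply
ORDERING  = %w[before require notify subscribe].freeze
EXEC_OPEN = /\bexec\s*\{\s*(['"])(.*?)\1\s*:/m

# Index of the `}` closing a resource body, ignoring braces inside quoted strings.
def closing_brace(src, from)
  depth = 1
  quote = nil
  i = from
  while i < src.length
    ch = src[i]
    if quote
      if ch == '\\' then i += 1            # skip the escaped character
      elsif ch == quote then quote = nil
      end
    elsif ch == "'" || ch == '"' then quote = ch
    elsif ch == '{' then depth += 1
    elsif ch == '}'
      depth -= 1
      return i if depth.zero?
    end
    i += 1
  end
  nil
end

# True when a chaining arrow sits directly before or after the resource.
def chained?(src, open_idx, close_idx)
  src[0...open_idx].match?(/(?:->|~>)\s*\z/) ||
    src[(close_idx + 1)..-1].match?(/\A\s*(?:->|~>)/)
end

def param?(body, names)
  names.any? { |n| body.match?(/(?:^|,)\s*#{n}\s*=>/) }
end

# One record per exec resource: title, whether it is guarded, whether it is ordered.
def audit_execs(src)
  found = []
  pos = 0
  while (m = EXEC_OPEN.match(src, pos))
    close_idx = closing_brace(src, m.end(0))
    break unless close_idx
    title = m[2]
    body = src[m.end(0)...close_idx]
    referenced = src.match?(/Exec\[\s*['"]#{Regexp.escape(title)}['"]\s*\]/)
    found << { title: title,
               guarded: param?(body, GUARDS),
               ordered: param?(body, ORDERING) || referenced || chained?(src, m.begin(0), close_idx) }
    pos = close_idx + 1
  end
  found
end

# Execs that would run on every agent run.
def unguarded_execs(src)
  audit_execs(src).reject { |r| r[:guarded] }.map { |r| r[:title] }
end

# Execs whose position relative to other resources is left undefined.
def unordered_execs(src)
  audit_execs(src).reject { |r| r[:ordered] }.map { |r| r[:title] }
end

if __FILE__ == $PROGRAM_NAME
  puts "no creates/onlyif/unless: #{unguarded_execs(MANIFEST).join(', ')}"
  puts "no ordering:              #{unordered_execs(MANIFEST).join(', ')}"
end
```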



[Puppet Users] How to deploy puppetserver? I do some stupid mistake, and I don't know which.

2014-02-09 Thread Adam Ryczkowski


I am trying to redeploy my puppetmaster infrastructure on new hardware. 

I am unable to get a simple (hello world) connection between puppet 
master and puppet client.

I tried Ubuntu Saucy, and Ubuntu Precise as well as Puppet 3.4.2 and Puppet 
3.2.4 (4 combinations in total).

The steps I do are basic:

1. Install 2x vanilla Ubuntu from either ISO or by lxc-template (I used 
both VirtualBox and LXC container for testing). One will be Puppet server, 
and one will be Puppet client (will run puppet agent).

2. Set up networking so that both hosts can netcat each other on port 8140 
and that both know each other by fqdn. For the last part I edited the 
/etc/hosts file.

3. Install a single package on puppetmaster on server, and puppet on 
client (either the 3.2.4 or 3.4.2 version). 

4. On server kill the puppetmaster service and start one manually by sudo 
puppet master --no-daemonize --debug --logdest console. The server runs 
fine and waits for incoming connections.

5. On client run sudo puppet agent --test --debug --server 
puppetmaster.mydomain.com. I've got only this error:
Warning: Unable to fetch my node definition, but the agent run will 
continue: 
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [self signed certificate in certificate chain 
for /CN=Puppet CA: puppetmaster.mydomain.com] 
Info: Retrieving plugin 
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read 
server certificate B: certificate verify failed: [self signed certificate 
in certificate chain for /CN=Puppet CA: puppetmaster.mydomain.com] 
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for /CN=Puppet 
CA: puppetmaster.mydomain.com] Could not retrieve file metadata for 
puppet://puppetmaster.mydomain.com/plugins: SSL_connect returned=1 errno=0 
state=SSLv3 read server certificate B: certificate verify failed: [self 
signed certificate in certificate chain for /CN=Puppet CA: 
puppetmaster.mydomain.com] 
Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=SSLv3 read server certificate B: certificate 
verify failed: [self signed certificate in certificate chain for /CN=Puppet 
CA: puppetmaster.mydomain.com] 
Warning: Not using cache on failed catalog 
Error: Could not retrieve catalog; skipping run 
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [self signed 
certificate in certificate chain for /CN=Puppet CA: 
puppetmaster.mydomain.com]

What can I do to get the connection?



[Puppet Users] Re: How to deploy puppetserver? I do some stupid mistake, and I don't know which.

2014-02-09 Thread Adam Ryczkowski
Never mind. I've got the answer. I don't know why I got the idea that 
this was a problem with connectivity. The problem was with certificates, 
just as the output said.

After regenerating certificates on puppet master and puppet client (as 
shown in 
http://webcache.googleusercontent.com/search?q=cache:d34kqxwodrYJ:projects.puppetlabs.com/projects/1/wiki/certificates_and_security+cd=1hl=enct=clnk
 
) everything got fixed.



[Puppet Users] Facter errors with InfiniBand and VDSM

2014-02-09 Thread treydock
I have an ovirt node that has Infiniband and I'm seeing two separate errors 
when running facter.

sh: vdsmdummy: command not found

and

Ifconfig uses the ioctl access method to get the full address information, 
which limits hardware addresses to 8 bytes.
Because Infiniband address has 20 bytes, only the first 8 bytes are 
displayed correctly.
Ifconfig is obsolete! For replacement check ip.

I'm using the --trace option with facter but am not seeing any backtrace 
information to identify and submit a fix for these two issues.

Installed packages on CentOS 6.5:

facter.x86_64   1:1.7.4-1.el6   @puppetlabs-products
puppet.noarch   3.4.2-1.el6 @puppetlabs-products

The vdsmdummy is likely from the bridge created by VDSM:

$ brctl show
bridge name     bridge id               STP enabled     interfaces
;vdsmdummy;     8000.                   no
ipmi            8000.003048bc981e       no              eth0.2
ovirtmgmt       8000.003048bc981e       no              eth0.1
public          8000.003048bc981f       no              eth1

So far I think the reason for the 'vdsmdummy: command not found' error is that the 
semi-colons are passed to the /sbin/ip command and appear like subcommands.

The Infiniband issue seems to be STDERR being printed, as an 'ifconfig 
2>/dev/null' does not print that message.

Thanks
- Trey
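
The failure mode suspected above, reproduced as an added Ruby example that is not part of the original post or of Facter's code: a name containing `;` is first interpolated into a shell command string, then passed as its own argv element with no shell involved. `echo` stands in for /sbin/ip (an assumption, so the block runs on any host), the interface names are copied from the brctl output, and stderr is captured separately so tool warnings stay out of the parsed output.

```ruby
require 'open3'
require 'shellwords'

# Interface names as listed by `brctl show` in the post.
INTERFACES = [';vdsmdummy;', 'ipmi', 'ovirtmgmt', 'public'].freeze

# Assumption: `echo` stands in for /sbin/ip so the example runs anywhere.
TOOL = 'echo'.freeze

# Result of one command run, with stdout and stderr kept apart.
Result = Struct.new(:stdout, :stderr, :exitstatus)

# Unsafe form: the name is pasted into a string that /bin/sh parses, so each
# `;` ends a command and `vdsmdummy` is run as a command of its own.
def query_interpolated(iface)
  out, err, status = Open3.capture3("#{TOOL} link show #{iface}")
  Result.new(out, err, status.exitstatus)
end

# Safe form: one argv element per argument and no shell, so the name reaches
# the tool byte for byte whatever characters it contains.
def query_argv(iface)
  out, err, status = Open3.capture3(TOOL, 'link', 'show', iface)
  Result.new(out, err, status.exitstatus)
end

# Fallback when a command string cannot be avoided: quote the name first.
def query_escaped(iface)
  out, err, status = Open3.capture3("#{TOOL} link show #{Shellwords.escape(iface)}")
  Result.new(out, err, status.exitstatus)
end

# Names that the interpolated form does not pass through intact.
def misparsed_names(names)
  names.reject { |n| query_interpolated(n).stdout.chomp == "link show #{n}" }
end

if __FILE__ == $PROGRAM_NAME
  INTERFACES.each do |name|
    bad = query_interpolated(name)
    good = query_argv(name)
    puts "#{name.inspect}: interpolated exit=#{bad.exitstatus} stderr=#{bad.stderr.strip.inspect}"
    puts "#{name.inspect}: argv         exit=#{good.exitstatus} stdout=#{good.stdout.strip.inspect}"
  end
  puts "misparsed: #{misparsed_names(INTERFACES).inspect}"
end
```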



Re: [Puppet Users] How do I quiesce a puppetmaster before reconfiguring it?

2014-02-09 Thread Larry Fast
graceful-stop seems to be a modest improvement but it's not a panacea. 
 AFAIK it only ensures that open connections are not dropped.  A puppet run 
seems to involve multiple connections. At best this only completes 
individual transactions before shutdown.   Also, when I look at this 
problem in a bit more detail, the puppetmaster doesn't seem to know if 
there are active puppet runs still in progress.

So the best I could hope for is a way to block new puppet runs from 
starting and then waiting a reasonable length of time before halting the 
service.  Is there anything in the puppetmaster arsenal that could allow it 
to run without allowing new puppet runs to start? 




[Puppet Users] Re: Facter errors with InfiniBand and VDSM

2014-02-09 Thread treydock
After some debugging it seems it's the ;vdsmdummy; interface that's 
causing both problems.  I have a host with Infiniband, and the same version 
of Puppet and Facter, that has no errors running facter.  My guess is when 
ifconfig is executed for ;vdsmdummy; it's not using '2> /dev/null', but I 
can't identify where in the Facter code this is happening.

I updated Facter to 1.7.5-rc2 and the error is still the same on the host 
with the ;vdsmdummy; bridge device.

Thanks
- Trey

On Sunday, February 9, 2014 3:17:10 PM UTC-6, treydock wrote:

 I have an ovirt node that has Infiniband and I'm seeing two separate 
 errors when running facter.

 sh: vdsmdummy: command not found

 and

 Ifconfig uses the ioctl access method to get the full address information, 
 which limits hardware addresses to 8 bytes.
 Because Infiniband address has 20 bytes, only the first 8 bytes are 
 displayed correctly.
 Ifconfig is obsolete! For replacement check ip.

 I'm using the --trace option with facter but am not seeing any backtrace 
 information to identify and submit a fix for these two issues.

 Installed packages on CentOS 6.5:

 facter.x86_64   1:1.7.4-1.el6   @puppetlabs-products
 puppet.noarch   3.4.2-1.el6 @puppetlabs-products

 The vdsmdummy is likely from the bridge created by VDSM:

 $ brctl show
 bridge name     bridge id               STP enabled     interfaces
 ;vdsmdummy;     8000.                   no
 ipmi            8000.003048bc981e       no              eth0.2
 ovirtmgmt       8000.003048bc981e       no              eth0.1
 public          8000.003048bc981f       no              eth1

 So far I think the reason for the 'vdsmdummy: command not found' error is that the 
 semi-colons are passed to the /sbin/ip command and appear like subcommands.

 The Infiniband issue seems to be STDERR being printed, as an 'ifconfig 
 2>/dev/null' does not print that message.

 Thanks
 - Trey




[Puppet Users] Unable to start puppetmaster on Mac OSX Mavericks

2014-02-09 Thread Ryan Nideffer
I've followed the installation guide for Mac OSX and I get this in 
puppetmaster.err upon starting the daemon with launchctl:

Error: Could not create resources for managing Puppet's files and 
directories in sections [:main, :master, :ssl, :metrics]: undefined method 
`each' for nil:NilClass

Error: Could not prepare for execution: Could not create resources for 
managing Puppet's files and directories in sections [:main, :master, :ssl, 
:metrics]: undefined method `each' for nil:NilClass

undefined method `each' for nil:NilClass

($:/var/log/puppet)- ruby -v

ruby 2.0.0p247 (2013-06-27 revision 41674) [universal.x86_64-darwin13]

Puppet v3.4.2

($:/var/log/puppet)- ls -ltr /etc/puppet/

total 12K

-rw-r--r-- 1 puppet puppet 4.1K Jan  6 14:39 auth.conf

drwxrwx--x 8 puppet puppet  272 Feb  5 07:13 ssl/

drwxr-xr-x 2 puppet puppet   68 Feb  7 07:55 manifests/

-rw-r--r-- 1 puppet puppet  255 Feb  7 07:58 puppet.conf

Any ideas?



Re: [Puppet Users] can puppet manage puppet agents or puppetmasters?

2014-02-09 Thread Sterling Windmill
Larry,

I would assume that a masterless puppet could configure your puppet master 
and/or agent if desired. You would need to have puppet itself and the necessary 
manifests/modules available to you but what it sounds like you're looking for 
sounds eminently doable.

You may want to just consider going masterless across the board.

-Sterling

 On Feb 8, 2014, at 6:53 PM, Larry Fast lfast1...@gmail.com wrote:
 
 https://ask.puppetlabs.com/question/4694/updating-puppet-agents/
 
 I'm looking at this thread from ask.puppetlabs and so far the only answer 
 seems to be - don't use puppet to manage puppet.  I'm asking the broader 
 community because I'm still naively hopeful that puppet can manage its own 
 installations.  Is there anything in Puppet Enterprise that supports this? Is 
 there a best practice for how to update or reconfigure puppet installations? 
 Or is this problem too self-referential and completely out of scope for the 
 puppet system?
 
 
 
 


Re: [Puppet Users] Is there a way to find unused puppet code (2.7)?

2014-02-09 Thread Henrik Lindberg

On 2014-09-02 17:36, Henrik Lindberg wrote:

On 2014-09-02 2:53, Amos Shapira wrote:

Hello,

Is there a way to systematically find all modules we have which aren't
used?


Basically, the answer is no because it is not possible to statically
analyze puppet code since all inputs are unknown. (This is because
references to types can be dynamic - i.e. based on combination of values
that are only present when evaluation takes place).

At best, it is possible to find candidates that *may* be removed, but
only with knowledge that there are no dynamic references, and/or after
testing.

Having a tool that finds modules that a given module depends on but
without anything actually being used is a great tool to have - suggest
filing an enhancement request for Geppetto for this. (It will still not
be able to tell you if there are dynamic references - only testing
can answer that).



I logged a feature issue for Geppetto - 
https://tickets.puppetlabs.com/browse/PUP-1625


Regards
- henrik




Re: [Puppet Users] Roles / profile pattern , inquire on how you handle some specific situations

2014-02-09 Thread Ramin K

On 2/9/2014 4:47 AM, JuanBrein wrote:



I've been using puppet on different companies and implementing the roles
/ profile pattern on some of them.

In theory the pattern works very well but in practice I usually face
challenges that I sort out implementing my own designs / solutions. I
would like to know how you guys deal with that in case you do.

Say you have a typical LAMP stack and you have to deploy a web app so
my classes would look something like this (super simplified version):

*Modules:*

class apache {
  # puppetlabs class
}
class mysql {
  # puppetlabs class
}
etc.

*Profile*:

class profile::webapp {

  include 'apache'
  include 'mysql'

  # $name is already set by Puppet inside a class, so use another variable
  $webapp_name = hiera('webapp::name')
  apache::vhost { $webapp_name: }

}

*Roles:*

class role::prod_web {
   include 'base'
   include 'profile::webapp'
}

Now some of the questions I face:

1- Say that for whatever reason the profile::webapp requires a specific
package... ie php-apc that is not covered by the apache module. The
roles / profile states that you should always reference modules. Would
you guys create a new class just to include a resource? What I usually
end up doing is to add that package into the profile for the sake of
simplicity.

2- Sometimes modules from puppetlabs or other contributors lack some
functionality. Say for example you need to deploy a file under
/etc/sysconfig. I wouldn't place that file under the profile class as
that is used for multiple profiles definitions. However creating a new
module for just a single file seems like too much of an overhead. What I
usually do is I split up the profile module into multiple profile
modules and use the repo - install - config - service pattern. That
allows me to create a file / template where to place my specific
resources for that profile and still consume data from hiera to
customize the behaviour.

3- The problem with point 2 is that you might end up with too many
profile classes and some of them might include a simple reference to a
module. That is not much of a problem to me as I prefer to have my files
attached to the right profile module rather than having multiple files
on a single profile module... or multiple modules with just a couple of
files.

Cheers!
Juan Breinlinger



1. profiles::php with create_resources around a Package resource that 
pulls in php-apc, php-mcrypt, php-gd, and all the other usual suspects 
based on Hiera data. When was the last time anyone needed just one PHP 
module? Also not a terrible place to set apc.ini and other config files.


2. profile::myrole and yeah I add the resource directly particularly if 
it'll never ever conflict with another module. Also a good place to pull 
in very simple modules. I'm not a fan of breaking things up into more 
specific subclasses within a profile::class.


3. See #2

	I recently took a crack at writing some examples of profile uses as 
well as philosophizing on good profile classes. Probably needs another 
hour of editing, but might be helpful in its current state. 
https://ask.puppetlabs.com/question/5235/what-goes-in-the-profile-part-of-roleprofile/


Ramin



Re: [Puppet Users] Roles / profile pattern , inquire on how you handle some specific situations

2014-02-09 Thread JuanBrein
Thanks and great post by the way!

I think we are pretty much on the same thinking behind. You don't add the 
package  resource directly but using create_resources from hiera is 
almost the same thing. The only difference is that your way is more 
flexible as you can add / remove packages just changing data and not code. 
But if you know beforehand what are the requires and you think they'll be 
static in the long term I prefer that to be on the code side so my hiera 
data looks small compact relevant and tidy.

My problem is with the file resources and templates. If you have a 
decent amount of different applications you'll end up with a super profile 
class. It'll contain all different type of files and templates and too many 
sub profile modules. Some companies have more than 200 different 
applications type with an average of 2 to 4 config files to be deployed by 
app. I know some of them could be moved to rpms but is normal to have at 
least 1 config file managed by templates. Do you think it is good to have a 
profile class with say 300 400 files from different applications?

That's where I prefer to use a different pattern and that is one profile 
class per application: ie:

profile_webapp
profile_alpha_app
profile_gamma_app
etc...

And sometimes when needed use the repo-config-install-service pattern.

Do you see any cons on that approach?

Thanks!

Juan

1. profiles::php with create_resources around a Package resource that 
pulls in php-apc, php-mcrypt, php-gd, and all the other usual suspects 
based on Hiera data. When was the last time anyone needed just one PHP 
module? Also not a terrible place to set apc.ini and other config files. 

2. profile::myrole and yeah I add the resource directly particularly if 
it'll never ever conflict with another module. Also a good place to pull 
in very simple modules. I'm not a fan of breaking things up into more 
specific subclasses within a profile::class. 


On Monday, February 10, 2014 6:48:55 AM UTC, Ramin K wrote:

 On 2/9/2014 4:47 AM, JuanBrein wrote: 
  
  
  I've been using puppet on different companies and implementing the roles 
  / profile pattern on some of them. 
  
  In theory the pattern works very well but in practice I usually face 
  challenges that I sort out implementing my own designs / solutions. I 
  would like to know how you guys deal with that in case you do. 
  
  Say you have a typical LAMP stack and you have to deploy a web app so 
  my classes would look something like this (super simplified version): 
  
  *Modules:* 
  
  class apache {
    # puppetlabs class
  }
  class mysql {
    # puppetlabs class
  }
  etc.

  *Profile*:

  class profile::webapp {

    include 'apache'
    include 'mysql'

    # $name is already set by Puppet inside a class, so use another variable
    $webapp_name = hiera('webapp::name')
    apache::vhost { $webapp_name: }

  }
  
  *Roles:* 
  
  class role::prod_web { 
 include 'base' 
 include 'profile::webapp' 
  } 
  
  Now some of the questions I face: 
  
  1- Say that for whatever reason the profile::webapp requires a specific 
  package... ie php-apc that is not covered by the apache module. The 
  roles / profile states that you should always reference modules. Would 
  you guys create a new class just to include a resource? What I usually 
  end up doing is to add that package into the profile for the sake of 
  simplicity. 
  
  2- Sometimes modules from puppetlabs or other contributors lack some 
  functionality. Say for example you need to deploy a file under 
  /etc/sysconfig. I wouldn't place that file under the profile class as 
  that is used for multiple profiles definitions. However creating a new 
  module for just a single file seems like too much of an overhead. What I 
  usually do is I split up the profile module into multiple profile 
  modules and use the repo - install - config - service pattern. That 
  allows me to create a file / template where to place my specific 
  resources for that profile and still consume data from hiera to 
  customize the behaviour. 
  
  3- The problem with point 2 is that you might end up with too many 
  profile classes and some of them might include a simple reference to a 
  module. That is not much of a problem to me as I prefer to have my files 
  attached to the right profile module rather than having multiple files 
  on a single profile module... or multiple modules with just a couple of 
  files. 
  
  Cheers! 
  Juan Breinlinger 


 1. profiles::php with create_resources around a Package resource that 
 pulls in php-apc, php-mcrypt, php-gd, and all the other usual suspects 
 based on Hiera data. When was the last time anyone needed just one PHP 
 module? Also not a terrible place to set apc.ini and other config files. 

 2. profile::myrole and yeah I add the resource directly particularly if 
 it'll never ever conflict with another module. Also a good place to pull 
 in very simple modules. I'm not a fan of breaking things up into more 
 specific subclasses within a profile::class. 

 3. See