[Puppet Users] Roles / profile pattern , inquire on how you handle some specific situations
I've been using puppet on different companies and implementing the roles / profile pattern on some of them. In theory the pattern works very well but in practice I usually face challenges that I sort out implementing my own designs / solutions. I would like to know how you guys deal with that in case you do.

Say you have a typical LAMP stack and you have to deploy a web app so my classes would look something like this (super simplified version):

*Modules:*

    class apache {
      # puppetlabs class
    }
    class mysql {
      # puppetlabs class
    }
    # etc.

*Profile*:

    class profile::webapp {
      include 'apache'
      include 'mysql'
      # vhost name comes from Hiera; $name is reserved inside a class
      $webapp_name = hiera('webapp::name')
      apache::vhost { $webapp_name: }
    }

*Roles:*

    class role::prod_web {
      include 'base'
      include 'profile::webapp'
    }

Now some of the questions I face:

1- Say that for whatever reason the profile::webapp requires a specific package... ie php-apc that is not covered by the apache module. The roles / profile states that you should always reference modules. Would you guys create a new class just to include a resource? What I usually end up doing is to add that package into the profile for the sake of simplicity.

2- Sometimes modules from puppetlabs or other contributors lack some functionality. Say for example you need to deploy a file under /etc/sysconfig. I wouldn't place that file under the profile class as that is used for multiple profiles definitions. However creating a new module for just a single file seems like too much of an overhead. What I usually do is I split up the profile module into multiple profile modules and use the repo - install - config - service pattern. That allows me to create a file / template where to place my specific resources for that profile and still consume data from hiera to customize the behaviour.

3- The problem with point 2 is that you might end up with too many profile classes and some of them might include a simple reference to a module. That is not much of a problem to me as I prefer to have my files attached to the right profile module rather than having multiple files on a single profile module... or multiple modules with just a couple of files.

Cheers!
Juan Breinlinger

-- You received this message because you are subscribed to the Google Groups Puppet Users group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/88ae6576-7407-4b27-a7b4-034e21683d43%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [Puppet Users] How do I quiesce a puppetmaster before reconfiguring it?
service httpd graceful will help.

I would highly recommend you to have a dev / prd environment for your puppetmaster as well. Vagrant is very helpful for that. Having auto provisioned puppet masters is really helpful as it allows you to test new puppet master upgrades and configuration changes.

Cheers
Juan

On Sunday, February 9, 2014 12:14:54 AM UTC, Trevor Vaughan wrote:
> Try 'service httpd graceful'
>
> On Sat, Feb 8, 2014 at 6:45 PM, Larry Fast lfas...@gmail.com wrote:
> > If I need to do any maintenance on my puppetmaster I would like to ensure that I don't break any partially completed puppet runs. Is there any way to quiesce the puppetmaster before shutting down the service?
> >
> > I run my puppetmaster on top of apache passenger. If I execute service httpd stop it breaks all incomplete puppet runs. Is there another way that I should stop the service so that the puppetmaster can properly wind down?
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvau...@onyxpoint.com
>
> -- This account not approved for unencrypted proprietary information --
Re: [Puppet Users] Is there a way to find unused puppet code (2.7)?
On 2014-09-02 2:53, Amos Shapira wrote:
> Hello,
> Is there a way to systematically find all modules we have which aren't used?

Basically, the answer is no because it is not possible to statically analyze puppet code since all inputs are unknown. (This is because references to types can be dynamic - i.e. based on combination of values that are only present when evaluation takes place).

At best, it is possible to find candidates that *may* be removed, but only with knowledge that there are no dynamic references, and/or after testing.

Having a tool that finds modules that a given module depends on but without anything actually being used is a great tool to have - suggest filing an enhancement request for Geppetto for this. (It will still not be able to tell you if there are dynamic references - only testing can answer that).

Regards
- henrik
Re: [Puppet Users] Is there a way to find unused puppet code (2.7)?
On 2/8/14 8:53 PM, Amos Shapira wrote:
> Hello,
> Is there a way to systematically find all modules we have which aren't used?
>
> Two reasons for this question:
> 1. We use librarian-puppet to manage external modules and would like to find which of them can we remove.
> 2. We did some major refactoring over the years, in particular we moved from a mix of old distribution to a single Ubuntu LTS version, and there could be some of our own classes which aren't used.
> 3. If it's an automatic way, it will be great to run it as part of our Continuous Integration suite to find code which can be removed.
>
> So - is there such a thing?
>
> Cheers,
> --Amos

Hi Amos,

With PuppetDB you can query[1] for the most recent catalog of a given node which will list all of the classes used. You could then use the process of elimination to see what classes you had in your modulepath that are not showing up in your catalogs.

[1] - http://docs.puppetlabs.com/puppetdb/1.6/api/query/v3/catalogs.html

BR,
-g

--
Garrett Honeycutt
learnpuppet.com
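The process of elimination described in this reply, sketched as an added example (not code from the poster or from PuppetDB). The manifests and catalog JSON are constructed samples, and the catalog shape (a `resources` array of `type`/`title` pairs, optionally under `data`) is an assumption to check against your PuppetDB version.

```ruby
require 'json'
require 'set'

# Constructed sample: manifest sources keyed by path under the modulepath.
MANIFESTS = {
  'apache/manifests/init.pp' => "class apache (\n  $port = 80,\n) {\n}\n",
  'apache/manifests/mod/php.pp' => "class apache::mod::php {\n}\n",
  'profile/manifests/webapp.pp' => <<~PP,
    # class old::name { }   <- commented out, must not count
    class profile::webapp inherits profile::base {
      class { 'apache': }
      apache::vhost { 'site': }
    }
  PP
  'profile/manifests/base.pp' => "class profile::base { }\n",
  'legacy_ntp/manifests/init.pp' => "class legacy_ntp { }\n"
}.freeze

# Constructed sample: one catalog document per node (shape is an assumption).
CATALOGS = [
  JSON.generate({ 'data' => { 'name' => 'web01.example.com', 'resources' => [
    { 'type' => 'Class', 'title' => 'Profile::Webapp' },
    { 'type' => 'Class', 'title' => 'Profile::Base' },
    { 'type' => 'Class', 'title' => 'Apache' },
    { 'type' => 'Apache::Vhost', 'title' => 'site' },
    { 'type' => 'File', 'title' => '/etc/motd' }
  ] } }),
  JSON.generate({ 'data' => { 'name' => 'db01.example.com', 'resources' => [
    { 'type' => 'Class', 'title' => 'Profile::Base' }
  ] } })
].freeze

# Matches class definitions ("class foo::bar {", "(", or "inherits"),
# but not resource-style declarations such as "class { 'apache': }".
DEF_RE = /^\s*class\s+([a-z][a-z0-9_]*(?:::[a-z][a-z0-9_]*)*)\s*(?:\(|\{|inherits\b)/

# Returns { class_name => manifest_path } for every class defined in the sources.
def defined_classes(manifests)
  manifests.each_with_object({}) do |(path, src), acc|
    src.scan(DEF_RE) { |(name)| acc[name] = path }
  end
end

# Returns [classes, modules] referenced by one catalog. A module counts as used
# when any of its classes or defined types (e.g. Apache::Vhost) appears.
def catalog_usage(catalog_json)
  doc = JSON.parse(catalog_json)
  resources = doc.fetch('data', doc).fetch('resources', [])
  classes = Set.new
  modules = Set.new
  resources.each do |r|
    type = r['type'].to_s.downcase
    title = r['title'].to_s.downcase
    if type == 'class'
      classes << title
      modules << title.split('::').first
    elsif type.include?('::')
      modules << type.split('::').first
    end
  end
  [classes, modules]
end

# Classes and modules present in the modulepath but absent from every catalog.
def unused_candidates(manifests, catalogs)
  used_classes = Set.new
  used_modules = Set.new
  catalogs.each do |c|
    cls, mods = catalog_usage(c)
    used_classes |= cls
    used_modules |= mods
  end
  all_modules = manifests.keys.map { |p| p.split('/').first }.uniq
  {
    classes: defined_classes(manifests).keys.reject { |n| used_classes.include?(n) }.sort,
    modules: all_modules.reject { |m| used_modules.include?(m) }.sort
  }
end

puts unused_candidates(MANIFESTS, CATALOGS).inspect if __FILE__ == $PROGRAM_NAME
```

The output is a list of candidates only: a class that no current catalog contains can still be reached through a dynamic reference or by a node that has not checked in.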
Re: [Puppet Users] can puppet manage puppet agents or puppetmasters?
Hi,

I just voted for Martin Alfke's recent answer. Specifically, I recommend to prefer cron over the running agent, that makes agent management much easier. Updating puppet and its configuration can be done via puppet easily.

HTH,
Felix

On 02/09/2014 12:53 AM, Larry Fast wrote:
> https://ask.puppetlabs.com/question/4694/updating-puppet-agents/
>
> I'm looking at this thread from ask.puppetlabs and so far the only answer seems to be - don't use puppet to manage puppet. I'm asking the broader community because I'm still naively hopeful that puppet can manage its own installations.
>
> Is there anything in Puppet Enterprise that supports this? Is there a best practice for how to update or reconfigure puppet installations? Or is this problem too self referential and completely out of scope for the puppet system?
Re: [Puppet Users] Ubuntu Network Proxy via Puppet
Hi,

in what way is puppet failing?

Generally, I'll have to remark that the manifest you shared facilitates (at least) three anti-patterns.

1. You rely on a large number of exec resources to do your work. Where so many commands need executing, you would be better off deploying a script via file { } and running it through a single exec.
2. Your exec resources specify no conditions and run always. Each should have either a creates, onlyif or unless parameter.
3. There is no order declared for your resources, e.g. using before/require or the -> arrow syntax.

The latter points may be non-issues if the pertinent parts had merely been redacted. Otherwise, point 3 may be a reason for your problems.

Regards,
Felix

On 01/29/2014 10:05 PM, steven.lo...@imemories.com wrote:
> So we have hit a wall pretty hard here: We have a series of Ubuntu Desktops running 12.04 LTS and we've configured puppet to enable the Network Proxy and it does the weirdest thing. It will refuse to set the proxy until we do an initial setting in the GUI. (Gnome Desktop)
>
> Here's our config (some info redacted) but has anyone else figured out a fix for this?
[Puppet Users] How to deploy puppetserver? I do some stupid mistake, and I don't know which.
I am trying to redeploy my puppetmaster infrastructure on new hardware. I am unable to get a simple (hello world) connection between puppet master and puppet client. I tried Ubuntu Saucy, and Ubuntu Precise as well as Puppet 3.4.2 and Puppet 3.2.4 (4 combinations in total).

The steps I do are basic:

1. Install 2x vanilla Ubuntu from either ISO or by lxc-template (I used both VirtualBox and LXC container for testing). One will be Puppet server, and one will be Puppet client (will run puppet agent).
2. Set up networking so that both hosts can netcat each other on port 8140 and that both know each other by fqdn. For the last part I edited the /etc/hosts file.
3. Install a single package on puppetmaster on server, and puppet on client (either the 3.2.4 or 3.4.2 version).
4. On server kill the puppetmaster service and start one manually by sudo puppet master --no-daemonize --debug --logdest console. The server runs fine and waits for incoming connections.
5. On client run sudo puppet agent --test --debug --server puppetmaster.mydomain.com.

I've got only this error:

    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppetmaster.mydomain.com]
    Info: Retrieving plugin
    Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppetmaster.mydomain.com]
    Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppetmaster.mydomain.com] Could not retrieve file metadata for puppet://puppetmaster.mydomain.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppetmaster.mydomain.com]
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppetmaster.mydomain.com]
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppetmaster.mydomain.com]

What can I do to get the connection?
[Puppet Users] Re: How to deploy puppetserver? I do some stupid mistake, and I don't know which.
Never mind. I've got the answer. I don't know why I got the idea that this is a problem with connectivity. The problem was with certificates, just as the output said.

After regenerating certificates on puppet master and puppet client (as shown in http://webcache.googleusercontent.com/search?q=cache:d34kqxwodrYJ:projects.puppetlabs.com/projects/1/wiki/certificates_and_security+cd=1hl=enct=clnk ) everything got fixed.
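As an added illustration (not from the thread), the following Ruby script reproduces the verify result quoted in the question with throwaway certificates: a client whose trust store holds a different CA than the one that signed the server certificate gets "self signed certificate in certificate chain" when the server sends its own CA along. The old master name is a constructed placeholder, and this shows one condition that yields the error, not a diagnosis of the poster's hosts.

```ruby
require 'openssl'

# Builds an unsigned X.509 v3 certificate valid for one hour.
def new_cert(common_name, key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

# Self-signed CA, comparable in role to the CA a puppet master creates for itself.
def make_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(common_name, key, 1)
  cert.issuer = cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

# Server certificate signed by the given CA.
def issue_server_cert(common_name, ca)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = new_cert(common_name, key, 2)
  cert.issuer = ca[:cert].subject
  cert.sign(ca[:key], OpenSSL::Digest.new('SHA256'))
  cert
end

# Verifies the server certificate the way a TLS client does: only
# trusted_ca_cert is trusted, presented_chain is what the server sent.
def verify_as_agent(trusted_ca_cert, server_cert, presented_chain)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca_cert)
  ok = store.verify(server_cert, presented_chain)
  { ok: ok, code: store.error, message: store.error_string }
end

def scenarios
  old_ca = make_ca('Puppet CA: oldmaster.mydomain.com') # constructed placeholder
  new_ca = make_ca('Puppet CA: puppetmaster.mydomain.com')
  server = issue_server_cert('puppetmaster.mydomain.com', new_ca)
  {
    # Client trusts another CA; server sends its CA in the chain -> code 19.
    stale_ca_on_agent: verify_as_agent(old_ca[:cert], server, [new_ca[:cert]]),
    # Same trust store, server sends no chain -> code 20 (issuer not found).
    stale_ca_no_chain: verify_as_agent(old_ca[:cert], server, []),
    # Client trusts the CA that signed the server certificate -> OK.
    matching_ca: verify_as_agent(new_ca[:cert], server, [new_ca[:cert]])
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, r| puts "#{name}: ok=#{r[:ok]} code=#{r[:code]} (#{r[:message]})" }
end
```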
[Puppet Users] Facter errors with InfiniBand and VDSM
I have an ovirt node that has Infiniband and I'm seeing two separate errors when running facter.

    sh: vdsmdummy: command not found

and

    Ifconfig uses the ioctl access method to get the full address information, which limits hardware addresses to 8 bytes. Because Infiniband address has 20 bytes, only the first 8 bytes are displayed correctly. Ifconfig is obsolete! For replacement check ip.

I'm using the --trace option with facter but am not seeing any backtrace information to identify and submit a fix for these two issues.

Installed packages on CentOS 6.5:

    facter.x86_64    1:1.7.4-1.el6    @puppetlabs-products
    puppet.noarch    3.4.2-1.el6      @puppetlabs-products

The vdsmdummy is likely from the bridge created by VDSM:

    $ brctl show
    bridge name     bridge id               STP enabled     interfaces
    ;vdsmdummy;     8000.                   no
    ipmi            8000.003048bc981e       no              eth0.2
    ovirtmgmt       8000.003048bc981e       no              eth0.1
    public          8000.003048bc981f       no              eth1

So far I think the reason for the vdsmdummy: command not found is the semi-colons are passed to the /sbin/ip command and appear like subcommands. The Infiniband issue seems to be STDERR being printed as an ifconfig 2>/dev/null does not print that message.

Thanks
- Trey
Re: [Puppet Users] How do I quiesce a puppetmaster before reconfiguring it?
graceful-stop seems to be a modest improvement but it's not a panacea. AFAIK it only ensures that open connections are not dropped. A puppet run seems to involve multiple connections. At best this only completes individual transactions before shutdown.

Also, when I look at this problem in a bit more detail, the puppetmaster doesn't seem to know if there are active puppet runs still in progress. So the best I could hope for is a way to block new puppet runs from starting and then waiting a reasonable length of time before halting the service.

Is there anything in the puppetmaster arsenal that could allow it to run without allowing new puppet runs to start?
[Puppet Users] Re: Facter errors with InfiniBand and VDSM
After some debugging it seems it's the ;vdsmdummy; interface that's causing both problems. I have a host with Infiniband, and the same version of Puppet and Facter, that has no errors running facter. My guess is when ifconfig is executed for ;vdsmdummy; it's not using '2>/dev/null', but I can't identify where in the Facter code this is happening.

I updated Facter to 1.7.5-rc2 and the error is still the same on the host with the ;vdsmdummy; bridge device.

Thanks
- Trey

On Sunday, February 9, 2014 3:17:10 PM UTC-6, treydock wrote:
> I have an ovirt node that has Infiniband and I'm seeing two separate errors when running facter.
>
>     sh: vdsmdummy: command not found
>
> and
>
>     Ifconfig uses the ioctl access method to get the full address information, which limits hardware addresses to 8 bytes. Because Infiniband address has 20 bytes, only the first 8 bytes are displayed correctly. Ifconfig is obsolete! For replacement check ip.
>
> I'm using the --trace option with facter but am not seeing any backtrace information to identify and submit a fix for these two issues.
>
> Installed packages on CentOS 6.5:
>
>     facter.x86_64    1:1.7.4-1.el6    @puppetlabs-products
>     puppet.noarch    3.4.2-1.el6      @puppetlabs-products
>
> The vdsmdummy is likely from the bridge created by VDSM:
>
>     $ brctl show
>     bridge name     bridge id               STP enabled     interfaces
>     ;vdsmdummy;     8000.                   no
>     ipmi            8000.003048bc981e       no              eth0.2
>     ovirtmgmt       8000.003048bc981e       no              eth0.1
>     public          8000.003048bc981f       no              eth1
>
> So far I think the reason for the vdsmdummy: command not found is the semi-colons are passed to the /sbin/ip command and appear like subcommands. The Infiniband issue seems to be STDERR being printed as an ifconfig 2>/dev/null does not print that message.
>
> Thanks
> - Trey
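The behaviour described in these two posts, shown as an added Ruby example (not Facter's code, which the poster could not locate): an interface name containing `;` splits a command when it is interpolated into a shell string, and stays one argument when the command is run as an argument vector. `echo` stands in for `/sbin/ip link show` so the script runs on any host; the name list is a constructed sample taken from the `brctl show` output.

```ruby
require 'open3'
require 'shellwords'

# Constructed sample: bridge names from the `brctl show` output in the post.
BRIDGES = [';vdsmdummy;', 'ovirtmgmt', 'public'].freeze

# Stand-in for `/sbin/ip link show <iface>`: echo prints its arguments back,
# which shows exactly what the real tool would have received.
TOOL = %w[echo link show].freeze

def result(output, status)
  { output: output, exit: status.exitstatus }
end

# Pattern 1: interpolate the name into one command string. Ruby passes a
# string containing shell metacharacters to /bin/sh, and the shell treats
# ';' as a command separator, so "vdsmdummy" is run as its own command.
def run_interpolated(iface)
  result(*Open3.capture2e("#{TOOL.join(' ')} #{iface}"))
end

# Pattern 2: pass an argument vector. No shell is involved, so the name
# reaches the tool as a single argument whatever characters it contains.
# stderr is discarded with a spawn option instead of a 2>/dev/null redirect.
def run_argv(iface)
  result(*Open3.capture2(*TOOL, iface, err: File::NULL))
end

# Pattern 3: when a shell string cannot be avoided (for example a pipeline),
# quote every interpolated value with Shellwords.escape.
def run_escaped(iface)
  result(*Open3.capture2e("#{TOOL.join(' ')} #{Shellwords.escape(iface)} 2>/dev/null"))
end

# Runs all three patterns over the sample names. The name is a real interface
# on the affected host, so rejecting it is not an option; the fix is to keep
# it out of shell parsing.
def report(names = BRIDGES)
  names.map do |n|
    { name: n, interpolated: run_interpolated(n), argv: run_argv(n), escaped: run_escaped(n) }
  end
end

report.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```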
[Puppet Users] Unable to start puppetmaster on Mac OSX Mavericks
I've followed the installation guide for Mac OSX and I get this in puppetmaster.err upon starting the daemon with launchctl:

    Error: Could not create resources for managing Puppet's files and directories in sections [:main, :master, :ssl, :metrics]: undefined method `each' for nil:NilClass
    Error: Could not prepare for execution: Could not create resources for managing Puppet's files and directories in sections [:main, :master, :ssl, :metrics]: undefined method `each' for nil:NilClass
    undefined method `each' for nil:NilClass

    ($:/var/log/puppet)- ruby -v
    ruby 2.0.0p247 (2013-06-27 revision 41674) [universal.x86_64-darwin13]

Puppet v3.4.2

    ($:/var/log/puppet)- ls -ltr /etc/puppet/
    total 12K
    -rw-r--r-- 1 puppet puppet 4.1K Jan 6 14:39 auth.conf
    drwxrwx--x 8 puppet puppet 272 Feb 5 07:13 ssl/
    drwxr-xr-x 2 puppet puppet 68 Feb 7 07:55 manifests/
    -rw-r--r-- 1 puppet puppet 255 Feb 7 07:58 puppet.conf

Any ideas?
Re: [Puppet Users] can puppet manage puppet agents or puppetmasters?
Larry,

I would assume that a masterless puppet could configure your puppet master and/or agent if desired. You would need to have puppet itself and the necessary manifests/modules available to you but what it sounds like you're looking for sounds eminently doable. You may want to just consider going masterless across the board.

-Sterling

On Feb 8, 2014, at 6:53 PM, Larry Fast lfast1...@gmail.com wrote:
> https://ask.puppetlabs.com/question/4694/updating-puppet-agents/
>
> I'm looking at this thread from ask.puppetlabs and so far the only answer seems to be - don't use puppet to manage puppet. I'm asking the broader community because I'm still naively hopeful that puppet can manage its own installations.
>
> Is there anything in Puppet Enterprise that supports this? Is there a best practice for how to update or reconfigure puppet installations? Or is this problem too self referential and completely out of scope for the puppet system?
Re: [Puppet Users] Is there a way to find unused puppet code (2.7)?
On 2014-09-02 17:36, Henrik Lindberg wrote:
> On 2014-09-02 2:53, Amos Shapira wrote:
> > Hello,
> > Is there a way to systematically find all modules we have which aren't used?
>
> Basically, the answer is no because it is not possible to statically analyze puppet code since all inputs are unknown. (This is because references to types can be dynamic - i.e. based on combination of values that are only present when evaluation takes place).
>
> At best, it is possible to find candidates that *may* be removed, but only with knowledge that there are no dynamic references, and/or after testing.
>
> Having a tool that finds modules that a given module depends on but without anything actually being used is a great tool to have - suggest filing an enhancement request for Geppetto for this. (It will still not be able to tell you if there are dynamic references - only testing can answer that).

I logged a feature issue for Geppetto - https://tickets.puppetlabs.com/browse/PUP-1625

Regards
- henrik
Re: [Puppet Users] Roles / profile pattern , inquire on how you handle some specific situations
On 2/9/2014 4:47 AM, JuanBrein wrote:
> I've been using puppet on different companies and implementing the roles / profile pattern on some of them. In theory the pattern works very well but in practice I usually face challenges that I sort out implementing my own designs / solutions. I would like to know how you guys deal with that in case you do.
>
> Say you have a typical LAMP stack and you have to deploy a web app so my classes would look something like this (super simplified version):
>
> *Modules:*
>
>     class apache {
>       # puppetlabs class
>     }
>     class mysql {
>       # puppetlabs class
>     }
>     # etc.
>
> *Profile*:
>
>     class profile::webapp {
>       include 'apache'
>       include 'mysql'
>       # vhost name comes from Hiera; $name is reserved inside a class
>       $webapp_name = hiera('webapp::name')
>       apache::vhost { $webapp_name: }
>     }
>
> *Roles:*
>
>     class role::prod_web {
>       include 'base'
>       include 'profile::webapp'
>     }
>
> Now some of the questions I face:
>
> 1- Say that for whatever reason the profile::webapp requires a specific package... ie php-apc that is not covered by the apache module. The roles / profile states that you should always reference modules. Would you guys create a new class just to include a resource? What I usually end up doing is to add that package into the profile for the sake of simplicity.
>
> 2- Sometimes modules from puppetlabs or other contributors lack some functionality. Say for example you need to deploy a file under /etc/sysconfig. I wouldn't place that file under the profile class as that is used for multiple profiles definitions. However creating a new module for just a single file seems like too much of an overhead. What I usually do is I split up the profile module into multiple profile modules and use the repo - install - config - service pattern. That allows me to create a file / template where to place my specific resources for that profile and still consume data from hiera to customize the behaviour.
>
> 3- The problem with point 2 is that you might end up with too many profile classes and some of them might include a simple reference to a module. That is not much of a problem to me as I prefer to have my files attached to the right profile module rather than having multiple files on a single profile module... or multiple modules with just a couple of files.
>
> Cheers!
> Juan Breinlinger

1. profiles::php with create_resources around a Package resource that pulls in php-apc, php-mcrypt, php-gd, and all the other usual suspects based on Hiera data. When was the last time anyone needed just one PHP module? Also not a terrible place to set apc.ini and other config files.

2. profile::myrole and yeah I add the resource directly particularly if it'll never ever conflict with another module. Also a good place to pull in very simple modules. I'm not a fan of breaking things up into more specific subclasses within a profile::class.

3. See #2

I recently took a crack at writing some examples of profile uses as well as philosophizing on good profile classes. Probably needs another hour of editing, but might be helpful in its current state.

https://ask.puppetlabs.com/question/5235/what-goes-in-the-profile-part-of-roleprofile/

Ramin
Re: [Puppet Users] Roles / profile pattern , inquire on how you handle some specific situations
Thanks and great post by the way!

I think we are pretty much on the same thinking behind. You don't add the package resource directly but using create_resources from hiera is almost the same thing. The only difference is that your way is more flexible as you can add / remove packages just changing data and not code. But if you know beforehand what are the requires and you think they'll be static in the long term I prefer that to be on the code side so my hiera data looks small compact relevant and tidy.

My problem is with the file resources and templates. If you have a decent amount of different applications you'll end up with a super profile class. It'll contain all different type of files and templates and too many sub profile modules. Some companies have more than 200 different applications type with an average of 2 to 4 config files to be deployed by app. I know some of them could be moved to rpms but is normal to have at least 1 config file managed by templates. Do you think it is good to have a profile class with say 300 400 files from different applications?

That's where I prefer to use a different pattern and that is one profile class per application: ie: profile_webapp profile_alpha_app profile_gamma_app etc... And sometimes when needed use the repo-config-install-service pattern.

Do you see any cons on that approach?

Thanks!
Juan

> 1. profiles::php with create_resources around a Package resource that pulls in php-apc, php-mcrypt, php-gd, and all the other usual suspects based on Hiera data. When was the last time anyone needed just one PHP module? Also not a terrible place to set apc.ini and other config files.
>
> 2. profile::myrole and yeah I add the resource directly particularly if it'll never ever conflict with another module. Also a good place to pull in very simple modules. I'm not a fan of breaking things up into more specific subclasses within a profile::class.