[Puppet Users] how do you name and group your data in hiera?

2017-01-27 Thread Robert
Hi List,

I'm on the verge of refactoring all our modules to the roles&profile
workflow with r10k etc. and the stuff is taking shape - thanks for all the
help so far! - and the only thing I'm still not very convenient with is the
naming/grouping of data put into Hiera and using that data in the profiles.
Let me explain.
Somehow I always wanted to do something like this:

---
profile::tomcat::sudoers:
  tomcatadmingroup:
    - systemctl start tomcat.service
    - systemctl stop tomcat.service
profile::apache::sudoers:
  apacheadmingroup:
    - systemctl start httpd.service
    - systemctl stop httpd.service

since if I classify a node with the Tomcat module, I'd like the tomcat
admins to be able to start and stop the service. I think this resource
belongs to the profile::tomcat. This way, I'd use:
class profiles::tomcat {
  ...
  class { "sudoers":
    sudoers => $::profiles::tomcat::sudoers
  }
}

class profiles::apache {
  ...
  class { "sudoers":
    sudoers => $::profiles::apache::sudoers
  }
}

This is (imho) way nicer than trying to remember to extend all these
resources every time I need something new, like "Tomcat needs a port, a
user, a certificate so let's extend profile::firewall with the port,
profile::certs with the cert. Ah crap I forgot the java version in
profiles::java at the bottom of the yaml file!".

But this solution obviously doesn't work if a node has both the tomcat and
apache modules because of the multiple resource-like class declarations of
the same class.

Another example would be that if the tomcat module is assigned to a node,
then the tomcat-admins should be able to login via ssh. And the same goes
for other admin groups. Assuming this:

profiles::tomcat::pamd:
  - 'tomcatadmins'
profiles::oracle::pamd:
  - 'oracleadmins'

the final variable used in the pamd class should be ["tomcatadmins",
"oracleadmins"] but I can't really get this array in the pamd profile with
hiera (or can I?).

Maybe some merging would be possible but I can't simply look up
"profile::*::pamd" and merge the results.
Afaik hiera_array is only possible with data on different Hiera levels.
I could use subclasses like ::sudoers::tomcat, ::sudoers::apache...
::pamd::oracle ::pamd::tomcat etc. but that'd be complex and time-consuming.

How could I (meaningfully) use "include ::classname" everywhere without
doing something weird?
How do you group your data?

Best
Rp

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CANwwCtz08AZz2f8qCtkE%2BOwVsx9vAZkCjAYr7hcJUe5DeDG4tw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Re: r10k, git and .gitignore

2017-01-27 Thread Robert
Hey guys,

I just wanted to give you a follow-up on this topic (maybe somebody will
have the same question in the future).

All ideas have been helpful but fpm is awesome :)

I now build rpm's from software which do need dependencies,
pre/post(un)install scripts etc., but if there's no need for that, simply
packaging a plain .zip or .tgz with fpm is so simple and painful that
even some other teams are happy with it and adopted the tool.

That way our git repo can be kept at a small size, which is useful if used
in combination with r10k and dynamic environments - every environment would
take up the whole size of the checked out modules - so I'm glad I asked
- and you replied.

Thanks,
rp

On Mon, Dec 19, 2016 at 5:24 PM, John Gelnaw wrote:

>
> We used Gavin's approach and created a "downloads" mount within Puppet, so
> Puppet still handles the file transfer, but it's from a different set of
> directories outside of the git repo(s).
>
> Also, for anyone creating .deb / .rpm package files, if you aren't using
> 'fpm', you should be.
>



[Puppet Users] Re: how do you name and group your data in hiera?

2017-01-27 Thread Rob Nelson
I apparently use a different sudo module than you do (saz/sudo), but have 
the same concerns. We have a general sudoers setup that gets applied to all 
nodes and additional config for certain roles. We manage this in the base 
profile class using iteration (note: I don't think I guard against 
`$sudo_confs` actually being undef, which may cause catalog compilation 
failures if it occurred):

class profile::base::linux (
  $sudo_confs = undef,
) {
  ...
  # Sudo setup
  include ::sudo
  $sudo_confs.each |$group, $config| {
    sudo::conf { $group:
      * => $config,
    }
  }
}

In hiera/global.yaml:

---
lookup_options:
  profile::base::linux::sudo_confs:
    merge: deep
profile::base::linux::sudo_confs:
  sysadmin:
    priority: 10
    content: '%sysadmin ALL=(ALL)   ALL'

The `lookup_options` ensures that the content is found and merged across 
hiera tiers rather than overwriting at each level. Then we can do things 
like this in hiera/puppet_role/build.yaml, for a 'build' role:

---
profile::base::linux::sudo_confs:
  infrastructure:
    priority: 15
    content: '%infrastructure ALL=(ALL)   ALL'

On almost every node, profile::base::linux::sudo_confs has a single key 
'sysadmin'. On nodes with the `puppet_role` fact set to `build`, there's a 
second key, `infrastructure`, and thus a second sudo configuration is 
applied on those nodes. You can also look at the `knockout_prefix` key for 
`lookup_options` if you decide you need to eliminate some keys on certain 
nodes.

On Friday, January 27, 2017 at 3:47:58 AM UTC-5, Robert wrote:
>
> Hi List,
>
> I'm on the verge of refactoring all our modules to the roles&profile 
> workflow with r10k etc. and the stuff is taking shape - thanks for all the 
> help so far! - and the only thing I'm still not very convenient with is the 
> naming/grouping of data put into Hiera and using that data in the profiles. 
> Let me explain.
> Somehow I always wanted to do something like this:
>
> ---
> profile::tomcat::sudoers:
>   tomcatadmingroup:
>     - systemctl start tomcat.service
>     - systemctl stop tomcat.service
> profile::apache::sudoers:
>   apacheadmingroup:
>     - systemctl start httpd.service
>     - systemctl stop httpd.service
>
> since if I classify a node with the Tomcat module, I'd like the tomcat 
> admins to be able to start and stop the service. I think this resource 
> belongs to the profile::tomcat. This way, I'd use: 
> class profiles::tomcat {
>   ...
>   class { "sudoers":
>     sudoers => $::profiles::tomcat::sudoers
>   }
> }
>
> class profiles::apache {
>   ...
>   class { "sudoers":
>     sudoers => $::profiles::apache::sudoers
>   }
> }
>
> This is (imho) way nicer than trying to remember to extend all these 
> resources every time I need something new, like "Tomcat needs a port, a 
> user, a certificate so let's extend profile::firewall with the port, 
> profile::certs with the cert. Ah crap I forgot the java version in 
> profiles::java at the bottom of the yaml file!".
>
> But this solution obviously doesn't work if a node has both the tomcat and 
> apache modules because of the multiple resource-like class declarations of 
> the same class.
>
> Another example would be that if the tomcat module is assigned to a node, 
> then the tomcat-admins should be able to login via ssh. And the same goes 
> for other admin groups. Assuming this:
>
> profiles::tomcat::pamd: 
>   - 'tomcatadmins'
> profiles::oracle::pamd: 
>   - 'oracleadmins'
>
> the final variable used in the pamd class should be ["tomcatadmins", 
> "oracleadmins"] but I can't really get this array in the pamd profile with 
> hiera (or can I?).
>
> Maybe some merging would be possible but I can't simply look up 
> "profile::*::pamd" and merge the results.
> Afaik hiera_array is only possible with data on different Hiera levels.
> I could use subclasses like ::sudoers::tomcat, ::sudoers::apache... 
> ::pamd::oracle ::pamd::tomcat etc. but that'd be complex and time-consuming.
>
> How could I (meaningfully) use "include ::classname" everywhere without 
> doing something weird? 
> How do you group your data?
>
> Best
> Rp
>
>
>
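
An added example, not part of Rob Nelson's post or the saz/sudo module: because `merge: deep` lets every Hiera tier contribute sudo rules, this Ruby sketch models the merge over the post's data (sudoers whitespace normalised) and reports which tier supplies each rule that allows all commands. The node-level file, the `tomcatadmins` rule, the function names and the sudoers heuristic are assumptions made for illustration; array merging and `knockout_prefix` are not modelled.

```ruby
require 'yaml'
KEY = 'profile::base::linux::sudo_confs'

# Constructed tiers, highest priority first. global.yaml and build.yaml follow
# the post; the node file and its values are hypothetical.
TIERS = {
  'nodes/build01.yaml' => <<~Y,
    profile::base::linux::sudo_confs:
      sysadmin:
        priority: 5
      tomcatadmins:
        content: '%tomcatadmins ALL=(root) /usr/bin/systemctl start tomcat.service'
  Y
  'puppet_role/build.yaml' => <<~Y,
    profile::base::linux::sudo_confs:
      infrastructure:
        priority: 15
        content: '%infrastructure ALL=(ALL) ALL'
  Y
  'global.yaml' => <<~Y
    profile::base::linux::sudo_confs:
      sysadmin:
        priority: 10
        content: '%sysadmin ALL=(ALL) ALL'
  Y
}.freeze

# Simplified model of `merge: deep`: hashes merge recursively, higher tier wins.
def deep_merge(high, low)
  low.merge(high) { |_k, lo, hi| lo.is_a?(Hash) && hi.is_a?(Hash) ? deep_merge(hi, lo) : hi }
end

# Resolve the key across tiers; origin = tier supplying each entry's content.
def resolve(tiers, key = KEY)
  merged, origin = {}, {}
  tiers.each do |file, text|
    data = (YAML.safe_load(text) || {})[key]
    next unless data.is_a?(Hash)
    data.each { |name, conf| origin[name] ||= file if conf.is_a?(Hash) && conf['content'] }
    merged = deep_merge(merged, data)
  end
  [merged, origin]
end

# Sudoers heuristic (assumption): true when any listed command is the bare ALL.
def unrestricted?(rule)
  cmds = rule.to_s.split('=', 2).last.to_s.sub(/\A\s*\([^)]*\)/, '')
  cmds.split(',').any? { |c| c.gsub(/\b[A-Z_]+:/, '').strip == 'ALL' }
end

# Entries that allow all commands, mapped to the tier that supplies the rule.
def broad_grants(tiers)
  merged, origin = resolve(tiers)
  merged.select { |_n, c| unrestricted?(c['content']) }.keys.map { |n| [n, origin[n]] }.to_h
end
```

The node file overrides only `priority` for `sysadmin`, so the merged entry keeps the `content` from global.yaml; that is the difference between a deep merge and replacing the whole entry.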



Re: [Puppet Users] How to read in file into array of hashes to use build start script template

2017-01-27 Thread James Perry
I am looking to see if I can make this work with a define or have to resort 
to an each loop.  Still hacking away to see what I can find. With the each 
I can still loop through to try to get to the goal of having a key/value 
pair to pass on to a template only if the current client matches one of the 
host names in scope. 

Worst case I will just go ahead to split the variables up accordingly per 
client and hard code in the module / parms file. 

My goal was to have it so we could just use the CSV file we were given to 
dynamically build the data. But it may be less costly (from a CPU cycle 
level) to just go back to the good old days :) 

On Sunday, January 22, 2017 at 10:56:46 PM UTC-5, John Gelnaw wrote:
>
> On Friday, January 20, 2017 at 12:28:02 PM UTC-5, James Perry wrote:
>>
>> Thanks.
>>
>> The reason I have a CSV is that is what is provided from the users out of 
>> their own private database where they keep this data. I have to take the 
>> detail as it is given. Now I can manually process the data to be how I 
>> think I want, but I'm trying to keep this as simple as possible for the 
>> other team members (KISS principle).
>>
>> For the custom ENC, the new environment is Foreman over top of Puppet.
>> Can I use a Puppet ENC when Foreman is set up to do that itself?
>>
>
> I have a very complex ENC myself, so the idea of merging the Foreman ENC 
> with my own ENC appeals to me-- Ultimately, they're both just spitting out 
> YAML.
>
> My current line of attack is to have my ENC (configured already within 
> puppet) call the Foreman node.rb script, merge the two data structures and 
> output the resulting YAML, but the migration to puppet 4.x has priority at 
> the moment.
>
>



[Puppet Users] Is ruby-based facter stuck at 2.4.6?

2017-01-27 Thread Ryan Anderson
Facter developer attention is with the C++ based facter 3.x, and I get why. 
However, some of us use puppet open source on platforms (eg Solaris, AIX) 
where it is difficult/impossible to get the toolchain needed to compile it. 
I am using ruby facter 2.4.6 on these UNIX boxes, which hasn't been updated 
in a year. It seems this works fine for now, I am more concerned about 
future versions of puppet deprecating it. Granted, these are dead platforms 
that I am trying to get off of, but most organizations take a long time to 
actually do that.

Can anyone provide any info or recommendations on this? Is there any 
masochist out there who has compiled cfacter on Solaris?

Thanks,
RCA



Re: [Puppet Users] Satellite Puppet

2017-01-27 Thread warron.french
Dan, thank you for that feedback.  It actually did educate me; however, (a
week later from me) I learned this morning what had happened.
Neither agent was properly checking in.  1 due to NetworkManager problems
on a RHEL6 system, and the other the Puppet Agent service wasn't enabled to
run as a daemon, so it only checked in at reboots.  Agh!

Stupid little things like this drive me bonkers.

Thank you Dan for taking the time to articulate a response.
Sincerely,

--
Warron French


On Wed, Jan 18, 2017 at 4:22 PM, Dan White wrote:

> I will take a crack at this as I am working with Satellite and Puppet in
> the same environment.
>
> First of all, the Puppet inside of Satellite is way back at version
> 3.something, so many newer Puppet technical tips will not work.
>
> About answering your question, start here:
> https://docs.puppet.com/puppet/3.8/lang_node_definitions.html
>
> A node definition or node statement is a block of Puppet code that will
> only be included in one node’s catalog. This feature allows you to assign
> specific configurations to specific nodes.
>
> Node statements are an optional feature of Puppet. They can be replaced by
> or combined with an external node classifier, or you can eschew both and
> use conditional statements with facts to classify nodes.
>
> Unlike more general conditional structures, node statements only match
> nodes by name. By default, the name of a node is its certname (which
> defaults to the node’s fully qualified domain name).
>
> https://docs.puppet.com/puppet/3.8/modules_fundamentals.html#using-modules
>
> Modules are how Puppet finds the classes and defined types it can use — it
> automatically loads any class or defined type stored in its modules. Within
> a manifest or from an external node classifier (ENC), any of these classes
> or defined types can be declared by name.
>
> The Red Hat Satellite Puppet Guide does not really discuss setting up
> nodes.  It seems to focus on how Satellite can manage the Puppet modules.
>
>
>
> Dan White | d_e_wh...@icloud.com
> 
> “Sometimes I think the surest sign that intelligent life exists elsewhere in 
> the universe is that none of it has tried to contact us.”  (Bill Waterson: 
> Calvin & Hobbes)
>
>
> On Jan 18, 2017, at 03:05 PM, "warron.french" 
> wrote:
>
> Does this community support questions related to Red Hat Satellite's
> implementation of Puppet, or only PuppetLabs developed and supported
> products more generically?
>
> I have a question about the phases of tasks that must be completed within
> a Red Hat Satellite Puppet Environment and how to get them "onto" the
> Puppet Client machines running a Puppet agent.
>
>
> I have generated a module, validated its syntax to find no errors, neither
> in the .pp nor the .erb template files, and have gone through Red Hat
> Satellite's process of creating the module archive, *Uploading,
> Publishing and Promoting* that module; but I can't figure out why it's not
> getting applied to the client machines.  Even after a puppet run is
> executed!
>
>
> Thanks for any help and direction anyone can provide me.
> --
> Warron French
>
>
