Issue #19028 has been reported by John Moser.
----------------------------------------
Bug #19028: Documentation improvement about file server and multiple
environments
https://projects.puppetlabs.com/issues/19028
Author: John Moser
Status: Unreviewed
Priority: Normal
Assignee:
Category: documentation
Target version:
Affected Puppet version:
Keywords:
Branch:
I feel the documentation about environments is outdated. Either that or I am
pioneering new techniques in Puppet utilization.
File serving only works well with environments if you’re only serving files
from modules;
if you’ve set up custom mount points in fileserver.conf, they won’t work in
your custom
environments. (Though hopefully you’re only serving files from modules
anyway.)
-- http://docs.puppetlabs.com/guides/environment.html
This is ... not exactly correct. I will explain my method here and allow the
community to decide on if it makes sense and how to effect verbiage. Puppet
does do this well, however.
I have a small unfinished puppet configuration module that I will use as my
basis for this. For reference, it is at the below repository:
https://github.com/bluefoxicy/puppet-module-puppet
On my filesystem the following structure is present:
---
etc:
puppet:
environments:
dev:
- data
- files
- templates
- manifests
production:
- data
- files
- templates
- manifests
And so on.
I provide a fileserver.conf as follows:
[environments]
path /etc/puppet/environments
allow *
And there is a statement in the puppet.conf.erb template as follows:
<%if environments.is_a? Array -%>
### Environments
###
path /environments
auth any
<% environments.each do |name| -%>
path /environments/<%= name -%>/files
auth yes
environment <%= name %>
allow *
<% end -%><% end -%>
In practice, if we have environments [ 'dev', 'production' ], this produces the
following:
### Environments
###
path /environments
auth any
path /environments/dev/files
auth yes
environment dev
allow *
path /environments/production/files
auth yes
environment production
allow *
In this way, agents may only obtain:
source => "puppet:///environments/$environment/files/$path_to_file"
Agents may may not read:
- Other environments
- Anything outside of files/, including manifests, data, or templates
Data, manifests, and templates may contain sensitive information. Files
absolutely should not, as it is difficult to provide fine-grained access to
specific files. Doing so involves creating another branch (like securefiles/)
and assigning access rights in auth.conf. I have at times used template() to
serve flat files for a number of reasons.
I feel that the documentation is outdated and could use some better guidance as
to how to configure per-environment file servers. I found it a particular easy
problem to solve effectively, in stark contrast to the explanation given in the
documentation. It should be clear, however, that whatever is stuck into the
files/ tree is visible to that entire environment, and that additional
configuration complexity is required to restrict certain paths and files to
nodes; I recommend against putting sensitive information in files.
It is notable that I use a different, less-explored method of providing
configuration as well, which I will leave to another issue after some
discussion about design patterns with the community. I'll touch on this now,
however, to explore another very slight related issue in the documentation.
In Manifests
The $environment variable should only rarely be necessary, but it’s there
if you need it.
Notably I often use:
content => template("$templatedir/foo.conf.erb")
(Caveat: Issue #19006)
As well as:
source =>
"puppet:///environments/$environment/files/foobar-cluster/foo.conf"
There is no $filesdir (and $templatedir is set using $environment to work
around Issue #19006), so of course the above. Mostly this is for modules such
as, for example, the Pacemaker module I wrote:
https://github.com/bluefoxicy/puppet-pacemaker
by which I will often provide a way to overload a template or configuration
file in a class or defined type by passing it as a variable, in this case
node /^cluster-\d+\.example\.com$/ {
class { pacemaker:
authkey =>
"puppet:///environments/$environment/files/loadbalance/authkey.corosync",
bindnetaddr => '10.0.50.0', # mandatory
mcastaddr => '239.255.1.1',
crm_config => "$templatedir/crm-cl0.erb", # per-environment
crm_hash => hiera('crm_config'),
}
}
Thus the $environment variable is relevant in manifests when per-environment
files are served.
--
You have received this notification because you have either subscribed to it,
or are involved in it.
To change your notification preferences, please click here:
http://projects.puppetlabs.com/my/account
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
