On Tuesday, August 13, 2013 9:59:22 PM UTC-5, Ygor wrote:
>
> I have a problem with variables in defined types.
>
> I have dug a hole consisting of three levels of nested defines as in
> -------------------------------------------
> class users {
> ...
> }
> -------------------------------------------
> define users::useraccount (
> $username = $name,
> $uid,
> $info,
> $ingroups = [],
> $dotfiles = [],
> $userhome = "/home/${name}",
> $ensure = absent,
> $is_role = false,
> $role_users = [],
> $delete_role_users = [],
> $user_options = [],
> ) {
>
> ...
> if $is_role {
> ...
> if ! empty ( $role_users ) {
> $local_role_users = suffix ( $role_users,
> "_${username}" )
>
> users::role_user_keys { $local_role_users:
> ensure => present,
> key_options => $user_options,
> is_role => $is_role,
> }
> }
> }
>
> ...
> }
> -------------------------------------------
> define users::role_user_keys (
> $ensure = absent,
> $key_options = [],
> $is_role = true,
> ) {
> include 'stdlib'
>
> $foo = split ( $title, '_' )
> $the_user = $foo[0]
> $the_role = $foo[1]
>
> users::restricted_ssh_user { $title:
> username => $the_user,
> ensure => $ensure,
> ssh_options => $key_options,
> role_name => $the_role,
> is_role => $is_role,
> }
> }
> -------------------------------------------
> define users::restricted_ssh_user (
> $username,
> $ensure = absent,
> $ssh_options = [],
> $is_role = true,
> $role_name,
> ) {
> include stdlib
>
> case $is_role {
> ‘roleA' : {
> $command_string = “/usr/local/${role_name}/local/bin/commandA
> --user=${username}"
> $canned_options = [
> 'no-port-forwarding',
> 'no-agent-forwarding',
> 'no-X11-forwarding',
> 'no-pty',
> ]
>
> $option_string = "command=\"${command_string}\""
> $local_options = concat ( $canned_options, [$option_string] )
> }
> ‘roleB' : {
> $command_string = “/usr/local/${role_name}/bin/commandB
> --user=${username}"
> $canned_options = [
> 'no-port-forwarding',
> 'no-X11-forwarding',
> 'no-pty',
> ]
>
> $option_string = "command=\"${command_string}\""
> $local_options = concat ( $canned_options, [$option_string] )
>
> }
> 'admin' : {
> $local_options = $ssh_options
> }
> default : {
> $linkit = link
> $command_string =
> "${homedir}/bin/ssh_${role_name}_${username}”
>
> $option_string = "command=\"${command_string}\""
> $local_options = concat ( $ssh_options, [$option_string] )
> }
> }
>
> ssh_authorized_key {
> "${username}_rsa_key_for_${role_name}_${is_role}":
> ensure => $ensure,
> key => file ( "/etc/puppet/config/keys/${username}-rsa" ),
> type => 'ssh-rsa',
> user => $role_name,
> options => $local_options,
> }
>
> ssh_authorized_key {
> "${username}_dss_key_for_${role_name}_${is_role}":
> ensure => $ensure,
> key => file ( "/etc/puppet/config/keys/${username}-dss" ),
> type => 'ssh-dss',
> user => $role_name,
> options => $local_options,
> }
>
> }
>
> The problem is in how I manipulate the array of option parameters as I go
> down the levels ( user_options , key_options , ssh_options ) and the
> contents of the array created with the “concat” function persists and
> accumulates (snowballs!!) at the bottom level as the
> "users::restricted_ssh_user" defined type in instantiated many times. The
> parameters were all called “options” at one point, and I made them
> different, hoping that would work.
>
> Is there a way to isolate the variables declared in a defined type
> instance ?
> Or do I need to trash this design and start over ?
I'm not sure I understand the problem(s).
With respect to the $local_options arrays generated via concat(), these are
each assigned as resource parameters, so Puppet must retain them all until
it finishes compiling the catalog. The point appears to be that the
options may vary from user to user, so if you have many users then many of
these option strings must accumulate during catalog compilation. How do
you imagine it could be different?
However, it does look like in some cases you are creating temporary arrays
that you do not need. It could be that Puppet retains these for the
duration of catalog compilation, even though it shouldn't need to do. If
that's the case, then you might be able to lighten the load a bit by
dropping the temporaries. For instance, you could avoid the
$canned_options, $command_string, and $option_string variables in the
'roleA' case by writing the option array like this:
$local_options = [
'no-port-forwarding',
'no-agent-forwarding',
'no-X11-forwarding',
'no-pty',
"command=\"/usr/local/${role_name}/local/bin/commandA
--user=${username}\""
]
I don't know whether that will really gain you anything, though, especially
inasmuch as you cannot do the same for the default case.
You might also achieve a bit of savings by merging
users::restricted_ssh_user back into users::role_user_keys. As you present
those, I don't see what you gain by separating them.
Ultimately, though, I don't think your option arrays grossly outweigh
everything else declared per-user. If you are experiencing a capacity
problem, then you may need to take an altogether different approach, such
as managing ~/.ssh/authorized_keys as a whole, via a template, instead of
declaring thousands of Ssh_authorized_key resources.
John
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
