On Tuesday, August 13, 2013 9:59:22 PM UTC-5, Ygor wrote: > > I have a problem with variables in defined types. > > I have dug a hole consisting of three levels of nested defines as in > ------------------------------------------- > class users { > ... > } > ------------------------------------------- > define users::useraccount ( > $username = $name, > $uid, > $info, > $ingroups = [], > $dotfiles = [], > $userhome = "/home/${name}", > $ensure = absent, > $is_role = false, > $role_users = [], > $delete_role_users = [], > $user_options = [], > ) { > > ... > if $is_role { > ... > if ! empty ( $role_users ) { > $local_role_users = suffix ( $role_users, > "_${username}" ) > > users::role_user_keys { $local_role_users: > ensure => present, > key_options => $user_options, > is_role => $is_role, > } > } > } > > ... > } > ------------------------------------------- > define users::role_user_keys ( > $ensure = absent, > $key_options = [], > $is_role = true, > ) { > include 'stdlib' > > $foo = split ( $title, '_' ) > $the_user = $foo[0] > $the_role = $foo[1] > > users::restricted_ssh_user { $title: > username => $the_user, > ensure => $ensure, > ssh_options => $key_options, > role_name => $the_role, > is_role => $is_role, > } > } > ------------------------------------------- > define users::restricted_ssh_user ( > $username, > $ensure = absent, > $ssh_options = [], > $is_role = true, > $role_name, > ) { > include stdlib > > case $is_role { > ‘roleA' : { > $command_string = “/usr/local/${role_name}/local/bin/commandA > --user=${username}" > $canned_options = [ > 'no-port-forwarding', > 'no-agent-forwarding', > 'no-X11-forwarding', > 'no-pty', > ] > > $option_string = "command=\"${command_string}\"" > $local_options = concat ( $canned_options, [$option_string] ) > } > ‘roleB' : { > $command_string = “/usr/local/${role_name}/bin/commandB > --user=${username}" > $canned_options = [ > 'no-port-forwarding', > 'no-X11-forwarding', > 'no-pty', > ] > > $option_string = "command=\"${command_string}\"" > $local_options = concat ( $canned_options, [$option_string] ) > > } > 'admin' : { > $local_options = $ssh_options > } > default : { > $linkit = link > $command_string = > "${homedir}/bin/ssh_${role_name}_${username}” > > $option_string = "command=\"${command_string}\"" > $local_options = concat ( $ssh_options, [$option_string] ) > } > } > > ssh_authorized_key { > "${username}_rsa_key_for_${role_name}_${is_role}": > ensure => $ensure, > key => file ( "/etc/puppet/config/keys/${username}-rsa" ), > type => 'ssh-rsa', > user => $role_name, > options => $local_options, > } > > ssh_authorized_key { > "${username}_dss_key_for_${role_name}_${is_role}": > ensure => $ensure, > key => file ( "/etc/puppet/config/keys/${username}-dss" ), > type => 'ssh-dss', > user => $role_name, > options => $local_options, > } > > } > > The problem is in how I manipulate the array of option parameters as I go > down the levels ( user_options , key_options , ssh_options ) and the > contents of the array created with the “concat” function persists and > accumulates (snowballs!!) at the bottom level as the > "users::restricted_ssh_user" defined type in instantiated many times. The > parameters were all called “options” at one point, and I made them > different, hoping that would work. > > Is there a way to isolate the variables declared in a defined type > instance ? > Or do I need to trash this design and start over ?
I'm not sure I understand the problem(s). With respect to the $local_options arrays generated via concat(), these are each assigned as resource parameters, so Puppet must retain them all until it finishes compiling the catalog. The point appears to be that the options may vary from user to user, so if you have many users then many of these option strings must accumulate during catalog compilation. How do you imagine it could be different? However, it does look like in some cases you are creating temporary arrays that you do not need. It could be that Puppet retains these for the duration of catalog compilation, even though it shouldn't need to do. If that's the case, then you might be able to lighten the load a bit by dropping the temporaries. For instance, you could avoid the $canned_options, $command_string, and $option_string variables in the 'roleA' case by writing the option array like this: $local_options = [ 'no-port-forwarding', 'no-agent-forwarding', 'no-X11-forwarding', 'no-pty', "command=\"/usr/local/${role_name}/local/bin/commandA --user=${username}\"" ] I don't know whether that will really gain you anything, though, especially inasmuch as you cannot do the same for the default case. You might also achieve a bit of savings by merging users::restricted_ssh_user back into users::role_user_keys. As you present those, I don't see what you gain by separating them. Ultimately, though, I don't think your option arrays grossly outweigh everything else declared per-user. If you are experiencing a capacity problem, then you may need to take an altogether different approach, such as managing ~/.ssh/authorized_keys as a whole, via a template, instead of declaring thousands of Ssh_authorized_key resources. John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.