date:20150306

Re: [Puppet-dev] Puppet Faces Install Location

2015-03-06 Thread Erik Dalén

Well, faces can be installed as gems as well if they are packaged that way.
Some modules include both functions and faces though, my puppetdbquery
module would be an example of that. It could of course be split into
different parts for the functions and the face, but I'm not entirely
convinced of the benefit.

Also if they are installed as modules they can be pluginsynced to agents
which can be pretty handy.

On Fri, 6 Mar 2015 at 13:24 Trevor Vaughan tvaug...@onyxpoint.com wrote:

Hi All,

I was building a custom Face and realized that there really should be
another way to handle these in the local filesystem.

The current method for adding Faces, as evidenced by 'strings', seems to
be to drop them in as a module.

I dislike this for two reasons. First, they're cluttering up my module
space (and function namespace) with something that is not a module. Second,
I don't want to have to add things to 'modules' if my node is simply a
client where I want additional functionality (puppetdb hooks, whatever).

So, I would like to propose the following:

* The module tool and Forge are enhanced to support a 'face' tag
* The 'face' tag will indicate that the module is installing a Face
* Faces cannot co-exist with other module components (no actual puppet
management code should be in a Face module)
* Faces will live at $facedir, by default $confdir/faces
* Face functionality will not pollute the global namespace (if possible)

Thanks,

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoXyTmRocvMBFR3qNnzyZyuhLdjsVTFAA-9vgtiOoJ5NMg%40mail.gmail.com
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoXyTmRocvMBFR3qNnzyZyuhLdjsVTFAA-9vgtiOoJ5NMg%40mail.gmail.com?utm_medium=emailutm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLc9%2BBzsAQzmq%2BUKmWxWw9VBK0STA_JAJ5xcOVgEya3xSQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Puppet 5 changes

2015-03-06 Thread Trevor Vaughan

+1 to OCSP support!

Trevor

On Fri, Mar 6, 2015 at 9:41 AM, Erik Dalén erik.gustav.da...@gmail.com
wrote:

On Fri, 6 Mar 2015 at 05:30 Eric Sorenson eric.soren...@puppetlabs.com
wrote:

Hi all, this may seem a bit far-out since we haven't pushed Puppet 4
completely out of the nest, but I wanted to talk about some plans for the
next cycle of breaking changes/deprecations that are headed for Puppet 5.

There are two main areas of change, both related to continuing to move
server-side functionality into Puppet Server: the certificate authority and
the network stack. There may be other semver-major breaks that get rolled
in, but at this point we're planning to deliberately NOT have language
changes that would necessitate revising modules.

Currently there are two separate certificate authority implementations,
one in Ruby and one in Clojure. Puppet 5 will consolidate onto the new
Clojure CA, removing the Ruby CA code and building new command-line tools
to interact with it. (See SERVER-270 for the design/requirements work
here.) This is cool because right now there are a few overlapping /
conflicting subcommands like `puppet ca`, `puppet cert`, `puppet
certificate_request`, etc that are pretty inconsistent, and it'll be great
to have the chance to clean them up.

Similarly, on the network stack, we want to consolidate on the
jetty/puppet-server/jruby stack as the single way to run Puppet masters, so
the built-in webrick support and Rack support layer will ride off into the
sunset. The webrick one shouldn't be too controversial: it causes a lot of
people to start off on a bad path because it tips over so easily. My
hypothesis is if you're just dipping a toe in the water to try out Puppet,
running standalone with `puppet apply` is probably going to work better
than a webrick agent/server setup.

But I'm interested in hearing opinions on the Rack deprecation,
especially if there are significant functionality gaps between what people
are currently doing in your Passenger setup and what's possible with Puppet
Server. Overall it's obviously easier to support fewer, more opinionated
ways of running a Puppet infrastructure but not if it comes at the price of
breaking stuff without adequate replacement. There have already been some
pretty substantial improvements to Puppet Server based on feedback like
SERVER-18, so conversations like Hey I'm doing this cool thing with nginx
right now, will that still work? are really helpful.

We would need support for If-Modified-Since headers to be able to switch.
Using a custom Apache config to get them working under the passenger CA
(serving all CA files by apache using mod_rewrite instead of going through
the Ruby code).
We mostly use that for knowing when to update the CRL though, so some
better mechanism for that like OCSP would work as well.

Also a solution to https://tickets.puppetlabs.com/browse/SERVER-115 is
really needed. It can sort of be solved in the Ruby version by only using a
single worker instance.

But really I think it would be good if the whole cert request stuff could
use some standard protocol like SCEP so other CA implementations like
Dogtag or even Active Directory would work as well as the puppet-server one.

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLeRBPWsLcevR-t9rn7HW%3Dxp69Au1tQepZBKBKgN06RXOg%40mail.gmail.com
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLeRBPWsLcevR-t9rn7HW%3Dxp69Au1tQepZBKBKgN06RXOg%40mail.gmail.com?utm_medium=emailutm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoURh52CYLJVohcN5po46PhN1TCfB5c%3DWyUx5mBPz1Fatw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Puppet 5 changes

2015-03-06 Thread Chris Price

On Fri, Mar 6, 2015 at 6:41 AM, Erik Dalén erik.gustav.da...@gmail.com
wrote:


 Also a solution to https://tickets.puppetlabs.com/browse/SERVER-115 is
 really needed. It can sort of be solved in the Ruby version by only using a
 single worker instance.


This is definitely slated for Puppet 5.0/Puppet Server 3.0.



 But really I think it would be good if the whole cert request stuff could
 use some standard protocol like SCEP so other CA implementations like
 Dogtag or even Active Directory would work as well as the puppet-server one.


I'm a huge fan of that suggestion... we'll at least look into it :)

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/CAMx1QfKNC0LYeTm%2B%3DJuzDzaBo%3DxrpjSWWegzXMqHDCQNrryryg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Felix Frank

On 03/06/2015 02:45 PM, Trevor Vaughan wrote:
 file { '/export': ensure = 'directory' }
 file { '/export/home': ensure = 'directory' }
 user { 'foo': home = '/export/home/foo' } # This probably needs to come
 after /export/home, otherwise the user will get a nasty surprise when
 they first login
 
 Sure, I *can* create the user without having the directory in place. But
 what good does that do anyone?

Ah, a misunderstanding. It had actually not occured to me that users
might manage the $HOME dir as a file resource as well, and that we
should autorequire that. I'm all caught up in autorequiring the parent.

And yes, both these things do make sense. I see no issues with adding
the relationship to either homedir or parent. (It's parent+1 that makes
no sense, but we agree on that as well).

Thanks,
Felix

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/54F9B3CA.7030700%40alumni.tu-berlin.de.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Trevor Vaughan

Sorry for the confusion. That's what I get for typing prior to the morning
caffeine.

Trevor

On Fri, Mar 6, 2015 at 9:03 AM, Felix Frank felix.fr...@alumni.tu-berlin.de
wrote:

On 03/06/2015 02:45 PM, Trevor Vaughan wrote:
file { '/export': ensure = 'directory' }
file { '/export/home': ensure = 'directory' }
user { 'foo': home = '/export/home/foo' } # This probably needs to come
after /export/home, otherwise the user will get a nasty surprise when
they first login

Sure, I *can* create the user without having the directory in place. But
what good does that do anyone?

Ah, a misunderstanding. It had actually not occured to me that users
might manage the $HOME dir as a file resource as well, and that we
should autorequire that. I'm all caught up in autorequiring the parent.

And yes, both these things do make sense. I see no issues with adding
the relationship to either homedir or parent. (It's parent+1 that makes
no sense, but we agree on that as well).

Thanks,
Felix

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoWiBpz5mKXgfNGwTpH1SmsRByRjuo_KMQVS3nY66hYKSQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Trevor Vaughan

Interestingly, I ran into just this issue yesterday.

The scenario was using autofs.

Autofs home directories get installed in /export/home/$USER.
Autofs takes care of $USER.

However, puppet takes care of /export and /home.

So, if all resources are managed by Puppet, then User['foo'] should
autorequire at least /export/home which, in turn, will autorequire /export.
However, the actual /export/home/$USER directory is completely irrelevant
(and should not show up in Puppet anyway).

If, for some reason, /export/home was *not* controlled by Puppet, then I
would want User['foo'[ to autorequire /export as well as /export/home.

In this case, I would want the user's target directory +1 to be
autorequired and I would like to vote for that.

I couldn't come up with any scenarios that would push me past target +1.

Trevor

On Fri, Mar 6, 2015 at 5:50 AM, Felix Frank felix.fr...@alumni.tu-berlin.de
wrote:

Since we're winding down :)

As nobody seems to love generated resources as passionately as I do
(it's OK, we still have each other), I would still ask for a compromise:
Autorequire does make sense, but can we tone it down?

As I understand it, the following resource

user { 'foo': home = '/var/lib/vendor/toolset/vendor-tool' }

will autorequire either
File['/var/lib/vendor/toolset']
File['/var/lib/vendor']
File['/var/lib']
or
File['/var']

which is a bit much for my taste. Autorequiring the immediate parent
only would make more sense to me.

Thanks,
Felix

On 03/03/2015 10:38 PM, Trevor Vaughan wrote:
Indeed, I too apologize for the complete tangent!

And, as would be expected, I'm for the autorequires since it does what I
would expect it to do.

Which, again, is counter to what John wants ;-). But, that's my answer
to the original question.

Thanks,

Trevor

On Tue, Mar 3, 2015 at 3:37 PM, John Bollinger
john.bollin...@stjude.org mailto:john.bollin...@stjude.org wrote:

On Wednesday, February 25, 2015 at 5:41:19 PM UTC-6, Raphaël Pinson
wrote:

Hello,

As per Kylo's comment in PR for PUP-4036

https://github.com/puppetlabs/puppet/pull/3645#issuecomment-76032829,
I'd like to discuss the possibility and implications of
autorequiring parent directories of the home directory for user
resources.

As stated in the PR, the idea came from stumbling upon a code
like this one:

file { '/srv/home': ensure = directory }
file { '/home': ensure = link, target = '/srv/home' } - User
| |

where it made a lot of sense that all users should just
autorequire the nearest parent directory to their home directory.

What are your thoughts on this feature?

My sincere apologies for my part in what I now recognize as taking
this thread off on a tangent. The lively discussion we had,
however, did allow me to frame my general position on
autorequirements, which is that they should be implemented only when
they are directly indicated by the nature of the resource. If User
resources /can/ be applied without first applying the File resources
representing their home directories, then there should be no
autorequirement.

John

--
You received this message because you are subscribed to the Google
Groups Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it,
send an email to puppet-dev+unsubscr...@googlegroups.com
mailto:puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit

https://groups.google.com/d/msgid/puppet-dev/b8d5e560-9357-4d8f-8234-3b593d9be246%40googlegroups.com

https://groups.google.com/d/msgid/puppet-dev/b8d5e560-9357-4d8f-8234-3b593d9be246%40googlegroups.com?utm_medium=emailutm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

Re: [Puppet-dev] Puppet Faces Install Location

2015-03-06 Thread Trevor Vaughan

Hi Erik,

I was thinking of just having the 'module' subcommand shove things into
$confdir/faces/facename if the module is tagged as a face.

Installing them as a gem is irritating, but doable. It doesn't really keep
things tidy within the ecosystem though.

I actually don't like pluginsync'ing them since I really don't think that
items that are not related to the application of the system configuration
should be sync'd to clients.

Could the face portion be put in a 'face' directory in the module and that
be pulled to the alternate location by the module tool if it exists?

Thanks,

Trevor

On Fri, Mar 6, 2015 at 9:19 AM, Erik Dalén erik.gustav.da...@gmail.com
wrote:

Well, faces can be installed as gems as well if they are packaged that
way. Some modules include both functions and faces though, my puppetdbquery
module would be an example of that. It could of course be split into
different parts for the functions and the face, but I'm not entirely
convinced of the benefit.

Also if they are installed as modules they can be pluginsynced to agents
which can be pretty handy.

On Fri, 6 Mar 2015 at 13:24 Trevor Vaughan tvaug...@onyxpoint.com wrote:

Hi All,

I was building a custom Face and realized that there really should be
another way to handle these in the local filesystem.

The current method for adding Faces, as evidenced by 'strings', seems to
be to drop them in as a module.

So, I would like to propose the following:

Thanks,

Trevor

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLc9%2BBzsAQzmq%2BUKmWxWw9VBK0STA_JAJ5xcOVgEya3xSQ%40mail.gmail.com
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLc9%2BBzsAQzmq%2BUKmWxWw9VBK0STA_JAJ5xcOVgEya3xSQ%40mail.gmail.com?utm_medium=emailutm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoURo-0aZ0AtD2%3DPJbpEb%3DQRbZANSpE-aLfx2%2BFe70Ar%3Dw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Trevor Vaughan

That's a really good point and an unfortunate situation, kind of like the
group/user dependency chain for removals.

So, there goes that thread :-)

On Fri, Mar 6, 2015 at 9:23 AM, Erik Dalén erik.gustav.da...@gmail.com
wrote:

On Fri, 6 Mar 2015 at 15:04 Felix Frank felix.fr...@alumni.tu-berlin.de
wrote:

Sure, I *can* create the user without having the directory in place. But
what good does that do anyone?

And yes, both these things do make sense. I see no issues with adding
the relationship to either homedir or parent. (It's parent+1 that makes
no sense, but we agree on that as well).

Won't the $HOME file resource autorequire the user resource already? At
least if $HOME is owned by $USER, which it usually is. So then you would
get a dependency loop.

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLfcUqwhAAg-k_KF%2BGU%2B1txbSfg6%2Bbgh6Y1OXjojfK5e5w%40mail.gmail.com
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLfcUqwhAAg-k_KF%2BGU%2B1txbSfg6%2Bbgh6Y1OXjojfK5e5w%40mail.gmail.com?utm_medium=emailutm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoVim-bzk3XPt0NDQxGWYCTJ5-JSBikZxm49ELLAeFxA9w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Puppet 5 changes

2015-03-06 Thread Erik Dalén

On Fri, 6 Mar 2015 at 05:30 Eric Sorenson eric.soren...@puppetlabs.com
wrote:

But I'm interested in hearing opinions on the Rack deprecation, especially
if there are significant functionality gaps between what people are
currently doing in your Passenger setup and what's possible with Puppet
Server. Overall it's obviously easier to support fewer, more opinionated
ways of running a Puppet infrastructure but not if it comes at the price of
breaking stuff without adequate replacement. There have already been some
pretty substantial improvements to Puppet Server based on feedback like
SERVER-18, so conversations like Hey I'm doing this cool thing with nginx
right now, will that still work? are really helpful.

Also a solution to https://tickets.puppetlabs.com/browse/SERVER-115 is
really needed. It can sort of be solved in the Ruby version by only using a
single worker instance.

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLeRBPWsLcevR-t9rn7HW%3Dxp69Au1tQepZBKBKgN06RXOg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Erik Dalén

On Fri, 6 Mar 2015 at 15:04 Felix Frank felix.fr...@alumni.tu-berlin.de
wrote:

Sure, I *can* create the user without having the directory in place. But
what good does that do anyone?

And yes, both these things do make sense. I see no issues with adding
the relationship to either homedir or parent. (It's parent+1 that makes
no sense, but we agree on that as well).

Won't the $HOME file resource autorequire the user resource already? At
least if $HOME is owned by $USER, which it usually is. So then you would
get a dependency loop.

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CAAAzDLfcUqwhAAg-k_KF%2BGU%2B1txbSfg6%2Bbgh6Y1OXjojfK5e5w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet-dev] Puppet Faces Install Location

2015-03-06 Thread Trevor Vaughan

Hi All,

I was building a custom Face and realized that there really should be
another way to handle these in the local filesystem.

The current method for adding Faces, as evidenced by 'strings', seems to be
to drop them in as a module.

I dislike this for two reasons. First, they're cluttering up my module
space (and function namespace) with something that is not a module. Second,
I don't want to have to add things to 'modules' if my node is simply a
client where I want additional functionality (puppetdb hooks, whatever).

So, I would like to propose the following:

* The module tool and Forge are enhanced to support a 'face' tag
* The 'face' tag will indicate that the module is installing a Face
* Faces cannot co-exist with other module components (no actual puppet
management code should be in a Face module)
* Faces will live at $facedir, by default $confdir/faces
* Face functionality will not pollute the global namespace (if possible)

Thanks,

Trevor

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoXyTmRocvMBFR3qNnzyZyuhLdjsVTFAA-9vgtiOoJ5NMg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Felix Frank

On 03/06/2015 12:20 PM, Trevor Vaughan wrote:
 
 If, for some reason, /export/home was *not* controlled by Puppet, then I
 would want User['foo'[ to autorequire /export as well as /export/home.

Hi Trevor,

I see your example, but don't really see the value in requiring /export.

If /export/home appears through a mount, then the user should make the
User require the mount resource explicitly, not its mount point. If
there is no mount resource (autofs), then requiring the mount point adds
comparatively little safety, at the cost of complexity and potential
surprises.

Cheers,
Felix

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/54F9A1D6.8060107%40alumni.tu-berlin.de.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Trevor Vaughan

Oh, no, we would be requiring /export/home, not /export.

user { 'foo':
home = '/export/home/foo
}

/export/home/foo = Autofs controlled
/export/home = Something Puppet creates

If it doesn't create it, then nothing happens, no added complexity.

I'm not sure what kind of surprise you could have with autorequiring
/export/home. I'm also not sure what complexity arises.

file { '/export': ensure = 'directory' }
file { '/export/home': ensure = 'directory' }
user { 'foo': home = '/export/home/foo' } # This probably needs to come
after /export/home, otherwise the user will get a nasty surprise when they
first login

Sure, I *can* create the user without having the directory in place. But
what good does that do anyone?

Trevor

On Fri, Mar 6, 2015 at 7:47 AM, Felix Frank felix.fr...@alumni.tu-berlin.de
wrote:

On 03/06/2015 12:20 PM, Trevor Vaughan wrote:

If, for some reason, /export/home was *not* controlled by Puppet, then I
would want User['foo'[ to autorequire /export as well as /export/home.

Hi Trevor,

I see your example, but don't really see the value in requiring /export.

If /export/home appears through a mount, then the user should make the
User require the mount resource explicitly, not its mount point. If
there is no mount resource (autofs), then requiring the mount point adds
comparatively little safety, at the cost of complexity and potential
surprises.

Cheers,
Felix

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoWKrZQad85WfR%3D_PhRGJ5CDL-LuWniVZesT60sWGrZG9A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Puppet 5 changes

2015-03-06 Thread Felix Frank

On 03/06/2015 05:30 AM, Eric Sorenson wrote:
 There are two main areas of change, both related to continuing to move 
 server-side functionality into Puppet Server: the certificate authority and 
 the network stack.  There may be other semver-major breaks that get rolled 
 in, but at this point we're planning to deliberately NOT have language 
 changes that would necessitate revising modules.

I guess that means that dynamic scoping of resource defaults will have
to linger until Puppet 6, yes?

This is not necessarily a problem - depending on how fast we get to
Puppet 5, we may not even have the solution ready in time, anyway.

On the other hand, I dearly hope that no Forge module currently relies
on dynamic scoping.

Cheers,
Felix

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/54F9CD7B.4060006%40alumni.tu-berlin.de.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Puppet 5 changes

2015-03-06 Thread Trevor Vaughan

I was going back and forth on this and I have to agree with John.

There have been several times where I pushed out a lightweight Puppet
server on a VM running 512M RAM, 1 CPU, just to try something in a
'production-like' scenario.

I'm OK with losing Rack support, but a lightweight server instance is great
for testing.

Trevor

On Fri, Mar 6, 2015 at 12:01 PM, John Bollinger john.bollin...@stjude.org
wrote:

On Thursday, March 5, 2015 at 10:30:47 PM UTC-6, Eric Sorenson wrote:

My hypothesis is if you're just dipping a toe in the water to try out
Puppet, running standalone with `puppet apply` is probably going to work
better than a webrick agent/server setup.

I'm doubtful of the validity of that hypothesis. The use cases for
`puppet apply` tend to be different from the use cases for agent / master.
If I wanted to try out Puppet for a scenario in which agent / master was
the appropriate choice, or especially if the agent / master setup itself
were part of what I wanted to evaluate, then `puppet apply` would simply
not be a good alternative.

As light-duty as webrick may be, it has the virtue of being extremely easy
get up and running. I'm not specially tied to webrick itself, but I think
Puppet benefits from having a lightweight, out-of-the-box server option.

John

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/d9061cc6-93a8-40fd-8572-d4fdfc9170cf%40googlegroups.com
https://groups.google.com/d/msgid/puppet-dev/d9061cc6-93a8-40fd-8572-d4fdfc9170cf%40googlegroups.com?utm_medium=emailutm_source=footer
.

For more options, visit https://groups.google.com/d/optout.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoWjOt7UXAd%3DXqUOS-x84WdkeSnjV0ixhOcXJyVRVZReYQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet-dev] Re: Puppet 5 changes

2015-03-06 Thread John Bollinger



On Thursday, March 5, 2015 at 10:30:47 PM UTC-6, Eric Sorenson wrote:

My hypothesis is if you're just dipping a toe in the water to try out 
 Puppet, running standalone with `puppet apply` is probably going to work 
 better than a webrick agent/server setup. 



I'm doubtful of the validity of that hypothesis.  The use cases for `puppet 
apply` tend to be different from the use cases for agent / master.  If I 
wanted to try out Puppet for a scenario in which agent / master was the 
appropriate choice, or especially if the agent / master setup itself were 
part of what I wanted to evaluate, then `puppet apply` would simply not be 
a good alternative.

As light-duty as webrick may be, it has the virtue of being extremely easy 
get up and running.  I'm not specially tied to webrick itself, but I think 
Puppet benefits from having a lightweight, out-of-the-box server option.


John

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/d9061cc6-93a8-40fd-8572-d4fdfc9170cf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Puppet 5 changes

2015-03-06 Thread Felix Frank

Seconded. For debugging purposes, the webrick master is still useful as
well.

On 03/06/2015 06:04 PM, Trevor Vaughan wrote:
 I was going back and forth on this and I have to agree with John.
 
 There have been several times where I pushed out a lightweight Puppet
 server on a VM running 512M RAM, 1 CPU, just to try something in a
 'production-like' scenario.
 
 I'm OK with losing Rack support, but a lightweight server instance is
 great for testing.
 
 Trevor
 
 On Fri, Mar 6, 2015 at 12:01 PM, John Bollinger
 john.bollin...@stjude.org mailto:john.bollin...@stjude.org wrote:
 
 
 
 On Thursday, March 5, 2015 at 10:30:47 PM UTC-6, Eric Sorenson wrote:
 
 My hypothesis is if you're just dipping a toe in the water to
 try out Puppet, running standalone with `puppet apply` is
 probably going to work better than a webrick agent/server setup.
 
 
 
 I'm doubtful of the validity of that hypothesis.  The use cases for
 `puppet apply` tend to be different from the use cases for agent /
 master.  If I wanted to try out Puppet for a scenario in which agent
 / master was the appropriate choice, or especially if the agent /
 master setup itself were part of what I wanted to evaluate, then
 `puppet apply` would simply not be a good alternative.
 
 As light-duty as webrick may be, it has the virtue of being
 extremely easy get up and running.  I'm not specially tied to
 webrick itself, but I think Puppet benefits from having a
 lightweight, out-of-the-box server option.
 
 
 John

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/54F9DFE0.7010503%40alumni.tu-berlin.de.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Puppet 5 changes

2015-03-06 Thread Chris Price

On Fri, Mar 6, 2015 at 8:46 AM, Eric Thompson er...@puppetlabs.com wrote:


 Currently there are two separate certificate authority implementations,
 one in Ruby and one in Clojure. Puppet 5 will consolidate onto the new
 Clojure CA, removing the Ruby CA code and building new command-line tools
 to interact with it. (See SERVER-270 for the design/requirements work
 here.) This is cool because right now there are a few overlapping /
 conflicting subcommands like `puppet ca`, `puppet cert`, `puppet
 certificate_request`, etc that are pretty inconsistent, and it'll be great
 to have the chance to clean them up.


 I hadn't heard about this portion of puppet 5.  If some of these
 subcommands are going away do we have deprecation notices going into some y
 or z release of puppet 4?


One option that we've discussed is replacing the old commands with stubs
that just print out some info about how to find / use the new versions.
Eric may have more thoughts re: deprecation notices, though.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/CAMx1Qf%2BzYOgb-Y9WoE7AWz46MWrTgneo7KLBSuM%2BM74S%3DJ%2BYOA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Default environment_timeout preference

2015-03-06 Thread John Bollinger


On Thursday, March 5, 2015 at 8:42:34 PM UTC-6, Adrien Thebo wrote:

 To me, following the principle of least astonishment indicates that 
 caching be disabled by default; it'll work correctly for new users and has 
 no hidden gotchas. When people want to do performance tuning they're 
 probably fairly sophisticated users and can deal with weird cache 
 invalidation issues; since they're opting into this feature they should be 
 prepared to deal with the ramifications.


+1

Perhaps it would make sense for PE to be configured differently out of the 
box, but between the two options presented, Puppet's built-in default 
should be no caching.


John

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/fbe05736-89bf-42d1-8125-dd4ea6865b45%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Puppet 5 changes

2015-03-06 Thread Eric Thompson



 Currently there are two separate certificate authority implementations,
 one in Ruby and one in Clojure. Puppet 5 will consolidate onto the new
 Clojure CA, removing the Ruby CA code and building new command-line tools
 to interact with it. (See SERVER-270 for the design/requirements work
 here.) This is cool because right now there are a few overlapping /
 conflicting subcommands like `puppet ca`, `puppet cert`, `puppet
 certificate_request`, etc that are pretty inconsistent, and it'll be great
 to have the chance to clean them up.


I hadn't heard about this portion of puppet 5.  If some of these
subcommands are going away do we have deprecation notices going into some y
or z release of puppet 4?

-- 
Eric Thompson
eric.thomp...@puppetlabs.com er...@puppetlabs.com
Senior Software Quality Assurance Engineer

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-dev/CAC3n4yQhvtnM3WB-MvpkfAswbK9uczmZ8rbtqxy9JnRXUDuMsQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

2015-03-06 Thread Felix Frank

Since we're winding down :)

As nobody seems to love generated resources as passionately as I do
(it's OK, we still have each other), I would still ask for a compromise:
Autorequire does make sense, but can we tone it down?

As I understand it, the following resource

user { 'foo': home = '/var/lib/vendor/toolset/vendor-tool' }

will autorequire either
File['/var/lib/vendor/toolset']
File['/var/lib/vendor']
File['/var/lib']
or
File['/var']

which is a bit much for my taste. Autorequiring the immediate parent
only would make more sense to me.

Thanks,
Felix

On 03/03/2015 10:38 PM, Trevor Vaughan wrote:
Indeed, I too apologize for the complete tangent!

And, as would be expected, I'm for the autorequires since it does what I
would expect it to do.

Which, again, is counter to what John wants ;-). But, that's my answer
to the original question.

Thanks,

Trevor

On Tue, Mar 3, 2015 at 3:37 PM, John Bollinger
john.bollin...@stjude.org mailto:john.bollin...@stjude.org wrote:

On Wednesday, February 25, 2015 at 5:41:19 PM UTC-6, Raphaël Pinson
wrote:

Hello,

As per Kylo's comment in PR for PUP-4036

As stated in the PR, the idea came from stumbling upon a code
like this one:

file { '/srv/home': ensure = directory }
file { '/home': ensure = link, target = '/srv/home' } - User | |

where it made a lot of sense that all users should just
autorequire the nearest parent directory to their home directory.

What are your thoughts on this feature?

John

--
You received this message because you are subscribed to the Google
Groups Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it,
send an email to puppet-dev+unsubscr...@googlegroups.com
mailto:puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit

https://groups.google.com/d/msgid/puppet-dev/b8d5e560-9357-4d8f-8234-3b593d9be246%40googlegroups.com

https://groups.google.com/d/msgid/puppet-dev/b8d5e560-9357-4d8f-8234-3b593d9be246%40googlegroups.com?utm_medium=emailutm_source=footer.

For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Re: Puppet 5 changes

2015-03-06 Thread Trevor Vaughan

John, Felix, and I agreemarking on calendar

On Fri, Mar 6, 2015 at 12:12 PM, Felix Frank
felix.fr...@alumni.tu-berlin.de wrote:

Seconded. For debugging purposes, the webrick master is still useful as
well.

On 03/06/2015 06:04 PM, Trevor Vaughan wrote:
I was going back and forth on this and I have to agree with John.

There have been several times where I pushed out a lightweight Puppet
server on a VM running 512M RAM, 1 CPU, just to try something in a
'production-like' scenario.

I'm OK with losing Rack support, but a lightweight server instance is
great for testing.

Trevor

On Fri, Mar 6, 2015 at 12:01 PM, John Bollinger
john.bollin...@stjude.org mailto:john.bollin...@stjude.org wrote:

On Thursday, March 5, 2015 at 10:30:47 PM UTC-6, Eric Sorenson wrote:

My hypothesis is if you're just dipping a toe in the water to
try out Puppet, running standalone with `puppet apply` is
probably going to work better than a webrick agent/server setup.

I'm doubtful of the validity of that hypothesis. The use cases for
`puppet apply` tend to be different from the use cases for agent /
master. If I wanted to try out Puppet for a scenario in which agent
/ master was the appropriate choice, or especially if the agent /
master setup itself were part of what I wanted to evaluate, then
`puppet apply` would simply not be a good alternative.

As light-duty as webrick may be, it has the virtue of being
extremely easy get up and running. I'm not specially tied to
webrick itself, but I think Puppet benefits from having a
lightweight, out-of-the-box server option.

John

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
tvaug...@onyxpoint.com

-- This account not approved for unencrypted proprietary information --

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/CANs%2BFoVu5pJB0J6A-GdM7yrNpXA3KDxa7wcFngfSZaLQgeusyA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Default environment_timeout preference

2015-03-06 Thread Reid Vandewiele

The principle of least astonishment is absolutely what we should be 
targeting. The use of any kind of timer upon whose ticks behavior changes 
is in inarguable opposition to this, whether it's 10 seconds, 3 minutes, or 
15 minutes. However, I think the use of implementation terms like caching 
in describing the two proposed options clouds the water a bit, as both 
options result in clear and consistent behavior.

Described without the term caching, option 1 effectively proposes that 
puppet-server should read all configuration files on startup (puppet.conf, 
auth.conf, fileserver.conf, environments/**/*.pp, etc.), and not 
automatically re-read any of these files unless the user issues an explicit 
`service puppet-server reload` command.

Described without the term caching, option 2 effectively proposes that 
puppet-server should read some configuration files on startup (puppet.conf, 
auth.conf, fileserver.conf, etc.), and that puppet-server should read 
directly from disk all relevant files from environments/**/*.pp when 
compiling a catalog, once per agent request.

Both proposals move strongly away from the problem behavior we have today - 
a clock-based timeout. Were this a new product, either option seems like it 
would satisfy principle of least astonishment. The only difference between 
them, from an astonishment perspective, is that long-time Puppet users are 
accustomed to behavior resembling option 2 (though in the past 
implementation it's been more optimized, similar to the inotify suggestion 
put forth by Trevor).

I don't know that thinking about it this way changes anyone's opinion, but 
I do want to make sure we aren't getting hung up on implementation terms in 
considering what the actual proposed behaviors are.

Is having files live-updated (via guaranteed re-read) a value proposition 
itself? There seem to be some minor benefits to a reload-required behavior. 
In-progress requests are guaranteed not to get half files from one revision 
and half files from another if the catalog request timing is particularly 
bad, since the user won't issue a reload command mid-file-update, and if 
they do puppet-server will flush in-progress requests anyway. Are those 
benefits worth considering proposal 2 for?

Does this perspective make sense, or am I missing something?

~Reid

On Thursday, March 5, 2015 at 6:42:34 PM UTC-8, Adrien Thebo wrote:

 To me, following the principle of least astonishment indicates that 
 caching be disabled by default; it'll work correctly for new users and has 
 no hidden gotchas. When people want to do performance tuning they're 
 probably fairly sophisticated users and can deal with weird cache 
 invalidation issues; since they're opting into this feature they should be 
 prepared to deal with the ramifications.

 On Thu, Mar 5, 2015 at 5:19 PM, Owen Rodabaugh ow...@puppetlabs.com 
 javascript: wrote:

 To clarify, I am asking for opinions on whether the default 
 environment_timeout should be 0 or unlimited in future releases of puppet.  
 The current plan is to default to unlimited. 

 I'm concerned that shipping with this default assumes prior experience 
 and will be another hurdle to getting started with puppet. Anecdotally I've 
 heard that a common question in #puppet is I changed my puppet code, why 
 isn't it showing when I do a test run?.

 Conversely setting environment_timeout=0 will result in lower 
 performance, but no need to restart puppet or hit the API to flush a cache 
 to see code changes. The users impacted by this are likely more experienced 
 and would already be managing, or easily able to manage this setting if 
 they had performance concerns or a pre-existing code deployment workflow.

 Thanks,

 Owen

 On Thursday, March 5, 2015 at 3:56:24 PM UTC-8, Trevor Vaughan wrote:

 Can you use inotify to invalidate the cache via the API call when 
 selected files in your infrastructure change?

 It looks like you could do this directly from the core 
 https://launchpad.net/inotify-java. You'll just want to queue them up a 
 bit to not go crazy. 10 seconds should probably do it, but you could make 
 that configurable.

 Trevor

 On Wed, Mar 4, 2015 at 4:36 PM, Owen Rodabaugh ow...@puppetlabs.com 
 wrote:

 We've been discussing what the default environment_timeout setting 
 should be. There is general agreement that the current 3 minutes is not 
 great. It's both baffling to new users and does not bring in the full 
 performance benefits.

 Two main perspectives on this:

 1. Performance should be the primary driver and that the default of 
 unlimited (cache never automatically refreshes) is preferred. This assumes 
 most users have a code deployment workflow and tooling which can be 
 adjusted to include the steps required to update the cache. These steps 
 are 
 either hitting the puppetserver environment cache endpoint, or restarting 
 the service to cause the cache to update.

 2. New user experience should be the primary driver and that a default

Re: [Puppet-dev] Default environment_timeout preference

2015-03-06 Thread John Bollinger

On Friday, March 6, 2015 at 11:36:03 AM UTC-6, Reid Vandewiele wrote:

The principle of least astonishment is absolutely what we should be
targeting. The use of any kind of timer upon whose ticks behavior changes
is in inarguable opposition to this, whether it's 10 seconds, 3 minutes, or
15 minutes. However, I think the use of implementation terms like caching
in describing the two proposed options clouds the water a bit, as both
options result in clear and consistent behavior.

Described without the term caching, option 1 effectively proposes that
puppet-server should read all configuration files on startup (puppet.conf,
auth.conf, fileserver.conf, environments/**/*.pp, etc.), and not
automatically re-read any of these files unless the user issues an explicit
`service puppet-server reload` command.

Described without the term caching, option 2 effectively proposes that
puppet-server should read some configuration files on startup (puppet.conf,
auth.conf, fileserver.conf, etc.), and that puppet-server should read
directly from disk all relevant files from environments/**/*.pp when
compiling a catalog, once per agent request.

It would also be clear and consistent to say that when a manifest is
changed, those changes will start being reflected in catalogs emitted by
the master within 3 minutes (or 1 or 20). The exact timing is not quite as
predictable, but the behavior can still be given as a rule, and without
using any variant of the word cache.

Both proposals move strongly away from the problem behavior we have today
- a clock-based timeout. Were this a new product, either option seems like
it would satisfy principle of least astonishment.

Both do move away from the default behavior of 3.7, but I don't see how you
can support a claim that *either* option would provide *least*
astonishment, particularly inasmuch as you also claim that a timeout is
more astonishing than either of the other alternatives. I do not find it
self-evident, for example, that most users would be more astonished that
Puppet eventually notices manifest changes, than that they have to perform
some kind of manual action separate from the change itself to make Puppet
notice changes.

The only difference between them, from an astonishment perspective, is
that long-time Puppet users are accustomed to behavior resembling option 2
(though in the past implementation it's been more optimized, similar to the
inotify suggestion put forth by Trevor).

I disagree. Puppet has always required a restart to recognize changes to
the Ruby code of server-side custom components, but that still throws
people -- sometimes even people who should know better. Not every possible
behavior is equally good or predictable, even when you start with a clean
slate, even when you can state it as a clear and consistent rule. (And in
particular, people seem pre-disposed to expect file changes to be
recognized immediately.)

I don't know that thinking about it this way changes anyone's opinion, but
I do want to make sure we aren't getting hung up on implementation terms in
considering what the actual proposed behaviors are.

I don't think the discussion is (or need be) hung up on implementation
terms. I think Adrien had it exactly right that most users will be less
surprised by manifest changes taking effect immediately than by them not
taking effect until some form of a `notice-my-changes` command is executed.

Is having files live-updated (via guaranteed re-read) a value proposition
itself?

From a least-astonishment perspective, yes. From some other perspectives,
too.

There seem to be some minor benefits to a reload-required behavior.
In-progress requests are guaranteed not to get half files from one revision
and half files from another if the catalog request timing is particularly
bad, since the user won't issue a reload command mid-file-update, and if
they do puppet-server will flush in-progress requests anyway.

You are right that those are issues for which reload-required behavior is a
win, but not on least-astonishment grounds. Are you stepping back from
your position that least astonishment is absolutely what we should be
targeting?

John

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/874f8f69-45c6-4034-b7c9-06005dc6f963%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Default environment_timeout preference

2015-03-06 Thread Eric Sorenson

On Mar 6, 2015, at 9:06 AM, John Bollinger john.bollin...@stjude.org wrote:

On Thursday, March 5, 2015 at 8:42:34 PM UTC-6, Adrien Thebo wrote:
To me, following the principle of least astonishment indicates that caching
be disabled by default; it'll work correctly for new users and has no hidden
gotchas. When people want to do performance tuning they're probably fairly
sophisticated users and can deal with weird cache invalidation issues; since
they're opting into this feature they should be prepared to deal with the
ramifications.

Perhaps it would make sense for PE to be configured differently out of the
box, but between the two options presented, Puppet's built-in default should
be no caching.

This feels quite a bit like consensus to me, I've filed
https://tickets.puppetlabs.com/browse/PUP-4094 to track the change which should
hit both in Puppet 3.8 and the Puppet 4 nightlies.

Thank you Owen for kicking off the discussion, and thanks everyone for your
thoughtful replies.

Eric Sorenson - eric.soren...@puppetlabs.com
mailto:eric.soren...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles

--
You received this message because you are subscribed to the Google Groups
Puppet Developers group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-dev/06737254-6A0C-4FB9-A6D9-85F979BD2572%40puppetlabs.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet-dev] Default environment_timeout preference

2015-03-06 Thread Reid Vandewiele

As Eric said there seems to be clear consensus and an issue has been opened
to make the change. I think it is still be useful for me to respond in
detail to John, but just to wrap up the thoughts - not to further advocate
for reload behavior. There seem to be good reasons to choose to serve files
live as opposed to read-on-start.

On Fri, Mar 6, 2015 at 11:06 AM, John Bollinger john.bollin...@stjude.org
wrote:



 On Friday, March 6, 2015 at 11:36:03 AM UTC-6, Reid Vandewiele wrote:

 The principle of least astonishment is absolutely what we should be
 targeting. The use of any kind of timer upon whose ticks behavior changes
 is in inarguable opposition to this, whether it's 10 seconds, 3 minutes, or
 15 minutes. However, I think the use of implementation terms like caching
 in describing the two proposed options clouds the water a bit, as both
 options result in clear and consistent behavior.

 Described without the term caching, option 1 effectively proposes that
 puppet-server should read all configuration files on startup (puppet.conf,
 auth.conf, fileserver.conf, environments/**/*.pp, etc.), and not
 automatically re-read any of these files unless the user issues an explicit
 `service puppet-server reload` command.

 Described without the term caching, option 2 effectively proposes that
 puppet-server should read some configuration files on startup (puppet.conf,
 auth.conf, fileserver.conf, etc.), and that puppet-server should read
 directly from disk all relevant files from environments/**/*.pp when
 compiling a catalog, once per agent request.



 It would also be clear and consistent to say that when a manifest is
 changed, those changes will start being reflected in catalogs emitted by
 the master within 3 minutes (or 1 or 20).  The exact timing is not quite as
 predictable, but the behavior can still be given as a rule, and without
 using any variant of the word cache.


I'll cede consistent, but I continue to hold that clock-based behavior
lacks clarity. The problem is not that the behavior can't be calculated,
it's that to a new user experimenting with the product the clock-based
behavior hinders their ability to engage in adjust/observe/iterate
experimentation. If I'm trying to understand what a product is doing, I
want to make a change and observe the result to see if the change I made
did what I expected. I want confidence that if I make an adjustment and a
change is observed, it is due to my adjustment. This is a feedback loop.

The problem with a clock is that after I make my adjustment, there usually
won't be any observed change immediately. But, there will be change later.
At best, my feedback loop is delayed and it takes me longer to understand
what's going on. More realistically, this kind of inconsistent feedback
makes me frustrated with the product and don't have confidence that what
I'm doing is having the expected effect. After I figure it out, I can work
with it.





 Both proposals move strongly away from the problem behavior we have today
 - a clock-based timeout. Were this a new product, either option seems like
 it would satisfy principle of least astonishment.



 Both do move away from the default behavior of 3.7, but I don't see how
 you can support a claim that *either* option would provide *least*
 astonishment, particularly inasmuch as you also claim that a timeout is
 more astonishing than either of the other alternatives.  I do not find it
 self-evident, for example, that most users would be more astonished that
 Puppet eventually notices manifest changes, than that they have to perform
 some kind of manual action separate from the change itself to make Puppet
 notice changes.


My assertion that either option provides a least-astonishment experience is
indeed built on a belief that clock-based system is Bad (TM), which I first
took as a given. I've provided more context for why I believe this to be
the case above. Even allowing that this assumption is incorrect, I still
believe that option 1 and 2 are much more similar to each other in terms of
first-time-user astonishment than either is to clock-based, since both give
users consistent feedback.

Users expect to have to restart or refresh most services if their
configuration file(s) change. I have been considering puppet manifests
similar to configuration files in this way. It sounds like most people
would more intuitively consider manifests more like *.php files, or
something to be *served*. The general opinion in this thread supports that.
Given that starting point, I can see how it would be less astonishing to
people if changes made to those files were immediately impactful, rather
than requiring a reload.




 The only difference between them, from an astonishment perspective, is
 that long-time Puppet users are accustomed to behavior resembling option 2
 (though in the past implementation it's been more optimized, similar to the
 inotify suggestion put forth by Trevor).



 I disagree.  Puppet has always

Re: [Puppet-dev] Puppet Faces Install Location

Re: [Puppet-dev] Puppet 5 changes

Re: [Puppet-dev] Puppet 5 changes

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

Re: [Puppet-dev] Puppet Faces Install Location

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

Re: [Puppet-dev] Puppet 5 changes

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

[Puppet-dev] Puppet Faces Install Location

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

Re: [Puppet-dev] Puppet 5 changes

Re: [Puppet-dev] Re: Puppet 5 changes

[Puppet-dev] Re: Puppet 5 changes

Re: [Puppet-dev] Re: Puppet 5 changes

Re: [Puppet-dev] Puppet 5 changes

Re: [Puppet-dev] Default environment_timeout preference

Re: [Puppet-dev] Puppet 5 changes

Re: [Puppet-dev] Re: Autorequiring parent directories to the home directory in user resources

Re: [Puppet-dev] Re: Puppet 5 changes

Re: [Puppet-dev] Default environment_timeout preference

Re: [Puppet-dev] Default environment_timeout preference

Re: [Puppet-dev] Default environment_timeout preference

Re: [Puppet-dev] Default environment_timeout preference

26 matches

Site Navigation

Mail list logo

Footer information