Re: [Puppet Users] Re: Roles and profiles dissent

[Rob Nelson]

On Fri, Aug 2, 2019 at 9:03 PM Chris Southall  wrote:

>
>
> Lets say a module has 10 parameters and supplies defaults for most of
> them.  When writing a profile you have to choose how many of the class
> parameters can remain defaults, how many to override, and how many to
> expose as profile parameters.  It's sounds fine to limit the number of
> parameters at the profile, right up until you hit an edge case that doesn't
> work with the default values and the parameter you need to change now
> requires a profile update...
>

Are you using “include classname” or “class { classname: }” in your
manifests? It sounds like the latter, which means you’re likely to pass
down class parameters which must now be exposed as parameters in your class.

The former is far more flexible. Because of hiera’s automatic parameter
lookup, you could write this:

class profile::base::linux {
  include ntp
  include ssh::server
}

Pair it with this hiera data:

---
ntp::servers:
- ‘pool.example.com’
- ‘pool2.example.com’
ssh::servers::ciphers: “blowfish,aes-128,aes-256”

And now your profile needs to expose zero parameters, which means you don’t
need to write the code to accept AND pass the parameters or even really
know the modules; your ntp and security team can be the experts on that,
instead.

Similarly, a profile::mysql::server class wouldn’t need to pass any
parameters down, and your DBA can come up with the various key/value pairs
like mysql::root_password: “changeme” to use.

Your class parameters would then be restricted to things like feature flags
and site specific details (if $manage_some_feature {include some_feature}
or if ($datacenter == “onprem”) {mount {“/nfs}: … }), which are things
y’all would know lots about, and in turn let the subject matter experts
focus on the component modules that require their expertise.


As far as tests go, check out puppet-retrospec. It’s a gem that will create
(naive) rspec-puppet tests for existing code. It’s a good way to get
started and illustrate how it works with the least amount of pain.

> --
Rob Nelson

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAC76iT_9VqYYia107Ows8dMyW5-rTA3tvTaVUuXQHcx4Xj1j6Q%40mail.gmail.com.

[Puppet Users] Re: Roles and profiles dissent

[Chris Southall]

Hi Luke.  Thanks for a thoughtful and detailed response.

Quite a similar question was posted about two weeks back, you might find 
> that very interesting:
> https://groups.google.com/forum/#!topic/puppet-users/NW2yuHMJvsY
>

I saw this, and have been kicking around the idea leading to this post

If you are a confident Puppet Coder, you might prefer to import the source, 
> patch the module to add your feature, then submit the patch back upstream.
>

This is likely part of my problem.  I am not a confident puppet coder, 
probably closer to barely competent.
  

> When using roles and profiles you end up declaring all the module 
>> parameters again to avoid losing functionality and flexibility.
>>
>
> ... Not sure I agree with that statement.  That sounds odd.  Why would you 
> be re-declaring module parameters if you're not changing something from the 
> defaults?  And if you are intending to change something, then of course you 
> are supplying different parameters?
>

Lets say a module has 10 parameters and supplies defaults for most of 
them.  When writing a profile you have to choose how many of the class 
parameters can remain defaults, how many to override, and how many to 
expose as profile parameters.  It's sounds fine to limit the number of 
parameters at the profile, right up until you hit an edge case that doesn't 
work with the default values and the parameter you need to change now 
requires a profile update...
 

> You also need to be familiar with all the classes, types, and parameters 
>> from all modules in order to use them effectively.
>>
>
> Ideally the README page of a module would contain amazing user level 
> documentation of how the module should work... but not that many do.  I 
> often find I have to go read the Puppet code itself to figure out exactly 
> what a parameter does.
>

Ditto on the documentation.  Some modules are better than others, and of 
course you can review the manifests, but with my admitted weakness in 
Puppet DSL it's not always immediately apparent to me what some classes are 
doing.
 

> To avoid all of the above, I put together the 'basic' module and posted it 
>> on the forge:  https://forge.puppet.com/southalc/basic
>>
>
> Ok :-) I'm beginning to see what the core of your problem is.  The fact 
> that you've created your own module to effectively do create_resources() 
> hash definitions says to me that you haven't quite grasped the concepts of 
> the Role / Profile design pattern.  I know I have a very strong view on 
> this subject and many others will disagree, but personally I think the Role 
> / Profile pattern and the "do-everything-with-Hiera-data" pattern are 
> practically incompatible.
>

I'd like to think I grasp the roles/profiles concept, but am just not 
convinced it's a better approach.  Abstracting away configuration details 
and exposing a limited set of parameters results in uniform 
configurations.  In doing so it also seems it limits flexibility and 
ensures that you'll continue to spend a good deal of time maintaining your 
collection of profiles/modules.
 

> This module uses the hiera_hash/create_resources model for all the native 
>> puppet (version 5.5) types, using module parameters that match the type 
>> (exceptions for metaparameters, per the README).  The module also includes 
>> the 'file_line' type from puppetlabs/stdlib, the 'archive' type from 
>> puppet/archive, and the local defined type 'binary', which together provide 
>> a simple and powerful way to create complex configurations from hiera.  All 
>> module parameters default to an empty hash and also have a merge strategy 
>> of 'hash' to enable a great deal of flexibility.  With this approach I've 
>> found it possible to replace many single purpose modules it's much faster 
>> and easier to get the results I'm looking for.
>>
>
> A Hiera-based, data-driven approach will always be faster to produce a 
> "new" result (just like writing Ansible YAML is faster to produce than 
> Puppet code)...  It's very easy to brain dump configuration into YAML and 
> have it work, and that's efficient up to a certain point.  For your simple 
> use cases, yes, I can completely see why you would be looking at the Role 
> Profile pattern and saying to yourself "WTF for?".  I think the tipping 
> point of which design method becomes more efficient directly relates to how 
> complicated (or how much control) you want over your systems.
>

A number of people I've talked to like Ansible because of the easy learning 
curve and great time-to-results.
 

> The more complicated you go, the more I think you will find that Hiera 
> just doesn't quite cut it.  Hiera is a key value store.  You can start 
> using some neat tricks like hash merging, you can look up other keys to 
> de-duplicate data... When you start to model more and more complicated 
> infrastructure, I think you will find that you don't have enough power in 
> Hiera to describe what you want to describe, and that you need an 

[Puppet Users] sshkeys from puppetdb failing after migration to puppet 6

[Andy Hall]

Hey there. We use the combination of jtopjian/sshkeys and 
dalen/puppetdbquery as it's a great solution to store and retrieve sshkeys 
from puppetdb. Currently we are migrating from puppet 3.8 to 6.6 and all 
issues have been ironed out except for the following:

When calling query_facts against puppetdb 6 I can see the connection on 
port 8081 with tcpdump but get the following error:


Error while evaluating a Function Call, undefined method facts_query for 
#


Which seems to relate to the following code in the query_facts function:


parser = PuppetDB::Parser.new

query = parser.facts_query query, facts_for_query if query.is_a? String 

parser.facts_hash(puppetdb.query(:facts, query, :extract => [:certname, 
:name, :value]), facts)


Of course we will check with the module authors but wonder has anyone else 
seen something similar and could it relate to the version of puppetdb ? As 
noted we can see the database connection being made but can't view the 
payload due to SSL. Any help would be greatly appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/eb98b80c-354e-4be9-833c-5e84376a6922%40googlegroups.com.