Re: [Puppet Users] profiles/hiera, defalults and defined
Hi
I do not wish for my juniors to need to learn Puppet at all:-) Hint:
They work in support center and mostly on windows.
We think we can expand our hiera hierarchy like this to achieve
separation in a non-complicated way:
:hierarchy:
- "customers/%{::domain}/%{::hostname}"
- "customers/%{::domain}/common"
- "roles/%{::role}" #new line
- "os/%{::osfamily}/common"
- common
Does this seem like a good way to do this?
I have read about Puppet Lookup [1] and see that this also might solve
this for us. When can we expect it to be stable?
Bjørge
[1] https://docs.puppet.com/puppet/latest/reference/lookup_quick_module.html
On 03. nov. 2016 15:49, Andrew Grimberg wrote:
Sounds like you could use a little code-review process (such as Gerrit)
managing the hiera repo. That coupled with something like
hiera-eyaml-gpg (or similar) would allow you to have your junior admins
submit changes for review allowing such hiera configs to be worked on by
multiple parties and still have any sensitive data kept from folks that
shouldn't have it.
As for configurations like you're talking about here, my team doesn't do
any sort of direct class or configuration calls. We rely on having
modules for managing everything. In this case we're using saz/ssh and
our ssh profile, which is included in the base config for all nodes,
just does an 'include ::ssh'. It also then pulls in the hiera
configuration and takes care of opening firewall ports and configuring
monitoring as appropriate.
This way, we set our standard ssh configuration up at our common hiera
base layer and any special system tweaks are just at the node specific
layer in our hiera.
On 11/03/2016 06:59 AM, Bjørge Solli wrote:
Hi Rob, thanks for your reply.
The main defaults is for every host (all customers, datacenters, etc),
but some, like a jump-host or managed-file-transfer-host, will need to
have different values. Doing this in hiera is fine for those who are
allowed to edit hiera, but setting up machines for new customers are
often done by juniors that only set the role in the provisioning system
and will have to contact a senior to get something added to hiera.
Adding defaults to hiera also makes the code less portable.
I could do something like this in the base-sshd (pseudo-code):
if $role = 'foo'; then use foo-specific values, else use default.
But I really think code belonging to the profile for jump-hosts should
be set in the corresponding profile, not as an exception in the base setup.
Lets say this is my current code in base-sshd-profile:
#Using herculesteam/augeasproviders_ssh
sshd_config { 'ConfigVariable':
value => 'no',
} #Code for overwriting this in hiera is omitted
Now I would like to change this same value for some roles, preferably
without doing changes in hiera manually for each host having this role.
Bjørge
On 03. nov. 2016 14:19, Rob Nelson wrote:
You mentioned that a specific role would like a different value, but
is there another logical division between the two configs? Perhaps
per-datacenter, or per-network, or some other differentiator? At a
worst case scenario, per individual node? You could add whatever that
differentiator is to your hiera hierarchy, if it isn't there already,
and keep your more common settings toward the bottom of the hierarchy
(perhaps even in the global/common/default tier) and the exceptions
higher up. If that sounds reasonable, then we could look at your code
and see how to separate the data appropriately.
Rob Nelson
rnels...@gmail.com <mailto:rnels...@gmail.com>
On Thu, Nov 3, 2016 at 9:11 AM, Bjørge Solli <bjorge.so...@gmail.com
<mailto:bjorge.so...@gmail.com>> wrote:
Hi
Setup: Puppet 4, profiles and roles, hiera
Trying to understand what is the best way to solve this problem:
I have a base-profile that includes default setup of sshd. The
sshd-profile sets up sane defaults, reads specific setups from
hiera and uses separate resources to manage each setting in the
sshd_config-file. But now some other profile would like to have a
different default value in one of the sshd-settings, resulting in
a conflict.
I understand using 'defined()' is discouraged and has it's
limitations, and those stating this says there are 'plenty of ways
to get around this', but I could find none.
I am willing to rewrite how I do this entirely if it makes my wish
to keep working defaults in profiles, with no need to overwrite
with hiera unless it is system specific.
Any tips, hints, websites, etc. welcome!
Regards,
Bjørge
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to puppet-users+unsubscr...@googlegroups.com
<mailto:puppet-user
Re: [Puppet Users] profiles/hiera, defalults and defined
Hi Rob, thanks for your reply.
The main defaults is for every host (all customers, datacenters, etc),
but some, like a jump-host or managed-file-transfer-host, will need to
have different values. Doing this in hiera is fine for those who are
allowed to edit hiera, but setting up machines for new customers are
often done by juniors that only set the role in the provisioning system
and will have to contact a senior to get something added to hiera.
Adding defaults to hiera also makes the code less portable.
I could do something like this in the base-sshd (pseudo-code):
if $role = 'foo'; then use foo-specific values, else use default.
But I really think code belonging to the profile for jump-hosts should
be set in the corresponding profile, not as an exception in the base setup.
Lets say this is my current code in base-sshd-profile:
#Using herculesteam/augeasproviders_ssh
sshd_config { 'ConfigVariable':
value => 'no',
} #Code for overwriting this in hiera is omitted
Now I would like to change this same value for some roles, preferably
without doing changes in hiera manually for each host having this role.
Bjørge
On 03. nov. 2016 14:19, Rob Nelson wrote:
You mentioned that a specific role would like a different value, but
is there another logical division between the two configs? Perhaps
per-datacenter, or per-network, or some other differentiator? At a
worst case scenario, per individual node? You could add whatever that
differentiator is to your hiera hierarchy, if it isn't there already,
and keep your more common settings toward the bottom of the hierarchy
(perhaps even in the global/common/default tier) and the exceptions
higher up. If that sounds reasonable, then we could look at your code
and see how to separate the data appropriately.
Rob Nelson
rnels...@gmail.com <mailto:rnels...@gmail.com>
On Thu, Nov 3, 2016 at 9:11 AM, Bjørge Solli <bjorge.so...@gmail.com
<mailto:bjorge.so...@gmail.com>> wrote:
Hi
Setup: Puppet 4, profiles and roles, hiera
Trying to understand what is the best way to solve this problem:
I have a base-profile that includes default setup of sshd. The
sshd-profile sets up sane defaults, reads specific setups from
hiera and uses separate resources to manage each setting in the
sshd_config-file. But now some other profile would like to have a
different default value in one of the sshd-settings, resulting in
a conflict.
I understand using 'defined()' is discouraged and has it's
limitations, and those stating this says there are 'plenty of ways
to get around this', but I could find none.
I am willing to rewrite how I do this entirely if it makes my wish
to keep working defaults in profiles, with no need to overwrite
with hiera unless it is system specific.
Any tips, hints, websites, etc. welcome!
Regards,
Bjørge
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to puppet-users+unsubscr...@googlegroups.com
<mailto:puppet-users%2bunsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/3b68e251-eb42-4fab-9409-6c64e607eb25%40gmail.com
<https://groups.google.com/d/msgid/puppet-users/3b68e251-eb42-4fab-9409-6c64e607eb25%40gmail.com>.
For more options, visit https://groups.google.com/d/optout
<https://groups.google.com/d/optout>.
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to puppet-users+unsubscr...@googlegroups.com
<mailto:puppet-users+unsubscr...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAC76iT84yb_aoKyXO-FkMKcmHuuf-wNMbW6HjSTSyxZOmbN%2BFA%40mail.gmail.com
<https://groups.google.com/d/msgid/puppet-users/CAC76iT84yb_aoKyXO-FkMKcmHuuf-wNMbW6HjSTSyxZOmbN%2BFA%40mail.gmail.com?utm_medium=email_source=footer>.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/e8b1b63d-a8c0-3cae-f721-7407d05f4352%40gmail.com.
For more options, visit https://groups.google.com/d/optout.
[Puppet Users] profiles/hiera, defalults and defined
Hi Setup: Puppet 4, profiles and roles, hiera Trying to understand what is the best way to solve this problem: I have a base-profile that includes default setup of sshd. The sshd-profile sets up sane defaults, reads specific setups from hiera and uses separate resources to manage each setting in the sshd_config-file. But now some other profile would like to have a different default value in one of the sshd-settings, resulting in a conflict. I understand using 'defined()' is discouraged and has it's limitations, and those stating this says there are 'plenty of ways to get around this', but I could find none. I am willing to rewrite how I do this entirely if it makes my wish to keep working defaults in profiles, with no need to overwrite with hiera unless it is system specific. Any tips, hints, websites, etc. welcome! Regards, Bjørge -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3b68e251-eb42-4fab-9409-6c64e607eb25%40gmail.com. For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] PE - installation error
Did you install puppet on that machine before? Bjørge On 03/21/2012 12:24 PM, Surendra Singhi wrote: Hi, I am trying to install puppet enterprise on a fresh Debian Squeeze machine, but I am getting an error midway with no information on what went wrong. How do I troubleshoot or look for more debugging information? This is what the screen output for installation is: thanks for your help in advance! Setting up pe-rubygem-fog (1.0.0e-1puppet2) ... Setting up pe-cloud-provisioner (1.0.1-puppet1) ... ## Setting up puppet master... /opt/puppet/share/puppet/modules does not exist, creating. Installed puppetlabs-pe_accounts-1.0.2 into directory: pe_accounts Installed puppetlabs-pe_mcollective-0.0.39 into directory: pe_mcollective Installed puppetlabs-pe_compliance-0.0.4 into directory: pe_compliance Installed puppetlabs-stdlib-2.1.2 into directory: stdlib ## Checking the agent certificate name detection... ## Setting up puppet agent... == !! ERROR: Cancelling installation == -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] Unknown number of multiple templates - File?
Hi!
Currently working on a proposal for implementation and are wondering if
anyone could help me solve this one specific situation:
I have a dir that I need to put on my hosts, it changes over time and
has some template files.
Without the templates I would do something like this:
file { /path/to:
source = puppet://server/path/to,
recurse = true,
purge = true,
}
But what when I have an unknown bunch of erb-files in the mix?
I was thinking about making my own ruby module to make it handle
erb-files differently.
Maybe folks here have a different idea on how to solve this, or even
have similar modules I could modify to suite our needs?
Also, when storing large (~10MB) files for this kind of stuff,
should/could I set up a separate server to handle the large files? These
are all in subversion so I could place them on as many servers as I like.
All this will be done using Puppet Enterprise, but for now I'm before
PoC-level and don't (yet) have a support agreement (yet) with Puppetlabs.
Thanks for making my life automated!
Bjørge
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
[Puppet Users] puppetlabs-firewall gsub error
Hi, I am testing https://github.com/puppetlabs/puppetlabs-firewall and get this error: err: Could not prefetch firewall provider 'iptables': private method `gsub' called for nil:NilClass I don't know ruby so any help appreciated! -- Bjørge Solli -- You received this message because you are subscribed to the Google Groups Puppet Users group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
