Hello...
I need some help with tags. as an example:
# pseudo code
class ssh {
    file { "/etc/ssh/ssh_config":
        # normal stuff
        tag("dangerous") }
    file { "/etc/ssh/sshd_config":
        # normal stuff
        tag("dangerous") }
    file { "/etc/ssh/ssh_known_hosts":
        # normal stuff
        tag("safe") }
}
on client: puppetd --tags safe # only do 'safe' files automagically
# after much testing of config files
on server: puppetrun --tags dangerous --host client.computer
####
I would like for puppetd to auto update the files and configs that are relatively 'safe' and only update 'dangerous' files on demand. locking myself out of every server at once with a broken sshd_config would be bad, or breaking every web server at once with a broken httpd.conf would be very, very bad.
What I see is that I can never break out of the subset ( safe in this case) specified on the client puppetd
So:
1: Is this behaviour by design?
2: Is there some way of specifying 'only if tag foo set'? e.g. require tag("foo")
3: Is there some other way to get the results that I am looking for?
thanks
--
Christopher McCrory
"The guy that keeps the servers running"
To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is twice as big as it needs to be.
IMHO, descriptions like "safe" and "dangerous" are far too subjective to be of any use. A better solution might be:
1. Store all code in a versioning system like subversion or CVS
2. Create a testing branch and check it out on the puppet server under /etc/puppet.testing. The puppetd.conf that resides in this directory should not be part of the checkout and should be configured so puppetmasterd listens on port 8141 (anything but the regular port, which is 8140 by default)
3. Commit new code to testing branch
4. On 1 (or more) dedicated test node, run puppetd --test --masterport=8141
5. Once the code has proven to be stable, it can be merged with production and /etc/puppet can be updated with the merged code.
Obviously there is more that can be done here but this is a general start. All of this is actually covered on the wiki as well.
Best,
Adam
What we did is to do something like this:
    case $dangerop1 {
        "true": {
            exec { borkit:
            }
        }
        default: {}
    }
Then on the client you must
    export facter_dangerop1=true
For it to fire. This is a "little-known fact" about facter - it can
report back from EVs.
If you want server-side control I would suggest
http://reductivelabs.com/trac/puppet/wiki/ExternalNodes and using that
to set a variable but as you are talking about tags I suspect you want
control from the client.
Regards,
Derek
Hello...
----- "Adam Kosmin" <akosmin@247realmedia.com> wrote:
| IMHO, descriptions like "safe" and "dangerous" are far too subjective to
| be of any use. A better solution might be:
|
true, I used those words to illustrate the example
| 1. Store all code in a versioning system like subversion or CVS
|
it is
| 2. Create a testing branch and check it out on the puppet server under
| /etc/puppet.testing. The puppetd.conf that resides in this directory
| should not be part of the checkout and should be configured so
| puppetmasterd listens on port 8141 (anything but the regular port, which
| is 8140 by default)
|
| 3. Commit new code to testing branch
|
| 4. On 1 (or more) dedicated test node, run puppetd --test --masterport=8141
|
| 5. Once the code has proven to be stable, it can be merged with
| production and /etc/puppet can be updated with the merged code.
|
| Obviously there is more that can be done here but this is a general
| start. All of this is actually covered on the wiki as well.
|
But that does not help with the (common for me) case where updates cannot happen on puppetd's schedule. Some updates depend on events outside of puppet's realm. Like: pull server(s) out of a loadbalancer, update server(s), restart daemons, sanity check, put back in loadbalancer. lather, rinse, repeat. For me this is only about 5% of my configs, but a _very_ important 5%.
|
| Best,
| Adam
--
Christopher McCrory
"The guy that keeps the servers running"
Hello...
----- "Derek Whayman" <Derek.Whayman@barclayscapital.com> wrote:
| What we did is to do something like this:
|
|     case $dangerop1 {
|         "true": {
|             exec { borkit:
|             }
|         }
|         default: {}
|     }
|
| Then on the client you must
|     export facter_dangerop1=true
|
| For it to fire. This is a "little-known fact" about facter - it can
| report back from EVs.
|
| If you want server-side control I would suggest
| http://reductivelabs.com/trac/puppet/wiki/ExternalNodes and using that
| to set a variable but as you are talking about tags I suspect you want
| control from the client.
|
Actually, I want control from the server when run from puppetrun. I found the 'tagged' control, but cannot make it work. A similar to your above example.
using the args ' --tags junk ' ; neither of these seem to work:
class temptest {
    if $junk {
        file { "/tmp/test.file":
            source => "puppet://puppetmaster/dist/tmptest.file"
        }
    }
}
class temptest {
    if tagged(junk) { # not sure if junk should be "junk"
        file { "/tmp/test.file":
            source => "puppet://puppetmaster/dist/tmptest.file"
        }
    }
}
| Regards,
| Derek
--
Christopher McCrory
"The guy that keeps the servers running"
On Nov 26, 2007, at 5:42 PM, Christopher McCrory wrote:
> Hello...
>
> I need some help with tags. as an example:
>
> # pseudo code
> class ssh {
>     file { "/etc/ssh/ssh_config":
>         # normal stuff
>         tag("dangerous") }
>     file { "/etc/ssh/sshd_config":
>         # normal stuff
>         tag("dangerous") }
>     file { "/etc/ssh/ssh_known_hosts":
>         # normal stuff
>         tag("safe") }
> }

Note that these should be 'tag => safe' etc. The function should tag all resources in the current class, and it can't be used inside a resource specification.

> on client: puppetd --tags safe # only do 'safe' files automagically
>
> # after much testing of config files
> on server: puppetrun --tags dangerous --host client.computer
>
> ####
>
> I would like for puppetd to auto update the files and configs that
> are relatively 'safe' and only update 'dangerous' files on demand.
> locking myself out of every server at once with a broken
> sshd_config would be bad, or breaking every web server at once with
> a broken httpd.conf would be very, very bad.
>
> What I see is that I can never break out of the subset ( safe in
> this case) specified on the client puppetd

You mean that if you have 'tags = safe' on the client, then there's no way to reset it to 'all' from the server?

If you use puppetrun, you can specify tags to use, and you should be able to set the tags to an empty string to disable any tag matching.

If you don't want to use puppetrun, then just use a global switch -- have '$dangeroustag = dangerous' in your site.pp file, and then switch that to '$dangeroustag = safe' when you want to run everything.

> So:
>
> 1: Is this behaviour by design?

Well, it's not so much that I intentionally didn't provide the behaviour you want; I just didn't intentionally provide it.

> 2: Is there some way of specifying 'only if tag foo set'? e.g.
> require tag("foo")

You mean from the server. No, not at this point.

> 3: Is there some other way to get the results that I am looking for?

puppetrun or the 'never' schedule.

--
I am a kind of paranoiac in reverse. I suspect people of plotting to make me happy. --J. D. Salinger
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Hello...
On Tue, 2007-11-27 at 13:37 -0600, Luke Kanies wrote:
> On Nov 26, 2007, at 5:42 PM, Christopher McCrory wrote:
>
> > Hello...
> >
> > I need some help with tags. as an example:
> >
> > # pseudo code
> > class ssh {
> >     file { "/etc/ssh/ssh_config":
> >         # normal stuff
> >         tag("dangerous") }
> >     file { "/etc/ssh/sshd_config":
> >         # normal stuff
> >         tag("dangerous") }
> >     file { "/etc/ssh/ssh_known_hosts":
> >         # normal stuff
> >         tag("safe") }
> > }
>
<snip>
> > 2: Is there some way of specifying 'only if tag foo set'? e.g.
> > require tag("foo")
>
> You mean from the server. No, not at this point.
>
"It would be cool" to be able to do that. I can think of lots of places where it would be convenient. Like having two mutually incompatible files/actions/packages ( --tags QA||Production ; --tags perl5||perl6 ) . Or anything that must happen during a maint window and requires actions outside of the puppet realm.
> > 3: Is there some other way to get the results that I am looking for?
>
> puppetrun or the 'never' schedule.
>
You 'da man! That did exactly what I wanted.
from the puppetmaster running:
    sudo puppetrun --ignoreschedules --host foo.bar
does the trick with
    schedule { never:
        period => never,
    }
    class whatever {
        file { whatever:
            ...
            schedule => never
        }
    }
thanks!!!
<snip>
--
Christopher McCrory
"The guy that keeps the servers running"
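The approach the thread settles on, written out as an added example (not part of any post above and not Puppet project code): the ssh class from the first message, with tags set through the per-resource tag metaparameter and the risky files held back by the 'never' schedule. The file sources and the "dist" fileserver mount are assumptions.

```puppet
# Added illustration; sources and the "dist" fileserver mount are assumed.

# A schedule that never matches: any resource bound to it is skipped on
# every regular puppetd run.
schedule { never:
    period => never,
}

class ssh {
    # Low-risk file: no schedule, so puppetd applies it on its normal interval.
    file { "/etc/ssh/ssh_known_hosts":
        source => "puppet://puppetmaster/dist/ssh_known_hosts",
        tag    => safe,
    }

    # High-risk files: held back by the 'never' schedule. The tag is set with
    # the tag metaparameter, not by calling tag() inside the resource.
    file { "/etc/ssh/ssh_config":
        source   => "puppet://puppetmaster/dist/ssh_config",
        tag      => dangerous,
        schedule => never,
    }

    file { "/etc/ssh/sshd_config":
        source   => "puppet://puppetmaster/dist/sshd_config",
        tag      => dangerous,
        schedule => never,
    }
}

# Release the held-back resources on one host at a time from the
# puppetmaster, once the new sshd_config has been tested:
#   sudo puppetrun --ignoreschedules --host client.computer
```

--ignoreschedules lifts every schedule on that host for that run, not only 'never', so resources bound to other schedules are applied as well.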