I'm having a heck of a time trying to fix #1178, which is a problem related to inconsistent node names, and it all stems from the 'node_name' setting.

In the default setup, your certificate gets created with your host's fully qualified node name, and Puppet uses the value from the certificate for everything.

In addition, there's a setting, 'certname', that allows you to override the value that goes into the certificate. This is reasonable, because your host name might be some dhcp gibberish, or you might want to use a UUID or whatever.

However, for some reason I added the 'node_name' setting to allow you to say that you want to use the host's FQDN when looking up node information if you've set the certname to something other than the FQDN.

I am proposing to *disable* this setting, on the grounds that you should either set certname and use it for looking up nodes, or not set certname at all. Also, this whole node_name thing makes things unnecessarily complicated, far more complicated than it appeared in the previous architecture.

This 'node_name' setting is at the heart of the bug: The certificate is Puppet's authentication point, so in many ways, the name in it is the official Puppet name for that node. Thus, when facts are saved, they're saved by that name. When we look for a node, we look for it using the certificate name.

Also when we search for a node, it automatically looks up the facts matching its name. If the facts are stored by the cert name, but the node is named with the facter name (and the two are different), then we have this discrepancy. If you set certname='whatever' and node_name=facter, then your nodes can't find their facts.

There are, apparently, no good solutions to this. I'm currently on my third attempt, and I'm not satisfied with it, which is why I've stepped back a bit and concluded that this functionality itself is the source of the complexity, so it should be removed. If you want more details on what I've tried and why it didn't work, I can provide it, but at this point, hopefully the information itself is sufficient.

Is anyone out there using 'node_name=facter'? If so, why are you using it, and what benefit does it provide? Will this change cause a specific functional problem for you?

--
I think that all good, right thinking people in this country are sick and tired of being told that all good, right thinking people in this country are fed up with being told that all good, right thinking people in this country are fed up with being sick and tired. I'm certainly not, and I'm sick and tired of being told that I am. -- Monty Python
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
James Turnbull
2008-Jun-15 00:34 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
Luke Kanies wrote:
> I am proposing to *disable* this setting, on the grounds that you
> should either set certname and use it for looking up nodes, or not set
> certname at all. Also, this whole node_name thing makes things
> unnecessarily complicated, far more complicated than it appeared in
> the previous architecture.

+1. I don't think this is required.

Regards

James

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
Paul Lathrop
2008-Jun-15 01:20 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
+1

I don't use it, and it seems overly complex.
Blake Barnett
2008-Jun-15 06:18 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
+1, don't use it, never seen it used.
Peter Meier
2008-Jun-15 17:56 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
Hi

> +1
>
> I don't use it, and it seems overly complex.

+1

greets pete
Luke Kanies
2008-Jun-15 18:39 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
On Jun 14, 2008, at 4:03 PM, Luke Kanies wrote:
> [...]
> I am proposing to *disable* this setting, on the grounds that you
> should either set certname and use it for looking up nodes, or not
> set certname at all. Also, this whole node_name thing makes things
> unnecessarily complicated, far more complicated than it appeared in
> the previous architecture.

[...]

So if we're removing this functionality, which seems likely based on feedback[1], to what extent do we support anything like it?

For those people who have external node solutions, are you relying on Puppet to call your script multiple times, even with 'default'? It seems to make more sense to generally rely on the external tool to handle whether it wants support for defaults, right?

Will removing the call to 'default' horribly break anyone's existing system?

In LDAP, I'm supporting the long name, short name, and default, but LDAP also supports inheritance and a bit more; with external nodes, I think it makes more sense for the app itself to handle all of those things, so it can entirely pick its model.

Comments?

1 - I'm not removing it for the AST nodes, since that exists and works fine.

--
If computers get too powerful, we can organize them into a committee -- that will do them in. -- Bradley's Bromide
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Paul Lathrop
2008-Jun-15 18:48 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
On Sun, Jun 15, 2008 at 11:39 AM, Luke Kanies <luke@madstop.com> wrote:
> On Jun 14, 2008, at 4:03 PM, Luke Kanies wrote:
>> [...]
>> I am proposing to *disable* this setting, on the grounds that you
>> should either set certname and use it for looking up nodes, or not
>> set certname at all. Also, this whole node_name thing makes things
>> unnecessarily complicated, far more complicated than it appeared in
>> the previous architecture.
> [...]
>
> So if we're removing this functionality, which seems likely based on
> feedback[1], to what extent do we support anything like it?
>
> For those people who have external node solutions, are you relying on
> Puppet to call your script multiple times, even with 'default'? It
> seems to make more sense to generally rely on the external tool to
> handle whether it wants support for defaults, right?
>
> Will removing the call to 'default' horribly break anyone's existing
> system?
>
> In LDAP, I'm supporting the long name, short name, and default, but
> LDAP also supports inheritance and a bit more; with external nodes, I
> think it makes more sense for the app itself to handle all of those
> things, so it can entirely pick its model.
>
> Comments?

My thoughts on this are in line with yours; allow external nodes to choose their model completely.

--Paul
Martha Greenberg
2008-Jun-15 20:47 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
Well, since this is my bug, I'll reply. Here's why I use node_name=facter:

My company uses two domain names for its hosts. Let's call them internal.com and external.com. My puppet master is located internally, but accessible to the external hosts. puppet.internal.com is not visible in the external DNS and would be against company policy for that to appear on the external hosts. Therefore, I set the certname to be puppet.external.com. However, I use the domain name of the host to set a number of variables, such as where to get packages from, what dns/ntp servers to talk to, etc.

It also breaks the principle of least surprise not to have the variable named "hostname" match the actual hostname of the machine.
Luke Kanies
2008-Jun-15 21:19 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
On Jun 15, 2008, at 3:47 PM, Martha Greenberg wrote:
> Well, since this is my bug, I'll reply. Here's why I use
> node_name=facter:
>
> My company uses two domain names for its hosts. Let's call them
> internal.com and external.com. My puppet master is located internally,
> but accessible to the external hosts. puppet.internal.com is not
> visible in the external DNS and would be against company policy for
> that to appear on the external hosts. Therefore, I set the certname to
> be puppet.external.com. However, I use the domain name of the host to
> set a number of variables, such as where to get packages from, what
> dns/ntp servers to talk to, etc.
>
> It also breaks the principle of least surprise not to have the
> variable named "hostname" match the actual hostname of the machine.

This is one of those edge cases that are always going to be hard to support well.

As long as you use the language AST nodes, then you should (in 0.24.5) get the behaviour that you want. If you use an external node source of any kind (including ldap), then your external node source will need to use the cert name.

I think this is reasonable, as your manifests would generally use the Facter hostname and the node db would use the certificate name. Basically, your cert name becomes the canonical node name in all apps and databases, but you can still have a different hostname in the manifests themselves.

I'd agree this can be confusing, but I don't know that it's any more confusing than having two names in your DNS.

--
I respect faith, but doubt is what gets you an education. -- Wilson Mizner
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Adam Jacob
2008-Jun-16 00:58 UTC
[Puppet Users] Re: Disabling 'node_name = facter' setting
On Sun, Jun 15, 2008 at 11:39 AM, Luke Kanies <luke@madstop.com> wrote:
> For those people who have external node solutions, are you relying on
> Puppet to call your script multiple times, even with 'default'? It
> seems to make more sense to generally rely on the external tool to
> handle whether it wants support for defaults, right?

iClassify supports you calling it multiple times, but you could easily support the default case.. so I say let the external node tool support defaults.

Adam

--
HJK Solutions - We Launch Startups - http://www.hjksolutions.com
Adam Jacob, Senior Partner
T: (206) 508-4759
E: adam@hjksolutions.com
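
The approach the thread converges on, where the external node tool is keyed by the certificate name and decides for itself whether long name, short name and 'default' apply, shown as an added example that is not part of the thread or of Puppet's code. It assumes the external node interface of one node name as the argument, YAML with `classes` and `parameters` on standard output, and a non-zero exit status for an unknown node; the node table, the `site` parameter and the helper names `candidate_names`, `classify` and `main` are constructed for illustration.

```ruby
#!/usr/bin/env ruby
# Added example, not Puppet's code: an external node script that applies
# its own long name -> short name -> 'default' fallback in a single call.
require "yaml"

# Constructed sample data, keyed by certificate name (the canonical node name).
NODES = {
  "puppet.external.com" => { "classes" => ["puppetmaster"],
                             "parameters" => { "site" => "external" } },
  "web01"               => { "classes" => ["webserver"], "parameters" => {} },
  "default"             => { "classes" => ["base"], "parameters" => {} }
}.freeze

# A certname can be an FQDN, a UUID or any label the admin chose, so accept
# only a conservative character set before using it as a lookup key.
VALID_NAME = /\A[a-z0-9][a-z0-9._-]{0,252}\z/

# Names to try, most specific first. Dropping "default" from this list is
# how the tool opts out of default-node support.
def candidate_names(certname)
  name = certname.downcase
  [name, name.split(".").first, "default"].uniq
end

# Returns [matched_name, node_hash], or nil when nothing matches.
def classify(certname, nodes = NODES)
  return nil unless certname.is_a?(String)
  return nil unless certname.downcase.match?(VALID_NAME)
  candidate_names(certname).each do |name|
    return [name, nodes[name]] if nodes.key?(name)
  end
  nil
end

# Returns [stdout_text, exit_status]; a non-zero status means "unknown node".
def main(argv)
  found = classify(argv.first)
  return ["", 1] unless found
  [found.last.to_yaml, 0]
end

# Run as a script only when a node name was passed on the command line.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  out, status = main(ARGV)
  print out
  exit status
end
```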