Puppet users - May 2010 - Question about templates from variables

I''m running into an issue trying to do something like the following:

class test {
 file {"test":
  content =>
template(''mytemplate1'',''mytemplate2''),
 }
}

class test::test2 inherits test {
 File["test"] { content +>
template(''mytemplate3''), }
}

So, basically I want the inherited class to tack on another template file
to the one in the parent class.  The above works (that is, it doesn''t
result in any puppet errors), but nodes that include test::test2 don''t
see
the template content from "mytemplate3".

Is there a better way to do this, or is there something I''m missing?


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, 20 May 2010 15:05:28 -0500, James Cammarata <jimi@sngx.net>
wrote:
> I''m running into an issue trying to do something like the
following:
> 
> class test {
>  file {"test":
>   content =>
template(''mytemplate1'',''mytemplate2''),
>  }
> }
> 
> class test::test2 inherits test {
>  File["test"] { content +>
template(''mytemplate3''), }
> }
> 
> So, basically I want the inherited class to tack on another template file
> to the one in the parent class.  The above works (that is, it
doesn''t
> result in any puppet errors), but nodes that include test::test2
don''t
see
> the template content from "mytemplate3".
> 
> Is there a better way to do this, or is there something I''m
missing?
Never saw any response to this, so sending a follow-up.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, May 27, 2010 at 11:17 AM, James Cammarata <jimi@sngx.net>
wrote:
>
> On Thu, 20 May 2010 15:05:28 -0500, James Cammarata <jimi@sngx.net>
wrote:
>> I''m running into an issue trying to do something like the
following:
>>
>> class test {
>>  file {"test":
>>   content =>
template(''mytemplate1'',''mytemplate2''),
>>  }
>> }
>>
>> class test::test2 inherits test {
>>  File["test"] { content +>
template(''mytemplate3''), }
>> }
>>
>> So, basically I want the inherited class to tack on another template
file
>> to the one in the parent class.  The above works (that is, it
doesn''t
>> result in any puppet errors), but nodes that include test::test2
don''t
> see
>> the template content from "mytemplate3".
>>
>> Is there a better way to do this, or is there something I''m
missing?
>
> Never saw any response to this, so sending a follow-up.
This seems like it''s a bug with plusassignment to me, can you open a
ticket on this?

--Michael

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> This seems like it''s a bug with plusassignment to me, can you open
a
> ticket on this?
> 
I had a moment of inspiration this morning and figured out what I needed to
do to get this working the way I wanted:

class foo {
  $file_content =
template(''foo/foo-base'',''foo/foo-bar'')
  file { "/etc/foo":
    content => $file_content,
  }
}

class foo::bab inherits foo {
  $foo::file_content += template(''foo/foo-bab'')
  File["/etc/foo"]{
    content => $foo::file_content,
  }
}

I believe this is the way the plussignment operator should work, so you can
avoid the hackish use of variables like I''m doing above.

My primary motivation for this is something like sudoers, where certain
system roles require sudoers commands for different groups to use.  A
perfect example from our environment is any system that has an
Oracle-related role requires sudoers commands for the DBAs, on top of the
base roles we as Linux admins require on every system.  Essentially I want
to avoid having to list every template combination for every possible
permutation of roles.

An alternative to this would be to allow the template() function to take a
list as a variable, something like this:

$template_list =
["template1","template2","template3"]
content => template($template_list),

When I try that currently, I get the following error (which is a weird
error in and of itself):

err: Could not retrieve catalog from remote server: Error 400 on SERVER:
Syntax error at ''[''; expected '']'' at ...



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

* James Cammarata <jimi at sngx.net> [2010/05/28
10:09]:
> My primary motivation for this is something like sudoers, where
> certain system roles require sudoers commands for different groups
> to use.
But sudoers has native support for exactly this use case, in that
you can assign permissions based on host as well as user.  So you
could do something like:

  Host_Alias DB_SERVERS = orasrv1, orasrv2, orasrv3
  User_Alias DBA = jsmith, tjones, brogers
  Runas_Alias ORACLE_USER = orauser
  Cmnd_Alias ORACLE_COMMANDS = ...

  DBA DB_SERVERS = (ORACLE_USER) ORACLE_COMMANDS

You could distribute this sudoers to every host and sudo will do the
right thing.

Of course, this doesn''t invalidate what you''re doing,
I''m just
pointing out an alternate implementation.

-- 
The Net views censorship as a network failure, and routes around it.
    -- John Gilmore

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

James Cammarata <jimi@sngx.net> writes:
>> This seems like it''s a bug with plusassignment to me, can you
open a
>> ticket on this?
>
> I had a moment of inspiration this morning and figured out what I needed to
> do to get this working the way I wanted:
[...]
> My primary motivation for this is something like sudoers, where certain
> system roles require sudoers commands for different groups to use.
FWIW, my short term solution to that problem is to use a concatenated file
module, which allows me to incorporate arbitrary ordered fragments into the
output file.

Those can be nicely generated from a puppet define, wrapping up the process
in a way that is reasonably error-checked and in which the nasty
implementation details are hidden from the "end users" in my sysadmin
team.

        Daniel

-- 
✣ Daniel Pittman            ✉ daniel@rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> $template_list =
["template1","template2","template3"]
> content => template($template_list),
Puppet has a split() function that splits a string into an array, that
should do what you want there.

template(split($template_list))

--Michael

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Fri, May 28, 2010 at 12:40 PM, Michael DeHaan <michael@puppetlabs.com>
wrote:
>> $template_list =
["template1","template2","template3"]
>> content => template($template_list),
>
> Puppet has a split() function that splits a string into an array, that
> should do what you want there.
>
> template(split($template_list))
>
> --Michael
>
Sorry, I posted too quickly, you can also specify the delimiter:

http://docs.puppetlabs.com/references/latest/function.html

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Sat, 29 May 2010 02:30:03 +1000, Daniel Pittman <daniel@rimspace.net>
wrote:
> James Cammarata <jimi@sngx.net> writes:
> 
>>> This seems like it''s a bug with plusassignment to me, can
you open a
>>> ticket on this?
>>
>> I had a moment of inspiration this morning and figured out what I
needed
>> to
>> do to get this working the way I wanted:
> 
> [...]
> 
>> My primary motivation for this is something like sudoers, where certain
>> system roles require sudoers commands for different groups to use.
> 
> FWIW, my short term solution to that problem is to use a concatenated
file
> module, which allows me to incorporate arbitrary ordered fragments into
the
> output file.
> 
> Those can be nicely generated from a puppet define, wrapping up the
process
> in a way that is reasonably error-checked and in which the nasty
> implementation details are hidden from the "end users" in my
sysadmin
team.

That sounds like just what I need, any documentation on the web for that,
or anything you can share?

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

James Cammarata <jimi@sngx.net> writes:
> On Sat, 29 May 2010 02:30:03 +1000, Daniel Pittman
<daniel@rimspace.net> wrote:
>> James Cammarata <jimi@sngx.net> writes:
[...]
>>> My primary motivation for this is something like sudoers, where
certain
>>> system roles require sudoers commands for different groups to use.
>> 
>> FWIW, my short term solution to that problem is to use a concatenated
file
>> module, which allows me to incorporate arbitrary ordered fragments into
the
>> output file.
>> 
>> Those can be nicely generated from a puppet define, wrapping up the
process
>> in a way that is reasonably error-checked and in which the nasty
>> implementation details are hidden from the "end users" in my
sysadmin team.
>
> That sounds like just what I need, any documentation on the web for that,
> or anything you can share?
I based my concat module on the work of R.I.Pienaar, which you can find here:
http://www.devco.net/archives/2010/05/07/puppet_concat_20100507.php

The changes are pretty much insignificant outside some specialized
requirements of our use of the code; grab his bits and go with it.


I suspect the implementation will be obvious, but just in case it isn''t
the
rough template is that you create a class for sudo:

class sudo {
    package { "sudo": ensure => latest }
    # do the stuff to get concat working
    concat { "/etc/sudoers": }

    # ...and the bulk of the file:
    concat::fragment { "sudoers header":
        order => 10, source => "whatever"
    }
    concat::fragment { "sudoers trailer":
        order => 90, source => "whatever"
    }
}

That will put those two fragments, the header and trailer, in the right places
for you.  Now you can inject stuff between them.  (Obviously, you can have as
many fragments and injection points as you want. :)

Then, make life easy for other people:

define sudo::grant (users => ''ALL'', hosts =>
''ALL'', commands => ''ALL'') {
    concat::fragment { "sudoers ${name} grant":
        order => 30,  # right in the middle
        content => template(''sudoers_grant.erb'')  # or
whatever...
    }
}

That way your team can use the high level "sudo::grant" definition to
grant
someone a right, and the whole concat thing does the magic to make it work.

Regards,
        Daniel
-- 
✣ Daniel Pittman            ✉ daniel@rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> That way your team can use the high level "sudo::grant"
definition to
grant
> someone a right, and the whole concat thing does the magic to make it
work.

Awesome, thanks!

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.