Hello Puppet World -

My company is in the early phase of building out a configuration automation solution using Puppet. As we hash out the design, one of the biggest questions that keeps coming up is how and *where* we should be defining nodes.

At the moment we are using external nodes. We have a single XML file with a custom schema that defines a list of servers and which group they belong to, along with some other attributes. This is working fine at the moment, but it feels a little dirty. If we ever need to add in additional attributes to make available to Puppet we'll need to redefine our schema and potentially have to rewrite some of our xpath queries.

I've looked at LDAP and it seems like a much more elegant solution. You can add additional attributes which then get bound "for free" to Puppet variables. I've stood up an OpenLDAP server and added the Puppet schema. I went through the process of converting all of the nodes declared in the XML to LDIF and added them to the directory and everything looks good.

I was told recently at a Puppet workshop that using LDAP for managing node information is not advised. Anybody care to comment? What is it about using LDAP that's not a good idea? One of the main concerns from my colleagues is that we'd be introducing another central point of failure. We would lose all Puppet functionality if the LDAP server became unresponsive. If we stay with the XML file, we have more "stability". We also have the advantage of being able to version control our configuration...

Thanks in advance for your time.

Lars

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Douglas Garstang
2011-Mar-08 05:23 UTC
Re: [Puppet Users] nodes: internal, external, or LDAP?
On Mon, Mar 7, 2011 at 4:06 PM, LarsP <larspete@gmail.com> wrote:
> Hello Puppet World -
>
> My company is in the early phase of building out a configuration
> automation solution using Puppet. As we hash out the design, one of
> the biggest questions that keeps coming up is how and *where* we
> should be defining nodes.
>
> At the moment we are using external nodes. We have a single XML file
> with a custom schema that defines a list of servers and which group
> they belong to, along with some other attributes. This is working fine
> at the moment, but it feels a little dirty. If we ever need to add in
> additional attributes to make available to Puppet we'll need to
> redefine our schema and potentially have to rewrite some of our xpath
> queries.
>
> I've looked at LDAP and it seems like a much more elegant solution.
> You can add additional attributes which then get bound "for free" to
> Puppet variables. I've stood up an OpenLDAP server and added the
> Puppet schema. I went through the process of converting all of the
> nodes declared in the XML to LDIF and added them to the directory and
> everything looks good.
>
> I was told recently at a Puppet workshop that using LDAP for managing
> node information is not advised. Anybody care to comment? What is it
> about using LDAP that's not a good idea? One of the main concerns from
> my colleagues is that we'd be introducing another central point of
> failure. We would lose all Puppet functionality if the LDAP server
> became unresponsive. If we stay with the XML file, we have more
> "stability". We also have the advantage of being able to version
> control our configuration...
>

I'd go with plain files..... why? It's simple and you can version control your changes.

Doug
On Mon, Mar 07, 2011 at 09:23:58PM -0800, Douglas Garstang wrote:
> On Mon, Mar 7, 2011 at 4:06 PM, LarsP <larspete@gmail.com> wrote:
> >
> > I was told recently at a Puppet workshop that using LDAP for managing
> > node information is not advised. Anybody care to comment? What is it
> > about using LDAP that's not a good idea? One of the main concerns from
> > my colleagues is that we'd be introducing another central point of
> > failure. We would lose all Puppet functionality if the LDAP server
> > became unresponsive. If we stay with the XML file, we have more
> > "stability". We also have the advantage of being able to version
> > control our configuration...
> >
>
> I'd go with plain files..... why? It's simple and you can version control
> your changes.
>
> Doug

Hi Douglas,

I saw this advice from a post of yours from a few weeks back. It makes good sense to me, but as a novice, I don't have a picture of how these plain files are structured. Could you provide examples?

-- 
-ashley

Did you try poking at it with a stick?
On Mar 7, 2011, at 7:06 PM, LarsP wrote:
> I was told recently at a Puppet workshop that using LDAP for managing node information is not advised. Anybody care to comment? What is it about using LDAP that’s not a good idea?

I’ve never heard this. I hope it’s not true because you’ll have to pry LDAP from my cold, dead hands.

> One of the main concerns from my colleagues is that we’d be introducing another central point of failure. We would lose all Puppet functionality if the LDAP server became unresponsive.

A couple of thoughts on this:

1. Setting up multiple LDAP servers for load balancing and failover is really pretty easy (though it may seem intimidating)
2. Puppet will still work to some degree if LDAP goes away. Anything that applies to all systems by default, or depends on facts from facter will still happen. Only things that depend on classes, puppetVars or other variables defined in LDAP will cease to happen (possibly without error).
3. It’s not as though something is going to break if Puppet quits working entirely. How long would you expect it to take to get your LDAP server back up and running? So what if your Puppet runs are delayed by 2 hours instead of 30 minutes? In theory, Puppet doesn’t need to do anything 99% of the time.

> If we stay with the XML file, we have more "stability". We also have the advantage of being able to version control our configuration...

Yes, but if you put details for your systems in LDAP, there’s so so much you can automate outside of Puppet as well. Every scripting language understands LDAP, so use your imagination. One good example is a web-based front-end to allow manager types to view the information (as sort of an inventory tracking tool). The reason databases like this get out of date is that keeping them current is a pain. The only way it works is if *not* keeping it current is even *more* painful. Puppet can help with this.

If you don’t go into LDAP and add a node and classify it as a web server, it literally won’t function as a web server. So when a human looks at the information about a system via the web, they know it has to be correct. We also use information in LDAP to configure our monitoring system. Again, this keeps you on your toes. If you don’t add it to LDAP, it doesn’t get monitored. If you don’t remove it from LDAP when it’s gone, you’ll get annoyed with alerts that it went down. And there are the daily tasks that can be sped up, like connecting (in a loop or via cluster SSH) to all systems with certain attributes. Answering the constant requests for “a list of all the XYZ servers with ABC”, running `ssh-keyscan`, populating a local file for hostname completion in your shell, etc. I could go on, but I think you get the idea.

-- 
Rob McBroom <http://www.skurfer.com/>
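An added example, not code posted by anyone in this thread and not Puppet's own: a minimal external node classifier (ENC) in Ruby backed by a plain, version-controllable file, which is the "plain files" layout Ashley asks about, with a small query helper over the same registry for the "list of all the XYZ servers with ABC" and monitoring uses Rob describes. The `nodes.yaml`-style registry is constructed inline, and the group and attribute names (`webserver`, `role`, `monitored`, `datacenter`) are hypothetical. Puppet calls an ENC with the node's certname as its only argument and reads back a YAML hash with `classes` and, optionally, `parameters` and `environment`; the script is wired up with `node_terminus = exec` and `external_nodes = /path/to/script` in puppet.conf.

```ruby
#!/usr/bin/env ruby
# Added example, not from this thread or from Puppet itself: a file-backed
# external node classifier (ENC) plus a query helper over the same registry.
require 'yaml'

# Constructed registry in the shape a version-controlled nodes.yaml might take
# (hypothetical groups and attributes). Groups carry classes and parameters;
# each node names a group and may add parameters of its own.
REGISTRY = YAML.safe_load(<<~'YAML')
  groups:
    webserver:
      classes: [base, apache]
      parameters: { role: web, monitored: true }
    dbserver:
      classes: [base, postgresql]
      parameters: { role: db, monitored: true }
  nodes:
    web01.example.com: { group: webserver, parameters: { datacenter: dc1 } }
    web02.example.com: { group: webserver, parameters: { datacenter: dc2 } }
    db01.example.com:  { group: dbserver,  parameters: { datacenter: dc1 } }
YAML

# Resolve a certname into the hash Puppet expects from an ENC ('classes' and
# 'parameters'). Node-level parameters override the group's. Returns nil for
# an unknown node so the caller decides whether that is an error; a node that
# points at an undefined group is a registry bug and raises immediately.
def classify(certname, registry = REGISTRY)
  node = registry.fetch('nodes', {})[certname]
  return nil if node.nil?
  group = registry.fetch('groups', {}).fetch(node['group']) do
    raise KeyError, "node #{certname} refers to undefined group #{node['group']}"
  end
  {
    'classes'    => Array(group['classes']),
    'parameters' => group.fetch('parameters', {}).merge(node.fetch('parameters', {})),
  }
end

# Answer "all the X servers with Y" from the same data, e.g. to build a
# monitoring config or drive an ssh-keyscan loop: every node whose merged
# parameters match all of the given key/value criteria, sorted by name.
def hosts_with(criteria, registry = REGISTRY)
  registry.fetch('nodes', {}).keys.select do |name|
    params = classify(name, registry)['parameters']
    criteria.all? { |key, value| params[key] == value }
  end.sort
end

# ENC entry point: `script <certname>` prints the YAML Puppet consumes.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  certname = ARGV.first
  result = classify(certname)
  # A non-zero exit makes Puppet report a classification failure for this
  # node, which is safer than silently handing back an empty class list.
  abort("#{certname}: not in registry") if result.nil?
  puts result.to_yaml
end
```

Because the registry is a file, it lives in version control next to the manifests and the master has no runtime dependency on a directory server, which is the single-point-of-failure concern raised above; the trade-off is that new attributes must be added to the file and the script rather than appearing "for free" as LDAP attributes do. An unknown certname exits non-zero instead of returning an empty classification, so a typo in a node name shows up as a failed run on the master rather than as a host that quietly stops being managed.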