Khoury Brazil
2012-Feb-20 20:00 UTC
[Puppet Users] Controlling agent catalog cache expiration
Hi,

Starting a new thread since the question and problem are completely different at this point. I've written modules that implement a client side firewall and overwrite and flush any changes made by a user. This is mandated by several different internal security policies and of course compliance. I'm pretty much at the stage where I'm ready to start deploying but recently hit a snag: catalog expiration on the client. The client caches and uses the cached catalog as expected, but unfortunately if a client is "off-network" for too long the catalog expires and we get fun stuff like:

Not using expired catalog for <hostname> from cache; expired at <date>

I've tried using 'use_cached_catalog' just as a test, but it appears that an expiration date in a catalog takes priority over everything else. Of course manually changing the expiration date in the catalog yaml file fixes the issue, and I've written a short shell script that can do it based on the client's network, but that feels like a big kludge.

Since these clients are laptops it would be nice to have the ability to use the cached catalog until the client is back on the network that the puppet master is on. Our laptops can, in less than ideal circumstances, be off-network for 1-2 weeks. Is there a way to have the agent use the cached catalog until it can reach the master again, regardless of the expiration?

This is probably an edge case, since most of the time most of us are probably using puppet with servers and perhaps 'mostly-online' client workstations. Even when dealing with laptops, I imagine for most there's not frequently a concern about a consistent and frequent application of a catalog to conform with security policies.

Thanks for any insight you may have.

Best,
Khoury

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nan Liu
2012-Feb-20 20:07 UTC
Re: [Puppet Users] Controlling agent catalog cache expiration
On Mon, Feb 20, 2012 at 12:00 PM, Khoury Brazil <khoury.brazil@gmail.com> wrote:
> Hi,
>
> Starting a new thread since the question and problem are completely
> different at this point. I've written modules that implement a client
> side firewall and overwrite and flush any changes made by a user. This
> is mandated by several different internal security policies and of
> course compliance. I'm pretty much at the stage where I'm ready to
> start deploying but recently hit a snag: catalog expiration on the
> client. The client caches and uses the cached catalog as expected, but
> unfortunately if a client is "off-network" for too long the catalog
> expires and we get fun stuff like:
>
> Not using expired catalog for <hostname> from cache; expired at <date>
>
> I've tried using 'use_cached_catalog' just as a test, but it appears
> that an expiration date in a catalog takes priority over everything
> else.

I think you've already stumbled on the answer in the previous thread. The cache timeout is unfortunately tied to runinterval setting. I'm pretty sure there's a ticket requesting to split them up. The closest thing you can do today:

run puppet agent through cron instead of running a daemon.
configure runinterval to a much longer period.

Thanks,
Nan
Khoury Brazil
2012-Feb-20 20:32 UTC
Re: [Puppet Users] Controlling agent catalog cache expiration
On Mon, Feb 20, 2012 at 12:07 PM, Nan Liu <nan@puppetlabs.com> wrote:
> I think you've already stumbled on the answer in the previous thread.
> The cache timeout is unfortunately tied to runinterval setting. I'm
> pretty sure there's a ticket requesting to split them up. The closest
> thing you can do today:

Is there any way I can add my support to that ticket?

>
> run puppet agent through cron instead of running a daemon.
> configure runinterval to a much longer period.

Thanks Nan. A few more questions, if you don't mind:
What's the effect of the runinterval on the expiration date? If I set the runinterval to 14 days, can I then expect a cached catalog to expire 14 days after compiled? Does the catalog expiration affect how often it pulls a new compiled catalog from the puppet master? For example: If node01 has a cached catalog that was compiled on 02/23/2012, expires on 03/08/2012 and the client is back on the network with the puppet master again on 02/26/2012 does the client pull a new catalog that would then expire on 03/11/2012?

Thanks,
Khoury
Nan Liu
2012-Feb-20 21:04 UTC
Re: [Puppet Users] Controlling agent catalog cache expiration
On Mon, Feb 20, 2012 at 12:32 PM, Khoury Brazil <khoury.brazil@gmail.com> wrote:
> On Mon, Feb 20, 2012 at 12:07 PM, Nan Liu <nan@puppetlabs.com> wrote:
>> I think you've already stumbled on the answer in the previous thread.
>> The cache timeout is unfortunately tied to runinterval setting. I'm
>> pretty sure there's a ticket requesting to split them up. The closest
>> thing you can do today:
>
> Is there any way I can add my support to that ticket?

+1 and watch the ticket, and of course I can't find the ticket # in redmine at the moment.

>> run puppet agent through cron instead of running a daemon.
>> configure runinterval to a much longer period.
>
> Thanks Nan. A few more questions, if you don't mind:
> What's the effect of the runinterval on the expiration date? If I set
> the runinterval to 14 days, can I then expect a cached catalog to
> expire 14 days after compiled? Does the catalog expiration affect how
> often it pulls a new compiled catalog from the puppet master? For
> example: If node01 has a cached catalog that was compiled on
> 02/23/2012, expires on 03/08/2012 and the client is back on the
> network with the puppet master again on 02/26/2012 does the client
> pull a new catalog that would then expire on 03/11/2012?

Catalog expiration does not affect pulling new catalogs, just how long it takes to expire. The behavior you described matches what I saw last time when I tried this.

Thanks,
Nan
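
The expiry behaviour confirmed in this thread, replayed as an added Ruby example; it is not Puppet's code and was not posted by either participant. It assumes, as described above, that a cached catalog expires `runinterval` after it was compiled and that a successful pull resets the expiration; the off-network runs in the schedule are constructed, and 1800 seconds (Puppet's default `runinterval`) is included for comparison.

```ruby
DAY = 86_400 # seconds

# Model taken from the thread, not from Puppet's source: a cached catalog
# expires `runinterval` seconds after it was compiled, and every successful
# pull from the master replaces it, which resets the expiration.
Catalog = Struct.new(:compiled_at, :expires_at)

# One agent run at time `now`. Returns [outcome, catalog]:
#   :fresh   - master reachable, new catalog pulled and applied
#   :cached  - master unreachable, cached catalog still valid and applied
#   :skipped - master unreachable and no unexpired catalog: nothing enforced
def agent_run(catalog, now, runinterval, master_reachable)
  return [:fresh, Catalog.new(now, now + runinterval)] if master_reachable
  return [:skipped, catalog] if catalog.nil? || now >= catalog.expires_at
  [:cached, catalog]
end

# Replays a laptop's run schedule and returns one row per run:
# [run date, outcome, expiration of the catalog held after the run].
def replay(runinterval, schedule)
  catalog = nil
  schedule.map do |(year, month, day), reachable|
    now = Time.utc(year, month, day)
    outcome, catalog = agent_run(catalog, now, runinterval, reachable)
    [now.strftime('%m/%d/%Y'), outcome, catalog&.expires_at&.strftime('%m/%d/%Y')]
  end
end

# First and third entries are the dates from Khoury's question; the
# off-network runs are constructed sample data.
SCHEDULE = [
  [[2012, 2, 23], true],   # on the master's network: catalog compiled
  [[2012, 2, 25], false],  # off-network
  [[2012, 2, 26], true],   # back on-network: new catalog pulled
  [[2012, 3, 5],  false],  # off-network again
  [[2012, 3, 12], false]   # still off-network, 15 days after last pull
].freeze

if __FILE__ == $PROGRAM_NAME
  { '14 days' => 14 * DAY, '30 minutes' => 1800 }.each do |label, interval|
    puts "runinterval = #{label}"
    replay(interval, SCHEDULE).each { |row| puts '  ' + row.join('  ') }
  end
end
```

A `:skipped` row is a run in which the firewall module is not applied, so the longest expected off-network period sets the minimum `runinterval` needed to keep enforcement continuous.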