Pablo Fernandez
2012-Mar-05 17:33 UTC
[Puppet Users] File class overwritten by other classes
Dear Puppeteers,

After many hours of reading manuals, books and google, I'm starting to think there is no right way to edit files in puppet, and I must be wrong. A massive work is ahead (puppetizing our whole cluster) and I would like to start with the right foot.

My idea is to make puppet a tool that describes the system as it should be, and files are no different. I don't want to have old entries in the /root/.ssh/authorized_keys, or in the /etc/sysctl.conf. I want that, when I remove a configuration item in Puppet, the file comes back to the situation it was before (as much as possible).

Because of this, using Augeas, or Ssh_authorized_key, or custom shell-scripts "add_line_if_not_present" do not help by themselves (removing the item - or unimporting the containing class - does not remove the line). So, what I thought, is that I should use "default files" for those cases, and then edit afterwards. I do this, for example:

    class parent:
        file { "/root/.ssh/authorized_keys": content => "" }

    class child inherits parent:
        ssh_authorized_key { "Pablo": blabla }
        File ["/root/.ssh/authorized_keys"] -> Ssh_authorized_key ["Pablo"]

The problem I have is that, every time I run puppetd -t, I see how puppet is emptying the file, and populating it again, on the same run. And no matter how many times I run it (no changes in the manifests) it tells me the diffs of what the changes would be, that leave the file exactly like it was. And I noticed this happens with Augeas all the same, and if a file has a notification on a service, it will trigger a restart.

Do you know a way to avoid this? Having a file changing all the time (even if it's wrong just for a second) is not what I want, and the same goes for restarting the service every 30 minutes for no reason.

Or is there any other method to ensure a file is what you want it to be, without having all the possible options in different files?

Thanks a lot!
Pablo

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

jcbollinger
2012-Mar-06 17:26 UTC
[Puppet Users] Re: File class overwritten by other classes
On Mar 5, 11:33 am, Pablo Fernandez <pablo.fernan...@cscs.ch> wrote:
> Dear Puppeteers,
>
> After many hours of reading manuals, books and google, I'm starting to think
> there is no right way to edit files in puppet, and I must be wrong. A massive
> work is ahead (puppetizing our whole cluster) and I would like to start with
> the right foot.
>
> My idea is to make puppet a tool that describes the system as it should be,
> and files are no different. I don't want to have old entries in the
> /root/.ssh/authorized_keys, or in the /etc/sysctl.conf. I want that, when I
> remove a configuration item in Puppet, the file comes back to the situation it
> was before (as much as possible).
>
> Because of this, using Augeas, or Ssh_authorized_key, or custom shell-scripts
> "add_line_if_not_present" do not help by themselves (removing the item - or
> unimporting the containing class - does not remove the line). So, what I
> thought, is that I should use "default files" for those cases, and then edit
> afterwards. I do this, for example:
>
> class parent:
>     file { "/root/.ssh/authorized_keys": content => "" }
>
> class child inherits parent:
>     ssh_authorized_key { "Pablo": blabla }
>     File ["/root/.ssh/authorized_keys"] -> Ssh_authorized_key ["Pablo"]
>
> The problem I have is that, every time I run puppetd -t, I see how puppet is
> emptying the file, and populating it again, on the same run. And no matter how
> many times I run it (no changes in the manifests) it tells me the diffs of
> what the changes would be, that leave the file exactly like it was.

Well, yes. You are managing the same physical resources via multiple Puppet resources. They disagree about the required state for the physical resource, so each is certain to resync on every run.

> And I
> noticed this happens with Augeas all the same, and if a file has a
> notification on a service, it will trigger a restart.
>
> Do you know a way to avoid this? Having a file changing all the time (even if
> it's wrong just for a second) is not what I want, and the same goes for
> restarting the service every 30 minutes for no reason.

Others can speak more intelligently about Augeas. As for your file, you need to stop making contradictory declarations about it. In principle, you should be able to use the Resources meta-resource to purge unmanaged authorized keys, but in practice that doesn't work (yet). See this feature request for more information: http://projects.puppetlabs.com/issues/1581.

You have (at least) these options:

1) Manage all possible(*) ssh_authorized_keys for every node, ensuring each one either "present" or "absent" as appropriate, but do not manage the file via a File resource. This approach will only clear out keys you know to ensure absent, however, which may be a major shortcoming.

2) Manage the file only via a File resource. The most scalable approach here would involve writing a template for it, so that you wouldn't need to maintain a combinatorial number of the different files.

3) Write a custom provider for ssh_authorized_keys that provides for purging. Easiest would probably be to base such a thing on the existing provider. Distribute the provider via pluginsync, and name it explicitly in your ssh_authorized_key resource declarations. Use Resources to purge unwanted keys.

> Or is there any other method to ensure a file is what you want it to be,
> without having all the possible options in different files?

That's what templates are for. In some cases, the Puppet::Concat module can also be useful for this purpose, but I'm not certain whether it satisfies your criterion of avoiding resyncing the file on every run, which is why I didn't mention it above.

John
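
Added example, not part of the original thread and not code from either poster: a sketch of option 2 above, where a single File resource renders root's authorized_keys from a hash, so removing an entry from the hash removes the key on the next run. The class name root_authorized_keys, the keys parameter and the key strings are assumptions made for illustration.

```puppet
# Added example: class name, parameter name and key data are hypothetical.
# One File resource is the only owner of root's authorized_keys, so the
# content is computed once per run and the file is rewritten only when the
# key list changes. Do not also declare ssh_authorized_key resources for
# this file, or the two will fight exactly as described in the thread.
class root_authorized_keys (
  $keys = {}   # comment => { 'type' => ..., 'key' => ... }
) {

  # Sorting by comment gives a stable line order, so an unchanged hash
  # always renders byte-identical content (no spurious diff or resync).
  $erb = '<% @keys.sort.each do |comment, k| -%>
<%= k["type"] %> <%= k["key"] %> <%= comment %>
<% end -%>
'

  file { '/root/.ssh':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  file { '/root/.ssh/authorized_keys':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => inline_template($erb),
    require => File['/root/.ssh'],
  }
}

# Constructed sample data: the key material is a placeholder, not a real key.
class { 'root_authorized_keys':
  keys => {
    'pablo@example' => { 'type' => 'ssh-rsa', 'key' => 'AAAA_PLACEHOLDER_KEY_1' },
    'ops@example'   => { 'type' => 'ssh-rsa', 'key' => 'AAAA_PLACEHOLDER_KEY_2' },
  },
}
```

With an empty hash the rendered content is the empty string, which matches the "default file" from the original question without a second resource emptying the file first.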