Hello, we have been using puppet 3 with hiera based config and several (usually "typical") environments: test predev dev preprod prod ... Basically we apply the puppet config to test, then predev, then dev, etc But within each environment we have quite a large number of hosts (20/50/100/300/...). We would like to "group" them into sort of subgroups. For example "dev" hosts are for developers from different applications teams: app1, app2, app3, appN. We need to create accounts (user accounts are just an example - there are other similar tasks) on all servers from dev environments: user accounts for dev team app1 don''t need to be on all dev servers - just on the following nodes: node10 - node20 user accounts for dev team app2 should be just on the following nodes: node35 - node88 etc (and I can''t use any regular expressions to select nodes - the same servers in each group could have quite different FQDN) Can you recommend what puppet/hiera feature could I use to group servers ? It would be good if I could use it just on central puppet master server and not need to login to every node and assign it locally to a group. Regards -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
You can always use tags with virtual resources of some sort. Let''s say
that user1 is in group app1, user2 and user3 are in group app2. You can
"tag" those user accounts with that:
user{''user1''
...
tag => ''app1'',
}
user {[''user2'', ''user3'']:
...
tag => ''app2'',
}
now in your hiera configurations or somewhere else(like ENC) you can
specify which user accounts belong to that host by realizing only those
that you need.
node node10,node20 {
User<<| tag == ''app1'' |>>
}
I would also introduce a fact that exposes the fact that user accounts
of ''app1'' "belong" to a particular host
On Thu, May 30, 2013 at 08:02:34AM -0700, przemol wrote:> Hello,
>
> we have been using puppet 3 with hiera based config and several (usually
> "typical") environments:
> test
> predev
> dev
> preprod
> prod
> ...
> Basically we apply the puppet config to test, then predev, then dev, etc
> But within each environment we have quite a large number of hosts
> (20/50/100/300/...).
> We would like to "group" them into sort of subgroups. For example
"dev"
> hosts
> are for developers from different applications teams: app1, app2, app3,
> appN.
> We need to create accounts (user accounts are just an example - there are
> other similar tasks) on all servers from dev environments:
> user accounts for dev team app1 don''t need to be on all dev
servers - just
> on the following nodes: node10 - node20
> user accounts for dev team app2 should be just on the following nodes:
> node35 - node88
> etc
> (and I can''t use any regular expressions to select nodes - the
same servers
> in each group could have quite different FQDN)
> Can you recommend what puppet/hiera feature could I use to group servers ?
> It would be good if I could use it just on central puppet master server and
> not need to login to every node
> and assign it locally to a group.
>
> Regards
>
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-users+unsubscribe@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
This approach requires to keep all the users in *.pp files.
Currently we keep users in yaml file:
accounts::users::accounts:
sysadmin:
ensure: present
home: /home/sysadmin
managehome: "true"
shell: /bin/bash
uid: 4000
gid: sysadmin
comment: Systems Admin
etc
and create them using create_resource. Is it possible to use hiera to
associate all the users to particular servers ?
On Thursday, May 30, 2013 4:39:02 PM UTC+1, nikolavp
wrote:>
> You can always use tags with virtual resources of some sort. Let''s
say
> that user1 is in group app1, user2 and user3 are in group app2. You can
> "tag" those user accounts with that:
>
> user{''user1''
> ...
> tag => ''app1'',
> }
>
> user {[''user2'', ''user3'']:
> ...
> tag => ''app2'',
> }
>
> now in your hiera configurations or somewhere else(like ENC) you can
> specify which user accounts belong to that host by realizing only those
> that you need.
>
> node node10,node20 {
> User<<| tag == ''app1'' |>>
> }
>
> I would also introduce a fact that exposes the fact that user accounts
> of ''app1'' "belong" to a particular host
>
> On Thu, May 30, 2013 at 08:02:34AM -0700, przemol wrote:
> > Hello,
> >
> > we have been using puppet 3 with hiera based config and several
(usually
> > "typical") environments:
> > test
> > predev
> > dev
> > preprod
> > prod
> > ...
> > Basically we apply the puppet config to test, then predev, then dev,
etc
> > But within each environment we have quite a large number of hosts
> > (20/50/100/300/...).
> > We would like to "group" them into sort of subgroups. For
example "dev"
> > hosts
> > are for developers from different applications teams: app1, app2,
app3,
> > appN.
> > We need to create accounts (user accounts are just an example - there
> are
> > other similar tasks) on all servers from dev environments:
> > user accounts for dev team app1 don''t need to be on all dev
servers -
> just
> > on the following nodes: node10 - node20
> > user accounts for dev team app2 should be just on the following nodes:
> > node35 - node88
> > etc
> > (and I can''t use any regular expressions to select nodes -
the same
> servers
> > in each group could have quite different FQDN)
> > Can you recommend what puppet/hiera feature could I use to group
servers
> ?
> > It would be good if I could use it just on central puppet master
server
> and
> > not need to login to every node
> > and assign it locally to a group.
> >
> > Regards
> >
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to puppet-users...@googlegroups.com <javascript:>.
> > To post to this group, send email to
puppet...@googlegroups.com<javascript:>.
>
> > Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> > For more options, visit https://groups.google.com/groups/opt_out.
> >
> >
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
On 31 May 2013 01:02, przemol <p.bak@cmcmarkets.com> wrote:> Hello, > > we have been using puppet 3 with hiera based config and several (usually > "typical") environments: > test > predev > dev > preprod > prod > ... > Basically we apply the puppet config to test, then predev, then dev, etc > But within each environment we have quite a large number of hosts > (20/50/100/300/...). > We would like to "group" them into sort of subgroups. For example "dev" > hosts > are for developers from different applications teams: app1, app2, app3, > appN. >If you have that many nodes I would suggest an ENC like Foreman and use host groups to include the classes you want for each group. Foreman also talks to puppetdb to get facts and the like and you can send puppet reports to it which will also be handy for that many nodes. Using an enc also gives you a centralised way of managing which host group or environment a node uses. In fact if you use a ENC it ignores the environment setting on the node and only uses the one set in the enc.> We need to create accounts (user accounts are just an example - there are > other similar tasks) on all servers from dev environments: > user accounts for dev team app1 don''t need to be on all dev servers - just > on the following nodes: node10 - node20 > user accounts for dev team app2 should be just on the following nodes: > node35 - node88 >Also given the number of nodes you have I would also suggest some form of centralised user management like FreeIPA, LDAP or AD. Then you can define the access rights you want for each use or use group. (if you are tricky you can also use LDAP as an ENC but that may be an exercise for the future.) etc> (and I can''t use any regular expressions to select nodes - the same > servers in each group could have quite different FQDN) > Can you recommend what puppet/hiera feature could I use to group servers ? > It would be good if I could use it just on central puppet master server > and not need to login to every node > and assign it locally to a group. > > Regards > > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscribe@googlegroups.com. > To post to this group, send email to puppet-users@googlegroups.com. > Visit this group at http://groups.google.com/group/puppet-users?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Yes you can just tag them from there:
accounts::users::accounts:
sysadmin:
ensure: present
home: /home/sysadmin
managehome: "true"
shell: /bin/bash
uid: 4000
gid: sysadmin
comment: Systems Admin
tags aren''t special in any way - they are just a metaparameter that
each
resource in puppet can have -
http://docs.puppetlabs.com/references/latest/metaparameter.html#tag
If you don''t want to repeat yourself and can deduce the user
team(group)
from the yaml file or something, you can use the third parameter for
create_resource which is just the default parameters. So you would have
something like this:
$tags = {
tag => ''app1''
}
create_resource(user, $myhash, $tags)
--
Nikola
On Thu, May 30, 2013 at 09:51:48AM -0700, przemol wrote:> This approach requires to keep all the users in *.pp files.
> Currently we keep users in yaml file:
>
> accounts::users::accounts:
> sysadmin:
> ensure: present
> home: /home/sysadmin
> managehome: "true"
> shell: /bin/bash
> uid: 4000
> gid: sysadmin
> comment: Systems Admin
> etc
> and create them using create_resource. Is it possible to use hiera to
> associate all the users to particular servers ?
>
>
> On Thursday, May 30, 2013 4:39:02 PM UTC+1, nikolavp wrote:
> >
> > You can always use tags with virtual resources of some sort.
Let''s say
> > that user1 is in group app1, user2 and user3 are in group app2. You
can
> > "tag" those user accounts with that:
> >
> > user{''user1''
> > ...
> > tag => ''app1'',
> > }
> >
> > user {[''user2'', ''user3'']:
> > ...
> > tag => ''app2'',
> > }
> >
> > now in your hiera configurations or somewhere else(like ENC) you can
> > specify which user accounts belong to that host by realizing only
those
> > that you need.
> >
> > node node10,node20 {
> > User<<| tag == ''app1'' |>>
> > }
> >
> > I would also introduce a fact that exposes the fact that user accounts
> > of ''app1'' "belong" to a particular host
> >
> > On Thu, May 30, 2013 at 08:02:34AM -0700, przemol wrote:
> > > Hello,
> > >
> > > we have been using puppet 3 with hiera based config and several
(usually
> > > "typical") environments:
> > > test
> > > predev
> > > dev
> > > preprod
> > > prod
> > > ...
> > > Basically we apply the puppet config to test, then predev, then
dev, etc
> > > But within each environment we have quite a large number of hosts
> > > (20/50/100/300/...).
> > > We would like to "group" them into sort of subgroups.
For example "dev"
> > > hosts
> > > are for developers from different applications teams: app1, app2,
app3,
> > > appN.
> > > We need to create accounts (user accounts are just an example -
there
> > are
> > > other similar tasks) on all servers from dev environments:
> > > user accounts for dev team app1 don''t need to be on all
dev servers -
> > just
> > > on the following nodes: node10 - node20
> > > user accounts for dev team app2 should be just on the following
nodes:
> > > node35 - node88
> > > etc
> > > (and I can''t use any regular expressions to select nodes
- the same
> > servers
> > > in each group could have quite different FQDN)
> > > Can you recommend what puppet/hiera feature could I use to group
servers
> > ?
> > > It would be good if I could use it just on central puppet master
server
> > and
> > > not need to login to every node
> > > and assign it locally to a group.
> > >
> > > Regards
> > >
> > >
> > > --
> > > You received this message because you are subscribed to the
Google
> > Groups "Puppet Users" group.
> > > To unsubscribe from this group and stop receiving emails from it,
send
> > an email to puppet-users...@googlegroups.com <javascript:>.
> > > To post to this group, send email to
puppet...@googlegroups.com<javascript:>.
> >
> > > Visit this group at
http://groups.google.com/group/puppet-users?hl=en.
> > > For more options, visit https://groups.google.com/groups/opt_out.
> > >
> > >
> >
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-users+unsubscribe@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
Pete, thank you for suggestions. As for my environments: the users example is just an example. The same problem exists when I want to apply other config settings to subset of servers. We use The Foreman so this is one option. In general I wanted to ask you if you could share your experience regarding deploying hiera based puppet in more diverse environments. On Friday, May 31, 2013 1:36:52 AM UTC+1, Pete wrote:> > On 31 May 2013 01:02, przemol <p....@cmcmarkets.com <javascript:>> wrote: > >> Hello, >> >> we have been using puppet 3 with hiera based config and several (usually >> "typical") environments: >> test >> predev >> dev >> preprod >> prod >> ... >> Basically we apply the puppet config to test, then predev, then dev, etc >> But within each environment we have quite a large number of hosts >> (20/50/100/300/...). >> We would like to "group" them into sort of subgroups. For example "dev" >> hosts >> are for developers from different applications teams: app1, app2, app3, >> appN. >> > > If you have that many nodes I would suggest an ENC like Foreman and use > host groups to include the classes you want for each group. > Foreman also talks to puppetdb to get facts and the like and you can send > puppet reports to it which will also be handy for that many nodes. > Using an enc also gives you a centralised way of managing which host group > or environment a node uses. > In fact if you use a ENC it ignores the environment setting on the node > and only uses the one set in the enc. > > >> We need to create accounts (user accounts are just an example - there are >> other similar tasks) on all servers from dev environments: >> user accounts for dev team app1 don''t need to be on all dev servers - >> just on the following nodes: node10 - node20 >> user accounts for dev team app2 should be just on the following nodes: >> node35 - node88 >> > > Also given the number of nodes you have I would also suggest some form of > centralised user management like FreeIPA, LDAP or AD. > Then you can define the access rights you want for each use or use group. > > (if you are tricky you can also use LDAP as an ENC but that may be an > exercise for the future.) > > etc >> (and I can''t use any regular expressions to select nodes - the same >> servers in each group could have quite different FQDN) >> Can you recommend what puppet/hiera feature could I use to group servers ? >> It would be good if I could use it just on central puppet master server >> and not need to login to every node >> and assign it locally to a group. >> >> Regards >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to puppet-users...@googlegroups.com <javascript:>. >> To post to this group, send email to puppet...@googlegroups.com<javascript:> >> . >> Visit this group at http://groups.google.com/group/puppet-users?hl=en. >> For more options, visit https://groups.google.com/groups/opt_out. >> >> >> > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Hi Nikola, this solution seems very interesting :-) Can you please write an example *.pp files with tags and example users which shows how to tag it ? Thanks On Friday, May 31, 2013 10:02:21 AM UTC+1, nikolavp wrote:> > Yes you can just tag them from there: > > > accounts::users::accounts: > sysadmin: > ensure: present > home: /home/sysadmin > managehome: "true" > shell: /bin/bash > uid: 4000 > gid: sysadmin > comment: Systems Admin > > tags aren''t special in any way - they are just a metaparameter that each > resource in puppet can have - > http://docs.puppetlabs.com/references/latest/metaparameter.html#tag > > If you don''t want to repeat yourself and can deduce the user team(group) > from the yaml file or something, you can use the third parameter for > create_resource which is just the default parameters. So you would have > something like this: > > $tags = { > tag => ''app1'' > } > > create_resource(user, $myhash, $tags) > > > -- > Nikola > > On Thu, May 30, 2013 at 09:51:48AM -0700, przemol wrote: > > This approach requires to keep all the users in *.pp files. > > Currently we keep users in yaml file: > > > > accounts::users::accounts: > > sysadmin: > > ensure: present > > home: /home/sysadmin > > managehome: "true" > > shell: /bin/bash > > uid: 4000 > > gid: sysadmin > > comment: Systems Admin > > etc > > and create them using create_resource. Is it possible to use hiera to > > associate all the users to particular servers ? > > > > > > On Thursday, May 30, 2013 4:39:02 PM UTC+1, nikolavp wrote: > > > > > > You can always use tags with virtual resources of some sort. Let''s say > > > that user1 is in group app1, user2 and user3 are in group app2. You > can > > > "tag" those user accounts with that: > > > > > > user{''user1'' > > > ... > > > tag => ''app1'', > > > } > > > > > > user {[''user2'', ''user3'']: > > > ... > > > tag => ''app2'', > > > } > > > > > > now in your hiera configurations or somewhere else(like ENC) you can > > > specify which user accounts belong to that host by realizing only > those > > > that you need. > > > > > > node node10,node20 { > > > User<<| tag == ''app1'' |>> > > > } > > > > > > I would also introduce a fact that exposes the fact that user accounts > > > of ''app1'' "belong" to a particular host > > > > > > On Thu, May 30, 2013 at 08:02:34AM -0700, przemol wrote: > > > > Hello, > > > > > > > > we have been using puppet 3 with hiera based config and several > (usually > > > > "typical") environments: > > > > test > > > > predev > > > > dev > > > > preprod > > > > prod > > > > ... > > > > Basically we apply the puppet config to test, then predev, then dev, > etc > > > > But within each environment we have quite a large number of hosts > > > > (20/50/100/300/...). > > > > We would like to "group" them into sort of subgroups. For example > "dev" > > > > hosts > > > > are for developers from different applications teams: app1, app2, > app3, > > > > appN. > > > > We need to create accounts (user accounts are just an example - > there > > > are > > > > other similar tasks) on all servers from dev environments: > > > > user accounts for dev team app1 don''t need to be on all dev servers > - > > > just > > > > on the following nodes: node10 - node20 > > > > user accounts for dev team app2 should be just on the following > nodes: > > > > node35 - node88 > > > > etc > > > > (and I can''t use any regular expressions to select nodes - the same > > > servers > > > > in each group could have quite different FQDN) > > > > Can you recommend what puppet/hiera feature could I use to group > servers > > > ? > > > > It would be good if I could use it just on central puppet master > server > > > and > > > > not need to login to every node > > > > and assign it locally to a group. > > > > > > > > Regards > > > > > > > > > > > > -- > > > > You received this message because you are subscribed to the Google > > > Groups "Puppet Users" group. > > > > To unsubscribe from this group and stop receiving emails from it, > send > > > an email to puppet-users...@googlegroups.com <javascript:>. > > > > To post to this group, send email to puppet...@googlegroups.com<javascript:>. > > > > > > > > Visit this group at > http://groups.google.com/group/puppet-users?hl=en. > > > > For more options, visit https://groups.google.com/groups/opt_out. > > > > > > > > > > > > > > > -- > > You received this message because you are subscribed to the Google > Groups "Puppet Users" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to puppet-users...@googlegroups.com <javascript:>. > > To post to this group, send email to puppet...@googlegroups.com<javascript:>. > > > Visit this group at http://groups.google.com/group/puppet-users?hl=en. > > For more options, visit https://groups.google.com/groups/opt_out. > > > > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.