1. Flatten includes -- 6+ layers of include are a bit much. Move all default items currently buried in base and template up to a top scope "default" node, and inherit that.


    site.pp -> server -> template -> base -> iptables

Some nodes pull in from base, some from template.

I propose the following:

move base to a top level node; all sub includes in base should be evaluated, and moved to the node level unless they absolutely need to be includes.
move exim to a top level 'server' node, and inherit base
inherit 'server' node for all boxes that use 'server' or template now, base node for all other nodes.

2. Remove hardcoding -- openstack_project is only usable for ... o.o. Any hardcoded items should be variables, with a hiera lookup whose default is the current hardcoded value, i.e. $puppetmaster = hiera('puppetmaster', 'ci-puppetmaster.openstack.org') -- then you can set puppetmaster: 'puppethostname' in hiera, in the node that calls the puppetmaster manifest, or default to o.o.

3. Redesign hiera.yaml to include a second data directory for 'public' data. Start taking advantage of hiera's ability to load different data based on hierarchy.

See https://review.openstack.org/#/c/71739/ for the open review that addresses this.

4. Move package installs into hiera. It depends on task #3 to split out the hiera data, so that a given host will load a common.yaml, a private yaml, and then a host specific yaml.
* just pushed to upstream review: https://review.openstack.org/#/c/71630/

This would be a fairly large change, but could be approached in sections. It would allow you to specify the following in a common.yaml:

    ensure: 'present'
    provider: 'pip'
    ensure: 'latest'
    provider: 'gem'
    ensure: '6.0-4ubuntu2'

And have the following in something like puppetmaster.yaml

    ensure: '2.7.25-1puppetlabs1'

When loading package lists, this module deduplicates, which removes the issue of 'package already defined' on future code blocks.

5. Move user management into hiera. This works best when used with task #3, as you can then specify "public" users, and "custom" (private) users. This would also make it easier to handle adding users on specific servers.

Should support having no password (which means the account can not authenticate with a password)
Support adding/updating/removing ssh keys
Support adding/updating/removing accounts and groups.

    ensure: present
    password: nobodyknows
    managehome: true
        ensure: present
        key: AAAAB3NzaC1yc2EAAAABJQAAAQBzosfmzVV2hxckSV3kwwcYE9RFfDsV+/Zu2PlZrcpP97SHNh/+AwXfaTy8p5qyRFqeO+WYtabzW$
        type: ssh-rsa
    ensure: present
    gid: 401
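
To show how tasks #2, #4 and #5 fit together once #3 splits the data, here is an added example (not code from the openstack-infra puppet tree) that models hiera's two lookup styles in Python: a priority lookup with a default, as in the $puppetmaster line above, and a hash merge across the common / private / host-specific layers, which is what gives each package and user exactly one definition. The layer file names, the host name puppet.example.internal, the user names and the truncated ssh key are all constructed sample data.

```python
"""Minimal model of the hiera lookups the proposal relies on.

Added example, not part of the openstack-infra puppet tree.  The three data
layers that task #3 would produce are constructed here as plain dicts (the
parsed form of common.yaml, private.yaml and puppetmaster.yaml; the file
names and every value in them are assumptions for this example).
"""
from copy import deepcopy

# Hierarchy is listed highest priority first, as in hiera.yaml, so the
# host-specific layer wins over the private layer, which wins over common.
HIERARCHY = [
    ("puppetmaster.yaml", {                          # host-specific layer
        "puppetmaster": "puppet.example.internal",
        "packages": {"puppet": {"ensure": "2.7.25-1puppetlabs1"}},
    }),
    ("private.yaml", {                               # site-private layer
        "users": {
            "deploy": {
                "ensure": "present",
                "managehome": True,
                "ssh_keys": {
                    "deploy@laptop": {"ensure": "present", "type": "ssh-rsa",
                                      "key": "AAAAB3...constructed"},
                    "deploy@oldbox": {"ensure": "absent", "type": "ssh-rsa",
                                      "key": "AAAAB3...revoked"},
                },
            },
        },
    }),
    ("common.yaml", {                                # public layer
        "packages": {
            "puppet": {"ensure": "present"},
            "python-pip": {"ensure": "present"},
            "jenkins-job-builder": {"ensure": "latest", "provider": "pip"},
        },
        "users": {
            "jenkins": {"ensure": "present", "gid": 401},   # no password key
            "olduser": {"ensure": "absent"},
        },
    }),
]

# crypt(3) field that no password hashes to: the account exists and can log
# in with an ssh key, but password authentication is impossible.
LOCKED_PASSWORD = "*"


def hiera(key, default=None, hierarchy=HIERARCHY):
    """Priority lookup: the first layer that defines the key wins, otherwise
    the caller's default, modelling hiera('puppetmaster', 'ci-puppetmaster...')."""
    for _name, data in hierarchy:
        if key in data:
            return data[key]
    return default


def hiera_hash(key, hierarchy=HIERARCHY):
    """Hash merge: collect `key` from every layer, letting higher-priority
    layers override individual sub-keys.  One merged hash means each package
    or user is defined once, which is the deduplication task #4 describes."""
    merged = {}
    for _name, data in reversed(hierarchy):          # lowest priority first
        for name, attrs in data.get(key, {}).items():
            merged.setdefault(name, {}).update(attrs)
    return deepcopy(merged)


def package_resources():
    """Merged package list with Puppet's 'present' default filled in; a host
    layer pinning a version simply overrides the common entry."""
    return {name: {"ensure": "present", **attrs}
            for name, attrs in hiera_hash("packages").items()}


def user_resources():
    """Merged account list.  A user with no 'password' key gets a locked hash
    (no password login); ssh keys marked absent are dropped so they disappear
    from authorized_keys; ensure: absent removes the account outright."""
    out = {}
    for name, attrs in hiera_hash("users").items():
        if attrs.get("ensure") == "absent":
            out[name] = {"ensure": "absent"}
            continue
        keys = sorted(f"{k['type']} {k['key']}"
                      for k in attrs.get("ssh_keys", {}).values()
                      if k.get("ensure", "present") == "present")
        out[name] = {"ensure": "present",
                     "password": attrs.get("password", LOCKED_PASSWORD),
                     "managehome": attrs.get("managehome", False),
                     "authorized_keys": keys}
        if "gid" in attrs:
            out[name]["gid"] = attrs["gid"]
    return out


if __name__ == "__main__":
    print(hiera("puppetmaster", "ci-puppetmaster.openstack.org"))
    print(package_resources())
    print(user_resources())
```

The merge here is shallow per resource, like hiera's default native hash merge: a host layer that redefines a user's ssh_keys replaces that whole sub-hash rather than adding to it, so keys that must survive on every host belong in the common or private layer.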

6. Continued refactoring of all modules until:
they can be used in any environment
they can be used in puppet 2.7 or 3.x interchangeably
they don't implicitly include more than is required.

Please note, these items are wide, sweeping changes, and as such I'm expecting we would want to tackle them in small, safe steps (i.e. get the framework in place and inert, then test changes on sandboxed machines, then gradually roll out to production).

For this reason we may even want to consider a new module to house these items, to completely isolate them and remove risk.

That's my pitch, thanks for reading this far.

OpenStack-Infra mailing list