David Lutterkort wrote:
> On Sun, 2008-09-28 at 15:54 +0200, Jeroen van Meeuwen wrote:
>> Hi there,
>>
>> I'd like to collect some feedback on a conceptual simple Puppet Common
>> Module I want to propose;
>>
>> http://reductivelabs.com/trac/puppet/wiki/PuppetCommonModules/SSH
>
> Nice. The one thing that leaves a bad taste in my mouth is the way the
> file statements try to let you control which exact ssh{,d}_config file
> is used on a client: won't that in practice go back pretty quickly to a
> situation of one file per host on the server ? Even worse, when an
> update to the package wants to change the default for some setting (or
> add a new one), you'll have to spend lots of time merging that change
> into all the copies of ssh{,d}_config.
>
No. Package defaults do not concern you unless the package default comes
with a major operating system version upgrade, and the package defaults
are moot as soon as you start managing the SSHd service (in grant
total). If the package defaults are really of interest, then all you
need to do is:
service { sshd: ensure => running, enable => true }
rather then:
include ssh::server
meaning that you won't need a module to begin with, or the module is of
no interest to anyone.
> Not surprisingly, I'd advocate to only manage the places where the
> ssh{,d}_config needs to deviate from the default that's shipped in the
> package, and to do that with Augeas. So, instead of blowing out the
> entire file to a client, just say something like
>
> augeas { "sshd-config-mods":
> context => "/files/etc/ssh/sshd_config"
> changes => [
> "set UsePam no",
> "set PermitRootLogin yes"
> ]
> }
>
> with appropriate Puppet-specific logic to adjust for differing file
> locations etc.
>
Although I understand your point, I'm not sure how ready anyone is right
now to "migrate" to auguas, especially seeing how it is only a few
months old. Then again, I'm not familiar with augeas and I could ask a
random large number of questions about it right now but it's besides the
point.
Even when using augeas, the settings provided in a module like you
describe will differ in over a dozen ways even if just one or two
organizations are using the module.
Besides, the file sshd_config *will* need to be managed as soon as you
attempt to manage the sshd server/service, regardless of the file
remaining to be the package default, or a default being shipped with the
module.
In addition, if you end up with a file per host in the puppet
configuration tree, the question becomes how you implement configuration
management in the bigger picture to begin with, not how difficult it is
to change a bunch of settings spread over all these files. I for one
once started out with a sshd_config.wheel-only, to which I symlinked
sshd_config.$hostname and ended up having too many symbolic links to
that one file, as I moved hosts from being publicly accessible to
privately accessible. Right about then is the time you make
sshd_config.wheel-only to be the default, and make the exemptions for
the other hosts (and create symbolic links sshd_config.$hostname =>
sshd_config.public).
On another note, if you do the augeas changes you forget to manage the
other aspects that may be important to you. Suppose I manage symbolic
links between foo and bar... My manifest would look like:
file { "/tmp/foo":
ensure => "/tmp/bar"
}
But what I forget is that if the default for "links => manage" changes
to "links => follow", I'm screwed. The point being, even within a
manifest, if you do not manage the defaults that are important to you,
you will most probably find out just how important they are when it is
too late.
Kind regards,
Jeroen van Meeuwen
-kanarip
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
