On Mar 7, 2011, at 7:06 PM, LarsP wrote:

> I was told recently at a Puppet workshop that using LDAP for managing node
> information is not advised. Anybody care to comment? What is it about using
> LDAP that's not a good idea?

I’ve never heard this. I hope it’s not true because you’ll have to pry LDAP from my cold, dead hands.

> One of the main concerns from my colleagues is that we'd be introducing
> another central point of failure. We would lose all Puppet functionality if
> the LDAP server became unresponsive.

A couple of thoughts on this:

1. Setting up multiple LDAP servers for load balancing and failover is really pretty easy (though it may seem intimidating).

2. Puppet will still work to some degree if LDAP goes away. Anything that applies to all systems by default, or depends on facts from facter, will still happen. Only things that depend on classes, puppetVars or other variables defined in LDAP will cease to happen (possibly without error).

3. It's not as though something is going to break if Puppet quits working entirely. How long would you expect it to take to get your LDAP server back up and running? So what if your Puppet runs are delayed by 2 hours instead of 30 minutes? In theory, Puppet doesn't need to do anything 99% of the time.

> If we stay with the XML file, we have more "stability". We also have the
> advantage of being able to version control our configuration...

Yes, but if you put details for your systems in LDAP, there’s so, so much you can automate outside of Puppet as well. Every scripting language understands LDAP, so use your imagination. One good example is a web-based front-end to allow manager types to view the information (as sort of an inventory tracking tool).

The reason databases like this get out of date is that keeping them current is a pain. The only way it works is if *not* keeping it current is even *more* painful. Puppet can help with this. If you don’t go into LDAP and add a node and classify it as a web server, it literally won’t function as a web server. So when a human looks at the information about a system via the web, they know it has to be correct.

We also use information in LDAP to configure our monitoring system. Again, this keeps you on your toes. If you don’t add it to LDAP, it doesn’t get monitored. If you don’t remove it from LDAP when it’s gone, you’ll get annoyed with alerts that it went down.

And there are the daily tasks that can be sped up, like connecting (in a loop or via cluster SSH) to all systems with certain attributes. Answering the constant requests for “a list of all the XYZ servers with ABC”, running `ssh-keyscan`, populating a local file for hostname completion in your shell, etc. I could go on, but I think you get the idea.

-- 
Rob McBroom <http://www.skurfer.com/>

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
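An added example, not from Rob's post or the Puppet project, of the "daily tasks" automation the reply describes: pull the node entries out of an LDAP export and select hosts by the classes and variables Puppet reads from there. It assumes the stock Puppet LDAP schema attribute names (`puppetClass`, `puppetVar`) and uses a constructed LDIF sample with invented hostnames so it runs offline.

```python
# Added example, not from the original thread: turn the Puppet node entries
# held in LDAP (stock schema names: puppetClass, puppetVar) into the host lists
# the post describes. LDIF_EXPORT is a constructed stand-in for ldapsearch output.
from collections import defaultdict

LDIF_EXPORT = """\
dn: cn=web01.example.test,ou=Hosts,dc=example,dc=test
cn: web01.example.test
puppetClass: base
puppetClass: webserver
puppetVar: environment=production

dn: cn=web02.example.test,ou=Hosts,dc=example,dc=test
cn: web02.example.test
puppetClass: webserver
puppetVar: environment=staging

dn: cn=db01.example.test,ou=Hosts,dc=example,dc=test
cn: db01.example.test
puppetClass: postgres
puppetVar: environment=production
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, joining folded lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # ldapsearch folds long lines
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:                # trailing "" flushes last entry
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(dict(current))
            current = None
            continue
        attr, _, value = line.partition(":")
        current = current if current is not None else defaultdict(list)
        current[attr].append(value.strip())
    return entries

def hosts_matching(entries, puppet_class=None, puppet_var=None):
    """Sorted hostnames whose entry carries the given puppetClass / puppetVar."""
    return sorted(
        cn for e in entries for cn in e.get("cn", [])
        if (puppet_class is None or puppet_class in e.get("puppetClass", []))
        and (puppet_var is None or puppet_var in e.get("puppetVar", []))
    )
```

The returned list is what you would hand to `ssh-keyscan`, a cluster SSH loop, or write to a hostname-completion file; against a live directory, replace the sample with the output of `ldapsearch -LLL '(objectClass=puppetClient)'`.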