On Mar 5, 11:33 am, Pablo Fernandez <pablo.fernan...@cscs.ch> wrote:
> Dear Puppeteers,
>
> After many hours of reading manuals, books and google, I'm starting to think
> there is no right way to edit files in puppet, and I must be wrong. A massive
> work is ahead (puppetizing our whole cluster) and I would like to start on
> the right foot.
>
> My idea is to make puppet a tool that describes the system as it should be,
> and files are no different. I don't want to have old entries in the
> /root/.ssh/authorized_keys, or in the /etc/sysctl.conf. I want that, when I
> remove a configuration item in Puppet, the file comes back to the situation it
> was before (as much as possible).
>
> Because of this, using Augeas, or Ssh_authorized_key, or custom shell-scripts
> "add_line_if_not_present" do not help by themselves (removing the item - or
> unimporting the containing class - does not remove the line). So, what I
> thought, is that I should use "default files" for those cases, and then edit
> afterwards. I do this, for example:
>
> class parent {
>   file { "/root/.ssh/authorized_keys": content => "" }
> }
>
> class child inherits parent {
>   ssh_authorized_key { "Pablo": blabla }
>   File["/root/.ssh/authorized_keys"] -> Ssh_authorized_key["Pablo"]
> }
>
> The problem I have is that, every time I run puppetd -t, I see how puppet is
> emptying the file, and populating it again, on the same run. And no matter how
> many times I run it (no changes in the manifests) it tells me the diffs of
> what the changes would be, that leave the file exactly like it was.


Well, yes.  You are managing the same physical resources via multiple
Puppet resources.  They disagree about the required state for the
physical resource, so each is certain to resync on every run.


> And I
> noticed this happens with Augeas all the same, and if a file has a
> notification on a service, it will trigger a restart.
>
> Do you know a way to avoid this? Having a file changing all the time (even if
> it's wrong just for a second) is not what I want, and the same goes for
> restarting the service every 30 minutes for no reason.


Others can speak more intelligently about Augeas.

As for your file, you need to stop making contradictory declarations
about it.  In principle, you should be able to use the Resources meta-
resource to purge unmanaged authorized keys, but in practice that
doesn't work (yet).  See this feature request for more information:
http://projects.puppetlabs.com/issues/1581.  You have (at least) these
options:

1) Manage all possible(*) ssh_authorized_keys for every node, ensuring
each one either "present" or "absent" as appropriate, but do not
manage the file via a File resource.  This approach will only clear
out keys you know to ensure absent, however, which may be a major
shortcoming.

2) Manage the file only via a File resource.  The most scalable
approach here would involve writing a template for it, so that you
wouldn't need to maintain a combinatorial number of the different
files.

3) Write a custom provider for ssh_authorized_keys that provides for
purging.  Easiest would probably be to base such a thing on the
existing provider.  Distribute the provider via pluginsync, and name
it explicitly in your ssh_authorized_key resource declarations.  Use
Resources to purge unwanted keys.
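As an added illustration of option 2 (not John's or Pablo's code, and not part of the original thread), the manifest below manages /root/.ssh/authorized_keys from exactly one File resource whose content is rendered from the key data. Because there is no second resource declaring a different state for the same file, an unchanged key list produces no diff and no service notification on repeated runs, and a key deleted from the hash disappears from the file on the next run. The class name, the parameter name, the key names and the key material are all constructed placeholders; the syntax assumes Puppet 4 or later (typed class parameters).

```puppet
# Added example, not from the original post: one File resource is the single
# source of truth for root's authorized_keys. The key list is data, so removing
# an entry here removes the line on the next run, and nothing else touches the
# file, so a run with no data change is a no-op.
class root_authorized_keys (
  # Constructed placeholder keys; real values would come from Hiera or similar.
  Hash[String, String] $root_keys = {
    'pablo'  => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC-placeholder-key-1',
    'deploy' => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQC-placeholder-key-2',
  },
) {
  file { '/root/.ssh':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # Keys are sorted by name before rendering so the output is deterministic;
  # an unsorted hash could reorder lines between runs and show a spurious diff.
  # Only the keys in $root_keys appear in the file, so stale entries cannot
  # survive from an earlier revision of the manifest.
  file { '/root/.ssh/authorized_keys':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => inline_template(
      "<% @root_keys.keys.sort.each do |name| -%>ssh-rsa <%= @root_keys[name] %> <%= name %>\n<% end -%>"
    ),
    require => File['/root/.ssh'],
  }
}

include root_authorized_keys
```

The same idea scales to other "whole file" cases Pablo mentions, such as /etc/sysctl.conf: keep the file's full desired content in one template fed by data, and never also declare the file (or lines in it) from a second resource such as ssh_authorized_key or augeas. If a service must restart when the key set changes, attach the notify to this single File resource; it will then fire only when the rendered content actually differs.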


> Or is there any other method to ensure a file is what you want it to be,
> without having all the possible options in different files?


That's what templates are for.  In some cases, the Puppet::Concat
module can also be useful for this purpose, but I'm not certain
whether it satisfies your criterion of avoiding resyncing the file on
every run, which is why I didn't mention it above.


John
