As promised, for those of you playing along at home, here's what I came up with.

The complicating factor in my situation is that I need to write Puppet code that will execute correctly today when run using 'puppet apply...' as a non-privileged user, but still work correctly at some future date when my systems group sets up a proper Puppet infrastructure with a master and agents on the managed nodes running as the root user.

The solution I came up with is inelegant, but it works. I have one module that works whether it is called as root or as an unprivileged user. It is a defined resource.

File compression module:

    define compress_roleid::roleid (
      $hour           = 0,
      $minute         = 22,
      $weekday        = 0,
      $compress_files = "",
      $user           = $title,
    ) {
      # [some Puppet code goes here to create a bash script, some configuration files and a cron job]
    }

I have a file saved under .../hiera/node/[fqdn].yaml with the following data:

    ---
    # data to be used when Puppet is run as the dpr2 user
    dpr2::compress:
      dpr2:
        compress_files:
          - "/dpr2/apps/metacat33181/tomcat/logs"
          - "/dpr2/postgres/log"
        hour: 0
        minute: 20
        weekday: 0

    # data to be used when Puppet is run as the dpr2store user
    dpr2store::compress:
      dpr2store:
        compress_files:
          - "/dpr2store/apps/fixity33143/tomcat/logs"
          - "/dpr2store/apps/storage35121/tomcat/logs"
        hour: 0
        minute: 25
        weekday: 0

    # data to be used when Puppet is run as root
    compress_roleid::roleid::user:
      dpr2:
        user: "dpr2"
        compress_files:
          - "/dpr2/apps/metacat33181/tomcat/logs"
          - "/dpr2/postgres/log"
        hour: 0
        minute: 25
        weekday: 0
      dpr2store:
        user: "dpr2store"
        compress_files:
          - "/dpr2store/apps/fixity33143/tomcat/logs"
          - "/dpr2store/apps/storage35121/tomcat/logs"
        hour: 0
        minute: 25
        weekday: 0

My nodes.pp file contains the following:

    node 'uc3-mrt-store-stg.cdlib.org' inherits basenode {
      if $::id == "root" {
        # Retrieve all parameters from .../puppet/hiera/node/[fqdn].yaml
        $logrotate_roleid_options = hiera_hash('logrotate_roleid::roleid::user', false)
        $compress_roleid_options  = hiera_hash('compress_roleid::roleid::user', false)

        # If parameters are found, create the resources
        if $logrotate_roleid_options {
          create_resources('logrotate_roleid::roleid', $logrotate_roleid_options)
        }
        if $compress_roleid_options {
          create_resources('compress_roleid::roleid', $compress_roleid_options)
        }
      } else {
        # Retrieve per-user parameters from .../puppet/hiera/node/[fqdn].yaml
        $per_user_compress  = hiera_hash("${::id}::compress", false)
        $per_user_logrotate = hiera_hash("${::id}::logrotate", false)

        # If parameters are found, create the resources
        if $per_user_compress {
          create_resources('compress_roleid::roleid', $per_user_compress)
        }
        if $per_user_logrotate {
          create_resources('logrotate_roleid::roleid', $per_user_logrotate)
        }
      }
    }

When Puppet is run as an unprivileged user, the parameters for the create_resources statement use the ${::id} as the key to the YAML hash. Puppet must be run twice, once as the dpr2 user, and again as the dpr2store user. If, on the other hand, Puppet is run as root, then the hash data keyed as 'compress_roleid::roleid' is used, which contains information to set up file compression for both users in a single operation.

I haven't been able to fully test this as root, but when I edit the nodes.pp file to force execution of the create_resources statement using the root YAML hash, the output of puppet apply --noop certainly looks like it will do the right thing. And when I run the script as dpr2 or dpr2store it definitely does do the right thing.

Thanks to everyone, and especially Chris, for helping me over the rough patch.

--Ken

------------------------------------------------------------
Ken Weiss                        ken.we...@ucop.edu
UC Office of the President       510-587-6311 (office)
California Digital Library       916-905-6933 (mobile)
UC Curation Center
415 20th Street, 4th Floor
Oakland, CA 94612

From: Chris McDermott <csmcderm...@gmail.com>
Reply-To: "puppet-users@googlegroups.com" <puppet-users@googlegroups.com>
Date: Friday, August 23, 2013 10:17 PM
To: "puppet-users@googlegroups.com" <puppet-users@googlegroups.com>
Subject: Re: [Puppet Users] Using hiera lookups with defined types

Well, normally you would use hiera_hash() and create_resources() to do it, like this:

    # yaml data source
    ---
    cron_jobs::logrotate::users:
      kenweiss:
        hour: 5
      tomjones:
        hour: 3
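
The key selection on $::id described in the message above keeps each role user's parameters under two Hiera keys, one read by the unprivileged run and one read by the root run, so the two copies can drift apart. As an added example (not part of the original thread or anyone's posted code), this Python check mirrors the nodes.pp branch using the posted data transcribed as dicts, and lists every parameter that differs between the two modes; the function names resources_for and drift are assumptions of this example.

```python
# Hiera data transcribed from the [fqdn].yaml in the post (values as posted).
DPR2_FILES = ["/dpr2/apps/metacat33181/tomcat/logs", "/dpr2/postgres/log"]
STORE_FILES = ["/dpr2store/apps/fixity33143/tomcat/logs",
               "/dpr2store/apps/storage35121/tomcat/logs"]
HIERA = {
    "dpr2::compress": {"dpr2": {
        "compress_files": DPR2_FILES, "hour": 0, "minute": 20, "weekday": 0}},
    "dpr2store::compress": {"dpr2store": {
        "compress_files": STORE_FILES, "hour": 0, "minute": 25, "weekday": 0}},
    "compress_roleid::roleid::user": {
        "dpr2": {"user": "dpr2", "compress_files": DPR2_FILES,
                 "hour": 0, "minute": 25, "weekday": 0},
        "dpr2store": {"user": "dpr2store", "compress_files": STORE_FILES,
                      "hour": 0, "minute": 25, "weekday": 0}},
}
# Parameter defaults of the compress_roleid::roleid define in the post.
DEFAULTS = {"hour": 0, "minute": 22, "weekday": 0, "compress_files": ""}

def resources_for(run_as, hiera=HIERA):
    """Mimic the nodes.pp branch on $::id and return {title: parameters}."""
    key = ("compress_roleid::roleid::user" if run_as == "root"
           else f"{run_as}::compress")
    resources = {}
    for title, params in (hiera.get(key) or {}).items():
        merged = dict(DEFAULTS, user=title)  # $user defaults to $title
        merged.update(params)
        resources[title] = merged
    return resources

def drift(role_users, hiera=HIERA):
    """List (title, parameter, unprivileged value, root value) mismatches."""
    as_root = resources_for("root", hiera)
    seen, findings = set(), []
    for user in role_users:
        for title, params in resources_for(user, hiera).items():
            seen.add(title)
            root_params = as_root.get(title)
            if root_params is None:
                findings.append((title, "<resource>", "present", "absent"))
                continue
            findings += [(title, k, params[k], root_params.get(k))
                         for k in sorted(params) if params[k] != root_params.get(k)]
    findings += [(t, "<resource>", "absent", "present")
                 for t in sorted(set(as_root) - seen)]
    return findings

if __name__ == "__main__":
    for finding in drift(["dpr2", "dpr2store"]):
        print("drift: %s %s unprivileged=%r root=%r" % finding)
```

On the data as posted it reports one difference: the dpr2 job's minute is 20 in the per-user hash and 25 in the root hash.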