So I've been in contact with Puppet Labs and will be doing a blog post on how to do Puppet without Root. I'm hoping to keep it very 'this is what I do, there are lots of ways to solve this problem'. If there are specific things you'd like to see in this please speak up. My plan is to punt on installing it, and get straight to package, file, service with Puppet in a rootless environment.
R. I., you said to install:

> export GEM_HOME=~/.gem
> gem install puppet
> export PATH=$PATH:~/.gem/bin
> puppet --version

This is the easiest installation and not representative of my situation. At my place of work we don't have Ruby installed from packages so we have to build one from source and push it out. We also have to push out some libraries, most notably libyaml, as well. After this is set up the gem/rvm install works okay. I've tried pushing binary rubies out with rvm's tooling but I couldn't get it working. I think the problem is that even when rvm is pushing a binary, it depends on having some minimum libraries installed as system libs.

With any source installation, upgrading is a major undertaking, and it's not clear to me under the current scheme how I would use Puppet to upgrade itself.

With any non-root installation the question comes up how to enable a daemon. Right now I have @reboot crons to fire off the Puppet agent. More time than I would like is spent looking which hosts' Puppet has died in icinga and going out and restarting them.

Two (related) problems I have when running Puppet without root:

1) The File resource:

If we have a file resource like:

    file { '/tmp/foobar':
      source => "puppet:///blah",
      ensure => file,
    }

The group and owner are unmanaged but do not default to the user puppet is running as. They also don't default to the root user. The user and group are copied over from the file on disk on the puppet master. Or at least I think that's what's going on. This means I have to do stuff like this:

    file { '/tmp/foobar':
      source => 'puppet:///blah',
      ensure => file,
      owner  => $owner,
      group  => $group,
    }

Which means I need to know the owner and group of Puppet. Which takes us to my second problem:

2) Facter doesn't have native facts for detecting what user it's running as. It has $id which is ~= the running user, but nothing for the group.
I've written three facts into my rootless module:

    $puppet_user
    $puppet_group
    $puppet_user_home

These are very small facts that just read information from getent.

Again I'm mostly using Puppet to roll out the application.

Thanks,
Spencer Krum

On Fri, Oct 11, 2013 at 10:22 AM, Trevor Vaughan <tvaug...@onyxpoint.com> wrote:

> OpenShift is trying to abstract away a lot of the issues with this type
> of scenario.
>
> Unfortunately, I'm not certain of the support on non RHEL-based distros at
> this point but the idea is at least worth looking at.
>
> http://openshift.github.io/
>
> On Fri, Oct 11, 2013 at 8:12 AM, Klavs Klavsen <kl...@enableit.dk> wrote:
>
>> I know of several who have managed servers, but want to use Puppet to
>> roll manage the applications they install, and what else they have been
>> allowed to manage - but that will never be able to run puppet as root,
>> since the OS is not their responsibility.
>>
>> Also - some of those, the managers of the server use puppet (as root) to
>> set them up - but again - they can't share puppet repo.. so it would be
>> preferable to be able to install root elsewhere (they build their own
>> patched version of puppet, to make it support installing under /opt - not
>> something puppet supports very well currently). They are also using puppet
>> on a lot of diff. unix OS'es - so they have to compile it for several
>> themselves, and since they want things uniform (and non-intrusive) - they
>> choose to install under /opt on all.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> Visit this group at http://groups.google.com/group/puppet-users.
>> For more options, visit https://groups.google.com/groups/opt_out.
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699
> tvaug...@onyxpoint.com
>
> -- This account not approved for unencrypted proprietary information --

--
Spencer Krum
(619)-980-7820
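
An added illustration, not part of the original message and not the code from the rootless module it mentions: one way facts with the three names given above could be written, so that owner and group on file resources can be set to the unprivileged account the agent runs as. It reads the passwd and group databases through Ruby's Etc module rather than shelling out to getent, and the helper name rootless_identity is hypothetical.

```ruby
require 'etc'

# Resolve the account the current process (here: the Puppet agent) runs as.
# Etc consults the same passwd/group databases that getent reads.
# rootless_identity is a hypothetical helper name, not from the original post.
def rootless_identity(uid = Process.euid, gid = Process.egid)
  pw = begin
    Etc.getpwuid(uid)
  rescue ArgumentError
    nil # uid has no passwd entry (common in containers with arbitrary uids)
  end
  gr = begin
    Etc.getgrgid(gid)
  rescue ArgumentError
    nil # gid has no group entry
  end

  {
    # Fall back to the numeric id: Puppet's owner/group accept numeric ids,
    # so the manifest still pins ownership to the running account.
    'puppet_user'      => pw ? pw.name : uid.to_s,
    'puppet_group'     => gr ? gr.name : gid.to_s,
    'puppet_user_home' => pw ? pw.dir : ENV.fetch('HOME', '')
  }
end

# Register the facts only when loaded by Facter (e.g. from a module's
# lib/facter directory); run with plain ruby, the file just defines the helper.
if defined?(Facter)
  rootless_identity.each_key do |fact_name|
    Facter.add(fact_name) do
      setcode { rootless_identity[fact_name] }
    end
  end
end
```

With facts like these, a manifest can write owner => $puppet_user and group => $puppet_group so that files never inherit the ownership recorded on the master.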