On Saturday, August 23, 2014 12:46:59 PM UTC-5, Matt W wrote:
>
> Will,
>   Thanks for the response. I know it's a bit of a unique model -- but when 
> you think about it, it makes a decent amount of sense. We run hundreds of 
> nodes that are fundamentally similar
>


And therein is one of the key problems: "similar", not "identical".  If any 
node facts (including $hostname, $fqdn, etc.) vary among these hosts that 
are identifying themselves to the master as the *same machine*, then you 
are putting yourself at risk for problems.  Moreover, if security around 
your puppet catalogs is a concern for you, then be aware that positioning 
your node-type certificates as a shared resource makes it far more likely 
that they will be breached.  Additionally, you cannot limit which machines 
can get configuration from your master.

Lest it didn't catch your eye as it went by, I re-emphasize that Puppet is 
built around the idea that a machine's SSL certname is a unique machine 
identifier within the scope of your certificate authority.  What you are 
doing can work with Puppet, but you will run into issues such as the file 
naming effects you asked about.

 

> .. i.e. "this is a web server, it gets the XYZ package installed" and 
> "this is a web server, it gets the ABC package installed". Using hostnames 
> to identify the system's node-definition makes very little sense and leaves 
> quite a bit of room for error. Explicitly setting the node-type as a fact 
> allows us to re-use the same node types but for many different environments 
> and keeps host-names out of the mix.
>


Classifying based on a fact instead of based on host name is a fine idea, 
provided that you are willing to trust clients to give their type 
accurately to the server.  Having accepted that risk, however, you do not 
by any means need the node-type fact to be expressed to the master as the 
node's *identity*.  It could as easily be expressed via an ordinary fact.

In particular, your site manifest does not need a separate node block for 
each node [identity], nor even to enumerate all the known node names.  In 
fact, it doesn't need any node blocks at all if you are not going to 
classify based on node identity.  Even if you're using an ENC, it is 
possible for it to get the node facts to use for classification.

 

> For example, I can quickly boot up a 
> "prod-mwise-dev-test-web-sever-thingy" using the same node definition as 
> our "prod-frontend-host" for some testing, without worrying about the 
> hostname regex structure.
>


And you could do that, too, with a plain fact.

 

>
>   Anyways that said ... what I'm really interested in knowing is why the 
> puppet-agents are pulling DOWN their "node information" from the puppet 
> masters?
>


Can you say a bit more about that?  What do you see that suggests agents 
are pulling down "node information" other than their catalogs (and later, 
any 'source'd files)?


John
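What "classify on an ordinary fact, with no node blocks" looks like in practice. This is an added illustration, not code from the thread or from Puppet itself: the `node_type` fact name, the `role::*` class names and the `/etc/facter/facts.d` file are assumptions, and the fact stays client-supplied (and therefore untrusted) exactly as the reply warns.

```puppet
# On each agent (assumed path; Facter reads key=value external facts from
# /etc/facter/facts.d/*.txt):
#
#   /etc/facter/facts.d/node_type.txt
#   node_type=web
#
# The agent keeps its own unique certname, so $hostname, $fqdn and the
# master-side $clientcert still identify this particular machine.

# site.pp on the master: no node blocks at all. Every agent, whatever its
# certname, is classified purely from the node_type fact it reports.
case $::node_type {
  'web':      { include role::web }       # hypothetical role classes
  'frontend': { include role::frontend }
  'db':       { include role::db }
  default: {
    # A missing or unrecognised fact should fail the run, not quietly
    # produce an empty (or wrong) catalog.
    fail("Unknown node_type '${::node_type}' reported by ${::clientcert}")
  }
}

# Anything that must not be under the client's control (e.g. which secrets
# a host may receive) should key off the authenticated identity, which is
# the certname ($trusted['certname'] on Puppet 3.4+), not off a fact the
# agent can set to any value it likes.
```

A test host can then pick up the "web" role by writing a one-line facts.d file, with no hostname regex involved and without two machines ever sharing a certificate.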

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/b93f6baa-6433-4773-b647-a06b1f1c602c%40googlegroups.com.