[OpenStack-Infra] Proposal for changes to openstack-infra/config puppet architecture.

Aaron Greengrass aaron at greenbtn.com
Tue Feb 11 20:46:05 UTC 2014


1.  Flatten includes -- 6+ layers of include are a bit much.  Move all 
default items currently buried in base and template up to a top scope 
"default" node, and inherit that.

example:

     site.pp -> server -> template -> base -> iptables

some nodes pull in from base, some from template.

I propose the following:

* move base to a top level node, all sub includes in base should be 
  evaluated, and moved to the node level unless they absolutely need to be 
  includes.
* move exim to a top level 'server' node, and inherit base
* inherit 'server' node for all boxes that use 'server' or template now, 
  base node for all other nodes.

2.  Remove hardcoding -- openstack_project is only usable for ... o.o.  
Any hardcoded items should be variables, with a hiera lookup and a 
default as their default value.
      ie   $puppetmaster = hiera('puppetmaster', 'ci-puppetmaster.openstack.org')
-- then you can set puppetmaster: 'puppethostname' in hiera, in the node 
that calls the puppetmaster manifest, or default to o.o

3.  Redesign hiera.yaml to include a second data directory for 'public' 
data.  Start taking advantage of hiera's ability to load different data 
based on hierarchy.

See https://review.openstack.org/#/c/71739/ for the open review that 
addresses this.

4. move package installs into hiera.  It depends on task #3 to split out 
the hiera data, so that a given host will load a common.yaml, a private 
yaml, and then a host specific yaml.
* just pushed to upstream review: 
https://review.openstack.org/#/c/71630/

This would be a fairly large change, but could be approached in 
sections.  It would allow you to specify the following in a common.yaml:

packages::versioned:
   gear:
     ensure: 'present'
     provider: 'pip'
   deep_merge:
     ensure: 'latest'
     provider: 'gem'
   unzip:
     ensure: '6.0-4ubuntu2'

And have the following in something like puppetmaster.yaml

packages::versioned:
   puppetmaster:
     ensure: '2.7.25-1puppetlabs1'

When loading package lists, this module deduplicates, which removes the 
issue of 'package already defined' on future code blocks.

5. move user management into hiera.  This works best when used with task 
#3, as you can then specify "public" users, and "custom" (private) 
users. This would also make it easier to handle adding users on specific 
servers.

Should support having no password (which means the account can not 
authenticate with a password)
Support adding/updating/removing ssh keys
Supports adding/updating/removing accounts and groups.

users::hiera::_users:
   testuser:
     ensure: present
     password: nobodyknows
     managehome: true
     ssh_authorized_keys:
       public_key_1:
         ensure: present
         key: AAAAB3NzaC1yc2EAAAABJQAAAQBzosfmzVV2hxckSV3kwwcYE9RFfDsV+/Zu2PlZrcpP97SHNh/+AwXfaTy8p5qyRFqeO+WYtabzW$
         type: ssh-rsa
users::hiera::_groups:
   group1:
     ensure: present
     gid: 401

6. continued refactoring of all modules until:
* they can be used in any environment
* they can be used in puppet 2.7 or 3.x interchangeably
* they don't implicitly include more than is required.

Please note, these items are wide, sweeping changes, and as such I'm 
expecting we would want to tackle them in small, safe steps (ie get the 
framework in place and inert, then test changes on sandboxed machines, 
then gradually roll out to production).

For this reason we may even want to consider a new module to house these 
items, to completely isolate them and remove risk.

That's my pitch, thanks for reading this far.
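
Added example, not part of the original message and not code from openstack-infra/config: a Ruby model of the layered lookup that items 3 to 5 describe. It merges `packages::versioned` across tiers so each package appears once with the most specific tier winning, and reports credential-like keys that sit in the public tier. The tier names, the `unzip` override, `opsuser` and the key-name pattern are assumptions.

```ruby
require 'yaml'
# Constructed data modelled on the message's YAML, least specific tier first.
# Tier names, the unzip override and opsuser are assumptions.
TIERS = {
  'common (public)' => <<~YAML,
    packages::versioned:
      gear:
        ensure: 'present'
      unzip:
        ensure: '6.0-4ubuntu2'
    users::hiera::_users:
      testuser:
        password: nobodyknows
  YAML
  'private' => <<~YAML,
    users::hiera::_users:
      opsuser:
        password: constructed-placeholder
  YAML
  'host' => <<~YAML
    packages::versioned:
      unzip:
        ensure: 'latest'
      puppetmaster:
        ensure: '2.7.25-1puppetlabs1'
  YAML
}.transform_values { |text| YAML.safe_load(text) }

# Merge one key across tiers: each package appears once, most specific tier
# wins. This models the lookup; it does not call hiera.
def merged_lookup(tiers, key)
  tiers.values.reduce({}) { |acc, data| acc.merge(data.fetch(key, {})) }
end
SECRET_KEY = /\A(password|passwd|secret|private_key|token)\z/i # assumed pattern
# Dotted path of every credential-looking key under a parsed YAML node.
def secret_paths(node, path = [])
  return [] unless node.is_a?(Hash)
  node.flat_map do |k, v|
    here = path + [k.to_s]
    (k.to_s.match?(SECRET_KEY) ? [here.join('.')] : []) + secret_paths(v, here)
  end
end

# Credential-looking keys in any tier intended to be world-readable.
def public_tier_findings(tiers)
  tiers.select { |name, _| name.include?('public') }
       .flat_map { |name, data| secret_paths(data).map { |p| "#{name}: #{p}" } }
end
puts merged_lookup(TIERS, 'packages::versioned').keys.inspect, public_tier_findings(TIERS)
```

Run against real data, a check like `public_tier_findings` belongs in the review gate for the public data directory, so a `password:` entry is caught before it is published.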
