[puppet][packaging] Switching to policy.yaml (over policy.json)
zigo at debian.org
Tue Apr 28 20:16:26 UTC 2020
In the light of the discussion that recently happened in
#openstack-nova, it looks like switching from a .json file to a .yaml
file is what we should do. Indeed, the file generated in .json format,
if used pristine with the nova.conf and without enforcing scope, makes a
nova-api service that simply doesn't work.
Please read https://bugs.launchpad.net/nova/+bug/1875418 for more insights.
The issue is that both packages are generating a .json (at least in
Debian and Ubuntu) and puppet expects a policy.json, not a policy.yaml.
With the policy.yaml, we don't have the same problem as by default, all
policies are commented out. Operators just need to uncomment to activate.
So, my proposal is the following: before the final release of OpenStack,
I will modify all Debian OpenStack packages to generate (and package)
both policy.json and policy.yaml. Then puppet-openstack can switch over
to the .yaml file, and uncomment only the parts that the operator sees
I also would like to add a policy.d folder by default in each package,
where operators can override stuff. Just having the folder will be a
sign to operators that they are invited to write stuff in there, and
that it will not be overwritten by a package upgrade.
Then what I would like to do, is get puppet-openstack to only write
there, for example in /etc/nova/policy.d/my-custom-policy.yaml. The file
in /etc/nova/policy.yaml will be marked as "CONFFILE" in Debian, meaning
that dpkg will prompt for changes on upgrades, while what's in the
policy.d will remain.
Last, I do believe that the yaml files are way easier to handle
with puppet than the .json counterpart. Indeed, we could use something
like the .ini management thing, with the : (Semicolon) sign replacing
the = (equal) sign. Moreover, the .yaml files contain comments which the
.json files are lacking, making it auto-documented for operators.
The only reason why I didn't use .yaml files earlier in the Debian
packages was that, somehow, loading them with the API didn't work. I
confirm that now it looks like it is working (though I'd have to test if
changing a value is taken into account, I didn't do that yet).
Your thoughts everyone?
Thomas Goirand (zigo)
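
The line-oriented handling of policy.yaml and a policy.d override file discussed in the message above, as an added example that is not part of the original post and is not code from puppet-openstack, the Debian packages or oslo.policy. The function names are hypothetical and the sample rule lines are constructed; it assumes one double-quoted rule per line, which matters because rule names contain ':' themselves.

```python
import re

# One rule line as it appears in a generated policy.yaml:
#   "name": "check string"      active rule
#   #"name": "check string"     commented-out default
# Names are quoted and contain ':' themselves, so an ini-style
# "split on the first separator" is not safe; match the quotes instead.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?"(?P<name>[^"]+)"\s*:\s*"(?P<check>[^"]*)"\s*$')

# Constructed sample of a packaged policy.yaml (all defaults commented out).
PACKAGED = '''\
# Create a server
# POST  /servers
#"os_compute_api:servers:create": "rule:admin_or_owner"

# List all servers
#"os_compute_api:servers:index": "rule:admin_or_owner"
'''

def parse_rules(text):
    """Return {name: (check, active)} for every rule line in text."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[m["name"]] = (m["check"], m["off"] is None)
    return rules

def active_rules(text):
    """Only the rules that are uncommented, i.e. actually enforced."""
    return {n: c for n, (c, on) in parse_rules(text).items() if on}

def ensure_rule(text, name, check):
    """Idempotently set one active rule in an override file's text."""
    wanted = '"%s": "%s"' % (name, check)
    out, done = [], False
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m["name"] == name and m["off"] is None:
            if not done:          # rewrite the first match, drop duplicates
                out.append(wanted)
                done = True
            continue
        out.append(line)          # comments and other rules pass through
    if not done:
        out.append(wanted)
    return "\n".join(out) + "\n"
```
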