[OpenStack-Infra] Proposal for changes to openstack-infra/config puppet architecture.
Aaron Greengrass
aaron at greenbtn.com
Tue Feb 11 20:46:05 UTC 2014
1. Flatten includes -- 6+ layers of include are a bit much. Move all
default items currently buried in base and template up to a top scope
"default" node, and inherit that.
example:
site.pp -> server -> template -> base -> iptables
some nodes pull in from base, some from template.
I propose the following:
* move base to a top level node; all sub-includes in base should be
evaluated, and moved to the node level unless they absolutely need to be
includes.
* move exim to a top level 'server' node, and inherit base.
* inherit the 'server' node for all boxes that use 'server' or template
now, and the base node for all other nodes.
2. Remove hardcoding -- openstack_project is only usable for ... o.o.
Any hardcoded items should be variables, with a hiera lookup and a
default as their default value.
i.e. $puppetmaster = hiera('puppetmaster',
'ci-puppetmaster.openstack.org') -- then you can set puppetmaster:
'puppethostname' in hiera, in the node that calls the puppetmaster
manifest, or default to o.o
3. Redesign hiera.yaml to include a second data directory for 'public'
data. Start taking advantage of hiera's ability to load different data
based on hierarchy.
See https://review.openstack.org/#/c/71739/ for the open review that
addresses this.
4. move package installs into hiera. It depends on task #3 to split out
the hiera data, so that a given host will load a common.yaml, a private
yaml, and then a host specific yaml.
* just pushed to upstream review:
https://review.openstack.org/#/c/71630/
This would be a fairly large change, but could be approached in
sections. It would allow you to specify the following in a common.yaml:
packages::versioned:
  gear:
    ensure: 'present'
    provider: 'pip'
  deep_merge:
    ensure: 'latest'
    provider: 'gem'
  unzip:
    ensure: '6.0-4ubuntu2'
And have the following in something like puppetmaster.yaml
packages::versioned:
  puppetmaster:
    ensure: '2.7.25-1puppetlabs1'
When loading package lists, this module deduplicates, which removes the
issue of 'package already defined' on future code blocks.
5. move user management into hiera. This works best when used with task
#3, as you can then specify "public" users, and "custom" (private)
users. This would also make it easier to handle adding users on specific
servers.
* Support having no password (which means the account can not
authenticate with a password).
* Support adding/updating/removing ssh keys.
* Support adding/updating/removing accounts and groups.
users::hiera::_users:
  testuser:
    ensure: present
    password: nobodyknows
    managehome: true
    ssh_authorized_keys:
      public_key_1:
        ensure: present
        key: AAAAB3NzaC1yc2EAAAABJQAAAQBzosfmzVV2hxckSV3kwwcYE9RFfDsV+/Zu2PlZrcpP97SHNh/+AwXfaTy8p5qyRFqeO+WYtabzW$
        type: ssh-rsa
users::hiera::_groups:
  group1:
    ensure: present
    gid: 401
6. continued refactoring of all modules until:
* they can be used in any environment
* they can be used in puppet 2.7 or 3.x interchangeably
* they don't implicitly include more than is required.
Please note, these items are wide, sweeping changes, and as such I'm
expecting we would want to tackle them in small, safe steps (ie get the
framework in place and inert, then test changes on sandboxed machines,
then gradually roll out to production).
For this reason we may even want to consider a new module to house these
items, to completely isolate them and remove risk.
That's my pitch, thanks for reading this far.
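The hierarchy and merge behaviour described in items 2 to 5 above, as an added example that is not part of the original post and not openstack-infra code: a small Python model of a three-layer hiera hierarchy (host-specific yaml, private yaml, common.yaml) that shows a priority lookup with a default (the hiera('puppetmaster', ...) pattern), a hash merge across layers that deduplicates package declarations, and a user list where an unset password yields a locked password field. The layer contents, the host name ci-puppetmaster.example.test, the 'deployer' user and the key material are constructed for illustration; only the key names packages::versioned and users::hiera::_users come from the post.

```python
"""Constructed model of a hiera hierarchy (not the real hiera library):
highest priority layer first, as hiera.yaml would list them."""

from copy import deepcopy

# Stand-ins for parsed YAML files. All values below are made up.
HOST = {  # puppetmaster.yaml (host specific, highest priority)
    "puppetmaster": "ci-puppetmaster.example.test",
    "packages::versioned": {"puppetmaster": {"ensure": "2.7.25-1puppetlabs1"}},
}
PRIVATE = {  # private data directory
    "users::hiera::_users": {
        "deployer": {
            "ensure": "present",
            "password": None,  # an empty 'password:' in YAML -> no password
            "ssh_authorized_keys": {
                "k1": {"ensure": "present", "type": "ssh-rsa", "key": "AAAA...constructed"},
                "old": {"ensure": "absent", "type": "ssh-rsa", "key": "AAAA...constructed"},
            },
        },
    },
}
COMMON = {  # common.yaml (public data, lowest priority)
    "packages::versioned": {
        "gear": {"ensure": "present", "provider": "pip"},
        "deep_merge": {"ensure": "latest", "provider": "gem"},
        "unzip": {"ensure": "6.0-4ubuntu2"},
        "puppetmaster": {"ensure": "absent"},  # overridden on the puppetmaster host
    },
    "users::hiera::_users": {
        "testuser": {"ensure": "present", "password": "nobodyknows", "managehome": True},
        "deployer": {"ensure": "absent"},  # private layer re-enables this account
    },
}
HIERARCHY = [HOST, PRIVATE, COMMON]


def lookup(key, default=None, hierarchy=HIERARCHY):
    """Priority lookup: the first layer that defines `key` wins, otherwise
    the caller's default applies (the hiera('key', 'default') pattern)."""
    for layer in hierarchy:
        if key in layer:
            return layer[key]
    return default


def hash_lookup(key, hierarchy=HIERARCHY):
    """Hash merge: collect `key` from every layer; a higher priority layer
    overrides a lower one entry by entry. Because the result is keyed by
    name, a package or user declared in two layers appears exactly once."""
    merged = {}
    for layer in reversed(hierarchy):  # apply lowest priority first
        for name, attrs in layer.get(key, {}).items():
            merged[name] = {**merged.get(name, {}), **deepcopy(attrs)}
    return merged


def package_resources(hierarchy=HIERARCHY):
    """Deduplicated (name, ensure, provider) tuples; provider None means
    'not specified in hiera', left to puppet's platform default."""
    pkgs = hash_lookup("packages::versioned", hierarchy)
    return sorted((n, a.get("ensure", "present"), a.get("provider"))
                  for n, a in pkgs.items())


def shadow_field(user):
    """A user with no password gets a locked field ('!'), so the account
    cannot authenticate with a password and is reachable only via ssh key.
    A real module stores a password hash here, never a plaintext value."""
    pw = user.get("password")
    return "!" if pw is None else pw


def user_resources(hierarchy=HIERARCHY):
    """Per-user result after the merge: ensure state, shadow field and the
    names of ssh keys that remain present (ensure: absent keys are removed)."""
    users = hash_lookup("users::hiera::_users", hierarchy)
    out = {}
    for name, attrs in users.items():
        keys = attrs.get("ssh_authorized_keys", {})
        present = sorted(k for k, v in keys.items() if v.get("ensure") == "present")
        out[name] = {"ensure": attrs.get("ensure", "present"),
                     "shadow": shadow_field(attrs), "keys": present}
    return out


if __name__ == "__main__":
    print(lookup("puppetmaster", "ci-puppetmaster.openstack.org"))
    for row in package_resources():
        print(row)
    print(user_resources())
```

The merge order matters for safety: the host layer must be listed above the private and common layers in hiera.yaml, otherwise the common.yaml entry for puppetmaster (ensure: absent) would win and the package would be removed on the very host that needs it.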