Discussion of the Puppet configuration management framework

Sean Carolan | 17 Aug 2012 20:45

[Puppet Users] Override a file{} directive - is it possible?

Maybe one of you can help with this.  I have a class that's got a
file{} type directive in it.  It populates /etc/security/limits.conf
with specific settings.  I have a small handful of hosts where we want
to manage /etc/security/limits.conf manually.  Is there a simple way
to tell puppet to exclude this file type just on those hosts, without
copying the entire class?

--

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

headers

Tim Mooney | 18 Aug 2012 00:33

Re: [Puppet Users] Override a file{} directive - is it possible?

In regard to: [Puppet Users] Override a file{} directive - is it possible?,...:

> Maybe one of you can help with this.  I have a class that's got a
> file{} type directive in it.  It populates /etc/security/limits.conf
> with specific settings.  I have a small handful of hosts where we want
> to manage /etc/security/limits.conf manually.  Is there a simple way
> to tell puppet to exclude this file type just on those hosts, without
> copying the entire class?

Is there a way that puppet can detect these particular hosts?  For
example, is it true for all hosts that are in a particular datacenter,
or for which some class (or even user) is present?

I ask, because the way you would typically do what you're asking is to
either use facts about systems to trigger the "don't manage
/etc/security/limits.conf" logic, or to have your manifests key on
external configuration that you keep in something like extlookup(),
hiera(), or your ENC (external node classifier).

So, there are several ways to accomplish what you're looking for, but
which one is best depends on your needs and how you actually detect that
hostB shouldn't have limits.conf managed.

You don't say what version of puppet you're using, whether you're using
an ENC, or whether you're already using either extlookup() or hiera(),
so it's really difficult to suggest something that integrates well with
your current environment.

I can give you two examples from my environment, though.

(Continue reading)

headers

Sean Carolan | 18 Aug 2012 00:41

Re: [Puppet Users] Override a file{} directive - is it possible?

> You don't say what version of puppet you're using, whether you're using
> an ENC, or whether you're already using either extlookup() or hiera(),
> so it's really difficult to suggest something that integrates well with
> your current environment.

Sorry I didn't provide more detail.  We're using puppet 2.6.13.  We
have a single *.pp config file for each and every host, so specifying
additional classes is not hard to do on a host-per-host basis.  Here's
the limits.conf config from the class that has been applied to these
hosts:

file { "/etc/security/limits.conf":
   owner   => "root",
   group   => "root",
   mode    => "644",
   content => "#<domain>\t\t<type>\t\t<item>\t\t<value>\n*\t\t-\t\tnofile\t\t65000\n*\t\t-\t\tnproc\t\t140000\n*\t\thard\t\tcore\t\tunlimited\ncdc-dev\t\t-\t\tpriority\t\t15\nhtc\t\t-\t\tnofile\t\t250000\n";
}

Basically I just want this "file" type to not be active on three
hosts.  I don't need to be able to detect the hosts, as I can specify
the config manually in each of their config files.

--

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

headers

Calvin Walton | 19 Aug 2012 06:45

Re: [Puppet Users] Override a file{} directive - is it possible?

On Fri, 2012-08-17 at 15:41 -0700, Sean Carolan wrote:
> > You don't say what version of puppet you're using, whether you're using
> > an ENC, or whether you're already using either extlookup() or hiera(),
> > so it's really difficult to suggest something that integrates well with
> > your current environment.
> 
> Sorry I didn't provide more detail.  We're using puppet 2.6.13.  We
> have a single *.pp config file for each and every host, so specifying
> additional classes is not hard to do on a host-per-host basis.  Here's
> the limits.conf config from the class that has been applied to these
> hosts:
<snip>
> Basically I just want this "file" type to not be active on three
> hosts.  I don't need to be able to detect the hosts, as I can specify
> the config manually in each of their config files.

It's not really the cleanest-looking thing, but the easiest option for
your particular case is to wrap the file resource in an if statement
like this:
  if (! $::security_limits_disabled) {
    file { '/etc/security/limits.conf':
      ...
    }
  }
then, on each of the nodes where you don't want to use the limits.conf
file, you can just set the variable to true:
  node special_box {
    include some_classes
    $security_limits_disabled = true
  }

(Continue reading)

headers

Sean Carolan | 20 Aug 2012 22:19

Re: [Puppet Users] Override a file{} directive - is it possible?

> It's not really the cleanest-looking thing, but the easiest option for
> your particular case is to wrap the file resource in an if statement
> like this:
>   if (! $::security_limits_disabled) {
>     file { '/etc/security/limits.conf':
>       ...
>     }
>   }

Thanks, this is just what I was looking for.

--

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

headers

Sean Carolan | 20 Aug 2012 23:08

Re: [Puppet Users] Override a file{} directive - is it possible?

>> It's not really the cleanest-looking thing, but the easiest option for
>> your particular case is to wrap the file resource in an if statement
>> like this:
>>   if (! $::security_limits_disabled) {
>>     file { '/etc/security/limits.conf':
>>       ...
>>     }
>>   }
>
> Thanks, this is just what I was looking for.

One last question, is it possible to do this:

class profile::server::java {
  $security_limits_disabled = true
}

and then simply include that class on my target node?  I tried to do
this but the file is still getting overwritten...

--

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

headers

Martin Alfke | 21 Aug 2012 08:34

Re: [Puppet Users] Override a file{} directive - is it possible?


On 20.08.2012, at 23:08, Sean Carolan wrote:

>>> It's not really the cleanest-looking thing, but the easiest option for
>>> your particular case is to wrap the file resource in an if statement
>>> like this:
>>>  if (! $::security_limits_disabled) {
>>>    file { '/etc/security/limits.conf':
>>>      ...
>>>    }
>>>  }
>> 
>> Thanks, this is just what I was looking for.
> 
> One last question, is it possible to do this:
> 
> class profile::server::java {
>  $security_limits_disabled = true
> }
> 
> and then simply include that class on my target node?  I tried to do
> this but the file is still getting overwritten...
> 

In this case you need to add the scope to the variable used in the if clause:
if ( ! $profile::server::java::security_limits_disabled) { ........       <- add class name as scope

hth,

Martin

(Continue reading)

headers

Sean Carolan | 22 Aug 2012 00:16

Re: [Puppet Users] Override a file{} directive - is it possible?

>>>> It's not really the cleanest-looking thing, but the easiest option for
>>>> your particular case is to wrap the file resource in an if statement
>>>> like this:
>>>>  if (! $::security_limits_disabled) {
>>>>    file { '/etc/security/limits.conf':
>>>>      ...
>>>>    }
>>>>  }

Super, thanks Martin!

--

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

headers

Keiran Sweet | 23 Aug 2012 12:14

Re: [Puppet Users] Override a file{} directive - is it possible?

Another option worth mentioning, and this may not be suitable for your environment, is to allow host overrides of configuration files within your module using file precedence like the below.

file { '/etc/security/limits.conf' :

ensure => file,

mode => 755,

owner => root,

group => root,

source => [ "puppet:///modules/modulename/limits.conf.$::hostname" ,

"puppet:///modules/modulename/limits.conf",

}

By default, all nodes get the standard limits.conf file that is served out from your module, however, if you create a limits.conf.oracleserver1 file that contains the required settings, the server oracleserver1 will get the overridden limits.conf file when it checks in.

This has been extremely useful in my environment when importing the odd 'unique snowflake' type server quickly without having to make any code/logic changes or introduce large numbers of ENC values to disable certain functionality or alter the flow of your puppet code.

Cheers,

On Monday, August 20, 2012 9:19:45 PM UTC+1, Sean wrote:

> It's not really the cleanest-looking thing, but the easiest option for
> your particular case is to wrap the file resource in an if statement
> like this:
> if (! $::security_limits_disabled) {
> file { '/etc/security/limits.conf':
> ...
> }
> }

Thanks, this is just what I was looking for.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/M1aiScBQy4UJ.
To post to this group, send email to puppet-users <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

headers

Sean Carolan | 24 Aug 2012 00:32

Re: [Puppet Users] Override a file{} directive - is it possible?

> This has been extremely useful in my environment when importing the odd
> 'unique snowflake' type server quickly without having to make any code/logic
> changes or introduce large numbers of ENC values to disable certain
> functionality or alter the flow of your puppet code.

Yes. Puppet doesn't seem to deal with snowflakes well, thanks for sharing this.

--

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users <at> googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe <at> googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.