puppet overview - pros and cons

David Lutterkort dlutter at redhat.com
Sat Dec 23 23:31:19 UTC 2006 

On Sat, 2006-12-23 at 03:25 +0100, Axel Thimm wrote:
> Thanks for the puppet overview. Maybe we should create a wiki page
> with a product/feature matrix?
> 
> On Fri, Dec 22, 2006 at 04:17:45PM -0800, David Lutterkort wrote:
> 
> > PROS
> > ----
> 
> 
> >               * Override mechanism for classes to allow for simple
> >                 one-off (or hundred-off) tweaks, e.g. to take webserver
> >                 class from above but use with different httpd.conf
> 
> That's nice.

One thing I forgot to mention: puppet lets you also express dependencies
between config elements, so that you can say that the httpd package
should be installed/upgraded first before your custom httpd.conf is
copied from the central server. A similar mechanism also lets you say
that service X should be restarted whenever puppet needs to make a
change to file Y (useful to keep service restarts to the absolute
minimum needed)

> >       * Tie-in with kickstart: provision basic system with ks (including
> >         puppet client), complete config with puppet [4]
> 
> That, of course, defeats lots of the security items, but there is no
> otherway. One just needs to be aware of that.

Yeah, it's not entirely watertight, but the holes that it leaves are
fairly esoteric (somebody posing as a client while you are installing
the client; somebody posing as the server while you are installing a
client), and you'll discover both breaches quickly (when the client you
are installing gets to the point where it asks the server for a cert;
the request will either fail or never show up on your server)

> What about diffing support, e.g. compare what's there and what we'd
> like it to become, kind of a dry-run session to check deviations
> between spec and reality?

Both the command-line tool and the client daemon have a 'noop' option,
that goes through the motions w/o making changes. After changes to
configs, I usually test them by running
        # /usr/sbin/puppetd -v --onetime --noop
which produces output like
        notice: Starting configuration run
        notice: //common/lemon/autofs-server/configfile[/etc/sysconfig/autofs]/file=/etc/sysconfig/autofs/source: is {md5}6cd456ce35b212ea429e63bf892d2535, should be {md5}3ed0678eb6af27c0a264522705e79a08 (noop)
        notice: //common/lemon/autofs-server/configfile[/etc/auto.homes]/file=/etc/auto.homes/owner: is build, should be root (noop)
        notice: //common/lemon/users/user=build/home: is /home/build, should be /homes/build (noop)
        notice: Finished configuration run in 4.56 seconds

The lines are telling me that
      * /etc/sysconfig/autofs has different content from what it should
        be
      * /etc/auto.homes has the wrong owner
      * the user 'build' has the wrong home directory
Of course, puppet would fix all these if I ran that without --noop

David

More information about the infrastructure mailing list