0

Multiple independent control repos

asked 2015-01-22 04:11:46 -0500

grundic

Hello.

I'm using puppet with a git repo, managed by r10k. Currently my puppet master is managing my infrastructure servers, which are not related to our company's business servers. Our business servers have nothing related to infrastructure servers - they should be configured differently. And what is more, in the future we are going to share our business puppet configuration with our partners, so they could use it locally. We don't want to share the infrastructure puppet configuration, because it has nothing in common and should not be shared. So we have to separate the puppet configurations: infrastructure and business. We have our central puppet server. What I would like to do is to share those configurations as separate repositories on a single puppet master server. Gary Larizza wrote a good article about application tiers - On R10k and 'Environments'. But he suggests using a single repository which will separate tiers by hiera. I need to have separate repositories, so we can share one of them without sharing the other.

So, here is how I see it: in puppet.conf there is a setting for dynamic environments: environmentpath = $confdir/environments. I would configure it like this: environmentpath = $confdir/$tier/environments. Somewhere on the agent I would configure its tier - maybe in puppet.conf. Next, I would make folders with my git repos for infrastructure and business configurations: /etc/puppet/infrastructure/environments and /etc/puppet/business/environments. If that would be possible it would be great!

But unfortunately I failed to implement this scheme: puppet master throws this error: Error converting value for param 'environmentpath': Could not find value for $tier (Puppet::Settings::InterpolationError). I tried to set tier like hiera (just in case) and in puppet.conf - no luck.

So here are my questions: is it ever possible to implement the aforementioned solution? If not, then is it possible to have multiple independent control repos so the puppet master would use one or another?

Thanks in advance.


2 Answers

1

answered 2015-01-22 16:31:32 -0500

cbarbour

updated 2015-01-26 15:28:51 -0500

You cannot interpolate arbitrary facts or variables into the modulepath; only the documented variables can be used.

The normal solution to this problem is to use the r10k prefix parameter to ensure uniqueness, and to drop multiple control repositories into your environment basepath. Alternatively, you can omit the prefix and use multiple environment directories, but in doing this you should be aware that environment names must be unique; in the event of a conflict, the environment earliest in the path wins.

Something to consider... Environments do not provide complete isolation; if you are using a lot of custom Ruby code, you may experience conflicts between environments. This also poses a security risk. If you need absolute isolation between control repositories, the best approach is to run multiple instances of the puppetmaster. This can be done without having multiple masters; they simply need to be separate processes.

> I was thinking about multiple environment directories, but I found it very inconvenient: the uniqueness of modules in each environment is very error prone.

You don't have to worry about unique module names in each environment; so long as the environments themselves have unique names you won't have any problems. The R10k prefix option can ensure this. The only major limitation with environments is when dealing with Ruby code. See PUP-731 and the document on environment weirdness.

> Could you please describe how can I have single puppet master server with multiple puppet master processes? My puppet daemon is running behind apache web server, also I'm using PuppetDB for storing configs.

This is relatively straightforward.

With passenger:

1. Create a copy of your puppet configuration files and rack application directory.
2. Clone your puppetmaster virtual host, and assign it a unique port or IP address.
3. Configure your vhost to use the new rack application, and new SSL directory.
4. Add the confdir argument to your copied rack application. Point it at your cloned Puppet config directory.
5. Ensure that all the settings in your cloned puppet config appear to be correct. Most stuff should be relative to confdir, but also check that CA settings, logging, etc. is correct and unique to this master. --genconfig will be handy here.

See the passenger configuration docs for details. https://docs.puppetlabs.com/guides/passenger.html

FWIW... Building a new puppetmaster VM would probably be the simplest approach in the long run.

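A check for the name-collision caveat in the answer above, as an added example that is not part of the original post: the hypothetical `find_shadowed_envs` helper takes the environment directories in environmentpath order and, assuming the first-match behaviour the answer describes, reports every environment name that a later control repo would silently lose to an earlier one. The directory layout it runs against is constructed sample data.

```shell
#!/bin/sh
# find_shadowed_envs ENVPATH   (hypothetical helper, added example)
# ENVPATH: colon-separated environment directories, in the same order as the
# master's environmentpath setting. Prints one line per duplicate name:
#   <environment> <directory that wins> <directory that is shadowed>
find_shadowed_envs() {
    envpath=$1
    seen=$(mktemp) || return 1          # name<TAB>first directory holding it
    old_ifs=$IFS
    IFS=:
    for dir in $envpath; do             # split on ':' only
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        for env in "$dir"/*/; do        # each subdirectory is one environment
            [ -d "$env" ] || continue
            name=$(basename "$env")
            winner=$(awk -F'\t' -v n="$name" '$1 == n { print $2; exit }' "$seen")
            if [ -n "$winner" ]; then
                # Same name already provided by an earlier directory.
                printf '%s %s %s\n' "$name" "$winner" "$dir"
            else
                printf '%s\t%s\n' "$name" "$dir" >> "$seen"
            fi
        done
    done
    IFS=$old_ifs
    rm -f "$seen"
}

# Constructed sample layout: two control repos deployed without a prefix,
# both carrying a "production" branch.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/infrastructure/environments/production" \
         "$demo_root/infrastructure/environments/staging" \
         "$demo_root/business/environments/production" \
         "$demo_root/business/environments/partner"
find_shadowed_envs \
    "$demo_root/infrastructure/environments:$demo_root/business/environments"
rm -rf "$demo_root"
```

Run it after each deploy with the real environmentpath value; any output line means agents requesting that environment name get the first repository's code, not the second's.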
0

answered 2015-01-23 03:59:53 -0500

grundic

@cbarbour, thanks for your answer! Can't answer via comment - it's too short :(

I was thinking about multiple environment directories, but I found it very inconvenient: the uniqueness of modules in each environment is very error prone.

Could you please describe how can I have single puppet master server with multiple puppet master processes? My puppet daemon is running behind apache web server, also I'm using PuppetDB for storing configs.

  • Should another process be configured in different path, like /etc/puppet_business/?
  • Should I configure another virtual host for second puppetmaster?
  • Could I reuse existing PuppetDB within multiple masters?

Anyway, the more I'm thinking about this solution, the more I'm feeling that I need another puppetmaster server. It would be more reliable, a more standard setup, and there would be no security risks at all.
