
Is it safe to use case statements as node definition in site.pp?

asked 2015-01-27 17:07:21 -0500

victorbrca

I know that the advised way is to use something like hiera for node definition. However, I have a very basic setup and I already have the configuration below working.

So my question is, is there a problem in using the code below in my site.pp for node definition?

As it is, a node with $::server_type = WMOS gets the classes motd, base, wmos, msf and jboss assigned.

```puppet
node default {
  include motd
  include base
}

case $::server_type {
  'WMOS': {
    include wmos
    include msf
    include jboss
  }
  'DOM': {
    include dom
    include msf
    include jboss
  }
  'EEM': {
    include eem
    include jboss
  }
  'MIF': {
    include mif
  }
}
```

Thanks, Victor.


1 Answer


answered 2015-01-27 19:23:47 -0500

cbarbour

updated 2015-01-27 19:24:15 -0500

Using a case statement for node classification is fine from a stability standpoint.

There is a security risk in this code: If $server_type is a fact, or there is a case where it might not be defined by your puppetmaster, a user with an authorized key could manipulate the value of the $server_type fact to pull down a catalog they aren't intended to have. If your manifests include passwords, this could potentially be used to compromise your infrastructure.

As a general rule, I advise against using hiera or site.pp for node classification unless your site is very small and nodes are modified very infrequently. For sites with more node turnover, using a classifier or console avoids the need to make a git commit for every update.

I also generally advise using the roles & profiles pattern.

With that said, don't get overwhelmed by best practices stuff.


Comments

Thanks for the reply. Our environment is completely static and I don't see any changes being made in the puppet configuration for the next few years. I have a semi-implementation of roles and profiles, where `$::server_type='WMOS'` is the role, `wmos` and `msf` are the profiles, and `jboss` is the component.

victorbrca (2015-01-28 12:00:07 -0500)
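
The risk raised in the answer comes from classifying on a value the agent reports about itself. One way to close it, shown here as an added example that is not code from this thread, is to key the same case statement on `$trusted['extensions']['pp_role']`, which the master reads from the agent's signed certificate. It assumes Puppet 4 or later and that each certificate was issued with a `pp_role` extension whose values mirror the server types in the question.

```puppet
# site.pp (added example, not the manifest from the question).
# Assumption: every agent certificate carries a pp_role extension, requested
# via extension_requests in the agent's csr_attributes.yaml before its first
# run, with one of the values WMOS, DOM, EEM or MIF.

node default {
  include motd
  include base
}

# $trusted is filled in by the master from the agent's verified certificate.
# Unlike $::server_type, the agent cannot change it after the CA has signed.
$role = $trusted['extensions']['pp_role']

# A self-reported fact that disagrees with the signed role is either a
# misconfiguration or a spoofing attempt: abort the compile so it shows up
# in the master's logs instead of silently serving a catalog.
$claimed = $facts['server_type']
if $claimed and $role and $claimed != $role {
  fail("${trusted['certname']}: fact server_type '${claimed}' does not match signed pp_role '${role}'")
}

case $role {
  'WMOS': { include wmos, msf, jboss }
  'DOM':  { include dom, msf, jboss }
  'EEM':  { include eem, jboss }
  'MIF':  { include mif }
  default: {
    # No recognised role in the certificate: baseline classes only.
    notice("${trusted['certname']}: no recognised pp_role, applying motd and base only")
  }
}
```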
