Ask Your Question
0

How can I do conditional logic based on a Role?

asked 2016-06-30 15:43:11 -0600

Rob Ogilvie gravatar image

Given a Roles & Profiles pattern set up with site.pp matching nodes to roles, and roles then including profiles, is there a way to do conditional logic in my custom classes based on the assigned Role?

My specific use case has to do with Splunk. I have three Splunk servers (given the role "splunkserver") that should NOT include the Splunk Universal Forwarder. However, every other system should include the Splunk Universal Forwarder. I have a base profile that includes specifications that are essentially global, and I'd like to be able to essentially say:

if ! (the splunkserver role is defined in site.pp) {
  include profile::splunkuf
} # Else don't include the splunk universal forwarder

I'm currently defining an "exclude" parameter to the splunkuf class and setting it to true for the individual splunk servers via hiera, but I feel there should be a better way.

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
3

answered 2016-07-03 05:06:30 -0600

updated 2016-07-06 04:26:10 -0600

While you can do this, you shouldn't. By convention, you are supposed to end up with a simple 1-to-1 relationship between roles & nodes. There would be two ways to solve this without violating the roles/profiles pattern:

1) If you regard the presence or absence of the Splunk UF as intrinsic to the role, you would create two roles, one with and one without the UF.

2) More likely, you would add the conditional logic at the profile level:

class profile::base (
  $splunkuf,
) {
  if ($splunkuf) {
    include profile::base::splunkuf
  }
  ...
}

In Hiera:

common.yaml:

---
profile::base::splunkuf: false

node/mysplunkufnode.yaml:

---
profile::base::splunkuf: true
edit flag offensive delete link more

Comments

We use a similar idea for our ntp profile, everything that's not an ntp_server role is an ntp_client.

DarylW gravatar imageDarylW ( 2016-07-04 09:55:55 -0600 )edit
1

answered 2016-07-02 23:32:19 -0600

DarylW gravatar image

updated 2016-07-02 23:33:16 -0600

If you are using puppet4 and using hiera as your ENC, you can use the 'knockout' prefix to remove the class.. Example found here(https://www.devco.net/archives/2016/03/22/a-puppet-4-hiera-based-classifier.php) or here(https://www.devco.net/archives/2016/03/13/the-puppet-4-lookup-function.php)

Given data like this:

common.yaml

classification:
  classes:
    - sensu
    - sysadmin

node1.example.net.yaml

classification:
  classes:
    - --sensu #Knockout prefix to remove the sensu class
    - nagios
    - webserver
edit flag offensive delete link more
0

answered 2016-06-30 18:12:09 -0600

lupin gravatar image

You can either;

Assign your specific role class(splunk server) on node definition via cert/nodename:

 node '<splunk_server_hostname>' {
       include ::role::splunkserver
}

Or evaluate a server role base on custom facts( you need to create a custom facts).

if $server_role == 'splunk_server" {
  include '::role::splunkserver'
}
edit flag offensive delete link more

Comments

The node definitions (assigning a role to each node) are the easy part; I'm wondering if I can then use that information (what role has been assigned) later in my code to exclude other classes that are otherwise defaults. Custom facts could solve this, but I'm in search of best practice.

Rob Ogilvie gravatar imageRob Ogilvie ( 2016-07-01 09:56:41 -0600 )edit

Yes, use of custom facts is another solution. See my answer above.

Alex Harvey gravatar imageAlex Harvey ( 2016-07-03 05:08:01 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2016-06-30 15:43:11 -0600

Seen: 228 times

Last updated: Jul 06 '16