hiera-eyaml - performance implications?


Tim Skirvin

Oct 24, 2014, 3:01:35 PM
to puppet...@googlegroups.com
I've started investigating hiera-eyaml as a tool for managing
secrets within our puppet repository. It looks pretty promising,
especially in connection with 'show_diff => false'. For those that
haven't seen it:

http://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml

That said, I'm not sure what its performance implications are, and
how many decryption calls we can afford. Has anybody played with this
enough to be able to know how these decryption calls will affect
performance problems?

More concretely: I'm currently supporting ~1250 nodes with two
fairly-hefty puppet servers, but we're not managing much in the way of
secrets. If I were to, say, start managing the root password on all of
our nodes using this tool, should I expect our entire environment to
melt down?

- Tim Skirvin (tski...@fnal.gov)
--
HPC Systems Administrator / Developer http://www.linkedin.com/in/tskirvin
USCMS-T1 Collaboration Fermilab Scientific Computing

Christopher Wood

Oct 24, 2014, 3:12:03 PM
to puppet...@googlegroups.com
On Fri, Oct 24, 2014 at 02:01:27PM -0500, Tim Skirvin wrote:
> I've started investigating hiera-eyaml as a tool for managing
> secrets within our puppet repository. It looks pretty promising,
> especially in connection with 'show_diff => false'. For those that
> haven't seen it:
>
> http://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
>
> That said, I'm not sure what its performance implications are, and
> how many decryption calls we can afford. Has anybody played with this
> enough to be able to know how these decryption calls will affect
> performance problems?

I haven't noticed any performance issues. On the other hand, maybe I would if I didn't have so many classes, resources, and hiera lookups.

> More concretely: I'm currently supporting ~1250 nodes with two
> fairly-hefty puppet servers, but we're not managing much in the way of
> secrets. If I were to, say, start managing the root password on all of
> our nodes using this tool, should I expect our entire environment to
> melt down?

Since you can revert the password-managing commit quite quickly, perhaps you could tell us how it goes? :D

Ramin K

Oct 24, 2014, 3:23:34 PM
to puppet...@googlegroups.com
On 10/24/14 12:01 PM, Tim Skirvin wrote:
> I've started investigating hiera-eyaml as a tool for managing
> secrets within our puppet repository. It looks pretty promising,
> especially in connection with 'show_diff => false'. For those that
> haven't seen it:
>
> http://puppetlabs.com/blog/encrypt-your-data-using-hiera-eyaml
>
> That said, I'm not sure what its performance implications are, and
> how many decryption calls we can afford. Has anybody played with this
> enough to be able to know how these decryption calls will affect
> performance problems?
>
> More concretely: I'm currently supporting ~1250 nodes with two
> fairly-hefty puppet servers, but we're not managing much in the way of
> secrets. If I were to, say, start managing the root password on all of
> our nodes using this tool, should I expect our entire environment to
> melt down?
>
> - Tim Skirvin (tski...@fnal.gov)
>

My experience is the same as Christopher's though our frontend servers
pull 50+ encrypted keys for everything from db credentials to third
party shared secrets per environment. I didn't notice a change when we
switched to eyaml, but I also coupled it with an upgrade to Ruby 1.9.3
from 1.8.7. Also we have only 150 nodes.

I'd say start slowly or on your stage master, but don't be surprised if
adding a few keys fails to impact performance.

Ramin