Exported resources from multiple sources?
32 views
Skip to first unread message
Atom Powers
Oct 30, 2014, 12:36:32 PM10/30/14
to puppet...@googlegroups.com
Is it possible, and how, to collect exported resources from multiple
puppetdb sources?
I have a network which, for policy reasons, can not connect back into
the main network but the main network can connect into the partitioned
network.
I have a stand-alone puppet master in the partitioned network that
generates stored resources for Nagios in exactly the same way as the
main network.
Is there a way for the puppet master on the main network to collect
the stored resources from the partitioned network and the stored
resources from the main network to build a Nagios server that checks
both networks?
Putting a single puppet master in the partitioned network isn't an
option for the same reason that the network is a partitioned one.
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
puppetdb sources?
I have a network which, for policy reasons, can not connect back into
the main network but the main network can connect into the partitioned
network.
I have a stand-alone puppet master in the partitioned network that
generates stored resources for Nagios in exactly the same way as the
main network.
Is there a way for the puppet master on the main network to collect
the stored resources from the partitioned network and the stored
resources from the main network to build a Nagios server that checks
both networks?
Putting a single puppet master in the partitioned network isn't an
option for the same reason that the network is a partitioned one.
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Nick Cammorato
Oct 30, 2014, 1:00:21 PM10/30/14
to puppet...@googlegroups.com
I don't see why you couldn't write a hiera backend to do exactly this.
The current puppetdb hiera backend wouldn't be too hard to modify to
do it I don't think.
--Nick
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAF-H%3DO%3DYvnJQDo1Jm8sQoYDuQobE_%2BFjLjgpT9OiBYLAFQ5QeA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
The current puppetdb hiera backend wouldn't be too hard to modify to
do it I don't think.
--Nick
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAF-H%3DO%3DYvnJQDo1Jm8sQoYDuQobE_%2BFjLjgpT9OiBYLAFQ5QeA%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
jcbollinger
Oct 31, 2014, 9:28:01 AM10/31/14
to puppet...@googlegroups.com
On Thursday, October 30, 2014 12:00:21 PM UTC-5, Nick Cammorato wrote:
I don't see why you couldn't write a hiera backend to do exactly this.
The current puppetdb hiera backend wouldn't be too hard to modify to
do it I don't think.
You couldn't write an Hiera back end to do this particular thing because Hiera is not involved in collecting exported resources. You could write a DB-based Hiera backend that bridges networks, but it wouldn't be useful for exported resources.
John
John
jcbollinger
Oct 31, 2014, 9:44:59 AM10/31/14
to puppet...@googlegroups.com
On Thursday, October 30, 2014 11:36:32 AM UTC-5, Atom Powers wrote:
Is it possible, and how, to collect exported resources from multiple
puppetdb sources?
I have a network which, for policy reasons, can not connect back into
the main network but the main network can connect into the partitioned
network.
I have a stand-alone puppet master in the partitioned network that
generates stored resources for Nagios in exactly the same way as the
main network.
Is there a way for the puppet master on the main network to collect
the stored resources from the partitioned network and the stored
resources from the main network to build a Nagios server that checks
both networks?
I understand what you want to do, but I don't think it's a good idea. A puppetmaster defines the scope of the resources it exports (among many other things). A resource exported by one master is logically unrelated to resources exported by unrelated masters. For two masters to be "related", they need at least the following:
- They must rely on the same CA.
- They must share the same (logical) puppetdb.
- If they ever do or can build catalogs for any of the same nodes, they must use the same manifests and data to do so.
Putting a single puppet master in the partitioned network isn't an
option for the same reason that the network is a partitioned one.
Could you possibly make your master dual-homed, so that it resides on both networks?
Alternatively, the biggest hurdle for establishing related masters in separate networks may be the shared CA. If you can solve that, then you could perhaps address the other issues with some form of replication between the two environments, but replicating the CA is not appropriate.
John
Alternatively, the biggest hurdle for establishing related masters in separate networks may be the shared CA. If you can solve that, then you could perhaps address the other issues with some form of replication between the two environments, but replicating the CA is not appropriate.
John
Atom Powers
Oct 31, 2014, 10:17:34 AM10/31/14
to puppet...@googlegroups.com
Thank you John.
I think I understand the limitation.
I should be able to create a work-around by scripting a puppetdb query
to build "resources" manually or simply fetching the files I need from
the partitioned puppetmaster.
I think I understand the limitation.
I should be able to create a work-around by scripting a puppetdb query
to build "resources" manually or simply fetching the files I need from
the partitioned puppetmaster.
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/d24f3ecd-5387-44f8-b09b-3b926ecec059%40googlegroups.com.
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit
Juan Sierra Pons
Oct 31, 2014, 11:16:53 AM10/31/14
to puppet...@googlegroups.com
>
> Alternatively, the biggest hurdle for establishing related masters in
> separate networks may be the shared CA. If you can solve that, then you
> could perhaps address the other issues with some form of replication between
> the two environments, but replicating the CA is not appropriate.
>
>
> John
>
About the Shared CA and certificates management, have a look to this
> Alternatively, the biggest hurdle for establishing related masters in
> separate networks may be the shared CA. If you can solve that, then you
> could perhaps address the other issues with some form of replication between
> the two environments, but replicating the CA is not appropriate.
>
>
> John
>
post [1] Sync Puppet Certs between EC2 regions.
Disclaimer: I started to configure the solution explained on it but I
haven't finished it yet
Hope it helps
[1] http://blog.mague.com/?p=468
--------------------------------------------------------------------------------------
Juan Sierra Pons ju...@elsotanillo.net
Linux User Registered: #257202
Web: http://www.elsotanillo.net Git: http://www.github.com/juasiepo
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
--------------------------------------------------------------------------------------
Nick Cammorato
Nov 1, 2014, 11:02:20 AM11/1/14
to puppet...@googlegroups.com
You'd have to mine the database and reconstruct the exported resource
as a resource, but it would be doable. I was assuming strict
adherance to what an exported resource is wasn't really what Atom was
after.
--Nick
as a resource, but it would be doable. I was assuming strict
adherance to what an exported resource is wasn't really what Atom was
after.
--Nick
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/dfb3ff9a-0f2b-421a-900e-e9c27cb88efa%40googlegroups.com.
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit
Reply all
Reply to author
Forward
0 new messages