SIMP 6.4.0: What r10k-friendly RPM features should it include?
Add your comments directly to the page. Include links to any relevant research, data, or feedback.
This log updates an earlier decision
This decision refines decisions from the log, How to restructure the RPM installation sequence to be more r10k/Code Manager friendly.
Background
- SIMP 6.4.0 will begin to treat the r10k/Code Manager workflow as a first-class citizen.
- Puppet modules are distributed as RPMs, signed by a known GPG key as part of SIMP's implementation of NIST 800.53, CM-7(5).
- Modern Puppet module management practices use git and r10k, a model that does not fit well with RPM-distribution.
(Distant background:)
- SIMP supports installations in offline/network-isolated enclaves.
- Installation by ISO is intended to be an easy way to get started and ensure that all files are present (including Puppet modules).
Relevant data
Evolution of SIMP-packaged Puppet module RPMs
- Early versions of SIMP: Puppet module RPMs installed directly into the master's
$modulepath
. - SIMP 5.0(/4.2): To support Puppet environments, SIMP module RPMs installed with
Prefix:
/etc/puppet/environments/simp/modules
. On new installations, thesimp/
environment directory was symlinked toproduction/
. - SIMP 6.0: To accommodate environment deployment tools like r10k and Code Manager AND permit the original practice of installing directly into the environment directory where the Puppet Server could find them:
- Puppet module RPMs were modified to install into
Prefix: /usr/share/simp/modules
- The
simp_rpm_helper
script was introduced to centralize the logic for modules' RPM scriptlets- Under default conditions, the contents of just-installed Puppet module RPM would be immediately rsynced from
/usr/share/simp
/modules/
to${codedir}/environments/simp/modules/
. - (This behavior depended on the configuration of
copy_rpm_data
in/etc/simp/adapter_config.yaml
, and various safety checks.)
- Under default conditions, the contents of just-installed Puppet module RPM would be immediately rsynced from
- Puppet module RPMs were modified to install into
- SIMP 6.4: (This decision log)
The simp_rpm_helper
script
Since the introduction of simp_rpm_helper
in 6.0, the script's post-RPM management of ${codedir}/environments/simp/modules/
has been fraught with complications (not least being that most users don't know it's happening). Some RPM edge cases can have dangerous implications in the modules directory, particularly when upgrading obsoleted modules (SIMP-3895, SIMP-5331). Fixing or working around these problems (e.g., trigger scriptlets) can get intensely intricate, especially when combined with the tortuous RPM spec file logic inside simp-rake-helpers and its LUA and ERB assets.
Most of these complications can be avoided if the simp_rpm_helper
script's post-deploy is changed to maintain a version-collecting local git repository (Option 1, below). Tagged versions accumulate in a module's local git repository and are never lost, and it is easy to add them to a Puppetfile and deploy with r10k, even from an offline monolithic ISO installation. However, once we switch over to using local repositories with Puppetfile support, there are similar decisions to be made:
- Should we require r10k/Code Manager to deploy Puppet modules?
- Should we continue to automatically copy modules into
${codedir}/environments/simp/modules/ ?
- If so, under what circumstances is this appropriate (or not)?
- How far is too far in terms of developing and maintaining assistive tooling to automatically support more advanced r10k assets?
- Should we provide Puppetfiles?
- Should we maintain a control repo?
- Should we create an initial control repo on the file system when SIMP is initially installed from ISO or RPMs and an 'simp' environment does not already exist?
- How would that be implemented?
Options considered
Option 1: Puppet module RPMs updates a local git repository | Option 2: (Includes Option 1) Maintain a reference Puppetfile(s) to use local git repositories | |
---|---|---|
Description | A local bare git repository is created for each Puppet module: This is the most basic strategy, and implements the inital steps of an earlier r10k decision:
| As module RPMs are installed, a reference Puppetfile(s) is kept up-to-date under The reference ./ # Puppet environment directory, or /usr/share/simp/puppetfiles/current/
│
├── Puppetfile # top-level Puppetfile, includes other Puppetfiles (maintained by site admin)
└── Puppetfiles/ # contains Puppetfiles
├── site/ # the local site's Puppetfiles (maintained by site admin)
└── simp/ # SIMP vendored Puppetfiles. <-- COPY /usr/… UPDATES INTO ENVIRONMENT'S simp/
│ # after installing new RPM modules, the updated reference Puppetfiles
│ # can be copied into this directory:
├── Puppetfile.core # core SIMP modules
├── Puppetfile.extras.nfs # SIMP modules for NFS
├── Puppetfile.extras.gitlab # SIMP modules for Gitlab
└── ... The contents are automatically updated whenever SIMP-packaged module RPMs update their local git repos |
Usage |
|
|
Related Issues | - SIMP-6197Getting issue details... STATUS | |
Pros and cons | Immediately provides Puppetfile users with tagged git repos for each module Does not require any external git hosting service Works with network-isolated server installations Allows switching modules that have the same name, but different author. This is not possible with SIMP 6.0.x - SIMP 6.3.x, because of RPM spec file bugs. This option provides a separation between RPM files and Puppet environments Puppet environments (and their modules) are no longer directly updated after SIMP RPM module upgrades
| Immediately provides a working Puppetfile that can deploy tagged modules using Simplifies the move to using control repositories and Site admins decide when/if/how to update their Puppetfiles, and in which environments Reference Puppetfiles always deploys the current RPM-delivered versions of each module The This option encourages, but does not require (or provide) a git Control Repository. This option expects site admins to use r10k/Code Manager to deploy modules (if not environments) Puppet environments (and their modules) are no longer directly updated after SIMP RPM module upgrades Existing SIMP users that are not fluent on r10k will need documentation/support to allow them to take advantage of the Puppetfiles |
Estimated cost | SMALL | MEDIUM |
Option 2.5: (refines Option 2) Provide a simp command to generate a Puppetfile that uses local git repositories | Option 3: (Includes Option 1 + Option 2) Automatically create and maintain a local Control Repository | |
---|---|---|
Description | Provide a The reference ./ # Puppet environment directory │ ├── Puppetfile # Environment's Puppetfile | This is currently no longer considered a viable option for SIMP 6.4.0. It is included here to documentation the fact that we considered it.
However, after exploring different implementation options, it's not clear that this strategy would be simpler or safer. What has become clear is that most implementations are likely to add more trouble and complexity for site admins and SIMP developers than the idea is worth. |
Usage | Initial setup by site admins:
After the initial copy, site admins may:
| N/A |
Related Issues | N/A | |
Pros and cons | Less magical and elaborate than Option 2 Immediately provides a working Puppetfile that can deploy tagged modules using Site admins decide when/if/how to update their Puppetfiles, and in which environments Generated Puppetfiles always deploy the current RPM-delivered versions of each module The Keeps This option encourages, but does not require (or provide) a git Control Repository. This option expects site admins to use r10k/Code Manager to deploy modules (if not environments) Puppet environments (and their modules) are no longer directly updated after SIMP RPM module upgrades Existing SIMP users that are not fluent on r10k will need documentation/support to allow them to take advantage of the Puppetfiles | Sounds convenient when described at a high level Likely to make too many assumptions Requires the creation and maintenance of original tooling and logic. Nullifies the advantages of switching to community-supported deployment tools by adding a layer on top of them. Makes control repo management complicated and brittle for both admins and SIMP development. (Re-)confuses the separation between RPM-delivered files, SCM, control repositories, and local SIMP configurations. Proposals so far have tended to unwittingly re-engineer similar problems to the temporarily-obsoleted module upgrade dilemma that afflicts the original design of SIMP's simp-rpm-helper + module RPMs. No matter what we build, it will be wrong for someone. |
Estimated cost | MEDIUM | INFINITE |
Action items
Outcome
(Working assumption for Sprint 81 as of 08 Mar 2019): Option 1 + Option 2.5 as a stretch goal