Virtual resources

A common use of virtual resources is special-access administrative users. Under a robust security policy, you may not want any single user to have administrative access to every system in an infrastructure. You would instead declare the administrative user as a virtual resource and let profiles realize that user where appropriate. In the following example, I'll add myself to a Linux system as an administrative user and then realize the resource in multiple manifests, which causes no resource conflict and lets me place myself surgically on the appropriate systems.

First, I need to declare myself and possibly other users as a virtual resource:

# modules/admins/manifests/infrastructure.pp
# This manifest declares the virtual resource for my administrative user
class admins::infrastructure {
  @user { 'rrussellyates':
    ensure  => present,
    comment => 'Ryan Russell-Yates',
    groups  => ['wheel'],
  }
}

I want to use the realize function in multiple profiles to call the user object from the catalog and ensure that it is on the system. Notice the capital letter in the reference: User['rrussellyates']. The capitalized form refers to a resource that already exists in the catalog rather than declaring a new one. I'll make sure to include the manifest that declares it, so that the virtual user is already in the catalog when the profile realizes it:

# modules/profile/manifests/monitoring_support.pp
# Assume I'm a member of a monitoring team that monitors critical applications
class profile::monitoring_support {
  include admins::infrastructure
  include profile::nagios
  include profile::monitoring_baseline

  realize User['rrussellyates']
}

# modules/profile/manifests/my_app.pp
# This profile combines our multiple required classes for the application
class profile::my_app {
  include admins::infrastructure
  include security
  include ntp
  include dns

  realize User['rrussellyates']
}

Now, my production-level application requires two manifests that call me as an administrative user. Because this is a virtual resource that has only been declared once, both manifests can call the user independently or together without conflict:

# The role for our production application with special SLA monitoring
# Notice that both my_app and monitoring support require me as an administrative
# user. A development version of the application needs my support, as well as
# anything with a production-level SLA for monitoring. If I attempted to declare
# myself as a resource in both of these profiles, we'd have a duplicate resource
# declaration.
class role::production_app {
  include profile::my_app
  include profile::monitoring_support
}

We'll then apply this role to our node, using our site.pp:

# site.pp

node 'appserver' {
  include role::production_app
}

When we run this on our system, this administrative user will be realized with no duplicate resource declaration errors, even though the user is realized in both profiles. We can successfully call this user from multiple places, without resource conflicts:

[root@wordpress vagrant]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Info: Caching catalog for wordpress
Info: Applying configuration version '1529120853'
Notice: /Stage[main]/Admins::Infrastructure/User[rrussellyates]/ensure: created
Notice: Applied catalog in 0.10 seconds
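
The same pattern extended to several administrators, as an added example that is not from the book: it goes beyond the single realize call above by tagging each virtual user with a team and realizing by tag with a resource collector. The class names admins::virtual and profile::*_access, the team_* tags and the users jdoe and asmith are assumptions made for illustration.

```puppet
# Added example. admins::virtual, profile::*_access, the team_* tags and the
# users jdoe and asmith are constructed; each class lives in its own file.
class admins::virtual {
  @user { 'rrussellyates':
    ensure  => present,
    comment => 'Ryan Russell-Yates',
    groups  => ['wheel'],
    tag     => ['team_monitoring', 'team_app'],
  }

  @user { 'jdoe':
    ensure  => present,
    comment => 'Constructed monitoring-only administrator',
    groups  => ['wheel'],
    tag     => ['team_monitoring'],
  }

  @user { 'asmith':
    ensure  => present,
    comment => 'Constructed database administrator',
    groups  => ['wheel'],
    tag     => ['team_dba'],
  }
}

class profile::monitoring_access {
  include admins::virtual

  # Realizes every virtual user tagged team_monitoring:
  # rrussellyates and jdoe.
  User <| tag == 'team_monitoring' |>
}

class profile::app_access {
  include admins::virtual

  # Realizes rrussellyates only. Collecting the same user from two profiles
  # is not a duplicate declaration.
  User <| tag == 'team_app' |>
}

# A node that includes both profiles gets rrussellyates and jdoe.
# asmith stays virtual and is never created there.
```

Unlike realize, which fails catalog compilation when the referenced resource does not exist, a collector that matches nothing compiles cleanly, so a mistyped tag silently results in no administrative users on the node.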