Whenever possible, I try to write Puppet code that is purgeable and “comment safe”. That is not a very good description. What I mean is Puppet code that removes a resource from the system when the corresponding Puppet code is commented out of a manifest, so that a commented-out block leaves nothing behind on the host. Let's look at a few examples.
Example: Managed Sudo
Let's say you used this popular sudo module with purging enabled:
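An added example of what that declaration looks like; this is not the snippet from the original post. It assumes the saz/sudo module, whose `sudo` class takes a `purge` parameter (remove unmanaged files from /etc/sudoers.d) and a `config_file_replace` parameter (whether to overwrite the distribution's /etc/sudoers):

```puppet
# Added example, not the post's own code. Assumes the saz/sudo module.
class { 'sudo':
  # Delete any file in /etc/sudoers.d that is not declared in the catalog.
  # Anything a human drops in by hand, or a sudo::conf you comment out,
  # is gone on the next run.
  purge               => true,
  # Leave the distribution's /etc/sudoers alone and manage only sudoers.d,
  # so package upgrades of sudo do not fight with Puppet.
  config_file_replace => false,
}
```

The check worth doing before turning `purge` on: list /etc/sudoers.d on a few hosts and make sure every file there is either declared in Puppet or genuinely unwanted, because the first run will delete the rest.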
Great start. Every sudo::conf block you write from now on will disappear from the host automatically as soon as you comment it out:
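An added example, not the post's own code, of the purgeable sudo::conf blocks; it assumes the saz/sudo module's `sudo::conf` define, which writes /etc/sudoers.d/<priority>_<name> from `content` or `source`. The group and command names are made up for illustration:

```puppet
# Added example, not the post's own code. Assumes the saz/sudo module.
class { 'sudo':
  purge               => true,
  config_file_replace => false,
}

# Writes /etc/sudoers.d/10_admins. Comment the block out and the file is
# purged on the next run, revoking the privilege.
sudo::conf { 'admins':
  priority => 10,
  content  => '%admins ALL=(ALL) NOPASSWD: ALL',
}

# Narrow, command-specific grant for a service account (hypothetical).
sudo::conf { 'deploy':
  priority => 20,
  content  => 'deploy ALL=(root) NOPASSWD: /usr/sbin/service myapp restart',
}

# Commented out: with purge => true this rule no longer exists on the host.
# sudo::conf { 'oncall':
#   priority => 30,
#   content  => '%oncall ALL=(ALL) ALL',
# }
```

The security point is that revocation is as cheap as granting: removing the lines from the manifest is the removal from the host, with no separate "clean-up" change to remember.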
Good stuff. Do this.
Example: Managed Firewall
How about another example with the Puppetlabs Firewall module? Purge every rule Puppet does not know about, and declare only the rules you want:
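An added example, not the post's own code, of the purge pattern for the puppetlabs/firewall module. It assumes the `resources` meta-type's `purge` parameter (which generates `ensure => absent` for every instance not in the catalog) and the module's `firewall` type with the `action` parameter used by older releases (newer releases renamed it to `jump`). The `my_fw::pre` and `my_fw::post` class names and the rules themselves are assumptions for illustration:

```puppet
# Added example, not the post's own code. Assumes puppetlabs/firewall.

# Rules that must be applied before anything else, so that purging and the
# final drop rule never lock you out of the box mid-run.
class my_fw::pre {
  Firewall {
    require => undef,   # break the global dependency declared below
  }
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
}

# Default deny, applied after every other rule.
class my_fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}

# Any iptables rule not declared in the catalog is removed on every run.
resources { 'firewall':
  purge => true,
}

# Order every firewall resource between pre and post.
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}
class { ['my_fw::pre', 'my_fw::post']: }
class { 'firewall': }

# Application rules. Comment one out and the matching iptables rule is gone
# on the next run; a rule someone adds by hand with iptables is gone too.
firewall { '100 accept ssh':
  proto  => 'tcp',
  dport  => 22,
  action => 'accept',
}
firewall { '110 accept https':
  proto  => 'tcp',
  dport  => 443,
  action => 'accept',
}
```

The pre/post split is the caveat a practitioner wants: with `purge => true` plus a default drop and no "accept established" rule ordered first, the run that purges a hand-added rule can also cut off the SSH session Puppet is running under.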
The point here is that we should encourage a culture of purging. Having resources get automatically purged when you comment them out from puppet is great.
Of course, this is moot in the short-lived world of Docker, or possibly Amazon EC2, where you replace the host instead of cleaning it. But for those engineers who work on long-lived servers, this prevents cruft.
Going Further: Purging Packages
I want to purge packages. If someone installs a package not controlled by Puppet, I want Puppet to purge it. Crazy, I know.
Of course, Puppet will leave the package behind. I should be doing ensure => purged.
But what if the package is deep within nested classes or simply manually installed?
Some day I would like to get to the point where I at least get notified when puppet detects packages that don’t need to be there. I’m open to suggestions on how to do this.
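One way to get that notification, added here as an example and not the post's own code: the same `resources` meta-type used for firewall rules also works on the `package` type, and the `noop` metaparameter is copied onto every resource it generates, so the run reports what it would remove without removing anything. Everything declared with `package { ... }` is exempt from the report. The package names are assumptions for illustration:

```puppet
# Added example, not the post's own code.

# Explicitly purge a package you no longer want; "purged" also removes its
# configuration files on providers that support it (e.g. apt), unlike "absent".
package { 'telnet':
  ensure => purged,
}

# Packages you do want. Anything not listed here (and not otherwise declared
# in the catalog) shows up in the noop report below.
package { ['openssh-server', 'sudo', 'iptables']:
  ensure => installed,
}

# Report-only purge of unmanaged packages. Each one appears in the run
# output and report as Package[name] ensure: current_value present,
# should be absent (noop).
#
# DANGER: without noop => true this would attempt to remove every package
# not in the catalog, including the kernel, libc and Puppet itself.
# Do not remove the noop line.
resources { 'package':
  purge => true,
  noop  => true,
}
```

Expect the first report to be long: on a stock install nearly everything is "unmanaged", which is exactly the gap between "packages Puppet declared" and "packages the base image brought" that the paragraph above is talking about.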
Going Further: Purging /etc/
Most of the time stale configuration leftover in /etc/ causes no harm.
But what about cron jobs in /etc/cron.d? I would love to purge them, but there are non-Puppet-controlled things in there installed by system packages. If everything were a Puppet module this could eventually be achieved, but it would be too hard to keep in sync with upstream package changes.
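An added example, not the post's own code, of what purging /etc/cron.d looks like in practice, including the bit the paragraph above warns about: a recursive `file` resource with `purge => true` deletes every unmanaged file in the directory, and the `ignore` parameter is the only thing standing between you and the package-provided jobs. The names in the ignore list are assumptions for illustration and are exactly what has to be kept in sync with upstream packages:

```puppet
# Added example, not the post's own code.

file { '/etc/cron.d':
  ensure  => directory,
  owner   => 'root',
  group   => 'root',
  mode    => '0755',
  recurse => true,
  purge   => true,
  # Package-provided cron jobs that must survive the purge. This list is an
  # assumption; every package upgrade that adds a cron.d file needs an entry.
  ignore  => ['0hourly', 'sysstat', 'raid-check'],
}

# A Puppet-managed job. Comment this block out and the file is purged.
file { '/etc/cron.d/app-cleanup':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  # cron refuses world- or group-writable files in cron.d.
  mode    => '0644',
  # Trailing newline is required; cron silently ignores a last line without one.
  content => "15 3 * * * root /usr/local/bin/app-cleanup\n",
}
```

Note the file name: Debian's cron only reads /etc/cron.d entries whose names match ^[a-zA-Z0-9_-]+$, so a name with a dot in it is a job that never runs and is easy to mistake for a working one.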
Crossing the Line: Purging /var/lib/mysql
Seems like if you asked puppet to install mysql databases, and then commented them out, you would not want puppet to purge them.
The subtle difference here might be the difference between configuration and data.
Whenever possible I try to set purge => true on whatever I can. I would like to see this as the default in new Puppet modules.
Someday I would like us to purge more than just files and iptables rules.