问题描述

我可能误解了puppet agent --noop"的工作原理:

I may have misunderstood how "puppet agent --noop" works:

在类的定义中，我设置了一个文件的存在，并设置了它的用户和组所有权，这就是我在取消puppet agent --noop":

In the definition of a class I set the existence of a file and I set it's user&group ownership and this is what I have when I un "puppet agent --noop" :

• 如果文件不存在，puppet agent --noop"工作正常
• 如果文件存在但用户或组不存在，则puppet agent --noop"失败抱怨缺少用户或群组.
• 如果我只是运行puppet agent"(没有--noop")它工作正常: 不会不管用户、组或文件之前是否存在:它创建组、用户和/或文件.

第一个问题:我想--noop"运行不会验证目录是否要求丢失的资源被创建.不是吗?

第二个问题:有没有什么办法可以做任何mocking来避免启动--noop"?

2nd question: Is there any way to do any kind of mocking to avoid the problem of missing resources when launching "--noop"?

让我们粘贴一些代码来显示它:

Let's paste some code to show it:

   # yes, it should better be virtual resources
   group { $at_group:
     ensure => "present"
   }
   user { $at_user:
     ensure     => present,
     gid        => "$at_group",
     require    => Group[$at_group],
   }

  file { '/etc/afile':
    owner   => $at_user,
    group   => $at_group,
    mode    => '0440',
    content => template('......erb')
    require => User[$at_user]
  }

输出:

# puppet agent --test --noop
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Caching catalog for pagent02
Info: Applying configuration version '1403055383'
Notice: /Stage[main]/Agalindotest::Install/Group[my_group]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Agalindotest::Install/User[my_user]/ensure: current_value absent, should be present (noop)
Error: Could not find user my_user
Error: /Stage[main]/Agalindotest::Install/File[/etc/afile]/owner: change from 1001 to my_user failed: Could not find user my_user
Error: Could not find group my_group
Error: /Stage[main]/Agalindotest::Install/File[/etc/afiles]/group: change from 1001 to my_group failed: Could not find group my_group

如果文件不存在，让我们看看它是如何工作的:
然后puppet agent --test --noop"就像一个魅力:

Let's show how it works if the file doesn't exist:
then "puppet agent --test --noop" works like a charm:

Notice: /Stage[main]/Agalindotest::Install/Group[my_group]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Agalindotest::Install/User[my_user]/ensure: current_value absent, should be present (noop)
Notice: /Stage[main]/Agalindotest::Install/File[/etc/afile]/ensure: current_value absent, should be file (noop)

非常感谢！！
/天使

Thanks a lot!!
/ Angel

推荐答案

很遗憾，目前没有办法克服这个限制.

Unfortunately, there is currently no way to overcome this limitation.

ensure 属性不会因为缺少所有者而失败 - 我相信该文件最终会归 root 所有.这就是为什么当文件不存在时输出更令人愉快的原因.

The ensure property doesn't fail just on account of a missing owner - I believe the file will just end up owned by root. That is why the output is more pleasant when the file doesn't exist.

对于现有文件的行为:每个资源都是单独考虑的，如果评估文件时该组不存在，则文件资源必须承认失败.无法轻松解释组(可能)在没有 noop 的情况下创建的事实.

As for the behavior with an existing file: Each resource is considered individually, and the file resource must admit failure if the group does not exist when the file is evaluated. The fact that the group would (likely) be created without noop cannot be easily accounted for.

至于您在有用户资源的情况下在 noop 条件下忽略问题的想法 - 我相信这是有价值的.您会在 Puppet 的 Jira 上将其作为功能请求提出吗?

As for you idea of ignoring the issue under noop conditions if there is a user resource - that has merit, I believe. Would you raise that as a feature request at Puppet's Jira?

从 Puppet 3.3 开始，您可以依赖代理提供的 $clientnoop 值以及 Facter 事实.请注意，调整您的清单以避免 noop 模式下的失败有两个后果.

As of Puppet 3.3 you can use rely on the $clientnoop value that is supplied by the agent along with Facter facts. Please note that tailoring your manifest to avoid failures in noop mode has two consequences.

1. 清单本身的可维护性和可理解性大大降低.
2. noop 运行的报告变得不准确，因为不安全"的属性值不是 noop 目录的一部分

1. The manifest itself becomes much less maintainable and comprehendible.
2. The reporting from noop runs becomes inaccurate, because the "unsafe" property values are not part of the noop catalog

您可以像这样构建清单:

You could build the manifest like this:

# this scenario does not actually call for virtual resources at all :-)
group { $at_group:
  ensure => "present"
}
user { $at_user:
  ensure     => present,
  gid        => "$at_group",
  require    => Group[$at_group],
}

file { '/etc/afile':
  mode    => '0440',
  content => template('......erb')
  # require => User[$at_user]  # <- not needed at all, Puppet autorequires the user and group
}

if ! $::clientnoop {
  File['/etc/afile'] {
    owner   => $at_user,
    group   => $at_group,
  }
}

owner 和 group 属性在 noop 模式下被忽略，其优缺点如上所述.

The owner and group properties are ignored in noop mode, with the pros and cons as discussed above.

综合考虑，我觉得这根本不值得麻烦.

All things considered, I feel that this is not worth the hassle at all.