puppetlabs / pupperware

Container fun time lives here.

Enable modifications of auth.conf to persist #218

Open stahnma opened 4 years ago

stahnma commented 4 years ago

Use Case

I wanted to tell Puppet to re-read the files on disk for an environment, but to do that I have to modify auth.conf. First, I think oh, here's auth.conf right in /var/lib/docker/volumes/pupperware_puppetserver-config/_data/, but after some chatting with Charlie and Morgan, seems like that file isn't actually used (so maybe it should go away) and that we need the auth.conf that would mount into puppetserver's conf.d directory.

Describe the Solution You Would Like

Have a way to modify auth.conf rules (the one that is used) that persists across container restarts. This could be a volume mount, it could be ENV vars set and read in, or something.

Describe Alternatives You've Considered

Additional Context

Probably should make the files either exposed via volumes or their values available in ENV vars.

stahnma commented 4 years ago

Another option here would be to just have an allow rule for the puppetserver container's cert to refresh envs in the default auth.conf setup.
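As an added illustration of the allow-rule idea (this is not code from the pupperware repository or from the comment authors), the following is a minimal puppetserver auth.conf in its HOCON format. It assumes that "refresh envs" means flushing the environment cache through the puppetserver admin API (a DELETE on /puppet-admin-api/v1/environment-cache) and that the container's certname is puppet.example.com; both are assumptions, and the real certname comes from the container's puppet.conf.

```hocon
# Added example, not the pupperware default auth.conf. Rules are evaluated in
# ascending sort-order; the first rule whose match-request matches decides.
authorization: {
    version: 1
    rules: [
        {
            # Only the puppetserver container's own certificate may flush the
            # environment cache. Listing one certname (assumed here) instead of
            # "*" keeps the admin endpoint closed to every other agent.
            match-request: {
                path: "/puppet-admin-api/v1/environment-cache"
                type: path
                method: delete
            }
            allow: [ "puppet.example.com" ]
            sort-order: 200
            name: "puppetlabs environment cache"
        },
        {
            # Catch-all: anything not explicitly allowed above is denied.
            match-request: {
                path: "/"
                type: path
            }
            deny: "*"
            sort-order: 999
            name: "puppetlabs deny all"
        }
    ]
}
```

This is only the two rules relevant to the discussion; a usable file also needs the default rules for the agent endpoints (catalog, node, file_metadata, report, and so on), so the realistic change is to edit the `allow` list of the existing environment-cache rule rather than to replace the file. Rule names must be unique, and a change to auth.conf takes effect only after puppetserver is restarted or reloaded, which is why persisting the edited file outside the container matters.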

Iristyle commented 4 years ago

For the auth.conf issue specifically, ENV vars are immutable once the container launches, so if it's something you think you want to change for a running container (rather than tearing down the container and starting up a new one), then the disk based solution is better. That said, a lot of the config is fairly opinionated at this point and not really designed to be modified by end users (partly b/c of a desire to interface with config in the Docker way and because we don't know all the additional things users really need to modify w/out feedback to tell us what those things are). I think your allow rule idea sounds like the right approach at the moment.

Related - I've been meaning to rework the VOLUME definitions in puppetserver to match the 4 volume setup in pe-puppetserver (or at least the first 3)

```dockerfile
# generated certs, logs, restartcounter, filesync, reports, filebucket, facts.d
VOLUME /opt/puppetlabs/server/data/puppetserver \
# pe_repo packages
      /opt/puppetlabs/server/data/packages \
# code manager data, code-manager / filesync environment / staging, master code dir
      /opt/puppetlabs/server/data/code-manager \
# users should volume map in their id-control_repo.rsa. See 30-configure-ssh.sh
      /etc/puppetlabs/puppetserver/ssh
```

This is to make it easier to just swap in pe-puppetserver and point it to the same volumes as the open source version to "upgrade" and also because we figured out what config to tweak to make sure all the "data" lives in external volumes. This container has more of a legacy setup at this point.