Puppet/Cleanups

From Wikitech

Our Puppet tree is continuously evolving, so it's normal that an enhancement doesn't immediately trickle into the wider Puppet tree. This page tracks enhancements that can be applied when updating a given Puppet module:

Redundant file ownerships for root

In https://gerrit.wikimedia.org/r/c/operations/puppet/+/809095/1 a default ownership for File resources was added (root for user/group). As such, an existing File definition like

file { '/usr/local/sbin/memcached-dump':
   ensure => file,
   mode   => '0550',
   owner  => 'root',
   group  => 'root',
   source => 'puppet:///modules/apereo_cas/memcached-dump.py',
}

can be simplified to

file { '/usr/local/sbin/memcached-dump':
   ensure => file,
   mode   => '0550',
   source => 'puppet:///modules/apereo_cas/memcached-dump.py',
}

In some corner cases it might still make sense to keep the explicit root ownership, e.g. if you want to be very explicit that some config file contains sensitive data or similar.
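To find candidates for this cleanup in a module, the following Python script (an added example, not part of the original page or the Puppet repository) lists the owner/group lines of file resources that only repeat the root default, for manual review. The function name find_redundant_root and the second sample resource are made up for illustration; it assumes a single quoted title, one attribute per line and no '#' inside strings.

```python
import re

# Lowercase `file { 'title':` only; skips `File {` defaults and `concat::file {`.
FILE_START = re.compile(r"(?<![\w:])file\s*\{\s*(['\"])(?P<title>.+?)\1\s*:")
ROOT_ATTR = re.compile(r"^\s*(owner|group)\s*=>\s*['\"]?root['\"]?\s*,?\s*$")

# Constructed input: the resource shown above plus one made-up resource.
SAMPLE = """\
file { '/usr/local/sbin/memcached-dump':
   ensure => file,
   mode   => '0550',
   owner  => 'root',
   group  => 'root',
   source => 'puppet:///modules/apereo_cas/memcached-dump.py',
}

file { '/etc/example/app.conf':   # constructed resource
   ensure => file,
   owner  => 'root',
   group  => 'example',
   mode   => '0440',
}
"""

def find_redundant_root(manifest):
    """Return (line_number, attribute, resource_title) cleanup candidates."""
    findings = []
    title, depth = None, 0
    for number, line in enumerate(manifest.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing comments
        if title is None:
            match = FILE_START.search(code)
            if not match:
                continue
            title, depth = match.group("title"), 0
            code = code[match.start():]  # ignore braces before the resource
        attr = ROOT_ATTR.match(code)
        if attr:
            findings.append((number, attr.group(1), title))
        # Track braces so nested hashes do not end the resource early.
        depth += code.count("{") - code.count("}")
        if depth <= 0:
            title = None
    return findings

if __name__ == "__main__":
    for finding in find_redundant_root(SAMPLE):
        print("line %d: redundant %s => 'root' in file { '%s': }" % finding)
```

The script only reports lines and changes nothing, so explicit ownership that is kept on purpose can be left in place.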

Installation of packages using ensure_packages

Packages can be installed via a package definition: https://www.puppet.com/docs/puppet/7/types/package.html. These definitions are not guarded against re-declaration: if, for example, apache gets installed by two classes applied to a role, this causes a redeclaration error in the second class. The cleaner solution is to use ensure_packages instead, which internally guards against declaring a package multiple times:

ensure_packages(['python3-flask', 'python3-semver'])
ensure_packages('rsync')

ensure_packages isn't well suited for packages which depend on an $ensure variable. While ensure_packages allows passing an ensure parameter, that parameter would then also need to be passed from every ensure_packages call site, so for this special case it's better to stick with a bare package declaration.