<htmlxmlns="http://www.w3.org/1999/xhtml"><head><metahttp-equiv="Content-Type"content="text/html; charset=UTF-8"/><title>cdist-best-practice(7)</title><linkrel="stylesheet"type="text/css"href="docbook-xsl.css"/><metaname="generator"content="DocBook XSL Stylesheets V1.76.1"/></head><body><divxml:lang="en"class="article"title="cdist-best-practice(7)"lang="en"><divclass="titlepage"><div><div><h2class="title"><aid="id334078"></a>cdist-best-practice(7)</h2></div><div><divclass="author"><h3class="author"><spanclass="firstname">Nico</span><spanclass="surname">Schottelius</span></h3><codeclass="email"><<aclass="email"href="mailto:nico-cdist--@--schottelius.org">nico-cdist--@--schottelius.org</a>></code></div></div></div><hr/></div><divclass="toc"><p><strong>Table of Contents</strong></p><dl><dt><spanclass="section"><ahref="#_name">1. NAME</a></span></dt><dt><spanclass="section"><ahref="#_passwordless_connections">2. PASSWORDLESS CONNECTIONS</a></span></dt><dt><spanclass="section"><ahref="#_speeding_up_ssh_connections">3. SPEEDING UP SSH CONNECTIONS</a></span></dt><dt><spanclass="section"><ahref="#_multi_master_or_environment_setups">4. MULTI MASTER OR ENVIRONMENT SETUPS</a></span></dt><dt><spanclass="section"><ahref="#_seperating_work_by_groups">5. SEPARATING WORK BY GROUPS</a></span></dt><dt><spanclass="section"><ahref="#_maintaining_multiple_configurations">6. MAINTAINING MULTIPLE CONFIGURATIONS</a></span></dt><dt><spanclass="section"><ahref="#_multiple_developers_with_different_trust">7. MULTIPLE DEVELOPERS WITH DIFFERENT TRUST</a></span></dt><dt><spanclass="section"><ahref="#_see_also">8. SEE ALSO</a></span></dt><dt><spanclass="section"><ahref="#_copying">9. 
COPYING</a></span></dt></dl></div><divclass="section"title="1.NAME"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_name"></a>1.NAME</h2></div></div></div><p>cdist-best-practice - Practices used in real environments</p></div><divclass="section"title="2.PASSWORDLESS CONNECTIONS"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_passwordless_connections"></a>2.PASSWORDLESS CONNECTIONS</h2></div></div></div><p>It is recommended to run cdist with public key authentication.
This requires a private/public key pair and the entry
"PermitRootLogin without-password" in the sshd configuration of the target host.
See sshd_config(5) and ssh-keygen(1).</p></div><divclass="section"title="3.SPEEDING UP SSH CONNECTIONS"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_speeding_up_ssh_connections"></a>3.SPEEDING UP SSH CONNECTIONS</h2></div></div></div><p>When connecting to a new host, the initial delay with ssh connections
is pretty big. You can work around this by
"sharing of multiple sessions over a single network connection"
(quote from ssh_config(5)). The following code is suitable for
inclusion into your ~/.ssh/config:</p><preclass="screen">Host *
ControlPath ~/.ssh/master-%l-%r@%h:%p
ControlMaster auto
ControlPersist 10</pre></div><divclass="section"title="4.MULTI MASTER OR ENVIRONMENT SETUPS"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_multi_master_or_environment_setups"></a>4.MULTI MASTER OR ENVIRONMENT SETUPS</h2></div></div></div><p>If you plan to distribute cdist among servers or use different
environments, you can do so easily with the included version
control system, git. For instance, if you plan to use the typical three
environments production, integration and development, you can
realise this with git branches:</p><preclass="screen"># Go to cdist checkout
cd /path/to/cdist
# Create branches
git branch development
git branch integration
git branch production
# Make use of a branch, for instance production
git checkout production</pre><p>Similarly, if you want to have cdist checked out on multiple machines,
you can clone it multiple times:</p><preclass="screen">machine-a % git clone git://your-git-server/cdist
machine-b % git clone git://your-git-server/cdist</pre></div><divclass="section"title="5.SEPARATING WORK BY GROUPS"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_seperating_work_by_groups"></a>5.SEPARATING WORK BY GROUPS</h2></div></div></div><p>If you are working with different groups on one cdist-configuration,
you can delegate to other manifests and have the groups edit only
their manifests. You can use the following snippet in
<spanclass="strong"><strong>conf/manifests/init</strong></span>:</p><preclass="screen"># Include other groups
sh -e "$__manifest/systems"
sh -e "$__manifest/cbrg"</pre></div><divclass="section"title="6.MAINTAINING MULTIPLE CONFIGURATIONS"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_maintaining_multiple_configurations"></a>6.MAINTAINING MULTIPLE CONFIGURATIONS</h2></div></div></div><p>When you need to manage multiple sites with cdist, like company_a, company_b
and private for instance, you can easily use git for this purpose,
including a possible common base that is reused across the different sites:</p><preclass="screen"># create branches
git branch company_a
git branch company_b
git branch common
git branch private
# make stuff for company a
git checkout company_a
# work, commit, etc.
# make stuff for company b
git checkout company_b
# work, commit, etc.
# make stuff relevant for all sites
git checkout common
# work, commit, etc.
# change to private and include latest common stuff
git checkout private
git merge common</pre><p>The following <spanclass="strong"><strong>.git/config</strong></span> is taken from a real-world scenario:</p><preclass="screen"># Track upstream, merge from time to time
# The "nico" branch will be synced with the remote nico, branch master
[branch "nico"]
remote = nico
merge = refs/heads/master
# ETH stable contains rock solid configurations used in various places
[branch "eth-stable"]
remote = eth
merge = refs/heads/stable</pre><p>Have a look at git-remote(1) to adjust the remote configuration, which allows</p></div><divclass="section"title="7.MULTIPLE DEVELOPERS WITH DIFFERENT TRUST"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_multiple_developers_with_different_trust"></a>7.MULTIPLE DEVELOPERS WITH DIFFERENT TRUST</h2></div></div></div><p>If you are working in an environment that requires different people to
work on the same configuration, but with different privileges, you can
implement this scenario with a gateway host and sudo:</p><divclass="itemizedlist"><ulclass="itemizedlist"type="disc"><liclass="listitem">
Create a dedicated user (for instance <spanclass="strong"><strong>cdist</strong></span>)
</li><liclass="listitem">
Set up the ssh-pubkey for this user that has the right to configure all hosts
</li><liclass="listitem">
Create a wrapper to update the cdist configuration in ~cdist/cdist
</li><liclass="listitem">
Allow every developer to execute this script via sudo as the user cdist
</li><liclass="listitem">
Allow running cdist as user cdist on specific hosts on a per-user/group basis
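One way to implement the last two steps, as an added example that is not part of cdist or of the original page: a wrapper that developers start via sudo as user cdist and that checks the invoking user and the target host against an allowlist before running cdist. The script name, the ACL path and format, the sudoers line and the cdist path are assumptions.

```shell
#!/bin/sh
# Added example: gateway wrapper run as user "cdist" through sudo.
# Constructed sudoers entry (edit with visudo; names are assumptions):
#   %developers ALL=(cdist) NOPASSWD: /usr/local/bin/cdist-gate
# Constructed ACL format, one rule per line: USER-or-%GROUP HOST

# Accept plain host names only, so an argument starting with "-" or
# containing shell/ssh metacharacters never reaches cdist or ssh.
valid_host() {
    case "$1" in
        ""|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# host_allowed USER HOST ACLFILE [GROUP...]: returns 0 if a rule matches.
host_allowed() {
    _user=$1; _host=$2; _acl=$3
    shift 3
    valid_host "$_host" || return 1
    while read -r _who _target _rest; do
        case "$_who" in ""|"#"*) continue ;; esac
        [ "$_target" = "$_host" ] || continue
        [ "$_who" = "$_user" ] && return 0
        for _g in "$@"; do
            [ "$_who" = "%$_g" ] && return 0
        done
    done < "$_acl"
    return 1
}

# cdist_gate HOST: entry point. sudo sets SUDO_USER to the invoking user.
cdist_gate() {
    _caller=${SUDO_USER:?must be started through sudo}
    # Word splitting of the group list from id(1) is intended.
    # shellcheck disable=SC2046
    if host_allowed "$_caller" "$1" "${CDIST_ACL:-/etc/cdist-gate.acl}" \
            $(id -Gn "$_caller"); then
        # Assumption: checkout in ~cdist/cdist with a "config" subcommand.
        "${CDIST_BIN:-$HOME/cdist/bin/cdist}" config "$1"
    else
        echo "cdist-gate: $_caller may not configure '$1'" >&2
        return 1
    fi
}

# Installed as a script, the last line would be: cdist_gate "$@"
```

Keep the ACL file and the wrapper owned by root and not writable by the cdist user or the developers, otherwise the restriction can be edited away.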
</li></ul></div><p>For more details consult sudoers(5)</p></div><divclass="section"title="8.SEE ALSO"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_see_also"></a>8.SEE ALSO</h2></div></div></div><divclass="itemizedlist"><ulclass="itemizedlist"type="disc"><liclass="listitem">
cdist(1)
</li><liclass="listitem">
cdist-tutorial(7)
</li></ul></div></div><divclass="section"title="9.COPYING"><divclass="titlepage"><div><div><h2class="title"style="clear: both"><aid="_copying"></a>9.COPYING</h2></div></div></div><p>Copyright (C) 2011-2012 Nico Schottelius. Free use of this software is
granted under the terms of the GNU General Public License version 3 (GPLv3).</p></div></div></body></html>