Video meeting 14.11.2013

Participants

Ben Jones - CERN (chair)

Chris Walker - Queen Mary

Jan Engels & Yves Kemp - DESY

Pavel Wever - KIT

Christelle Eloto - IN2P3

Frederic Schaer - CEA

John De Stefano, Jason Smith - BNL

Kashif Mohammad - Oxford

Lukasz Kreczko - Bristol

Tim Skirvin - FNAL

Pierre-Francois Honore - CEA

Luis Alves -

Round the table, summary:

Most of the sites presenting use Puppet already to some extent, some in production for over one year. Noticeable exception is Queen Mary, which need to migrate from their current system and are looking for information.

Some sites have their complete configuration in Puppet (+ tools from the ecosystem like Hiera...) - others still use YAIM to configure the middleware software stack.

The status of sharing their own developed modules varies from "Develop everything in Github" to "no time to publish / no interest to publish". Most sites however state that they use many modules developed elsewhere.

Tools from the ecosystem were mentionned: Hiera, Foreman, Hiera, Cobbler, MCollective, ActiveMQ, RabbitMQ

Secret Management:

Many sites are concerned about secrets and secrets management in the round the table. It was agreed that no secrets (like any site specifics) should go into published modules.

Hiera can handle some level of secret management (hostnames, IP addresses), but is not a general tool for "more secret" secrets like password hashes.

DESY has reported that a student is currently working on a database backed tool which supports roles and integrates with Hiera to manage secrets like password hashes and keytabs.

Tim mentioned http://www.eyrie.org/~eagle/software/wallet/ that he has in the past used with success.

Cooperation between sites / within working group:

As many sites are using modules from other sources and some sites also share modules, the question is whether and how to coordinate module development.

The general consensus is that modules should be more shared and information about existing modules should be better communicated.

Different opinions exist how this should be realized. Some sites suggest to publish modules from day one of their development. The general agreement is however that a staged approach is preferable:

• For the daily work and initial development: Sites can have their own git repo. Others can access it at "best effort base".
• Have a more formal git repo where more polished modules go in - which could also be PuppetForge

Some sites with private repo have promised to open their repos and publish modules - at least some. Other sites have listed content of their repos for information purpose.

It is agreed that the WG Wiki should contain entry points to the different git repos (CERNOPS, puppet-hep, ...).

New development can be started in public, but it is clearly OK to start them in private and only publish once they are more elaborated. However, it would be good to inform the community e.g. by announcing on the WG mailing list.

Some middleware providers have asked whether and how they should provide puppet configuration. If the configuration is provided by the middleware developers, an entry point to the repo should also go on the WG wiki.

The WG should identify where puppet configuration is missing.

Development and documentation:

Most of the sites are using git to handle development processes. Some admins have expressed the which to have special documentation for git e.g. for publishing modules.

Ben agreed to provide such documentation.

Some people are using Eclipse+GIT for development.

Puppet Librarian is in use at CERN.

Action items:

• Share modules in use
• Communicate links to repos via Wiki
• Documentation on git
• Gap analysis

Next meeting is fixed for January, a date will be communicated.

-- YvesKemp - 15 Nov 2013