each node should have only one class in Hiera, which should be a role
We have some parts of our infrastructure that assume each node has only a single role applied to it. Prometheus, in particular, assigns a class label to each node, which is in turn used by the main Grafana dashboard to filter the main view per role (more or less). This leads to confusing entries like this:
Now there are two ways of fixing this issue:
- make sure we include only one class from Hiera, and that that class is a role
- create a new "role" field in Hiera that gets included as a class and used for classification in Hiera, then add an auxiliary "class" field that is used in the current way.
I favor the former, but I suspect we'll need the latter. For example, the roles::fde class seems to be included on and off on various nodes, and it will not be possible to include it across the board until either all servers are converted to FDE (which is unlikely: Ganeti nodes are already backed by their parent's FDE) or the class is made smarter about how it works. Either way, this will probably not be fixed across the board - proliant is another such example of classes being used to apply hardware-specific workarounds.
In either case, Hiera already needs a cleanup. Here's a few ideas:
- alberti: roles::static_source should be included in roles::ldapdb
- archive-01.torproject.org: roles::archive_www_host should include roles::static_mirror and roles::fde
- eugeni: make a roles::eugeni that includes profile::postfix::eugeni and profile::lists
- mandos: include profile::fde (not roles::fde?) in profile::mandos (or make a role::mandos?)
- polyanthum: merge profile::bridges into roles::bridges?
- cleanup collector roles
- cleanup static mirror roles
- cleanup onionoo roles
- figure out the roles::fde question
- nevii: fold roles::letsencrypt into roles::dns_primary?
Here are some details of the cleanup steps...
The collector stuff needs cleaning up:
hiera/nodes/colchicifolium.torproject.org.yaml: - roles::weblog_sink
hiera/nodes/colchicifolium.torproject.org.yaml: - roles::collector_backend
hiera/nodes/colchicifolium.torproject.org.yaml: - roles::collector
hiera/nodes/corsicum.torproject.org.yaml: - roles::collector_backend
hiera/nodes/corsicum.torproject.org.yaml: - roles::collector
The static mirror stuff also needs cleanup:
hiera/nodes/hetzner-hel1-03.torproject.org.yaml: - roles::static_mirror_web
hiera/nodes/hetzner-hel1-03.torproject.org.yaml: - roles::static_mirror_onion
hiera/nodes/listera.torproject.org.yaml: - roles::static_mirror_web
hiera/nodes/listera.torproject.org.yaml: - roles::static_mirror_onion
hiera/nodes/listera.torproject.org.yaml: - profile::media
hiera/nodes/listera.torproject.org.yaml: - proliant
hiera/nodes/meronense.torproject.org.yaml: - profile::metrics
hiera/nodes/meronense.torproject.org.yaml: - roles::weblog_source
hiera/nodes/staticiforme.torproject.org.yaml: - roles::rbm_master
hiera/nodes/staticiforme.torproject.org.yaml: - roles::static_source
hiera/nodes/staticiforme.torproject.org.yaml: - roles::onion_master
hiera/nodes/staticiforme.torproject.org.yaml: - roles::www_master
hiera/nodes/static-master-fsn.torproject.org.yaml: - roles::static_master
hiera/nodes/web-cymru-01.torproject.org.yaml: - roles::static_mirror_web
hiera/nodes/web-fsn-01.torproject.org.yaml: - roles::static_mirror_web
hiera/nodes/web-fsn-02.torproject.org.yaml: - roles::static_mirror_web
Same with onionoo:
hiera/nodes/onionbalance-01.torproject.org.yaml: - onion::balance
hiera/nodes/onionoo-backend-01.torproject.org.yaml: - roles::onionoo_backend
hiera/nodes/onionoo-backend-02.torproject.org.yaml: - roles::onionoo_backend
hiera/nodes/onionoo-frontend-01.torproject.org.yaml: - roles::onionoo_frontend
hiera/nodes/onionoo-frontend-01.torproject.org.yaml: - roles::onionoo_hidden
hiera/nodes/onionoo-frontend-02.torproject.org.yaml: - roles::onionoo_frontend
hiera/nodes/onionoo-frontend-02.torproject.org.yaml: - roles::onionoo_hidden
hiera/nodes/oo-hetzner-03.torproject.org.yaml: - roles::onionoo_backend_old
Those are problematic and might be solved only with solution (2):
hiera/nodes/cache01.torproject.org.yaml: - roles::cache
hiera/nodes/cache-02.torproject.org.yaml: - roles::cache
hiera/nodes/cache-02.torproject.org.yaml: - roles::fde
hiera/nodes/hetzner-hel1-02.torproject.org.yaml: - bind::secondary
hiera/nodes/hetzner-hel1-02.torproject.org.yaml: - roles::fde
hiera/nodes/hetzner-nbg1-02.torproject.org.yaml: - roles::monitoring::external
hiera/nodes/hetzner-nbg1-02.torproject.org.yaml: - roles::fde
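
A minimal check for the rule in this ticket, as an added example that is not part of the original issue or of the project's tooling: it parses listing lines in the `<file>: - <class>` shape shown above and reports nodes that break the one-role rule, first strictly (option 1) and then with roles::fde and proliant treated as auxiliary classes (option 2). The sample lines are copied from the listings above; the function names and the `AUXILIARY` set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the listings in this ticket.
SAMPLE = """\
hiera/nodes/cache01.torproject.org.yaml: - roles::cache
hiera/nodes/cache-02.torproject.org.yaml: - roles::cache
hiera/nodes/cache-02.torproject.org.yaml: - roles::fde
hiera/nodes/hetzner-hel1-02.torproject.org.yaml: - bind::secondary
hiera/nodes/hetzner-hel1-02.torproject.org.yaml: - roles::fde
hiera/nodes/listera.torproject.org.yaml: - roles::static_mirror_web
hiera/nodes/listera.torproject.org.yaml: - roles::static_mirror_onion
hiera/nodes/listera.torproject.org.yaml: - profile::media
hiera/nodes/listera.torproject.org.yaml: - proliant
"""

# Shape of the listing lines: "hiera/nodes/<node>.yaml: - <class>"
LINE = re.compile(r"^hiera/nodes/(?P<node>\S+)\.yaml:\s*-\s*(?P<cls>\S+)\s*$")

# Assumption: the classes the ticket names as disk/hardware workarounds, which
# option 2 would keep in an auxiliary "class" field rather than count as roles.
AUXILIARY = frozenset({"roles::fde", "proliant"})

def classes_by_node(listing):
    """Group class names by node name, keeping listing order."""
    nodes = defaultdict(list)
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            nodes[m["node"]].append(m["cls"])
    return dict(nodes)

def audit(listing, auxiliary=frozenset()):
    """Map each offending node to its problems; compliant nodes are omitted."""
    report = {}
    for node, classes in classes_by_node(listing).items():
        main = [c for c in classes if c not in auxiliary]
        problems = [f"{len(main)} classes, expected 1"] if len(main) != 1 else []
        problems += [f"not a role: {c}" for c in main if not c.startswith("roles::")]
        if problems:
            report[node] = problems
    return report

if __name__ == "__main__":
    for label, aux in (("option 1 (strict)", frozenset()), ("option 2", AUXILIARY)):
        print(label)
        for node, problems in audit(SAMPLE, aux).items():
            print(f"  {node}: {'; '.join(problems)}")
```

Under option 2, cache-02 becomes compliant, while hetzner-hel1-02 and listera still need a real role to replace bind::secondary and profile::media.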