Architecture #8463
Server roles is a BIG mess causing inconsistencies and bugs
Description
OK, so the management of server roles is an über mess. I'm trying to sum up everything, going into the technical details, and I will link some examples of existing bugs.
So, the main problems are:
- the list of possible roles is never defined. You could say it is extensible/dynamic based on files defined somewhere, but in that case, half of the code is not designed for that;
- names are completely inconsistent, both in the use of prefixes (rudder, rudder.server-roles, role-rudder...), the use of -/_, and the role names themselves!
- most of the time, the roles lifecycle is bound to policy generation, but not always, creating inconsistencies.
We have as sources of server roles:
- /opt/rudder/etc/rudder-web.properties
- /opt/rudder/etc/server-roles.d/
- inventories (and roles are actually missing in JSON from API call)
- the webapp / generation process (based on some undocumented behaviour, for example for root_server and policy_server)
OK, so right now, with all that duplication, you can imagine the worst. And you are right!
- names in rudder-web.properties are not the same as names in /opt/rudder/etc/server-roles.d/
- in default installs, names in /opt/rudder/etc/server-roles.d/ are not very clear: web and webapp, jetty...
- a relay doesn't have a /opt/rudder/etc/server-roles.d/[relay-top or relay-anything]
- names in rudder-web.properties, server-roles.d/ and rudder-server-roles.conf use "-", but cfengine classes use "_"
We have server roles generated in the following files:
/var/rudder/cfengine-community/inputs/rudder-server-roles.conf
- comes from system variable RUDDER_SERVER_ROLES (policy generation time)
- seems to be linked to what is rudder-web.properties and inventory, but only a sublist of them (only rudder-ldap, rudder-inventory-endpoint, rudder-db, rudder-web)
/var/rudder/cfengine-community/inputs/promises.cf
- comes from system variable NODEROLE (policy generation time)
- linked to a predefined list of roles (same as rudder-web.properties), plus policy_server & root_server.
/var/rudder/cfengine-community/inputs/common/1.0/site.cf
- predefined list, different from the previous one, value read at each run of cf-agent and uses files in server-roles.d/
- so basically, out of sync and not from the same origin as the others (if you add a file in server-roles.d/, site.cf will update its value at the next run, but other information will stay the same until the next inventory+regeneration of policies...)
We should:
- use the same names everywhere (the ones from site.st ?)
- use the same _/- everywhere (_, to be compatible with cfengine? Or at least "-" for file names, "_" everywhere else)
- use the same lifecycle everywhere (from the webapp, so that at a given moment, all generated promises for the different parts are consistent?)
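An added example (not Rudder code, and not part of the original issue) of a check that makes the drift described above visible: it reduces each role spelling to one canonical form and reports which sources lack which role. The prefix styles come from the issue text; the role lists, the `role_rudder_*` spellings and the idea that each file in a `server-roles.d`-style directory names one role are assumptions, and the sample data is constructed.

```python
import os
import re
import tempfile

# Prefix styles quoted in the issue, after separator normalisation; longest first.
PREFIXES = ("rudder_server_roles_", "role_rudder_", "rudder_")

def canonical(name):
    """Reduce one role spelling to a prefix-free, underscore-only form."""
    n = re.sub(r"[-.]", "_", name.strip().lower())
    for prefix in PREFIXES:
        if n.startswith(prefix):
            return n[len(prefix):]
    return n

def roles_from_dir(path):
    """Assumption: each regular file in a server-roles.d-style directory is one role."""
    return sorted(f for f in os.listdir(path)
                  if os.path.isfile(os.path.join(path, f)))

def drift(sources):
    """sources: {source name: [role spellings]}.
    Returns {canonical role: [sources that lack it]} for roles not declared everywhere."""
    seen = {src: {canonical(r) for r in roles} for src, roles in sources.items()}
    every = set().union(*seen.values())
    report = {}
    for role in sorted(every):
        missing = sorted(src for src, have in seen.items() if role not in have)
        if missing:
            report[role] = missing
    return report

def demo():
    # Constructed sample data; real installs will differ.
    with tempfile.TemporaryDirectory() as d:
        for fname in ("rudder-web", "rudder-ldap", "rudder-jetty"):
            open(os.path.join(d, fname), "w").close()
        return drift({
            "server-roles.d": roles_from_dir(d),
            "rudder-web.properties": ["rudder.server-roles.web",
                                      "rudder.server-roles.ldap",
                                      "rudder.server-roles.db"],
            "promises.cf": ["role_rudder_web", "role_rudder_ldap",
                            "role_rudder_db", "policy_server"],
        })

if __name__ == "__main__":
    for role, missing in demo().items():
        print(f"{role}: not declared in {', '.join(missing)}")
```
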
Updated by François ARMAND over 8 years ago
- Related to Bug #8197: rudder-server-roles.conf doesn't have proper hostname added
Updated by François ARMAND over 8 years ago
- Related to User story #8435: System techniques sometime trust the webapp role definition sometime not added
Updated by Nicolas CHARLES over 8 years ago
- Related to User story #6582: Simple relay should be a role added
Updated by François ARMAND over 8 years ago
To clarify concepts, we choose to clearly split the vocabulary between two words:
- server roles are what the machine declares itself to be. They are internal Rudder things, mainly used to manage packaging / init / init scripts (and solve chicken and egg problems in distributed set-up). They are declared with files in /opt/rudder/etc/server-roles.d/, and sent to the Rudder server in the inventory. Based on them, and other external configuration, the Rudder server can choose (or not) to expose service urls to other components of the infrastructure.
- service urls are connection points to resources needed to do something. For example, a node managed by Rudder needs to know 3 service urls: one to get new policies from, one to send inventories to, and one to send compliance reports to. Service urls are location-dependent (two nodes may have a different reports url - and a relay gets another one), and not all urls are exposed to all servers (of course).
Based on that new vocabulary, we can define the following roles:
- rudder-web: the WEB UI
- rudder-configuration-db: where directives/groups/etc are stored
- rudder-policy-generator: the part of the system that generates policies from configuration
- rudder-policy-provider: the origin policy server (today, cf-serverd colocated with the Rudder web application)
- rudder-policy-relay: a relay for policies
- rudder-inventory-db: where inventories are stored
- rudder-inventory-processor: app able to get inventories and put them into inventory-db
- rudder-inventory-relay: a relay for inventories
- rudder-report-db: the store for compliance reports
- rudder-report-processor: app able to get reports and put them in report-db
- rudder-report-relay: a relay for reports.
A machine can have several roles. And for now, no specific role is defined for Rudder agent.
Then, we have the following service urls:
- rudder_web_url
- rudder_api_url
- rudder_report_db_url
- rudder_inventory_db_url
- rudder_configuration_db_url
- rudder_policy_url
- rudder_inventory_url
- rudder_report_url
The first two are not used today (well, by user / third party app). The last three are the service urls needed by a node to correctly talk with Rudder. The other ones are needed internally (so that Rudder knows where to store things).
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 2.11.23 to 2.11.24
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 2.11.24 to 308
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 308 to 3.1.14
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.1.14 to 3.1.15
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.1.15 to 3.1.16
Updated by Vincent MEMBRÉ about 8 years ago
- Target version changed from 3.1.16 to 3.1.17
Updated by François ARMAND about 8 years ago
- Related to Bug #6405: Server roles overwritten regularly for unknown reason added
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.1.17 to 3.1.18
Updated by Vincent MEMBRÉ almost 8 years ago
- Target version changed from 3.1.18 to 3.1.19
Updated by François ARMAND over 7 years ago
- Related to Bug #9882: Missing server roles in debian 7 relay added
Updated by Benoît PECCATTE over 7 years ago
- Tracker changed from Bug to Architecture
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.19 to 3.1.20
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.20 to 3.1.21
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.21 to 3.1.22
Updated by Vincent MEMBRÉ over 7 years ago
- Target version changed from 3.1.22 to 3.1.23
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.23 to 3.1.24
Updated by Vincent MEMBRÉ about 7 years ago
- Target version changed from 3.1.24 to 3.1.25
Updated by Benoît PECCATTE about 7 years ago
- Target version changed from 3.1.25 to 4.1.9
Updated by Vincent MEMBRÉ almost 7 years ago
- Target version changed from 4.1.9 to 4.1.10
Updated by Benoît PECCATTE almost 7 years ago
- Target version changed from 4.1.10 to Ideas (not version specific)
Updated by Alexis Mousset almost 3 years ago
- Status changed from New to Rejected
Legacy server roles have been removed from 7.0, we now have a lighter model, based on server-side config and not on installed packages. Closing!