How do I prevent puppet interfering with manual server changes

puppet

A lot of our server configuration is managed via puppet. Puppet runs every 15 minutes via cron and applies configuration changes.

If a server has problems I sometimes need to change configuration manually on the server (e.g try different settings, enable more logging). The problem is that puppet then overwrites my manual changes whenever the cron job runs.

What would you recomment to handle this problem?

Maybe deactivate puppet while working on the servers? Could be the risk that I forget to reenable it and then have one server out of sync.


Solution 1:

What I normally do is the following

  • Manually stop puppet on that machine
  • Have a nagios or monitoring tool of your choice alert that will warn me when puppet hasn't been run for more than 2 hours
  • If you want to be extra cautious also make a pupet watchdog, one that checks that the /var/run file is in place, if you stop puppet properly it'll erase it, if the file is there but there's no process it died so it'll start up again

With #1 and #2 you'll cover 99% of your case scenarios, and if you want to maybe #3 will help you when puppet misbehaves (sometimes it did on me)

Good luck!

Solution 2:

What I do is simply make it part of the routine to check the Puppet Dashboard for hosts that haven't sent new reports recently, and disable Puppet while working. Dashboard has a section specifically for those hosts, which makes it pretty easy to identify them.

Alternatively, you could comment out the configuration for that node, or add a schedule to it that excludes the time you'll be working on it. In both cases you can still forget it, though the latter case the problem is mitigated.

Solution 3:

lynxman's answer is a good one. I would follow his advice.

In addition, I would look at what you are asking puppet to do.

For example, if you are asking puppet to copy a file over /etc/hosts, could you instead edit the file, adding/setting the definitions you need (via puppet-augeas)? If you needed to make other changes to the file for debugging on a host, so long as your changes weren't related to the ones puppet was making, puppet would then no-longer overwrite your work.

Related

Simulate network reset or failure in Windows
Ubuntu set hostname via hostnamectl with multiple virtual hosts
What does the "same as parent folder" mean in DNS?
Google Cloud Windows Server 2019 VM snapshoot unable to boot
Error getting the list of sites from the target environment: An invalid dn syntax has been specified
templating file with ansible to get different variable parts (through its index) for different hosts
How to locate bad login attempts on a domain account when source is unknown
3 router 2 networks want to see each other + share internet [closed]
Clear cached authentication for network share
Zero downtime with Kubernetes on top of GlusterFs on top of a ZFS raid - Is this the best solution?
Custom error page apache
How to make a folder accessible with remote domain url?