[Piuparts-devel] concerning master-slave packaging
Holger Levsen
holger at layer-acht.org
Sun Jun 17 18:01:23 UTC 2012
Hi,
On Freitag, 15. Juni 2012, Dave Steele wrote:
> None of our candidate solutions work out of the box, by design.
Huh, why not?
> Is something like Puppet available for the virtualization scenario?
you mean if DSA uses puppet? yes. see http://dsa.debian.org/ for more info.
(DSA are they fine folks who maintain piatti.d.o and many other debian
machines.)
> > (well, unless we implement auto discovery of slaves...)
> What are you thinking about here?
for example querying DNS if a hostname "piuparts" exist in the local domain :)
> development complexity, vs. install recipes and carrying around extra
> packages.
I think it will be a quite simple extra binary package, so the costs are
rather small.
> > yes, we know about this. how is this relevant here?
> As a thought experiment. It may be prudent to look at the level of
> trust placed in the code that piuparts runs, and package
> appropriately.
right. I think it's safest to recommend to run piuparts in an environment
considered untrusted. Master and report are probably more trustworthy, but
then it's code written with QA in mind, not with security...
> I question whether master/slave is the right dividing line for
> splitting up the packaging. Another candidate split is
> generate_daily_reports/http_docs vs everything else, separating
> less-trusted code execution from outward facing interfaces. Picking a
> line now may be premature optimization.
Sure. But I'm not striving for optimisation here, rather usability.
cheers,
Holger
More information about the Piuparts-devel
mailing list