role::base
This role is special in that it cannot be assigned to a system. It is meant to be included by all other roles and provide basic functionality that all roles need anyway.
Parameters
| Name | Type | Default |
|---|---|---|
| default_target | string | multi-user |
| default_enable_afs | bool | undef |
| default_enable_pmodules | bool | undef |
| default_pmodules_when_afs | bool | false |
| default_local_homes | bool | undef |
| default_enable_mta | bool | undef |
| enable_afs | bool | hiera('base::enable_afs') |
| enable_autofs | bool | hiera('base::enable_autofs') |
| enable_epics | bool | hiera('base::enable_epics') |
| enable_filecopy | bool | hiera('base::enable_filecopy') |
| enable_ganglia | bool | hiera('base::enable_ganglia') |
| enable_icinga | bool | hiera('base::enable_icinga') |
| enable_iommu | bool | hiera('base::enable_iommu') |
| enable_kdump_client | bool | hiera('base::enable_kdump_client') |
| enable_local_homes | bool | hiera('base::local_homes', undef) |
| enable_mta | bool | hiera('base::enable_mta', undef) |
| enable_multipath | bool | hiera('base::enable_multipath') |
| enable_nfs_server | bool | hiera('base::enable_nfs_server') |
| enable_nomachine | bool | hiera('base::enable_nomachine') |
| enable_platform | bool | hiera('base::enable_platform') |
| enable_pmodules | bool | hiera('base::enable_pmodules') |
| enable_print_client | bool | hiera('base::enable_print_client') |
| enable_rhgb | bool | hiera('base::enable_rhgb') |
| enable_ssh_client | bool | hiera('base::enable_ssh_client') |
| enable_telegraf | bool | hiera('base::enable_telegraf') |
| enable_updatedb | bool | hiera('base::enable_updatedb') |
| include_aaa | bool | true |
| include_log_client | bool | true |
| include_rpm_repos | bool | true |
| package_groups | array | hiera_array('base::package_groups', []) |
| package_excludes | array | hiera_array('base::package_exclude', []) |
| pkg_group::* | array | hiera_array('base::pkg_group::...', []) |
| selinux_mode | string | hiera('base::selinux_mode', 'enforcing') |
| update_interval | enum | hiera('base::automatic_updates::interval', 'weekly') |
| update_type | enum | hiera('base::automatic_updates::type', 'security') |
| update_exclude | array | hiera_array('base::automatic_updates::exclude', []) |
| update_kernel | bool | hiera('base::automatic_updates::kernel', false) |
default_target
Specifies the systemd default target to configure. This does not
isolate the target (see systemctl(1)), but merely sets it so it will
become active after a reboot.
default_enable_afs
Allows the role programmer to define if AFS should be enabled or not
when there is no base::enable_afs Hiera setting and
parameter enable_afs is undefined (default).
default_enable_pmodules
Allows the role programmer to define if pmodules should be enabled or
not when there is no base::enable_pmodules Hiera setting
and parameter enable_pmodules is undefined (default).
default_pmodules_when_afs
Allows the role programmer to define if pmodules should be
automatically enabled together with AFS.
This requires the parameters default_enable_pmodules and
enable_pmodules to be undefined (default) and that there is
no base::enable_pmodules Hiera setting.
default_local_homes
Allows the role programmer to define if local homes should be used if not configured differently in Hiera. This is the default on RHEL8.
default_enable_mta
Allows the role programmer to define if postfix should be enabled or
not when there is no base::enable_mta Hiera setting and
parameter enable_mta is undefined (default).
enable_afs
Determines whether to include the afs_client <../profiles/afs_client> profile to
enable AFS access. For the softioc role this is ignored;
there is a separate softioc::enable_afs Hiera
setting instead.
Puppet roles should not set this parameter as this overrides
base::enable_afs from Hiera. Please use
default_enable_afs instead to define the role
preference.
enable_autofs
Enable the autofs service. This is not
needed for automounts! It is only needed to support the
-hosts map as documented in auto.master. The -hosts map is
mounted on /net.
enable_epics
Enables EPICS. TODO: more details...
enable_filecopy
Enable the filecopy profile, which allows deploying
arbitrary files from git.psi.ch through Hiera.
enable_ganglia
Determines whether to include the ganglia_client
<../profiles/ganglia_client> profile.
enable_ssh_client
Deploy global SSH client configuration, i.e.
/etc/ssh/ssh_config.
enable_telegraf
Enable the telegraf monitoring agent, which reports various system metrics to InfluxDB servers.
enable_icinga
Determines whether to include the icinga_client
<../profiles/icinga_client> profile, which installs the
client components necessary for Icinga-based monitoring.
enable_iommu
Enables IOMMU support in the kernel at boot. The node needs to be rebooted for this change to become active.
enable_kdump_client
Determines whether to include the kdump_client <../profiles/kdump_client>
profile.
enable_local_homes
Configures local homes.
Puppet roles should not set this parameter as this overrides
base::enable_local_homes from Hiera. Please use
default_local_homes instead to define the role
preference.
enable_mta
Enables postfix.
Puppet roles should not set this parameter as this overrides
base::enable_mta from Hiera. Please use
default_enable_mta instead to define the role
preference.
enable_multipath
Enable the multipath profile for basic multipath
functionality.
enable_nfs_server
Enable the kernel NFS server and configure the exports(5) file. See the
nfs_server <../profiles/nfs_server> profile for
details.
enable_nomachine
Include the nomachine profile, which can install
NoMachine NX in various configurations.
enable_platform
Enable the platform profile, which installs and
configures hardware-specific tools and configurations.
enable_pmodules
Determines whether to enable the pmodules <../profiles/pmodules> profile. When
true, the necessary configuration is automatically sourced for all
normal users (i.e. UID >= 1000 and no -adm suffix) using
bash(1).
Requires AFS to work, as the required configuration files are stored on AFS.
Puppet roles should not set this parameter as this overrides
base::enable_pmodules from Hiera. Please use
default_enable_pmodules or even
default_pmodules_when_afs instead to define the role
preference.
enable_print_client
Enable and configure CUPS as a client. See the print_client
<../profiles/print_client> profile for details.
enable_rhgb
Determines whether the graphical boot screen is enabled.
enable_updatedb
Determines whether updatedb(8) (aka locate(1)) is enabled. When enabled, it is
still possible to exclude certain directories from indexing. This is also
supported directly by the mounter module.
include_aaa
Determines whether to include the aaa <../profiles/aaa> profile, which configures
authentication, authorization, and (partly) auditing.
include_log_client
Include the log_client <../profiles/log_client> profile.
This is only meant to allow roles to customize the log_client
<../profiles/log_client> profile.
include_rpm_repos
Determines whether to install the default RPM package repositories.
package_groups
The list of package groups to install. Package groups are defined in
Hiera using base::pkg_group::NAME.
pkg_group::NAME
An array defining the package group NAME. Each entry contains
the package name, optionally followed by one or more tags, separated by
:. The following tags are allowed:
| Tag | Description |
|---|---|
| latest | ensure the latest version of the package is installed |
| absent | ensure the package is not installed |
| os=redhat7 | install it only on this OS |
| os!redhat7 | install on any OS except this one |
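The tag syntax above, as an added Ruby example (Ruby being the language Puppet functions are written in); this is not the role's own code. The function names, the sample package names, the 'installed' state for untagged entries and the strict rejection of unknown or conflicting tags are assumptions of this example.

```ruby
# Resolve one pkg_group entry such as "openssl:latest:os!redhat7" for a given OS.
# Returns [name, ensure_state], or nil when an os tag excludes this OS.
def resolve_pkg_entry(entry, os)
  name, *tags = entry.split(':')
  raise ArgumentError, "empty package name in #{entry.inspect}" if name.nil? || name.empty?

  ensure_state = 'installed' # assumption: an untagged entry is a plain install
  applies = true
  tags.each do |tag|
    case tag
    when 'latest', 'absent'
      if ensure_state != 'installed' && ensure_state != tag
        raise ArgumentError, "conflicting tags in #{entry.inspect}"
      end
      ensure_state = tag
    when /\Aos=(.+)\z/
      applies &&= (os == Regexp.last_match(1))
    when /\Aos!(.+)\z/
      applies &&= (os != Regexp.last_match(1))
    else
      # Fail loudly: a typo such as "telnet:absnt" must not silently turn
      # a removal into an installation.
      raise ArgumentError, "unknown tag #{tag.inspect} in #{entry.inspect}"
    end
  end
  applies ? [name, ensure_state] : nil
end

# Resolve a whole group into { package name => ensure state } for one OS.
def resolve_pkg_group(entries, os)
  entries.map { |e| resolve_pkg_entry(e, os) }.compact.to_h
end

# Constructed sample group, not taken from any real Hiera data.
SAMPLE_GROUP = [
  'vim-enhanced',
  'openssl:latest',
  'telnet:absent',
  'tmux:os=redhat7',
  'chrony:latest:os!redhat7',
].freeze
```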
package_excludes
An array of packages which are not made available on the system.
selinux_mode
The SELinux mode to use, one of enforcing,
permissive, and disabled. The
configured SELinux mode (i.e. the setting in
/etc/sysconfig/selinux) is changed immediately. The runtime
mode is changed as follows, as certain transitions are impossible
without a reboot:
| Current | Setting | New runtime |
|---|---|---|
| Enforcing | Disabled | Permissive |
| Enforcing | Permissive | Permissive |
| Permissive | Enforcing | Enforcing |
| Permissive | Disabled | Permissive |
| Disabled | Permissive | Disabled |
| Disabled | Enforcing | Disabled |
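The table reduces to two rules: a host running with SELinux disabled stays disabled until reboot, and a request for disabled only reaches permissive until reboot. The following added Ruby example (not the role's own code) encodes those rules and lists the hosts where the configured mode is not yet in effect; the function names and the sample inventory are assumptions of this example, and a host already in the requested mode is taken to stay unchanged.

```ruby
SELINUX_MODES = %w[enforcing permissive disabled].freeze

# Runtime mode right after a Puppet run, given the current runtime mode and
# the selinux_mode setting. Reproduces the transition table with two rules.
def selinux_runtime_after_apply(current, setting)
  current, setting = [current, setting].map { |m| m.to_s.downcase }
  [current, setting].each do |m|
    raise ArgumentError, "unknown SELinux mode #{m.inspect}" unless SELINUX_MODES.include?(m)
  end
  return 'disabled' if current == 'disabled'    # enabling SELinux needs a reboot
  return 'permissive' if setting == 'disabled'  # disabling SELinux needs a reboot
  setting                                       # enforcing <-> permissive is immediate
end

# Hosts whose runtime mode still differs from the configured mode after the
# run, i.e. hosts that must be rebooted before the setting is really in effect.
# Returns { host => runtime mode after the run }.
def selinux_pending_reboot(hosts, setting)
  hosts.each_with_object({}) do |(host, current), out|
    runtime = selinux_runtime_after_apply(current, setting)
    out[host] = runtime unless runtime == setting.downcase
  end
end

# Constructed inventory: host name => mode as reported by getenforce.
SAMPLE_FLEET = {
  'node-a' => 'Enforcing',
  'node-b' => 'Permissive',
  'node-c' => 'Disabled',
}.freeze
```

With selinux_mode set to enforcing, only node-c is reported: it keeps running without SELinux until it is rebooted, which is the case worth alerting on.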
update_interval
How often automatic updates should be installed. Valid options
are never, daily and weekly.
update_type
What type of package updates should be installed automatically,
either security for only security updates or
all for all updates.
update_exclude
List of packages which shall not be updated automatically. Wildcards like * are allowed. The kernel is excluded by default.
update_kernel
Determines whether the kernel package should also be updated automatically. Note that the necessary reboot to run the new kernel needs to be done manually.
Examples
The most basic usage is:
    class role::some_role () {
      include role::base
      # ...
    }
Most profiles that are included can be excluded when necessary:
    class role::some_role () {
      # Declare role::base with the Icinga client profile switched off
      class {'role::base':
        enable_icinga => false,
      }
      # ...
    }
This can be used to customize some of the basic profiles:
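    class role::some_role () {
      # Keep role::base from including profile::aaa itself ...
      class {'role::base':
        include_aaa => false,
      }
      # ... and declare it here with custom parameters instead
      class {'profile::aaa':
        allow_sudoers_d => true,
      }
      # ...
    }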