Environment Isolation

Try Puppet

Introduction
Quick start guides
Puppet 4.10 release notes
Puppet agent release notes
Puppet Server 2.6 release notes
puppet-agent: What is it, what’s in it?
Where did everything go?
Deprecated features
Installing and upgrading
Configuration
Important directories and files
Environments
Modules
Puppet’s services and tools
Puppet Server
The Puppet language
Writing custom functions
Hiera: using configuration data
Resource types
Reports: Tracking Puppet’s activity
Extensions for assigning classes to nodes
Misc. references (settings, functions, etc.)
Man pages
HTTP API
SSL and certificates
Adding file server mount points
Details about Puppet’s internals
Experimental features

Expand all

Environment Isolation

Open Source Puppet — 4.10

This version is out of date. For current versions, see Puppet packages and versions.

Sections

Environment isolation

Environment isolation prevents resource types from leaking between your various environments.

If you use multiple environments with Puppet, you might encounter issues with multiple versions of the same resource type leaking between your various environments on the master. This doesn’t happen with Puppet’s built-in resource types, but it can happen with any other resource types.

This problem occurs because Ruby resource type bindings are global in the Ruby runtime. The first loaded version of a Ruby resource type takes priority, and then subsequent requests to compile in other environments get that first-loaded version. Environment isolation solves this issue by generating and using metadata that describes the resource type implementation, instead of using the Ruby resource type implementation, when compiling catalogs.

Note: Other environment isolation problems, such as external helper logic issues or varying versions of required gems, are not solved by the generated metadata approach. This fixes only resource type leaking. Resource type leaking is a problem that affects only masters, not agents.

Enable environment isolation with Puppet

To use environment isolation, generate metadata files that Puppet can use instead of the default Ruby resource type implementations.

On the command line, run puppet generate types --environment <ENV_NAME> for each of your environments. For example, to generate metadata for your production environment, run: puppet generate types --environment production
Whenever you deploy a new version of Puppet, overwrite previously generated metadata by running puppet generate types --environment <ENV_NAME> --force

Enable environment isolation with r10k

To use environment isolation with r10k, generate types for each environment every time r10k deploys new code. (Environment isolation is not supported with r10k in Puppet Enterprise.)

To generate types with r10k, use one of the following methods:
- Modify your existing r10k hook to run the generate types command after code deployment.
- Create and use a script that first runs r10k for an environment, and then runs generate types as a post run command.
If you have enabled environment-level purging in r10k, whitelist the resource_types folder so that r10k doesn’t purge it.

Note: In Puppet Enterprise, environment isolation is provided by Code Manager. Environment isolation is not supported for r10k with Puppet Enterprise.

Troubleshooting environment isolation

If the generate types command cannot generate certain types, if the type generated has missing or inaccurate information, or if the generation itself has errors or fails, you will get a catalog compilation error of “type not found” or “attribute not found.”

To fix these errors:

Ensure that your Puppet resource types are correctly implemented. Refactor any problem resource types.
Regenerate the metadata by removing the environment’s .resource_types directory and running the generate types command again.
If you continue to get catalog compilation errors, disable environment isolation to help you isolate the error.

To disable environment isolation in open source Puppet:

Remove the generate types command from any r10k hooks.
Remove the .resource_types directory.

To disable environment isolation in Puppet Enterprise:

In /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf, remove the pre-commit-hook-commands setting.
In Hiera, set puppet_enterprise::master::puppetserver::pre_commit_hook_commands: []
On the command line, run service pe-puppetserver reload
Delete the .resource_types directories from your staging code directory, /etc/puppetlabs/code-staging.
Deploy the environments.

generate types

When you run the generate types command, it scans the entire environment for resource type implementations, excluding core Puppet resource types.

The generate types command accepts the following options:

--environment <ENV_NAME>: The environment for which to generate metadata. If you don’t specify this argument, the metadata is generated for the default environment (production).
--force: Use this flag to overwrite all previously generated metadata.

For each resource type implementation it finds, the command generates a corresponding metadata file, named after the resource type, in the <env-root>/.resource_types directory. It also syncs the files in the .resource_types directory so that:

Types that have been removed in modules are removed from resource_types.
Types that have been added are added to resource_types.
Types that have not changed (based on timestamp) are kept as is.
Types that have changed (based on timestamp) are overwritten with freshly generated metadata.

The generated metadata files, which have a .pp extension, exist in the code directory. If you are using Puppet Enterprise with Code Manager and file sync, these files appear in both the staging and live code directories. The generated files are read-only. Do not delete them, modify them, or use expressions from them in manifests.