do you know all of puppet?

Post on 28-Jan-2018


Do you know all of Puppet?

Julien Pivotto (@roidelapluie)

Budapest DevOps Meetup

April 23, 2017

$::user

Julien Pivotto

@roidelapluie on irc/github/twitter

Puppet user since 2011 (Puppet 0.24)

VoxPupuli member (& security officer)

inuits

Scope

(Ab)using Puppet

The Puppet community

Puppet DSL tips and tricks

Why?

Puppet present in lots of places

There are lots of new exciting features

But the puppet DSL has a strong trunk

Many don't use all of its capacities

Using Puppet

Creative Commons Attribution 2.0 https://www.flickr.com/photos/jimmcd/4859841581

Custom facts

    FACTER_bootstrap=true puppet agent --test

Useful for 1-time facts, or overwriting existing facts (e.g. ipaddress) without code.

Custom facts (scripts)

    $ ./mycustomscript
    datacenter=mydc

Custom facts (ruby)

    # Interrupt Remapping
    # http://www.novell.com/support/kb/doc.php?id=7014344
    # https://access.redhat.com/site/solutions/110053
    # https://access.redhat.com/site/solutions/722593

    Facter.add("is_interrupt_remapping_broken") do
      confine :kernel => "Linux"
      setcode do
        # Look for the affected chipset revisions in the lspci output.
        # The command is kept on one logical line so the shell sees a
        # single grep pattern.
        output = Facter::Util::Resolution.exec(
          '/sbin/lspci -nn | grep -E ' \
          '\'8086:(340[36].*rev 13|3405.*rev (12|13|22))\''
        )
        # The fact is true only when grep matched something.
        !(output.nil? || output.empty?)
      end
    end

The Puppet resource face

    $ puppet resource file /home/u/.vimrc
    file { '/home/u/.vimrc':
      ensure  => 'file',
      content => '{md5}d414e9800998ecf8427e',
      ctime   => '2017-04-25 11:01:05 +0100',
      group   => '1000',
      mode    => '0644',
      mtime   => '2017-04-25 15:02:03 +0100',
      owner   => '1000',
      type    => 'file',
    }
    $ puppet resource file .hushlogin mode=0755

Pluginsync

In modules:

    lib/puppet/reports/prometheus.rb
    lib/augeas/lenses/tmpfiles.aug

Share reports processors

Share augeas lenses

Share facts

Puppet as a CA

Each Puppet agent has a certificate

It is used and maintained

It is easy to sign/generate

e.g.: The foreman

Tooling for your laptop

puppet parser validate

Built into puppet

    find . -name "*.pp" -exec puppet parser validate {} +

Style and Best practices

Puppet-lint 2

Plugins:

parameter_documentation

roles_and_profiles

package_ensure

unquoted_string

legacy_facts

many more...

The community

Creative Commons Attribution 2.0 https://www.flickr.com/photos/mrmystery/15868773733/

Puppet Modules

Modules are awesome

They have clear APIs

Easy to make code ready for everyone

Sharing is part of lots of Puppet users' mindset

The modules ecosystem

Puppet Forge

Github

Puppet is aging

Lots of old, unmaintained modules

Modules not Puppet 4 compatible

Modules untested

Modules without maintainers

The world evolves fast

Ruby versions, gems, change fast

Keeping an up to date public CI (with travis) is hard

But you don't need to change every module every day...

Vox Pupuli

Creative Commons Attribution-ShareAlike 4.0 https://github.com/voxpupuli/logos

What is Vox Pupuli?

Vox Pupuli is a community

We are sysadmins/developers/... Puppet users

We share values

Started in 2014

What do we do

We share Puppet modules

We maintain them, improve them

We provide a nice home for Puppet modules

How

We automate

We are experts (we use those modules)

We are an important group (98 people)

We enforce our Code of Conduct

Join us (with or without code)

Open Pull requests (we have 118 repos)

Share your modules

Get in touch

#voxpupuli on IRC

voxpupuli

http://github.com/voxpupuli

voxpupuli@groups.io

The Puppet DSL

Creative Commons Attribution 2.0 https://www.flickr.com/photos/mujitra/4421810399

The Puppet DSL

Awareness of its potential

Write less code

Avoid bad patterns

The File resource

    file { '/etc/motd':
      ensure  => file,
      content => 'foobarbarfoofoobar',
    }

content => file()

    file { '/etc/motd':
      ensure  => file,
      content => file("${module_name}/motd"),
    }

For small, text files (file content is in the catalog)

Since Puppet 3.7.0

validate_cmd

    file { '/etc/corosync/corosync.conf':
      ensure       => file,
      validate_cmd => '/usr/sbin/corosync -t %',
    }

Verify the file before replacing it

Since Puppet 3.5.0

Alternative in stdlib for older versions

show_diff

    file { '/etc/app/secrets':
      content   => 'my secret content',
      show_diff => false,
    }

Since Puppet 3.2.1
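An added example (not from the original slides) that combines validate_cmd and show_diff on security-sensitive files: a sudoers drop-in that is syntax-checked before it replaces the live file, and a credentials file whose content stays out of agent logs and reports. The class name profile::sudo_ops, the sudoers file name, the ops and app groups and the $db_password parameter are assumptions; the Sensitive type needs Puppet 4.6 or later.

```puppet
# Hypothetical profile class; names, groups and the parameter are assumptions.
class profile::sudo_ops (
  Sensitive[String] $db_password,
) {
  # A syntax error in sudoers breaks sudo for everyone, so visudo checks
  # the candidate file (%) before Puppet replaces the live one.
  file { '/etc/sudoers.d/10-ops':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "%ops ALL=(ALL) ALL\n",
    validate_cmd => '/usr/sbin/visudo -cf %',
  }

  # show_diff => false keeps the content diff out of logs and reports.
  # The value still travels in the catalog, so tight permissions and
  # skipping the filebucket backup matter as well.
  file { '/etc/app/secrets':
    ensure    => file,
    owner     => 'root',
    group     => 'app',
    mode      => '0640',
    content   => Sensitive("password=${db_password.unwrap}\n"),
    show_diff => false,
    backup    => false,
  }
}
```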

replace

    file { '/etc/installtime':
      content => template('date.erb'),
      replace => no,
    }

Since Puppet 0.19.0

backup

    file { '/etc/hosts':
      content => template('hosts.erb'),
      backup  => '.bak',
    }

Since a very long time...

source

    file { '/etc/issue.net':
      source => '/etc/motd',
    }

Since a very long time...

autorequires

Don't do:

    file { '/tmp':
    }

    file { '/tmp/foo':
      require => File['/tmp'],
    }

because files auto-require their parents (and owners, groups...)

Since Puppet 0.10.2

other autorequires

Exec, Cron require their users

Mount requires its parents

Exec requires its File[cwd]

other autodependencies

Resource types can implement autonotify and autosubscribe

(this is used in puppet-corosync)

Since Puppet 4.0.0

noop

    package { 'ntpd':
      ensure => latest,
      noop   => true,
    }

noop is not only a global setting - it is also a metaparameter that can be applied to any resource

Present since a very long time...

purging resources

    resources { 'cron':
      purge => true,
      noop  => true,
    }

Present since Puppet 0.22.0

Present since 3.5.0 (for cron resources)

exec tries

    exec { '/bin/wget 127.0.0.1':
      tries     => 10,
      try_sleep => 1,
    }

Present since Puppet 2.6.0

arrays

    file { '/usr/bin/sometimesexecutable':
      mode => ['0755', '0644'],
    }

Will accept both modes, and set 0755 if not matching.

Can be used with most of the properties.

Since Puppet 0.23.1

Requirements

    define foo::bar {
      Package['foo'] -> Foo::Bar[$name]
    }

Is the same as:

    foo::bar { 'barfoo':
      require => Package['foo'],
    }

Aliases

Instead of:

    file { "/tmp/foo/bar/bar.foo/foobar":
      ensure => file,
    }

    service { 'barfoo':
      require => File['/tmp/foo/bar/bar.foo/foobar'],
    }

Aliases

Use:

    file { "/tmp/foo/bar/bar.foo/foobar":
      ensure => file,
      alias  => 'foobar',
    }

    service { 'barfoo':
      require => File['foobar'],
    }

Since a very long time...

Loglevel

    exec { '/bin/mybrokenexec':
      loglevel => debug,
    }

Since Puppet 0.23.1

Conclusion

Creative Commons Attribution 2.0 https://www.flickr.com/photos/wwworks/6320539775/

Puppet

Puppet is among the sysadmin's basic tools now

Tooling around it is great

Very active and mature community

Powerful DSL; can handle many scenarios

Julien Pivotto

roidelapluie

roidelapluie@inuits.eu

Inuits

https://inuits.eu

info@inuits.eu

Contact
