Puppet without Root - PuppetConf 2013
Puppet Without Root
Spencer Krum
UTi Worldwide Inc.
Books
  Pro Puppet 2nd Ed.*
  Beginning Puppet**
  *With Jeff McCune, James Turnbull, William Van Hevelingen, and Ben Kero
  **With William Van Hevelingen and Ben Kero
Intro
  UTi History
  UTi Goals
  DevOps Role
  Limitations
Intro (cont.)
  Installing the Puppet client
  Running the Puppet client
  Package, File, Service
  Rootless module
Intro (cont.)
  Installing Puppet Master as nonroot
  Installing Apache as nonroot
  Installing Passenger as nonroot
  Upgrading Puppet as nonroot
UTi History
UTi Goals
DevOps Role
Limitations
  No root access
  Each devopser has a user
  Sudo to the application user (appserv, webserv, swmgmt, tibco, fico)
  Application user has limited sudo access
Limitations (cont.)
  Limited homedir space
  /opt/app LVM volume, big but not massive (20G)
  Oracle Enterprise 5, not often updated
  Few development libraries
Installing the Puppet client
  Libyaml built from source, separate
  Ruby built from source, separate
  Puppet and facter from source, together
  All installed using a --prefix
Installing the Puppet client
  Puppet config in /opt/app/tibco/opt/puppet/etc/puppet/conf/puppet.conf
  Ruby/yaml located in /opt/app/tibco/opt/{ruby,yaml}
Installing the Puppet client
  Drop the whole thing in via a tarball.
  Massive sed -i on files.
Installing the Puppet client
  Each client is in an environment
  Conflate UTi environments and Puppet environments
  Puppet vardir, libdir, ssldir all under /opt
  No control over DNS, so set server = machinename
Running the Puppet client
  Source a bash file to set RUBYLIB and LD_LIBRARY_PATH
  Run Puppet with the --config argument to pick up the config file; it forks to the background
  @reboot cron to fire it up if the machine bounces
Multi User
  Sometimes we want to run a service as the fico user and a separate service as the tibco user on the same machine
Certname Abuse
  Set certname = user-hostname in puppet.conf: fico-devbuild1.go2uti.com
  Two node definitions in site.pp now
  Both users have Puppet installed under /opt/app/$USER/opt
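The per-user agent layout from the last few slides (config under the prefix, vardir/libdir/ssldir under the prefix, certname = user-hostname, the sourced environment file and the @reboot cron entry) as a set of shell functions. This is an added example, not code from the talk or from UTi. It assumes PREFIX=/opt/app/$USER/opt with the config at $PREFIX/puppet/etc/puppet/conf/puppet.conf, Puppet's var tree under $PREFIX/puppet/var and the from-source ruby/libyaml under $PREFIX/{ruby,yaml}; the library subpaths inside those builds, and every user name and hostname, are constructed values.

```shell
#!/bin/sh
# Added example (not from the talk or the UTi code): the per-user agent layout
# from the slides above as a few shell functions. Assumed layout, mirroring the
# paths shown: PREFIX=/opt/app/$USER/opt, config in
# $PREFIX/puppet/etc/puppet/conf/puppet.conf, vardir/libdir/ssldir under
# $PREFIX/puppet/var, ruby and libyaml under $PREFIX/{ruby,yaml}.
# User names, hostnames and library subpaths are constructed sample values.

conf_path() { echo "$1/puppet/etc/puppet/conf/puppet.conf"; }
ssl_dir()   { echo "$1/puppet/var/ssl"; }

# render_puppet_conf PREFIX USER FQDN SERVER ENV
#   certname is "<user>-<fqdn>" (the certname trick above), so two application
#   users on one box get two certificates and two node definitions in site.pp.
#   The server is given explicitly because DNS is not ours to change.
render_puppet_conf() {
    prefix=$1 user=$2 fqdn=$3 server=$4 env=$5
    cat <<EOF
[main]
    vardir      = ${prefix}/puppet/var
    libdir      = ${prefix}/puppet/var/lib
    ssldir      = $(ssl_dir "$prefix")
    logdir      = ${prefix}/puppet/var/log
    rundir      = ${prefix}/puppet/var/run

[agent]
    certname    = ${user}-${fqdn}
    server      = ${server}
    environment = ${env}
EOF
}

# write_puppet_conf PREFIX USER FQDN SERVER ENV
#   /opt/app is shared between the application users, so the agent's private
#   key under ssldir must not be readable by the others: create the tree and
#   the config under umask 077 and keep ssldir at mode 700.
write_puppet_conf() {
    conf=$(conf_path "$1")
    (umask 077 &&
     mkdir -p "$(dirname "$conf")" "$(ssl_dir "$1")" &&
     chmod 700 "$(ssl_dir "$1")" &&
     render_puppet_conf "$@" > "$conf")
}

# rootless_puppet_env PREFIX
#   Point RUBYLIB and LD_LIBRARY_PATH at the from-source builds. This is the
#   "source a bash file" step; call it right before running puppet rather than
#   from a login shell (library subpaths are assumptions for this example).
rootless_puppet_env() {
    RUBYLIB="$1/puppet/lib:$1/facter/lib${RUBYLIB:+:$RUBYLIB}"
    LD_LIBRARY_PATH="$1/yaml/lib:$1/ruby/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    PATH="$1/ruby/bin:$1/puppet/bin:$PATH"
    export RUBYLIB LD_LIBRARY_PATH PATH
}

# reboot_cron_line PREFIX
#   The @reboot entry that brings the backgrounded agent back after a bounce;
#   $PREFIX/bin/puppet_env.sh is assumed to call rootless_puppet_env.
reboot_cron_line() {
    echo "@reboot . $1/bin/puppet_env.sh && $1/puppet/bin/puppet agent --config $(conf_path "$1")"
}

# usage (constructed values): the fico user on devbuild1, master on the same box
# write_puppet_conf /opt/app/fico/opt fico devbuild1.go2uti.com devbuild1.go2uti.com development
# (crontab -l 2>/dev/null; reboot_cron_line /opt/app/fico/opt) | crontab -
```

Everything the agent owns stays below the prefix, so two users on the same host never collide on a path, and the restrictive umask matters because /opt/app is readable by every application user while the agent's key under ssldir must not be.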
Package, File, Service
Package
  Two basic methods:
  Wrap an untar command in a defined type
  Recursive file resource (Puppet as package manager)
Package
  We use both

# recursive file resource: the module's files/ tree is the package
class uti_httpd::base {
  file { "${home_path}/httpd":
    ensure  => directory,
    owner   => $owner,
    group   => $group,
    source  => 'puppet:///modules/uti_httpd',
    recurse => remote,
  }
  ...
}

# untar wrapped in a resource: idempotent through "creates"
exec { "create-jdk-install-${install_root}":
  command => "/bin/tar xvzf ${tarball_directory}/${jdk_name}",
  cwd     => $install_root,
  creates => "${install_root}/${jdk_create_dir}",
}
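The untar-wrapped-in-a-resource method above, as a shell function with the two checks a practitioner would want before an exec resource unpacks a vendor tarball into a shared /opt/app tree: the tarball's digest must match the one pinned in the manifest, and no member path may land outside the install root. This is an added example, not code from the talk or the UTi modules; the function names and the JDK file names are constructed.

```shell
#!/bin/sh
# Added example (not from the talk or the UTi modules): the "untar wrapped in a
# defined type" idea as a shell function, with the checks I would want in front
# of an exec resource that unpacks a vendor tarball into a shared /opt/app tree.
# Function names and the JDK file names are constructed for this example.

# listing_is_safe: read a tar listing on stdin; fail if any member would land
# outside the extraction directory (absolute path or a ".." component).
listing_is_safe() {
    while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# sha256_of FILE: GNU coreutils or BSD/perl shasum, whichever is present
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_tarball TARBALL INSTALL_ROOT CREATES EXPECTED_SHA256
#   Same contract as the exec resource above: a no-op once INSTALL_ROOT/CREATES
#   exists (Puppet's "creates"), otherwise extract into INSTALL_ROOT. Before
#   extracting it verifies the digest pinned in the manifest and refuses member
#   paths that escape INSTALL_ROOT. Returns 0 if present or installed, 1 otherwise.
install_tarball() {
    tarball=$1 root=$2 creates=$3 expected=$4
    if [ -d "$root/$creates" ]; then
        echo "already installed: $root/$creates"
        return 0
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi
    if ! tar tzf "$tarball" | listing_is_safe; then
        echo "refusing $tarball: a member path escapes $root" >&2
        return 1
    fi
    mkdir -p "$root" &&
    tar xzf "$tarball" -C "$root" &&
    [ -d "$root/$creates" ]
}

# usage (constructed values):
# install_tarball /opt/app/tibco/tarballs/jdk-7u45-linux-x64.tar.gz \
#                 /opt/app/tibco/opt jdk1.7.0_45 <sha256 pinned in the manifest>
```

The `creates` directory gives the same idempotence as the exec resource; the digest check is what turns "whatever tarball is lying in the tarball directory" into "the artifact the manifest intended", which is the property an unprivileged install tree otherwise lacks.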
File
  The file type works strangely when not running as root
  $owner, $group problem
  Implementation around 'write' access

# resource default so every file resource carries the non-root owner and group
File {
  owner => $owner,
  group => $group,
}

file { $install_root:
  ensure => directory,
}
file { "${install_root}/keystore/":
  ensure  => directory,
  require => File[$install_root],
}
Service
  Possibly the best handled in a rootless environment
  Can't use the real init system
  Can use the binary, start, status, stop parameters to great effect
  I want to look at the path

# base provider: Puppet runs our own init script instead of the system's
service { 'icinga':
  ensure     => running,
  provider   => base,
  enable     => true,
  hasstatus  => true,
  hasrestart => true,
  start      => "${home_path}/icinga/init/icinga-init start",
  stop       => "${home_path}/icinga/init/icinga-init stop",
  restart    => "${home_path}/icinga/init/icinga-init restart",
  name       => 'icinga',
}
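A pidfile-based init script of the kind the service resource above hands to the base provider as its start/stop/restart commands. It lives entirely under the user's tree, reports LSB-style status codes so Puppet gets a real answer, and copes with the stale-pidfile case (a daemon that died while its pidfile stayed behind). This is an added example, not the icinga-init script from the talk or anything from UTi; the daemon command, the pidfile and log locations are constructed and can be overridden from the environment (HOME_PATH plays the role of the manifest's ${home_path}).

```shell
#!/bin/sh
# Added example (not from the talk or the UTi modules): a pidfile-based init
# script of the kind the base-provider service resource above calls as its
# start/stop/restart commands. It lives entirely under the user's own tree and
# never touches the real init system. The daemon command, the log location and
# the pidfile path are constructed for this example; override them in the
# environment (the manifest's ${home_path} corresponds to HOME_PATH here).

: "${HOME_PATH:=$HOME/icinga}"
: "${DAEMON:=sleep 3600}"                      # stand-in for the real daemon
: "${PIDFILE:=$HOME_PATH/var/run/daemon.pid}"
: "${LOGFILE:=$HOME_PATH/var/log/daemon.log}"

# svc_status: LSB-style codes so Puppet's status check gets a real answer
#   0 = running, 1 = dead but pidfile exists (stale), 3 = not running
svc_status() {
    [ -f "$PIDFILE" ] || return 3
    pid=$(cat "$PIDFILE")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    return 1
}

svc_start() {
    if svc_status; then
        echo "already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    rm -f "$PIDFILE"                            # clear a stale pidfile
    mkdir -p "$(dirname "$PIDFILE")" "$(dirname "$LOGFILE")"
    # detach from the terminal; $DAEMON is split on whitespace on purpose
    nohup $DAEMON </dev/null >>"$LOGFILE" 2>&1 &
    echo $! > "$PIDFILE"
    svc_status                                  # fail if it died immediately
}

svc_stop() {
    if ! svc_status; then
        echo "not running"
        rm -f "$PIDFILE"
        return 0
    fi
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null || true
    # give it up to 10 seconds to exit cleanly, then force
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1
        i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill -9 "$pid" 2>/dev/null || true
    fi
    rm -f "$PIDFILE"
}

svc_restart() {
    svc_stop
    svc_start
}

svc_main() {
    case "$1" in
        start)   svc_start ;;
        stop)    svc_stop ;;
        restart) svc_restart ;;
        status)  svc_status ;;
        *) echo "usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# dispatch only when invoked with an action, so the file can also be sourced
[ $# -eq 0 ] || { svc_main "$@"; exit $?; }
```

Because `kill -0` only succeeds for processes the user may signal, a pidfile that has been rewritten to point at another user's process reads as "dead", which is the safe failure for a script that will only ever manage its own user's daemons.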
Rootless Module
Rootless Module
  Module to provide types and facts to rootless persons
  tarfile type
  jdk type
  facts for user, group, tempdir
  new file type for rootless environments

# body of the rootless file type; $name, $content and $notify are its parameters.
# Stage the content under /var/tmp, then cat it over the target so the target's
# owner, group and mode are left alone.
$tempname = regsubst($name, '/', '-', 'G')
file { "/var/tmp/${tempname}":
  ensure  => file,
  content => $content,
}
exec { "copy-in-${name}":
  command   => "cat /var/tmp/${tempname} > ${name}",
  path      => ['/bin', '/usr/bin'],   # exec needs a path unless a resource default supplies one
  subscribe => File["/var/tmp/${tempname}"],
  notify    => $notify,
}
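The owner/group problem from the File slide and the stage-then-cat move of the rootless file type above, written as one shell function so the mechanism is visible: writing through the target's existing inode keeps its owner, group and mode, which Puppet's normal file type (write a temp file, rename it into place) cannot do for a file we merely have write access to. This is an added example, not code from the talk or the UTi rootless module; the function name and the staging location are constructed, and where the defined type stages under a predictable name in /var/tmp, this version stages with mktemp under a mode-700 directory in the user's own tree, so no other local user can pre-create or read the staging path.

```shell
#!/bin/sh
# Added example (not from the talk or the UTi rootless module): the same
# "stage the content, then cat it over the target" move as the defined type
# above, written as a shell function so the why is visible. Writing through the
# existing inode keeps the file's owner, group and mode, which is exactly what
# Puppet's file type (write a temp file, rename it into place) cannot preserve
# for a file owned by another application user that we merely have write
# access to. The staging directory and the function name are constructed here;
# the staging file is created with mktemp under a mode-700 directory in the
# user's own tree instead of a fixed name in /var/tmp.

inode_of() { ls -i "$1" | awk '{print $1}'; }

# rootless_file TARGET SOURCE
#   Make TARGET have the content of SOURCE. Prints "unchanged: ..." or
#   "changed: ..." (the latter is what a notify would key off) and returns 0;
#   returns 1 on error or if TARGET is a symlink, which we do not follow.
rootless_file() {
    target=$1 source=$2
    if [ -L "$target" ]; then
        echo "refusing symlink target $target" >&2
        return 1
    fi
    if [ -f "$target" ] && cmp -s "$source" "$target"; then
        echo "unchanged: $target"
        return 0
    fi
    stagedir=${ROOTLESS_TMP:-$HOME/.rootless-tmp}
    mkdir -p "$stagedir" && chmod 700 "$stagedir" || return 1
    stage=$(mktemp "$stagedir/stage.XXXXXX") || return 1
    if ! cat "$source" > "$stage"; then
        rm -f "$stage"
        return 1
    fi
    if [ -e "$target" ]; then
        # existing file: write through its inode so ownership and mode survive
        if ! cat "$stage" > "$target"; then
            rm -f "$stage"
            return 1
        fi
        rm -f "$stage"
    else
        # nothing to preserve yet: a rename is atomic and good enough
        mv "$stage" "$target" || { rm -f "$stage"; return 1; }
    fi
    echo "changed: $target"
}

# usage (constructed values):
# rootless_file /opt/app/tibco/opt/httpd/conf/httpd.conf /opt/app/swmgmt/staging/httpd.conf
```

The content comparison up front is what makes this idempotent in the Puppet sense: an unchanged target produces no write and therefore no notify, while a real change is the only thing that triggers a restart downstream.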
Puppet Module Rootless
  GitHub GoGo!
  https://github.com/UTIWorldwide/puppet-module-rootless
  puppet module install utiworldwide/rootless
Puppet Master as nonroot
  Puppet Labs software (3)
    Puppet
    Hiera
    Facter
Puppet Master as nonroot
  Other software
    Apache
    Passenger
    Libyaml
    Libapr
Two generations
  First generation
    Installed everything to /opt
    Apache + libapr separate
    Ruby, yaml separate
    Puppet, facter, hiera conjoined
Two generations
  Problems with first gen
    No central log location
    No way to upgrade
    Conf files awkwardly all over the place
    Rack dir lived under the puppet dir
Two generations
  New generation
    Everything rooted under a $HOME/local
    BSD Ports style
    Hiera, puppet, facter running from source
    'init' scripts for everything in local/etc
    Logs all go to local/var
Installation points
  Use a bash function to expose the puppet command

# load the from-source ruby environment, then run puppet against the fake root's confdir
puppet () {
    . "$FAKE_ROOT/bin/.ruby_setup.sh"
    "$FAKE_ROOT/opt/puppet/bin/puppet" "$@" --confdir="$FAKE_ROOT/etc/puppet"
}
Installation points
  Passenger 4 reads your .bashrc; check for a tty before getting fancy

# only re-exec without TMOUT for interactive logins; Passenger's shell has no tty
if tty -s; then
    if env | grep TMOUT >/dev/null; then
        exec env -u TMOUT bash
    fi
fi
Installation points
  Set LD_LIBRARY_PATH and RUBYLIB at the last possible second, in the puppet function or in etc/init.d/httpd
Installation points
  Build Passenger on an equivalent system and rsync it up; its dependencies are many, and installing libcurl and openssl from source is hard.
Installation points
  Try to keep your env as similar to a rooted environment as you can.
  Tell lies to tell the truth.
Outro
Questions?
Spencer Krum
github.com/nibalizer
nibalizer on irc.freenode.net
Book from Apress
http://www.apress.com/9781430260400