Puppet Configuration Management
Credit: Miki Yoshihito https://flic.kr/p/7JNRuf
[email protected] simonhanmer
# whoami
• Simon Hanmer
  – IT Consultant
  – Sysadmin, infrastructure architect, server wrangler.
Overview
• Infrastructure as code!
• Describe the configuration using some ‘language’
  – Deploy predictably
  – Deploy rapidly
  – Deploy often
Overview
• Puppet
  – Deploy (first installations)
  – Enforce (prevent changes)
  – Audit (report changes)
• Like many tools, two versions
  – Open source, free as in beer
  – Enterprise – self hosted, with support (about $100 per node per year)
Overview
• Typically used to configure hosts with an installed OS, but can also provision
  – Bare metal
  – Virtual
  – Cloud
  – Even non-server devices (F5 for example)
Deployment Models
• Standalone
  – Single server enforcing its own configuration
• Distributed
  – Master servers (single or multiple)
  – Clients
  – Secure – client servers have to be registered with the masters and can only see their own configurations; communications are encrypted with SSL.
• Can run as single-shot or at regular intervals
Architecture (diagram)
• Puppet Server
• Puppet Clients – each client sends its facts (information about the client) to the server; the server compiles the manifests and the client applies the result.
Facter
[simon@webconfig ~]$ facter > facter.txt
architecture => x86_64
blockdevice_sda_model => VBOX HARDDISK
blockdevice_sda_size => 8589934592
blockdevice_sda_vendor => ATA
dhcp_servers => {"system"=>"10.0.3.2", "enp0s8"=>"10.0.3.2"}
domain => lrn2.co.uk
fqdn => webconfig.lrn2.co.uk
hostname => webconfig
interfaces => enp0s3,enp0s8,lo
ipaddress => 192.168.56.20
ipaddress_enp0s3 => 192.168.56.20
ipaddress_enp0s8 => 10.0.3.15
ipaddress_lo => 127.0.0.1
is_virtual => true
kernel => Linux
kernelmajversion => 3.10
kernelrelease => 3.10.0-229.4.2.el7.x86_64
kernelversion => 3.10.0
macaddress => 08:00:27:4c:0a:12
macaddress_enp0s3 => 08:00:27:4c:0a:12
macaddress_enp0s8 => 08:00:27:70:b2:a7
memoryfree => 1.13 GB
memoryfree_mb => 1155.09
memorysize => 1.28 GB
memorysize_mb => 1310.63
operatingsystem => CentOS
operatingsystemmajrelease => 7
operatingsystemrelease => 7.1.1503
os => {"name"=>"CentOS", "family"=>"RedHat", "release"=>{"major"=>"7", "minor"=>"1", "full"=>"7.1.1503"}}
osfamily => RedHat
physicalprocessorcount => 1
processor0 => Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz
processorcount => 1
processors => {"models"=>["Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz"], "count"=>1, "physicalcount"=>1}
selinux => true
selinux_enforced => true
selinux_policyversion => 28
timezone => BST
uniqueid => a8c01438
virtual => virtualbox
Hiera
• Remember ‘Infrastructure as code’?
  – Most people start by hard-coding configuration
  – Lots of duplication
  – Separate code and config
  – Repos (tip: separate code & config)
  – Encrypt sensitive data
• Hiera to the rescue!
Hiera
• Hierarchy
• Decreasing specialisation of information
• Definitions override those lower in the hierarchy, so /hosts/somehost.com would override /production
• Common definitions can be pushed further down the hierarchy, which leads to less duplication

:hierarchy:
  - "hosts/%{::fqdn}"
  - "environment/%{::environment}/%{::operatingsystem}"
  - "domain/%{::domain}"
  - "os/%{::operatingsystem}"
  - "environment/%{::environment}"
  - common
Hiera
• Uses YAML or JSON files
• Start with classes

classes:
  - component::webserver
  - component::mysql_server
  - component::git_repos
  - component::wordpress
  - cron
Hiera
• Then data

web::vhosts:
  blog.anotherwordpress.com-ssl:
    servername: blog.anotherwordpress.com
    port: 443
    docroot: /var/www/blog.anotherwordpress.com
    override: all
    ssl: true
    ssl_cert: /etc/ssl/certs/real_lfa.crt

wordpress:
  blog.anotherwordpress.com:
    docroot: /var/www/blog.anotherwordpress.com
    db_name: blog
    db_host: localhost
    db_user: blog_dba
    db_password: ENC[PKCS7,...]
Puppet resources
• Dozen or so built-in resource types
• and define your own
• Enforce ordering – e.g. install package before enabling service

Built-in types include:
• cron
• exec
• file
• group
• host
• interface
• mailalias
• package
• router
• ssh_authorized_key
• user
• vlan
+ others
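As an added example (not from the slides) of the ordering point above, this manifest installs Apache, drops a config file and only then enables the service, with require and notify making the dependencies explicit, and adds a user whose SSH key is managed as a resource. The class name, file path, deploy user and key value are assumptions; the package and service are assumed to be called httpd as on a RedHat-family host.

```puppet
# Added example, not from the slides: explicit ordering between resources.
# Assumes a RedHat-family host (like the facter output above) where the
# Apache package and service are both called 'httpd'.
class component::webserver_base {

  # 1. Package first.
  package { 'httpd':
    ensure => installed,
  }

  # 2. Config file after the package (require), and restart the service
  #    whenever the file content changes (notify).
  file { '/etc/httpd/conf.d/hardening.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "ServerTokens Prod\nServerSignature Off\nTraceEnable Off\n",
    require => Package['httpd'],
    notify  => Service['httpd'],
  }

  # 3. Service last: without the require it could be started before the
  #    package exists and the first run would fail.
  service { 'httpd':
    ensure  => running,
    enable  => true,
    require => Package['httpd'],
  }

  # Deploy user with a managed SSH key instead of a password.
  # The key value is a placeholder; substitute a real public key.
  user { 'deploy':
    ensure     => present,
    managehome => true,
    shell      => '/bin/bash',
  }

  ssh_authorized_key { 'deploy@workstation':
    ensure  => present,
    user    => 'deploy',
    type    => 'ssh-rsa',
    key     => 'AAAAB3NzaC1yc2EAAAADAQABAAAB...PLACEHOLDER',
    require => User['deploy'],
  }
}
```

The same package -> file ~> service dependency can also be written with chaining arrows on one line; '~>' adds the refresh that notify provides.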
Puppet Module

class component::wordpress {
  user { 'wordpress' : ensure => present }

  # pull the 'wordpress' hash from Hiera (keyed by site name) and create
  # one wordpress_site resource per entry
  $wordpress = hiera_hash('wordpress')
  create_resources('wordpress_site', $wordpress)
}

# define wordpress resource type; the resource title is the site name and
# the parameters match the keys in the Hiera data
define wordpress_site(
  $docroot,
  $db_name,
  $db_host,
  $db_user,
  $db_password
) {
  wordpress::instance { "wordpress_${title}" :
    install_dir    => $docroot,
    wp_owner       => 'apache',
    wp_group       => 'apache',
    version        => 'latest',
    db_host        => $db_host,
    db_name        => $db_name,
    db_user        => $db_user,
    db_password    => $db_password,
    create_db      => true,
    create_db_user => true,
  }

  apache::vhost { $title:
    port          => '80',
    docroot       => $docroot,
    docroot_owner => 'apache',
    docroot_group => 'apache',
    docroot_mode  => '0777',  # world-writable, as on the slide; tighten for production
  }
}
Pros / Cons

Pros
• Free or paid support (although I’ve seen Puppet Labs employees deliver free support through the community)
• Established (2005) but regularly updated
• Deploy to bare metal, VMs or cloud
• Open source modules via forge.puppetlabs.com, from both Puppet Labs and individuals
• Good documentation, online and in printed books

Cons
• Language is declarative, so by default order of implementation isn’t guaranteed
• Default deployment can only handle tens of nodes, but it is easy to scale (using Passenger)
What next?
• puppetlabs.com
  – Downloads
  – Documentation
  – Training VMs
• forge.puppetlabs.com
  – Module repository