Puppet Configuration Management

Upload: simon-hanmer

Post on 16-Aug-2015

Page 1: Puppet configuration management

Puppet Configuration Management

Credit: Miki Yoshihito https://flic.kr/p/7JNRuf

Page 2: Puppet configuration management

[email protected] simonhanmer

# whoami
• Simon Hanmer
– IT Consultant
– Sysadmin, Infrastructure architect, server wrangler.


Page 3: Puppet configuration management


Overview
• Infrastructure as code!
• Describe the configuration using some ‘language’
– Deploy predictably
– Deploy rapidly
– Deploy often

Page 4: Puppet configuration management


Overview
• Puppet
– Deploy (first installations)
– Enforce (prevent changes)
– Audit (report changes)
• Like many tools, two versions
– Open source, free as in beer
– Enterprise – self hosted, with support (about $100 per node per year)

Page 5: Puppet configuration management


Overview
• Typically used to configure hosts with an installed OS, but can provision
– Bare metal
– Virtual
– Cloud
– Even non-server devices (F5 for example)

Page 6: Puppet configuration management


Deployment Models
• Standalone
– Single server enforcing its own configuration
• Distributed
– Master servers (single or multiple)
– Clients
– Secure – the managed servers have to be registered with the masters and can only see their own configurations; communications are encrypted with SSL.
• Can run as single-shot or at regular intervals

Page 7: Puppet configuration management


Architecture

[Diagram: a Puppet Server holding the Manifests, and Puppet Clients each sending Facts (information about the client) to it]

Page 8: Puppet configuration management


Facter

[simon@webconfig ~]$ facter > facter.txt
architecture => x86_64
blockdevice_sda_model => VBOX HARDDISK
blockdevice_sda_size => 8589934592
blockdevice_sda_vendor => ATA
dhcp_servers => {"system"=>"10.0.3.2", "enp0s8"=>"10.0.3.2"}
domain => lrn2.co.uk
fqdn => webconfig.lrn2.co.uk
hostname => webconfig
interfaces => enp0s3,enp0s8,lo
ipaddress => 192.168.56.20
ipaddress_enp0s3 => 192.168.56.20
ipaddress_enp0s8 => 10.0.3.15
ipaddress_lo => 127.0.0.1
is_virtual => true
kernel => Linux
kernelmajversion => 3.10
kernelrelease => 3.10.0-229.4.2.el7.x86_64
kernelversion => 3.10.0
macaddress => 08:00:27:4c:0a:12
macaddress_enp0s3 => 08:00:27:4c:0a:12
macaddress_enp0s8 => 08:00:27:70:b2:a7
memoryfree => 1.13 GB
memoryfree_mb => 1155.09
memorysize => 1.28 GB
memorysize_mb => 1310.63
operatingsystem => CentOS
operatingsystemmajrelease => 7
operatingsystemrelease => 7.1.1503
os => {"name"=>"CentOS", "family"=>"RedHat", "release"=>{"major"=>"7", "minor"=>"1", "full"=>"7.1.1503"}}
osfamily => RedHat
physicalprocessorcount => 1
processor0 => Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz
processorcount => 1
processors => {"models"=>["Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz"], "count"=>1, "physicalcount"=>1}
selinux => true
selinux_enforced => true
selinux_policyversion => 28
timezone => BST
uniqueid => a8c01438
virtual => virtualbox

Page 9: Puppet configuration management


Process flow

[Diagram: facter → node → classifier → hiera → puppet]

Page 10: Puppet configuration management


Hiera
• Remember ‘Infrastructure as code’?
– Most people start by hard-coding configuration
– Lots of duplication
– Separate code and config
– Repos (tip: separate code & config)
– Encrypt sensitive data
• Hiera to the rescue!

Page 11: Puppet configuration management


Hiera
• Hierarchy
• Decreasing specialisation of information
• Definitions override those lower in the hierarchy, so /hosts/somehost.com would override /production
• Common definitions can be pushed further down the hierarchy, which leads to less duplication

:hierarchy:
  - "hosts/%{::fqdn}"
  - "environment/%{::environment}/%{::operatingsystem}"
  - "domain/%{::domain}"
  - "os/%{::operatingsystem}"
  - "environment/%{::environment}"
  - common
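As an added worked example (not code from the slides, nor from Puppet or Hiera themselves), the following Python script simulates what Hiera does with a hierarchy like the one above: it parses facts out of facter-style output like the page 8 listing, interpolates the %{::fact} tokens to get the ordered list of data files, and then performs both a priority lookup (the hiera() function) and a hash-merge lookup (hiera_hash(), the call the module on page 15 relies on). The facter lines, the data files and the keys they define (ntp::servers, apache::package, the intranet.lrn2.co.uk site) are all constructed for the example.

```python
import re

# Constructed sample of facter output, in the "name => value" format shown on the slide.
FACTER_OUTPUT = """\
domain => lrn2.co.uk
environment => production
fqdn => webconfig.lrn2.co.uk
hostname => webconfig
operatingsystem => CentOS
osfamily => RedHat
"""

# The slide's hierarchy, most specific level first.
HIERARCHY = [
    "hosts/%{::fqdn}",
    "environment/%{::environment}/%{::operatingsystem}",
    "domain/%{::domain}",
    "os/%{::operatingsystem}",
    "environment/%{::environment}",
    "common",
]

# Constructed stand-ins for the YAML files under the Hiera datadir, keyed by
# path relative to that directory (file extension omitted).
DATA_FILES = {
    "hosts/webconfig.lrn2.co.uk": {
        "ntp::servers": ["ntp1.lrn2.co.uk"],
        "wordpress": {"intranet.lrn2.co.uk": {"docroot": "/var/www/intranet", "db_name": "intranet"}},
    },
    "os/CentOS": {"apache::package": "httpd"},
    "environment/production": {"ntp::servers": ["ntp.prod.lrn2.co.uk"]},
    "common": {
        "apache::package": "apache2",
        "ntp::servers": ["0.pool.ntp.org"],
        "wordpress": {"blog.anotherwordpress.com": {"docroot": "/var/www/blog", "db_name": "blog"}},
    },
}

FACT_TOKEN = re.compile(r"%\{::(\w+)\}")


def parse_facter(text):
    """Parse facter's 'name => value' lines into a dict; values stay strings."""
    facts = {}
    for line in text.splitlines():
        if " => " in line:
            name, value = line.split(" => ", 1)
            facts[name.strip()] = value.strip()
    return facts


def resolve_hierarchy(facts, hierarchy=HIERARCHY):
    """Interpolate %{::fact} tokens into each level, most specific first.

    A level whose fact is missing is dropped: real Hiera substitutes an empty
    string and then fails to find the file, which has the same effect.
    """
    paths = []
    for pattern in hierarchy:
        needed = FACT_TOKEN.findall(pattern)
        if all(name in facts for name in needed):
            paths.append(FACT_TOKEN.sub(lambda m: facts[m.group(1)], pattern))
    return paths


def hiera(key, facts, data=DATA_FILES):
    """Priority lookup (the hiera() function): the first level defining the key wins."""
    for path in resolve_hierarchy(facts):
        if key in data.get(path, {}):
            return data[path][key]
    raise KeyError(f"{key} not found in any hierarchy level")


def hiera_hash(key, facts, data=DATA_FILES):
    """Hash-merge lookup (hiera_hash()): collect the key from every level.

    Uses Hiera's default 'native' merge: top-level keys from all levels are
    combined and, for a key present at several levels, the most specific
    level's value replaces the others wholesale.
    """
    merged = {}
    for path in reversed(resolve_hierarchy(facts)):  # least specific first
        value = data.get(path, {}).get(key)
        if isinstance(value, dict):
            merged.update(value)
    return merged


if __name__ == "__main__":
    facts = parse_facter(FACTER_OUTPUT)
    for path in resolve_hierarchy(facts):
        print(path)
    print("ntp::servers    ->", hiera("ntp::servers", facts))
    print("apache::package ->", hiera("apache::package", facts))
    print("wordpress sites ->", sorted(hiera_hash("wordpress", facts)))
```

Run stand-alone, it prints the six resolved levels for the constructed webconfig facts and shows ntp::servers coming from the host file, apache::package from os/CentOS, and the wordpress hash containing both the common blog site and the host-specific intranet site, which is exactly the hash create_resources would iterate over. The merge modelled is Hiera's default shallow ("native") merge; merging nested hashes level by level needs `:merge_behavior: deeper` in hiera.yaml, which the script does not model.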

Page 12: Puppet configuration management


Hiera
• Uses YAML or JSON files
• Start with classes

classes:
  - component::webserver
  - component::mysql_server
  - component::git_repos
  - component::wordpress
  - cron

Page 13: Puppet configuration management


Hiera
• Then data

web::vhosts:
  blog.anotherwordpress.com-ssl:
    servername: blog.anotherwordpress.com
    port: 443
    docroot: /var/www/blog.anotherwordpress.com
    override: all
    ssl: true
    ssl_cert: /etc/ssl/certs/real_lfa.crt

wordpress:
  blog.anotherwordpress.com:
    docroot: /var/www/blog.anotherwordpress.com
    db_name: blog
    db_host: localhost
    db_user: blog_dba
    db_password: ENC[PKCS7,…]
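The db_password above is stored as an ENC[PKCS7,…] block, the form hiera-eyaml uses for a value encrypted to the master's key, so the plaintext never lands in the repo. A check a practitioner would want in front of such a repo, added here as an example that is not part of the slides or of hiera-eyaml, is a lint that walks the Hiera data and reports every sensitive-looking key whose value is not an encrypted block. The data below is a constructed copy of the slide's YAML as a Python dict (so it runs offline without a YAML library), with a constructed plaintext password added for a second site so the check has something to flag; the key-name and value patterns are assumptions to tune to your own naming conventions.

```python
import re

# Key names that should never carry a plaintext value in committed Hiera data
# (assumed naming convention; extend it to match your own).
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|private_key|api_key", re.IGNORECASE)

# hiera-eyaml's encrypted-value form: ENC[PKCS7,<base64 blob>]; the blob may be
# wrapped over several lines inside a YAML block scalar, hence \s in the class.
ENCRYPTED_VALUE = re.compile(r"^ENC\[PKCS7,[A-Za-z0-9+/=\s]+\]$")

# Constructed stand-in for the slide's YAML, already parsed into a dict.
# The base64 blob is made up, and the intranet site's password is a deliberate
# plaintext leak for the check to find.
HIERA_DATA = {
    "web::vhosts": {
        "blog.anotherwordpress.com-ssl": {
            "servername": "blog.anotherwordpress.com",
            "port": 443,
            "docroot": "/var/www/blog.anotherwordpress.com",
            "ssl": True,
            "ssl_cert": "/etc/ssl/certs/real_lfa.crt",
        }
    },
    "wordpress": {
        "blog.anotherwordpress.com": {
            "docroot": "/var/www/blog.anotherwordpress.com",
            "db_name": "blog",
            "db_host": "localhost",
            "db_user": "blog_dba",
            "db_password": "ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEA]",
        },
        "intranet.lrn2.co.uk": {
            "docroot": "/var/www/intranet",
            "db_name": "intranet",
            "db_password": "Winter2015!",  # constructed plaintext secret
        },
    },
}


def find_plaintext_secrets(data, path=()):
    """Return dotted paths of sensitive-looking keys whose value is not an ENC[PKCS7,...] block.

    Walks nested dicts and lists (list indices become path elements) so that
    secrets buried inside per-site or per-user hashes are found too.
    """
    findings = []
    if isinstance(data, dict):
        for key, value in data.items():
            here = path + (str(key),)
            if isinstance(value, (dict, list)):
                findings.extend(find_plaintext_secrets(value, here))
            elif SENSITIVE_KEY.search(str(key)) and not ENCRYPTED_VALUE.match(str(value)):
                findings.append(".".join(here))
    elif isinstance(data, list):
        for index, item in enumerate(data):
            findings.extend(find_plaintext_secrets(item, path + (str(index),)))
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_secrets(HIERA_DATA):
        print("plaintext secret:", finding)
```

Wire it into a pre-commit hook or CI job over the parsed YAML and fail the run when the list is non-empty. A value that matches the ENC[PKCS7,…] shape is only known to be well-formed, not to decrypt, so decrypting with eyaml on the master remains the real test.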

Page 14: Puppet configuration management


Puppet resources
• Dozen or so built-in resource types
• and define your own
• Enforce ordering – i.e. install package before enabling service

• cron
• exec
• file
• group
• host
• interface
• mailalias
• package
• router
• ssh_authorized_key
• user
• vlan
+ others

Page 15: Puppet configuration management


Puppet Module

class component::wordpress {
  user { 'wordpress' : ensure => present }

  # hiera_hash merges the 'wordpress' hash from every level of the hierarchy
  $wordpress = hiera_hash('wordpress')

  # one wordpress_site per key of the hash; the key becomes the resource title
  create_resources('wordpress_site', $wordpress)
}

# define wordpress resource type
# (parameters are the ones the body uses, shown as a placeholder on the slide;
#  $site defaults to the title that create_resources supplies)
define wordpress_site(
  $docroot,
  $db_host,
  $db_name,
  $db_user,
  $db_password,
  $site = $title
) {
  wordpress::instance { "wordpress_${site}" :
    install_dir    => $docroot,
    wp_owner       => 'apache',
    wp_group       => 'apache',
    version        => 'latest',
    db_host        => $db_host,
    db_name        => $db_name,
    db_user        => $db_user,
    db_password    => $db_password,
    create_db      => true,
    create_db_user => true,
  }

  apache::vhost { $site:
    port          => '80',
    docroot       => $docroot,
    docroot_owner => 'apache',
    docroot_group => 'apache',
    # as on the slide; '0777' is world-writable, '0755' with owner apache is the usual least-privilege choice
    docroot_mode  => '0777',
  }
}

Page 16: Puppet configuration management


Pros
• Free or paid support (although I’ve seen puppetlabs employees deliver free support through the community)
• Established (2005) but regular updates
• Deploy to bare metal, VMs or cloud
• Open source modules via forge.puppetlabs.com – from both PuppetLabs and individuals
• Good documentation – online and printed books

Cons
• Language is declarative, so by default the order of implementation isn’t guaranteed
• Default deployment can only handle 10s of nodes, but it is easy to scale this (using Passenger)

Page 17: Puppet configuration management


What next?
• puppetlabs.com
– Downloads
– Documentation
– Training VMs
• forge.puppetlabs.com
– Module repository