Puppet Master ClassPuppet overview

About Me:

Miguel RodriguesDevOps

using puppet 3 yearslousy creator of slidesets

What is puppet CM tool - Bring running systems to consistent state;

Despite the starting point systems will end in the same point, in a repeatable and predictable way;

Other CM tools : Chef, Ansible, Salt, Capistrano…..

What is the need for a CM ?Admin one, two … servers is nice … do it on 1000 is awful

boring repeatable …..

To Err is Human; To Really Foul Things Up Requires a Computer…. image the mess in 100's or 1000's of computers

@WikiLovers Started by Luke Kanies in 2005founded Puppet LabsGPL Unix* and Windows Ruby Have one language (DSL) more details: Wiki for it ;-)

Declare where you want to be ( not how to get there ) - presenting Manifest’s

file: some_manifest.ppnode ‘some_name_or_ip’ {

….do_stuff_to_get_servers_where_You_want….

}puppet apply some_manifest.pp

Hold on … Are there any requisites ?

Need running system ( bootstrapping is another issue, more on that later )

puppet installed ( How2 and dependencies are OS specific )

Do Stuff

puppet apply classes to nodes classes are set of resources and resources are ….

Some Resources Examples

packagefile service

cronexec notify user …..

Full list of resources at https://docs.puppetlabs.com/references/latest/type.html

Facts: "that is life"We take decisions based on facts , so puppet can do it

Facts are variables to puppet environment facts others ( eg: this server is “yellow”) facts can ( should be ) used in classes

Confused ??

Ntp and Time, one classic example

ChallengeWhat time is it ?Systems need to be accurateupdate logs with timestamps do action based on time

Network Time Protocol (NTP) is a networking protocol for clock synchronization

Basic Ntp on a server (variables, resources and templates)

file: some_manifest.ppnode ‘some_name_or_ip’ {

$package_name= “ntp” $host_config = “xpto”$ntp1 = “ip_or_address_1”$ntp2 = “ip_or_address_2”package { $package_name: ensure => installed, } file { 'ntp_config_file':

ensure => file, path => '/etc/ntp.conf', require => Package[$package_name], content => template('ntp.conf.erb'), mode => '0644', owner => 'root', group => 'root',

}(variables in orange and resources in red)

service { 'ntpd': ensure => running, name => 'ntpd', enable => true, subscribe => File['ntp_config_file'],

}}

puppet apply some_manifest.pp

Templates … Files Files are used to configure services

The content can be static ;-( or should be based on environment

Templates can add Dynamic content

Based on variables

have ruby logic in it ( if/else, cycles, …. )

Ntp template (ntp.conf.erb)- template example

restrict default ignore<% if @host_config == "some_value" -%>

server <%= @ntp1 %><% else -%>server <%= @ntp2 %><% end -%>server 127.127.1.0 fudge 127.127.1.0 stratum 10driftfile /var/lib/ntp/driftbroadcastdelay 0.008keys /etc/ntp/keysrestrict 127.0.0.1

Not a clever way to code , Modules are here

Modules are self-contained bundles of code and data.

file: some_manifest.ppnode ‘some_name_or_ip’ {class { 'my_ntp_module':}}

file: ./modules/my_ntp_module/manifests/init.ppclass my_ntp_module {

…. same do_stuff ….file { 'ntp.conf': …. content => template('my_ntp_module/ntp.conf.erb'), .. }}

file:./modules/my_ntp_module/templates/ntp.conf.erb

puppet apply --modulepath ./modules/some_manifest.pp

Clever Modules … Arguments file: ./modules/my_ntp_module/manifests/init.pp

class my_ntp_module ($package_name, $host_config, $ntp1, $ntp2) {…. same do_stuff …. }

}file: some_manifest.pp

node ‘some_name_or_ip’ {class { 'my_ntp_module':package_name => “ntp”

host_config =>“xpto”ntp1 => “ip_or_address_1”ntp2 =>“ip_or_address_2”

}}

puppet apply --modulepath ./modules some_manifest.pp

Code and data “all together” :-(... welcome to backends (Hiera)

Purpose separate data ( values) from logic (code)support multiple data types (values, list, hash ….)

Hiera is a key/value lookup tool for configuration data

Hiera can use several different data backends, including two built-in backends ( yaml and JSON ) and other optional ones.

Data EncryptionWhy ?

Secrets should be kept … secret “someone” should know about Secrets

Backends may be encrypted when and where needed for a list of “trusted persons"

Modules with backend file: ./modules/my_ntp_module/manifests/init.pp

class my_ntp_module ($package_name, $host_config, $ntp1, $ntp2) {…. same do_stuff …. }

}file: some_manifest.pp

node default { hiera_include('classes')}node ‘same_name_or_ip’ {class { 'my_ntp_module':}}file: hieradata/backend.yaml

my_ntp_module::package_name: “ntp” my_ntp_module::host_config: “xpto”my_ntp_module::ntp1: “ip_or_address_1”my_ntp_module::ntp2: “ip_or_address_2”

puppet apply --modulepath ./modules --hiera_config hiera.yaml --some_manifest.pp

Where Manifests (and related stuff) are?

Manifests (and resources specified in it) must exist on the system at the time they are applied

They go there “by magic”:“Someone” send them to the system ( push

approach) fetched from some place ( eg: VCS like git, svn,

… ) (pull approach ) “just are there”

Bootstrapping Servers How ?

:-( “manually”CF/ AMI …. in AWS PXE boot ( in “DC”)Heat ( in Openstack) others ...

Bootstrapping Servers - Process (1)

1.Install OS2.“Hard” install

a.Set keys for VCS authorizationb.Set facts for the host

(product/env/role/location/… )c.Set hostname, and "basic stuff"

Bootstrapping Servers - Process (2)

3.“Soft” install a.Fetch manifests code and backend data from

VCS based on facts b.Apply puppet