Puppet, profile picture
Uploaded byPuppet
PDF, PPTX3,141 views

What we Learned Implementing Puppet at Backstop

The document details the experiences and lessons learned by Bill Weiss regarding the management and deployment of servers at Backstop Solutions, particularly focusing on using Puppet for configuration management. It discusses challenges faced in server setup, including issues with global variables, file management, and monitoring, as well as the benefits of using Hiera for managing configurations. Weiss emphasizes the importance of automation and the efficiency gained through Puppet, while also acknowledging the need for continuous improvement and adaptation in their deployment processes.

Embed presentation

Download as PDF, PPTX
Puppet  at  Backstop   Learn  from  our  mistakes   (and  a  few  wins  along  the  way)  
Who  am  I?   •  Bill  Weiss  <bill@backstopsoluAons.com>   •  @BillWeiss   •  Wrote  a  bunch  of  the  coming  examples  of   what  not  to  do  here   •  As  you  can  tell,  not  a  designer  
What  is  Backstop?   I  promise  I’m  not  in  sales.  
  Rack  picture  from  hIp://en.wikipedia.org/wiki/File:Datacenter-­‐telecom.jpg  .    The  rest  should  be   obvious  who  owns  them  
•  Same  places  and  infrastructure,  but:  
Where  we  came  from   <@boss> Hey, we need another server to handle all these customers! <IT> Sure, we can just…
•  From  the  Dell  manual,  as  you  can  imagine  
•  hIp://www.centos.org/docs/5/html/5.2/InstallaAon_Guide/  
•  hIp://www.centos.org/docs/5/html/5.2/InstallaAon_Guide/s1-­‐diskpartsetup-­‐x86.html  
You  get  the  idea   But  wait,  there’s  more!  
centos5.1-­‐aerwork.txt   rpm --import http://dag.wieers.com/rpm/packages/RPM- GPG-KEY.dag.txt wget http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/ rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm yum -y install mod_ssl gcc yum-priorities ncurses- devel httpd-devel apr-devel apr-util-devel apr-devel zlib-devel openssl-devel readline-devel ruby gcc-c++ postfix chkconfig iptables off chkconfig cups off chkconfig ip6tables off
I’m  not  showing  the  whole  file,  I   promise   yum -y install ntp ntpdate 192.168.45.2 chkconfig ntpd on vi /etc/ntp.conf ############# Change server to (IP) if in the cage #################
wc  –l    ==  273   cd /usr/local/ scp -pr root@abe:/usr/local/instantclient-* . ln -s instantclient-10.2.0.4 instantclient cd instantclient ln -s libclntsh.so.10.1 libclntsh.so chmod 755 *.so* chmod 755 sqlplus chmod 755 genezi echo "/usr/local/instantclient" > /etc/ld.so.conf.d/ oracle.conf ldconfig cd /root
So…  that’s  it,  right?   •  Nope.    That’s  just  the  OS,  no  app.   •  Deploy  instrucAons  passed  down  from   developer  to  developer  as  lore  and  legend.  
So  it’s  really  
What  about  VMs?   •  Obviously  no  rack-­‐and-­‐stack,  but  otherwise   the  same   •  Sweet  master-­‐centos-­‐5.1-­‐java-­‐backstop.img   “gold”  file  
What  if  upstream  changes?   •  We  lose   •  Massive  dri  between  machines   “Remember  that  bobo  is  slow  to  run   email  imports”     •  I’m  just  not  going  to  talk  about  patching  
What  if  we  need  to  update  a  package?   $ for server in $(seq 1 254) ; do > ssh root@192.168.xx.$server > “yum update && yum upgrade thing” > done It’s  cool,  I’ll  just  type  that  password  a  lot…   (No  SSH  keys,  of  course)  
What  if  we  need  to  update  a  file?   $ for server in $(seq 1 254) ; do > scp file > root@192.168.xx.$server:/some/where > done Hope  the  files  don’t  differ  between  machines.   (They  do)  
Honestly,  that’s  more  like   $ for server in $(seq 1 254) ; do > ssh –t root@192.168.xx.$server > “vim /some/file” > done My  escape  key  is  strangely  worn  smooth.  
My  reacAon   •  Courtesy  THE  INTERNET   •  Specifically  hIp://www.reacAongifs.com/nope-­‐nope-­‐nope-­‐octopus/  
•  hIp://en.wikipedia.org/wiki/File:The_Scream.jpg  
I’ll  just  give  you  the  punchline  now   •  SAll  have  to  order  and  wait  for  shipping,   Puppet  doesn’t  do  that  (yet)   •  SAll  have  to  rack  the  silly  thing   •  PXE  boot  to  kickstart   •  Kickstart  installs  minimum  to  get  Puppet   running   •  puppet agent –onetime --no-daemonize  on  boot  
•  Jenkins  logo,  of  course,  courtesy  hIps://wiki.jenkins-­‐ci.org/display/JENKINS/Logo   •  “Push  buIon”  image  courtesy  hIp://onemansblog.com/2007/11/29/reinterpreAng-­‐hand-­‐ dryer-­‐symbols/push-­‐buIon-­‐receive-­‐bacon-­‐2/   •  Horrible  ediAng  courtesy  OS  X  Preview’s  “Annotate”  funcAon  
How  did  we  get  there?   •  ~5700  SVN  commits   $ (svn log old-puppet ; svn log puppet26/)| egrep '^r.*lines?$' | wc -l 5721 •  23  authors   $ (svn log old-puppet ; svn log puppet26/)| egrep '^r.*lines?$' | awk '{print $3}' | sort | uniq | wc –l 23 •  3  years,  1  month,  19  days  (as  of  March  13th)   If  anyone  wants  to  do  shell  golf,  I  bet  I  could  combine  those  into  one  command  line  to  get  #  of   commits  and  #  of  disAnct  authors.  
Let’s  talk  about  what  we  learned  
☹  #1  –  Global  variables   •  Once  we  started  configuring  Nagios  via   Puppet  (more  on  that  later),  we  needed  a  way   to  control  if  a  given  box  was  monitored.    Thus:     node /^ib3qad+.investorbridge$/ { $servertype = 'IB3' $serverenv = 'qa' $serverrole = 'frontend' $monitor = false
☹  #1  –  Global  variables   •  What’s  the  code  look  like  for  that?   if ($monitor == true) or ($monitor == 'true') or ($monitor == 'yes') or ($monitor == '') { class{ ‘bsgbase::monitor’: real_ensure => ‘present’, } } else { class{ ‘bsgbase::monitor’: real_ensure => ‘absent’, } }
☹  #1  –  Global  variables   •  Ok,  just  set  $monitor  =  false  anywhere  you   don’t  want  to  monitor.    Sure.   •  What  if  you  want  to  monitor  the  basic  stuff,   but  not  the  app  on  top  of  it?  (like  a  test  box)  
☹  #1  –  Global  variables   node /ib-test-d+/ { (stuff) $monitor_ib = false }
☹  #1  –  Global  variables   •  What  about  a  machine  that  you  don’t  care   about  load  average  on?   node ‘superbusy’ { $monitor = ‘true’ $monitor_load = ‘false’ }
☹  #1  –  Global  variables   •  Guess  what  that  code  looks  like?  
☹  #1  –  Global  variables   •  I’ll  spare  you.    It  has  to  check  $monitor  and   $monitor_load  and  do  the  right  thing.   •  Also,  it  didn’t  fit  in  a  slide.  
☹  #1  –  Global  variables  
☹  #1  –  Global  variables   •  Seemed  like  a  good  idea  at  the  Ame.   •  How  do  we  get  rid  of  it?   •  Turns  out  Puppet  3  does  this  for  you!  
☺  #1  -­‐  Hiera   •  Hiera  to  the  rescue.   •  Our  hierarchy  looks  like:   :hierarchy: - %{fqdn} - %{operatingsystem} - %{location}/%{servertype}/%{serverenv}/% {serverrole} - %{location}/%{servertype}/%{serverenv} - %{location}/%{servertype} - %{location} - common
☺  #1  -­‐  Hiera   •  ProducAon  should  default  to  monitored,  but   other  locaAons  shouldn’t?   $ grep monitor: common.yaml ch3.yaml common.yaml:monitor: 'absent' ch3.yaml:monitor: 'present'
☺  #1  -­‐  Hiera   •  Developers  for  a  certain  app  don’t  want  load   monitoring?   $ grep monitor ch3/docsvc.yaml monitor: 'present’ monitor_load: ‘absent’  
☺  #1  –  Hiera   •  Anywhere  you’ve  got  $something  =   “something”  in  a  module,  think  about  if  it   needs  to  change  per-­‐environment.   •  If  so,  in  Hiera  it  goes!  
☺  #1  –  Hiera   •  Example  #2:  sshd_config   •  Most  machines  need  the  same  one,  but  a  few   get  something  radically  different.    How  do  you   include  a  different  file?  
☺  #1  –  Hiera   class ssh::install { $sshd_template = hiera('sshd_template', 'ssh/sshd_config.erb') file { '/etc/ssh/sshd_config': owner => 'root', group => 'root', mode => '0600', content => template($sshd_template), notify => Class['ssh::service'], } }
☺  #1  –  Hiera   hieradata/ $ ack template . ch3/IT/production/sshjumphost.yaml 3:sshd_template: 'sshjumphost/ sshd_config.erb'
☺  #1  –  Hiera   •  The  more  you  wait  on  installing  it,  the  more   you’ll  have  to  migrate  in.   •  Do  it  now,  even  if  not  everything  lives  in  there   day  one.  
☹  #2  –  Per-­‐something  files   •  Started  innocently  enough:     bweiss@rezal-evad-gib ~/repos/old-puppet $ svn diff -c 29 Index: manifests/nodes.pp ========================================================= --- manifests/nodes.pp (revision 28) +++ manifests/nodes.pp (revision 29) @@ -10,8 +9,14 @@ include rails include oracle include ib3 + $servertype = "IB3" + include sudo }
☹  #2  –  Per-­‐something  files   bweiss@rezal-evad-gib ~/repos/old-puppet $ svn diff -c 27 Index: modules/sudo/manifests/init.pp ========================================================= --- modules/sudo/manifests/init.pp (revision 26) +++ modules/sudo/manifests/init.pp (revision 27) @@ -1,7 +1,18 @@ class sudo { + case $servertype { + "IB3": { include sudo::ib3 } + "BB": { include sudo::bb } + default: { include sudo::default } + } +}
☹  #2  –  Per-­‐something  files   +class sudo::ib3 inherits sudo::common { + file { "/etc/sudoers": + owner => "root", + group => "root", + mode => 440, + source => "puppet:///modules/sudo/ib3-sudoers", + require => Package["sudo"], + } +}
☹  #2  –  Per-­‐something  files   •  Yikes.    I  got  a  liIle  more  clever,  and  this   became:  
☹  #2  –  Per-­‐something  files   file { "/etc/sudoers": owner => "root", group => "root", mode => 0440, source => [ "puppet:///modules/sudo/sudoers.$fqdn", "puppet:///modules/sudo/sudoers.$servertype", "puppet:///modules/sudo/sudoers" ], require => Package["sudo"] }
☹  #2  –  Per-­‐something  files   •  Well...  That’s  not  so  bad,  right?       modules/sudo/files $ ll | wc -l 20  
☹  #2  –  Per-­‐something  files   --------------------------------------------------------- r213 | bweiss | 2010-08-19 16:23:21 -0500 (Thu, 19 Aug 2010) | 1 line Added DevManager group to all systems (cut:  adding  the  same  line  to  20  files)  
☹  #2  –  Per-­‐something  files   •  No  global  “right”  answer.   •  For  this  specific  case,  please  go  download   Example42’s  sudo  module  from  the  Forge.  
☺  #2  –  Compose  those  files   •  You’ll  have  lots  of  cases  where  you  need  to   add  to  a  file  from  other  modules  (or  per-­‐ something).    Don’t  fall  into  the  trap  of   sudoers.${::fqdn}  
☺  #2  –  Compose  those  files   •  Approach  #1:  foo.d  directories   •  Sudo  supports  this  at  the  boIom  of  your     /etc/sudoers/:   #includedir /etc/sudoers.d •  Then  you  can  just  dump  config  snippets  in   /etc/sudoers.d/(whatever)  
☺  #2  –  Compose  those  files   •  Approach  #2:  puppet-­‐concat   •  hIps://github.com/ripienaar/puppet-­‐concat   •  Lets  you  fake  the  foo.d  style  by  gluing  your   file  fragments  together  at  puppet  Ame.   •  Used  like  this:  
☺  #2  –  Compose  those  files   •  Set  up  the  file:   concat{ ‘/some/file’: } •  Add  a  couple  of  blobs   concat::fragment{ ‘blob1’: target => ‘/some/file’, order => 5, content => “Yep, I’m #5”, }
☺  #2  –  Compose  those  files   concat::fragment{ ‘blob2’: target => ‘/some/file’, order => 10, source => ‘puppet:///(etc)/blob2’, } •  That’s  it,  /some/file will  contain  all  those   blocks  in  the  order  you  asked  for.   •  It  shouldn’t  be  your  first  stop,  but  it  works!  
☺  #2  –  Compose  those  files   •  When  all  else  fails,  get  templaAng.   •  It’s  just  Ruby,  you  can  do  this.  
☺  #3  –  Stored  Configs   •  These  look  super  confusing  at  first,  but  they’re   not  bad.   •  On  the  source,  you  do:   @@my_type{‘whatever’: normal => arguments, tag => ‘something’, }
☺  #3  –  Stored  Configs   •  Then,  wherever  you  need  those  resources  to   show  up,  you  do:   My_type <<| tag == ‘something’ |>> { } •  That’s  it.    How  do  you  use  it?  
☺  #3  –  Stored  Configs   •  The  fantasAc  built-­‐in  Nagios  types.   •  On  a  client:   @@nagios_service{“check_load_${::fqdn}”: ensure => ‘present’, (lots of parameters) tag => $::location, } •  $::location  is  something  we  wrote  to   contain  what  datacenter  you’re  in.    Don’t   worry  about  that  part.
☺  #3  –  Stored  Configs   •  On  the  Nagios  server:   Nagios_service <<| tag == $::location |>>{ notify => Class[‘nagios::service’], } (that’s  just  this  side  of  boilerplate)  
☺  #3  –  Stored  Configs   •  Once  the  client  checks  in,  and  then  the  Nagios   server  checks  in,  it’s  monitored.   •  That’s  it.   •  You’ll  need  some  machinery  to  determine   when  to  monitor  what  machine,  of  course,  but   it’s  as  easy  as  that.  
☺  #3  –  Stored  Configs   •  Big  wins  here.   •  Old  manually-­‐configured  Nagios:  ~600   services   •  Puppet-­‐configured  Nagios:  ~800  services   •  I  wonder  what  we  were  missing?  
☺  #3  –  Stored  Configs   •  We’re  working  on  code  to  configure  our  load   balancer  in  the  same  way.   •  Client:   @@load_balance{ “servicename_${::fqdn}”: port => 443, external_name => ‘www.backstopsolutions.com’, }
☺  #3  –  Stored  Configs   •  Then  the  load  balancer  can  just  grab  all  of   those  and  add  them  as  backends!  
☺  #3  –  Stored  Configs   •  Gotchas:   –  Resource  names  have  to  be  globally  unique.    Add   ${::fqdn}  everywhere.   –  You  have  to  have  a  database  to  dump  these  into.     Get  PuppetDB  running!   –  Be  willing  to  dig  in  the  database  to  debug  if   needed.  
☹  #3  –  Convergence  Ame   •  Early  on,  we  decided  to  run  Puppet  only  once   daily,  during  a  Ame  clients  aren’t  using  a   server.   –  Minimizes  the  chances  of  causing  an  outage.   •  Remember  the  order  those  stored  configs   have  to  happen  in?  
☹  #3  –  Convergence  Ame   •  Yep,  have  to  make  sure  all  clients  run  before   the  consumer  of  a  stored  config  does,  or  you’ll   be  out  of  sync.   •  Try  to  run  as  oen  as  possible.    This  reduces   the  amount  of  changes  to  make  per  run,   which  has  less  impact.  
☺  #4  -­‐  mcollecAve   Original  image:  hIp://xkcd.com/353/   Cheapo  ediAng  again  courtesy  OS  X  Preview  “Annotate”  
☺  #4  -­‐  mcollecAve   <dba> The app needs to be down in CH3 before we can do our DR test <IT> I can do that  
☺  #4  -­‐  mcollecAve   It  would  have  been   $ for server in $(seq 1 254) ; do > ssh root@192.168.xx.$server > “/etc/init.d/jboss stop” > done •  Elapsed  Ame,  an  hour  (if  you  type  fast)  
☺  #4  -­‐  mcollecAve   •  Instead:   $ mc-service –W jboss jboss stop   •  Elapsed  Ame:  0.34  seconds   –  I  tested  with  ‘status’,  not  ‘stop’,  to  get  that   number.    Don’t  worry,  it’s  async.  
☺  #4  -­‐  mcollecAve   <IT_1> We added a new DNS server, and we need traffic to go to it ASAP. We don’t want to wait for the puppet run. <IT_2> Sure.
☺  #4  -­‐  mcollecAve   It  would  have  been   •  Oh,  you  know.    Instead,  make  that  Puppet   change,  then:   $ mc-puppetd runonce –f
☺  #4  -­‐  mcollecAve   •  What  machine  has  MAC    90:B1:1C:04:44:3A?   It’s  generaAng  some  strange  traffic.   $ mco find -W macaddress=90:B1:1C:04:44:3A
☺  #4  -­‐  mcollecAve   <dev> Hey, now that VMs get spun up so quickly, I don’t know what all the machines I need to deploy to are. Can I get a list? $ mco find –W app1
☺  #4  -­‐  mcollecAve   •  You’ll  keep  finding  places  to  use  it.   •  To  get  the  full  value,  you’ll  need  to  write  some   code  around  it.    Even  without  that,  it’ll  pay  off.  
☹  #4  -­‐  environments   •  Sadly,  I  can  only  say  what  didn’t  work  here.   •  Puppet  config  is  in  svn   •  /etc/puppet/ is  a  checkout  of  that  on   each  Puppet  server   •  No  branching  strategy,  all  in  trunk  
☹  #4  -­‐  environments   •  Worked  at  first,  one  person  wriAng  manifests   •  Then,  two,  we  knew  what  the  other  person   was  working  on…   •  10  commiIers  this  month,  with  185  commits  
☹  #4  -­‐  environments   •  This  isn’t  a  new  problem.    If  you’re  at  a   development  shop,  you  probably  already  have   a  branching  strategy.    Do  that,  and  get   different  servers  into  different  environments.   •  This  would  also  let  you  have  one  server  for   mulAple  uses.  
☺  #5  –  think  business  terms   •  It’s  easy  to  do  the  normal  flow  in  Puppet  of   package  /  files  /  service.    That’s  useful.   •  BeIer  yet,  talk  about  things  the  business  need   or  wants!   •  Example:  
☺  #5  –  think  business  terms   •  InvestorBridge  hosts  a  website  per  client.     They’re  of  the  form  www.(clientname).com,   and  include  SSL  certs,  an  apache  vhost,   (eventually)  load  balancer  config,  etc.    How’s   that  look  in  Puppet?  
☺  #5  –  think  business  terms   ib3r192::clientsite{ 'backstopadvisors': lastOctet => 199, clientFqdn => 'www.backstopadvisors.com', seconddn => 'backstopadvisors.com', } •  A  liIle  ruby  could  clean  up  that  seconddn   part.    Eh.  
☺  #5  –  think  business  terms   •  That’s  it.    That  configures:   –  IP  for  the  client’s  vhost  (need  an  IP  since  we  have   SSL  certs)   –  Apache  vhost.d  file   –  SSL  cert  gets  dropped  in  the  right  place   –  (Soon)  Load  balancer  config   –  (Soon)  add  it  to  DNS   •  On  mulAple  hosts!  This  works  if  we  have  one   server  or  ten.  
☺  #5  –  think  business  terms   •  There’s  obviously  some  magic:   –  SSL  cert  has  to  be  named  same  as  the  client  name   •  And  a  bunch  of  code   –  6  Puppet  defines  back  there,  and  lots  of  built-­‐in   types   –  Stored  configs  for  the  load  balancer  and  DNS  
☺  #6  –Puppet  as  automaAon  glue   •  We  have  a  fair  number  of  jobs  that  generate  a   file  that  needs  to  go  out  somewhere.   –  DNS  zones   –  O-­‐menAoned  load  balancer  configs   •  Instead  of  wriAng  deploy  jobs  for  each…  
☺  #6  –Puppet  as  automaAon  glue   •  Write  the  files  into  the  puppet  repo  (checked   in)  and  let  it  drop  the  files.   •  You  get  change  tracking  for  free,  and  can  build   all  the  usual  tools  around  it   –  Restart  services  when  their  files  change   –  Test  syntax  before  restarAng  services   •  If  you’re  using  reports,  you’ll  even  find  out  if   things  go  wrong.  
☺  #7  –  VCS  pre-­‐commit  hooks   •  Since  your  Puppet  manifests  are  in  some  VCS   (right?),  and  a  bunch  of  config  files  are  there   as  well,  why  not  test  them?   –  SSL  certs  –  check  to  make  sure  keys  and  certs   match   –  Bind  files  –  check  that  serial  numbers  incremented   •  Heck,  run  named-­‐checkzone  against  them   –  Syntax  check  .pp  files!   –  Syntax  check  .erb  files  
☺  #8  –  don’t  reinvent  the  wheel   •  While  looking  for  code  to  put  in  this,  I  found  a   ton  of  modules  we  wrote  that  exist  in  the   Forge.   •  Those  are  probably  beIer  wriIen.   •  Certainly  beIer  tested.   •  Don’t  be  afraid  to  throw  code  away.  
☺  #8  –  don’t  reinvent  the  wheel   •  You  might  spend  some  Ame  digging  through   the  Forge  to  find  the  right  project.   •  Consider  it  early  payment  for  not  having  to   maintain  the  module  by  yourself.  
QuesAons?  

More Related Content

PDF
Ansible leveraging 2.0
bybcoca
 
PDF
More tips n tricks
bybcoca
 
PDF
Ansible for beginners ...?
byshirou wakayama
 
ODP
Bootstrap your Cloud Infrastructure using puppet and hashicorp stack
byBram Vogelaar
 
PDF
Hacking ansible
bybcoca
 
PDF
Puppet and the HashiStack
byBram Vogelaar
 
PDF
The Grand Puppet Sub-Systems Tour - Nicholas Fagerlund, Puppet Labs
byPuppet
 
PDF
How we use and deploy Varnish at Opera
byCosimo Streppone
 
Ansible leveraging 2.0
bybcoca
 
More tips n tricks
bybcoca
 
Ansible for beginners ...?
byshirou wakayama
 
Bootstrap your Cloud Infrastructure using puppet and hashicorp stack
byBram Vogelaar
 
Hacking ansible
bybcoca
 
Puppet and the HashiStack
byBram Vogelaar
 
The Grand Puppet Sub-Systems Tour - Nicholas Fagerlund, Puppet Labs
byPuppet
 
How we use and deploy Varnish at Opera
byCosimo Streppone
 

What's hot

PPTX
Troubleshooting Puppet
byThomas Howard Uphill
 
PPTX
Best practices for ansible
byGeorge Shuklin
 
PDF
BASH Variables Part 1: Basic Interpolation
byWorkhorse Computing
 
PDF
The Puppet Debugging Kit: Building Blocks for Exploration and Problem Solving...
byPuppet
 
PPTX
Using Ansible Dynamic Inventory with Amazon EC2
byBrian Schott
 
PDF
VUG5: Varnish at Opera Software
byCosimo Streppone
 
PDF
Memory Manglement in Raku
byWorkhorse Computing
 
PDF
Refactoring Infrastructure Code
byNell Shamrell-Harrington
 
PDF
V2 and beyond
byjimi-c
 
PDF
Ansible Meetup Hamburg / Quickstart
byHenry Stamerjohann
 
PDF
FreeBSD: Dev to Prod
bySean Chittenden
 
PDF
Puppet at janrain
byPuppet
 
KEY
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
bySV Ruby on Rails Meetup
 
PDF
Unit Testing Lots of Perl
byWorkhorse Computing
 
PPTX
Ansible fest Presentation slides
byAaron Carey
 
PPTX
DevOps with Fabric
bySimone Federici
 
PDF
Beaker: Automated, Cloud-Based Acceptance Testing - PuppetConf 2014
byPuppet
 
PDF
Fabric workshop(1) - (MOSG)
bySoshi Nemoto
 
PDF
BSDM with BASH: Command Interpolation
byWorkhorse Computing
 
Troubleshooting Puppet
byThomas Howard Uphill
 
Best practices for ansible
byGeorge Shuklin
 
BASH Variables Part 1: Basic Interpolation
byWorkhorse Computing
 
The Puppet Debugging Kit: Building Blocks for Exploration and Problem Solving...
byPuppet
 
Using Ansible Dynamic Inventory with Amazon EC2
byBrian Schott
 
VUG5: Varnish at Opera Software
byCosimo Streppone
 
Memory Manglement in Raku
byWorkhorse Computing
 
Refactoring Infrastructure Code
byNell Shamrell-Harrington
 
V2 and beyond
byjimi-c
 
Ansible Meetup Hamburg / Quickstart
byHenry Stamerjohann
 
FreeBSD: Dev to Prod
bySean Chittenden
 
Puppet at janrain
byPuppet
 
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
bySV Ruby on Rails Meetup
 
Unit Testing Lots of Perl
byWorkhorse Computing
 
Ansible fest Presentation slides
byAaron Carey
 
DevOps with Fabric
bySimone Federici
 
Beaker: Automated, Cloud-Based Acceptance Testing - PuppetConf 2014
byPuppet
 
Fabric workshop(1) - (MOSG)
bySoshi Nemoto
 
BSDM with BASH: Command Interpolation
byWorkhorse Computing
 

Similar to What we Learned Implementing Puppet at Backstop

PPT
Dance for the puppet master: G6 Tech Talk
byMichael Peacock
 
PPTX
Learning Puppet basic thing
byDaeHyung Lee
 
PDF
Puppet fundamentals
byMurali Boyapati
 
PDF
Systems Automation with Puppet
byelliando dias
 
PDF
Using Puppet in Small Infrastructures
byRachel Andrew
 
KEY
20100425 Configuration Management With Puppet Lfnw
bygarrett honeycutt
 
PDF
Cobbler, Func and Puppet: Tools for Large Scale Environments
byViSenze - Artificial Intelligence for the Visual Web
 
PDF
Cobbler, Func and Puppet: Tools for Large Scale Environments
byMichael Zhang
 
PDF
Unix Automation using centralized configuration management tool
byTorrid Networks Private Limited
 
PDF
Unix Automation using centralized configuration management tool
byTorrid Networks Private Limited
 
PDF
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
byNETWAYS
 
PDF
Workflow story: Theory versus practice in Large Enterprises
byPuppet
 
KEY
Puppet for dummies - ZendCon 2011 Edition
byJoshua Thijssen
 
PDF
Setting Up a Cloud Server - Part 1 - Transcript.pdf
byShaiAlmog1
 
PPT
Deploying datacenters with Puppet - PuppetCamp Europe 2010
byPuppet
 
PDF
Puppet managed loadays
byloadays
 
PDF
PuppetCamp SEA 1 - Puppet & FreeBSD
byOlinData
 
PDF
The daemon in puppets
byEdward
 
PDF
PuppetCamp SEA 1 - Puppet & FreeBSD
byWalter Heck
 
PPTX
"Puppet at SpaceX" - Jok Thuau of SpaceX - PuppetCamp LA '12
byPuppet
 
Dance for the puppet master: G6 Tech Talk
byMichael Peacock
 
Learning Puppet basic thing
byDaeHyung Lee
 
Puppet fundamentals
byMurali Boyapati
 
Systems Automation with Puppet
byelliando dias
 
Using Puppet in Small Infrastructures
byRachel Andrew
 
20100425 Configuration Management With Puppet Lfnw
bygarrett honeycutt
 
Cobbler, Func and Puppet: Tools for Large Scale Environments
byViSenze - Artificial Intelligence for the Visual Web
 
Cobbler, Func and Puppet: Tools for Large Scale Environments
byMichael Zhang
 
Unix Automation using centralized configuration management tool
byTorrid Networks Private Limited
 
Unix Automation using centralized configuration management tool
byTorrid Networks Private Limited
 
Workflow story: Theory versus Practice in large enterprises by Marcin Piebiak
byNETWAYS
 
Workflow story: Theory versus practice in Large Enterprises
byPuppet
 
Puppet for dummies - ZendCon 2011 Edition
byJoshua Thijssen
 
Setting Up a Cloud Server - Part 1 - Transcript.pdf
byShaiAlmog1
 
Deploying datacenters with Puppet - PuppetCamp Europe 2010
byPuppet
 
Puppet managed loadays
byloadays
 
PuppetCamp SEA 1 - Puppet & FreeBSD
byOlinData
 
The daemon in puppets
byEdward
 
PuppetCamp SEA 1 - Puppet & FreeBSD
byWalter Heck
 
"Puppet at SpaceX" - Jok Thuau of SpaceX - PuppetCamp LA '12
byPuppet
 

More from Puppet

PPTX
Puppet Community Day: Planning the Future Together
byPuppet
 
PPTX
The Evolution of Puppet: Key Changes and Modernization Tips
byPuppet
 
PPTX
Can You Help Me Upgrade to Puppet 8? Tips, Tools & Best Practices for Your Up...
byPuppet
 
PPTX
Bolt Dynamic Inventory: Making Puppet Easier
byPuppet
 
PPTX
Customizing Reporting with the Puppet Report Processor
byPuppet
 
PPTX
Puppet at ConfigMgmtCamp 2025 Sponsor Deck
byPuppet
 
PPTX
The State of Puppet in 2025: A Presentation from Developer Relations Lead Dav...
byPuppet
 
PPTX
Let Red be Red and Green be Green: The Automated Workflow Restarter in GitHub...
byPuppet
 
PDF
Puppet camp2021 testing modules and controlrepo
byPuppet
 
PPTX
Puppetcamp r10kyaml
byPuppet
 
PDF
2021 04-15 operational verification (with notes)
byPuppet
 
PPTX
Puppet camp vscode
byPuppet
 
PDF
Modules of the twenties
byPuppet
 
PDF
Applying Roles and Profiles method to compliance code
byPuppet
 
PPTX
KGI compliance as-code approach
byPuppet
 
PDF
Enforce compliance policy with model-driven automation
byPuppet
 
PDF
Keynote: Puppet camp compliance
byPuppet
 
PPTX
Automating it management with Puppet + ServiceNow
byPuppet
 
PPTX
Puppet: The best way to harden Windows
byPuppet
 
PPTX
Simplified Patch Management with Puppet - Oct. 2020
byPuppet
 
Puppet Community Day: Planning the Future Together
byPuppet
 
The Evolution of Puppet: Key Changes and Modernization Tips
byPuppet
 
Can You Help Me Upgrade to Puppet 8? Tips, Tools & Best Practices for Your Up...
byPuppet
 
Bolt Dynamic Inventory: Making Puppet Easier
byPuppet
 
Customizing Reporting with the Puppet Report Processor
byPuppet
 
Puppet at ConfigMgmtCamp 2025 Sponsor Deck
byPuppet
 
The State of Puppet in 2025: A Presentation from Developer Relations Lead Dav...
byPuppet
 
Let Red be Red and Green be Green: The Automated Workflow Restarter in GitHub...
byPuppet
 
Puppet camp2021 testing modules and controlrepo
byPuppet
 
Puppetcamp r10kyaml
byPuppet
 
2021 04-15 operational verification (with notes)
byPuppet
 
Puppet camp vscode
byPuppet
 
Modules of the twenties
byPuppet
 
Applying Roles and Profiles method to compliance code
byPuppet
 
KGI compliance as-code approach
byPuppet
 
Enforce compliance policy with model-driven automation
byPuppet
 
Keynote: Puppet camp compliance
byPuppet
 
Automating it management with Puppet + ServiceNow
byPuppet
 
Puppet: The best way to harden Windows
byPuppet
 
Simplified Patch Management with Puppet - Oct. 2020
byPuppet
 

Recently uploaded

PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
DMVPN Tunnels to multi sites in networks
byMahboabAliGhalib
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
Blue Futuristic Cyber Security Presentation.pptx
byrdelosreyes538795
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
Lab 4.3 Automated security scans with Jenkins - 2nd Sight Lab Cloud Security ...
by2nd Sight Lab
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
DMVPN Tunnels to multi sites in networks
byMahboabAliGhalib
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Blue Futuristic Cyber Security Presentation.pptx
byrdelosreyes538795
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Lab 4.3 Automated security scans with Jenkins - 2nd Sight Lab Cloud Security ...
by2nd Sight Lab
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
API-First Architecture in Financial Systems
bycyy111112
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
Lab 4.4 More Cloud Logging and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 

What we Learned Implementing Puppet at Backstop

  • 1.
    Puppet  at  Backstop   Learn  from  our  mistakes   (and  a  few  wins  along  the  way)  
  • 2.
    Who  am  I?   •  Bill  Weiss  <bill@backstopsoluAons.com>   •  @BillWeiss   •  Wrote  a  bunch  of  the  coming  examples  of   what  not  to  do  here   •  As  you  can  tell,  not  a  designer  
  • 3.
    What  is  Backstop?   I  promise  I’m  not  in  sales.  
  • 5.
      Rack  picture  from  hIp://en.wikipedia.org/wiki/File:Datacenter-­‐telecom.jpg  .    The  rest  should  be   obvious  who  owns  them  
  • 6.
    •  Same  places  and  infrastructure,  but:  
  • 7.
    Where  we  came  from   <@boss> Hey, we need another server to handle all these customers! <IT> Sure, we can just…
  • 12.
    •  From  the  Dell  manual,  as  you  can  imagine  
  • 13.
  • 14.
  • 15.
    You  get  the  idea   But  wait,  there’s  more!  
  • 16.
    centos5.1-­‐aerwork.txt   rpm --importhttp://dag.wieers.com/rpm/packages/RPM- GPG-KEY.dag.txt wget http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/ rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm yum -y install mod_ssl gcc yum-priorities ncurses- devel httpd-devel apr-devel apr-util-devel apr-devel zlib-devel openssl-devel readline-devel ruby gcc-c++ postfix chkconfig iptables off chkconfig cups off chkconfig ip6tables off
  • 17.
    I’m  not  showing  the  whole  file,  I   promise   yum -y install ntp ntpdate 192.168.45.2 chkconfig ntpd on vi /etc/ntp.conf ############# Change server to (IP) if in the cage #################
  • 18.
    wc  –l    ==  273   cd /usr/local/ scp -pr root@abe:/usr/local/instantclient-* . ln -s instantclient-10.2.0.4 instantclient cd instantclient ln -s libclntsh.so.10.1 libclntsh.so chmod 755 *.so* chmod 755 sqlplus chmod 755 genezi echo "/usr/local/instantclient" > /etc/ld.so.conf.d/ oracle.conf ldconfig cd /root
  • 19.
    So…  that’s  it,  right?   •  Nope.    That’s  just  the  OS,  no  app.   •  Deploy  instrucAons  passed  down  from   developer  to  developer  as  lore  and  legend.  
  • 20.
  • 21.
    What  about  VMs?   •  Obviously  no  rack-­‐and-­‐stack,  but  otherwise   the  same   •  Sweet  master-­‐centos-­‐5.1-­‐java-­‐backstop.img   “gold”  file  
  • 22.
    What  if  upstream  changes?   •  We  lose   •  Massive  dri  between  machines   “Remember  that  bobo  is  slow  to  run   email  imports”     •  I’m  just  not  going  to  talk  about  patching  
  • 23.
    What  if  we  need  to  update  a  package?   $ for server in $(seq 1 254) ; do > ssh root@192.168.xx.$server > “yum update && yum upgrade thing” > done It’s  cool,  I’ll  just  type  that  password  a  lot…   (No  SSH  keys,  of  course)  
  • 24.
    What  if  we  need  to  update  a  file?   $ for server in $(seq 1 254) ; do > scp file > root@192.168.xx.$server:/some/where > done Hope  the  files  don’t  differ  between  machines.   (They  do)  
  • 25.
    Honestly,  that’s  more  like   $ for server in $(seq 1 254) ; do > ssh –t root@192.168.xx.$server > “vim /some/file” > done My  escape  key  is  strangely  worn  smooth.  
  • 26.
    My  reacAon   • Courtesy  THE  INTERNET   •  Specifically  hIp://www.reacAongifs.com/nope-­‐nope-­‐nope-­‐octopus/  
  • 27.
  • 28.
    I’ll  just  give  you  the  punchline  now   •  SAll  have  to  order  and  wait  for  shipping,   Puppet  doesn’t  do  that  (yet)   •  SAll  have  to  rack  the  silly  thing   •  PXE  boot  to  kickstart   •  Kickstart  installs  minimum  to  get  Puppet   running   •  puppet agent –onetime --no-daemonize  on  boot  
  • 29.
    •  Jenkins  logo,  of  course,  courtesy  hIps://wiki.jenkins-­‐ci.org/display/JENKINS/Logo   •  “Push  buIon”  image  courtesy  hIp://onemansblog.com/2007/11/29/reinterpreAng-­‐hand-­‐ dryer-­‐symbols/push-­‐buIon-­‐receive-­‐bacon-­‐2/   •  Horrible  ediAng  courtesy  OS  X  Preview’s  “Annotate”  funcAon  
  • 30.
    How  did  we  get  there?   •  ~5700  SVN  commits   $ (svn log old-puppet ; svn log puppet26/)| egrep '^r.*lines?$' | wc -l 5721 •  23  authors   $ (svn log old-puppet ; svn log puppet26/)| egrep '^r.*lines?$' | awk '{print $3}' | sort | uniq | wc –l 23 •  3  years,  1  month,  19  days  (as  of  March  13th)   If  anyone  wants  to  do  shell  golf,  I  bet  I  could  combine  those  into  one  command  line  to  get  #  of   commits  and  #  of  disAnct  authors.  
  • 31.
    Let’s  talk  about  what  we  learned  
  • 32.
    ☹  #1  –  Global  variables   •  Once  we  started  configuring  Nagios  via   Puppet  (more  on  that  later),  we  needed  a  way   to  control  if  a  given  box  was  monitored.    Thus:     node /^ib3qad+.investorbridge$/ { $servertype = 'IB3' $serverenv = 'qa' $serverrole = 'frontend' $monitor = false
  • 33.
    ☹  #1  –  Global  variables   •  What’s  the  code  look  like  for  that?   if ($monitor == true) or ($monitor == 'true') or ($monitor == 'yes') or ($monitor == '') { class{ ‘bsgbase::monitor’: real_ensure => ‘present’, } } else { class{ ‘bsgbase::monitor’: real_ensure => ‘absent’, } }
  • 34.
    ☹  #1  –  Global  variables   •  Ok,  just  set  $monitor  =  false  anywhere  you   don’t  want  to  monitor.    Sure.   •  What  if  you  want  to  monitor  the  basic  stuff,   but  not  the  app  on  top  of  it?  (like  a  test  box)  
  • 35.
    ☹  #1  –  Global  variables   node /ib-test-d+/ { (stuff) $monitor_ib = false }
  • 36.
    ☹  #1  –  Global  variables   •  What  about  a  machine  that  you  don’t  care   about  load  average  on?   node ‘superbusy’ { $monitor = ‘true’ $monitor_load = ‘false’ }
  • 37.
    ☹  #1  –  Global  variables   •  Guess  what  that  code  looks  like?  
  • 38.
    ☹  #1  –  Global  variables   •  I’ll  spare  you.    It  has  to  check  $monitor  and   $monitor_load  and  do  the  right  thing.   •  Also,  it  didn’t  fit  in  a  slide.  
  • 39.
    ☹  #1  –  Global  variables  
  • 40.
    ☹  #1  –  Global  variables   •  Seemed  like  a  good  idea  at  the  Ame.   •  How  do  we  get  rid  of  it?   •  Turns  out  Puppet  3  does  this  for  you!  
  • 41.
    ☺  #1  -­‐  Hiera   •  Hiera  to  the  rescue.   •  Our  hierarchy  looks  like:   :hierarchy: - %{fqdn} - %{operatingsystem} - %{location}/%{servertype}/%{serverenv}/% {serverrole} - %{location}/%{servertype}/%{serverenv} - %{location}/%{servertype} - %{location} - common
  • 42.
    ☺  #1  -­‐  Hiera   •  ProducAon  should  default  to  monitored,  but   other  locaAons  shouldn’t?   $ grep monitor: common.yaml ch3.yaml common.yaml:monitor: 'absent' ch3.yaml:monitor: 'present'
  • 43.
    ☺  #1  -­‐  Hiera   •  Developers  for  a  certain  app  don’t  want  load   monitoring?   $ grep monitor ch3/docsvc.yaml monitor: 'present’ monitor_load: ‘absent’  
  • 44.
    ☺  #1  –  Hiera   •  Anywhere  you’ve  got  $something  =   “something”  in  a  module,  think  about  if  it   needs  to  change  per-­‐environment.   •  If  so,  in  Hiera  it  goes!  
  • 45.
    ☺  #1  –  Hiera   •  Example  #2:  sshd_config   •  Most  machines  need  the  same  one,  but  a  few   get  something  radically  different.    How  do  you   include  a  different  file?  
  • 46.
    ☺  #1  –  Hiera   class ssh::install { $sshd_template = hiera('sshd_template', 'ssh/sshd_config.erb') file { '/etc/ssh/sshd_config': owner => 'root', group => 'root', mode => '0600', content => template($sshd_template), notify => Class['ssh::service'], } }
  • 47.
    ☺  #1  –  Hiera   hieradata/ $ ack template . ch3/IT/production/sshjumphost.yaml 3:sshd_template: 'sshjumphost/ sshd_config.erb'
  • 48.
    ☺  #1  –  Hiera   •  The  more  you  wait  on  installing  it,  the  more   you’ll  have  to  migrate  in.   •  Do  it  now,  even  if  not  everything  lives  in  there   day  one.  
  • 49.
    ☹  #2  –  Per-­‐something  files   •  Started  innocently  enough:     bweiss@rezal-evad-gib ~/repos/old-puppet $ svn diff -c 29 Index: manifests/nodes.pp ========================================================= --- manifests/nodes.pp (revision 28) +++ manifests/nodes.pp (revision 29) @@ -10,8 +9,14 @@ include rails include oracle include ib3 + $servertype = "IB3" + include sudo }
  • 50.
    ☹  #2  –  Per-­‐something  files   bweiss@rezal-evad-gib ~/repos/old-puppet $ svn diff -c 27 Index: modules/sudo/manifests/init.pp ========================================================= --- modules/sudo/manifests/init.pp (revision 26) +++ modules/sudo/manifests/init.pp (revision 27) @@ -1,7 +1,18 @@ class sudo { + case $servertype { + "IB3": { include sudo::ib3 } + "BB": { include sudo::bb } + default: { include sudo::default } + } +}
  • 51.
    ☹  #2  –  Per-­‐something  files   +class sudo::ib3 inherits sudo::common { + file { "/etc/sudoers": + owner => "root", + group => "root", + mode => 440, + source => "puppet:///modules/sudo/ib3-sudoers", + require => Package["sudo"], + } +}
  • 52.
    ☹  #2  –  Per-­‐something  files   •  Yikes.    I  got  a  liIle  more  clever,  and  this   became:  
  • 53.
    ☹  #2  –  Per-­‐something  files   file { "/etc/sudoers": owner => "root", group => "root", mode => 0440, source => [ "puppet:///modules/sudo/sudoers.$fqdn", "puppet:///modules/sudo/sudoers.$servertype", "puppet:///modules/sudo/sudoers" ], require => Package["sudo"] }
  • 54.
    ☹  #2  –  Per-­‐something  files   •  Well...  That’s  not  so  bad,  right?       modules/sudo/files $ ll | wc -l 20  
  • 55.
    ☹  #2  –  Per-­‐something  files   --------------------------------------------------------- r213 | bweiss | 2010-08-19 16:23:21 -0500 (Thu, 19 Aug 2010) | 1 line Added DevManager group to all systems (cut:  adding  the  same  line  to  20  files)  
  • 56.
    ☹  #2  –  Per-­‐something  files   •  No  global  “right”  answer.   •  For  this  specific  case,  please  go  download   Example42’s  sudo  module  from  the  Forge.  
  • 57.
    ☺  #2  –  Compose  those  files   •  You’ll  have  lots  of  cases  where  you  need  to   add  to  a  file  from  other  modules  (or  per-­‐ something).    Don’t  fall  into  the  trap  of   sudoers.${::fqdn}  
  • 58.
    ☺  #2  –  Compose  those  files   •  Approach  #1:  foo.d  directories   •  Sudo  supports  this  at  the  boIom  of  your     /etc/sudoers/:   #includedir /etc/sudoers.d •  Then  you  can  just  dump  config  snippets  in   /etc/sudoers.d/(whatever)  
  • 59.
    ☺  #2  –  Compose  those  files   •  Approach  #2:  puppet-­‐concat   •  hIps://github.com/ripienaar/puppet-­‐concat   •  Lets  you  fake  the  foo.d  style  by  gluing  your   file  fragments  together  at  puppet  Ame.   •  Used  like  this:  
  • 60.
    ☺  #2  –  Compose  those  files   •  Set  up  the  file:   concat{ ‘/some/file’: } •  Add  a  couple  of  blobs   concat::fragment{ ‘blob1’: target => ‘/some/file’, order => 5, content => “Yep, I’m #5”, }
  • 61.
    ☺  #2  –  Compose  those  files   concat::fragment{ ‘blob2’: target => ‘/some/file’, order => 10, source => ‘puppet:///(etc)/blob2’, } •  That’s  it,  /some/file will  contain  all  those   blocks  in  the  order  you  asked  for.   •  It  shouldn’t  be  your  first  stop,  but  it  works!  
  • 62.
    ☺  #2  –  Compose  those  files   •  When  all  else  fails,  get  templaAng.   •  It’s  just  Ruby,  you  can  do  this.  
  • 63.
    ☺  #3  –  Stored  Configs   •  These  look  super  confusing  at  first,  but  they’re   not  bad.   •  On  the  source,  you  do:   @@my_type{‘whatever’: normal => arguments, tag => ‘something’, }
  • 64.
    ☺  #3  –  Stored  Configs   •  Then,  wherever  you  need  those  resources  to   show  up,  you  do:   My_type <<| tag == ‘something’ |>> { } •  That’s  it.    How  do  you  use  it?  
  • 65.
    ☺  #3  –  Stored  Configs   •  The  fantasAc  built-­‐in  Nagios  types.   •  On  a  client:   @@nagios_service{“check_load_${::fqdn}”: ensure => ‘present’, (lots of parameters) tag => $::location, } •  $::location  is  something  we  wrote  to   contain  what  datacenter  you’re  in.    Don’t   worry  about  that  part.
  • 66.
    ☺  #3  –  Stored  Configs   •  On  the  Nagios  server:   Nagios_service <<| tag == $::location |>>{ notify => Class[‘nagios::service’], } (that’s  just  this  side  of  boilerplate)  
  • 67.
    ☺  #3  –  Stored  Configs   •  Once  the  client  checks  in,  and  then  the  Nagios   server  checks  in,  it’s  monitored.   •  That’s  it.   •  You’ll  need  some  machinery  to  determine   when  to  monitor  what  machine,  of  course,  but   it’s  as  easy  as  that.  
  • 68.
    ☺  #3  –  Stored  Configs   •  Big  wins  here.   •  Old  manually-­‐configured  Nagios:  ~600   services   •  Puppet-­‐configured  Nagios:  ~800  services   •  I  wonder  what  we  were  missing?  
  • 69.
    ☺  #3  –  Stored  Configs   •  We’re  working  on  code  to  configure  our  load   balancer  in  the  same  way.   •  Client:   @@load_balance{ “servicename_${::fqdn}”: port => 443, external_name => ‘www.backstopsolutions.com’, }
  • 70.
    ☺  #3  –  Stored  Configs   •  Then  the  load  balancer  can  just  grab  all  of   those  and  add  them  as  backends!  
  • 71.
    ☺  #3  –  Stored  Configs   •  Gotchas:   –  Resource  names  have  to  be  globally  unique.    Add   ${::fqdn}  everywhere.   –  You  have  to  have  a  database  to  dump  these  into.     Get  PuppetDB  running!   –  Be  willing  to  dig  in  the  database  to  debug  if   needed.  
  • 72.
    ☹  #3  –  Convergence  Ame   •  Early  on,  we  decided  to  run  Puppet  only  once   daily,  during  a  Ame  clients  aren’t  using  a   server.   –  Minimizes  the  chances  of  causing  an  outage.   •  Remember  the  order  those  stored  configs   have  to  happen  in?  
  • 73.
    ☹  #3  –  Convergence  Ame   •  Yep,  have  to  make  sure  all  clients  run  before   the  consumer  of  a  stored  config  does,  or  you’ll   be  out  of  sync.   •  Try  to  run  as  oen  as  possible.    This  reduces   the  amount  of  changes  to  make  per  run,   which  has  less  impact.  
  • 74.
    ☺  #4  -­‐  mcollecAve   Original  image:  hIp://xkcd.com/353/   Cheapo  ediAng  again  courtesy  OS  X  Preview  “Annotate”  
  • 75.
    ☺  #4  -­‐  mcollecAve   <dba> The app needs to be down in CH3 before we can do our DR test <IT> I can do that  
  • 76.
    ☺  #4  -­‐  mcollecAve   It  would  have  been   $ for server in $(seq 1 254) ; do > ssh root@192.168.xx.$server > “/etc/init.d/jboss stop” > done •  Elapsed  Ame,  an  hour  (if  you  type  fast)  
  • 77.
    ☺  #4  -­‐  mcollecAve   •  Instead:   $ mc-service –W jboss jboss stop   •  Elapsed  Ame:  0.34  seconds   –  I  tested  with  ‘status’,  not  ‘stop’,  to  get  that   number.    Don’t  worry,  it’s  async.  
  • 78.
    ☺  #4  -­‐  mcollecAve   <IT_1> We added a new DNS server, and we need traffic to go to it ASAP. We don’t want to wait for the puppet run. <IT_2> Sure.
  • 79.
    ☺  #4  -­‐  mcollecAve   It  would  have  been   •  Oh,  you  know.    Instead,  make  that  Puppet   change,  then:   $ mc-puppetd runonce –f
  • 80.
    ☺  #4  -­‐  mcollecAve   •  What  machine  has  MAC    90:B1:1C:04:44:3A?   It’s  generaAng  some  strange  traffic.   $ mco find -W macaddress=90:B1:1C:04:44:3A
  • 81.
    ☺  #4  -­‐  mcollecAve   <dev> Hey, now that VMs get spun up so quickly, I don’t know what all the machines I need to deploy to are. Can I get a list? $ mco find –W app1
  • 82.
    ☺  #4  -­‐  mcollecAve   •  You’ll  keep  finding  places  to  use  it.   •  To  get  the  full  value,  you’ll  need  to  write  some   code  around  it.    Even  without  that,  it’ll  pay  off.  
  • 83.
    ☹  #4  -­‐  environments   •  Sadly,  I  can  only  say  what  didn’t  work  here.   •  Puppet  config  is  in  svn   •  /etc/puppet/ is  a  checkout  of  that  on   each  Puppet  server   •  No  branching  strategy,  all  in  trunk  
  • 84.
    ☹  #4  -­‐  environments   •  Worked  at  first,  one  person  wriAng  manifests   •  Then,  two,  we  knew  what  the  other  person   was  working  on…   •  10  commiIers  this  month,  with  185  commits  
  • 85.
    ☹  #4  -­‐  environments   •  This  isn’t  a  new  problem.    If  you’re  at  a   development  shop,  you  probably  already  have   a  branching  strategy.    Do  that,  and  get   different  servers  into  different  environments.   •  This  would  also  let  you  have  one  server  for   mulAple  uses.  
  • 86.
    ☺  #5  –  think  business  terms   •  It’s  easy  to  do  the  normal  flow  in  Puppet  of   package  /  files  /  service.    That’s  useful.   •  BeIer  yet,  talk  about  things  the  business  need   or  wants!   •  Example:  
  • 87.
    ☺  #5  –  think  business  terms   •  InvestorBridge  hosts  a  website  per  client.     They’re  of  the  form  www.(clientname).com,   and  include  SSL  certs,  an  apache  vhost,   (eventually)  load  balancer  config,  etc.    How’s   that  look  in  Puppet?  
  • 88.
    ☺  #5  –  think  business  terms   ib3r192::clientsite{ 'backstopadvisors': lastOctet => 199, clientFqdn => 'www.backstopadvisors.com', seconddn => 'backstopadvisors.com', } •  A  liIle  ruby  could  clean  up  that  seconddn   part.    Eh.  
  • 89.
    ☺  #5  –  think  business  terms   •  That’s  it.    That  configures:   –  IP  for  the  client’s  vhost  (need  an  IP  since  we  have   SSL  certs)   –  Apache  vhost.d  file   –  SSL  cert  gets  dropped  in  the  right  place   –  (Soon)  Load  balancer  config   –  (Soon)  add  it  to  DNS   •  On  mulAple  hosts!  This  works  if  we  have  one   server  or  ten.  
  • 90.
    ☺  #5  –  think  business  terms   •  There’s  obviously  some  magic:   –  SSL  cert  has  to  be  named  same  as  the  client  name   •  And  a  bunch  of  code   –  6  Puppet  defines  back  there,  and  lots  of  built-­‐in   types   –  Stored  configs  for  the  load  balancer  and  DNS  
  • 91.
    ☺  #6  –Puppet  as  automaAon  glue   •  We  have  a  fair  number  of  jobs  that  generate  a   file  that  needs  to  go  out  somewhere.   –  DNS  zones   –  O-­‐menAoned  load  balancer  configs   •  Instead  of  wriAng  deploy  jobs  for  each…  
  • 92.
    ☺  #6  –Puppet  as  automaAon  glue   •  Write  the  files  into  the  puppet  repo  (checked   in)  and  let  it  drop  the  files.   •  You  get  change  tracking  for  free,  and  can  build   all  the  usual  tools  around  it   –  Restart  services  when  their  files  change   –  Test  syntax  before  restarAng  services   •  If  you’re  using  reports,  you’ll  even  find  out  if   things  go  wrong.  
  • 93.
    ☺  #7  –  VCS  pre-­‐commit  hooks   •  Since  your  Puppet  manifests  are  in  some  VCS   (right?),  and  a  bunch  of  config  files  are  there   as  well,  why  not  test  them?   –  SSL  certs  –  check  to  make  sure  keys  and  certs   match   –  Bind  files  –  check  that  serial  numbers  incremented   •  Heck,  run  named-­‐checkzone  against  them   –  Syntax  check  .pp  files!   –  Syntax  check  .erb  files  
  • 94.
    ☺  #8  –  don’t  reinvent  the  wheel   •  While  looking  for  code  to  put  in  this,  I  found  a   ton  of  modules  we  wrote  that  exist  in  the   Forge.   •  Those  are  probably  beIer  wriIen.   •  Certainly  beIer  tested.   •  Don’t  be  afraid  to  throw  code  away.  
  • 95.
    ☺  #8  –  don’t  reinvent  the  wheel   •  You  might  spend  some  Ame  digging  through   the  Forge  to  find  the  right  project.   •  Consider  it  early  payment  for  not  having  to   maintain  the  module  by  yourself.  
  • 96.