1. Your browser doesn't support the features required by impress.js, so you are presented with a simplified
version of this presentation.
For the best experience please use the latest Chrome or Safari browser. Firefox 10 (to be released soon) will
also handle it.
Integrating CloudStack With
Puppet
Jason Hancock
jsnbyh@gmail.com
@jsnby
http://geek.jasonhancock.com
May 2012
Goals:
Do NOT use Puppet's auto­signing
feature
Instances receive all config via Puppet
Minimize the number of CloudStack
templates
No manual intervention

2. Translation:
Make one API call to launch the VM,
the automation takes over and puts
the box into production.
Puppet's auto certificate signing
Allows you to automatically sign any
certificate from a given domain
Exposes a vulnerability because
anyone can now connect and have a
cert signed
Working around auto­signing:
We decided to seed a pre­signed
certificate into the templates. Ran into
a couple of issues though...
/etc/puppet/puppet.conf on the client:

3. [gn]
aet
..
.
crnm =cmue0
etae opt01
nd_ae=fce
oenm atr
nd_aefc =fd
oenm_at qn
The n d _ a e
o e n m and n d _ a e f c settings
oenm_at
were necessary because the Puppet client thought it's
node name was "compute001".
Had to modify /etc/puppet/auth.conf on the Puppet
master. Details about why and what to change found
in issue 2128:
#alwndst rtiv teronctlg
lo oe o eree hi w aao
#(etercniuain
i hi ofgrto)
#ah~^ctlg(^])
pt /aao/[/+$
#ehdfn
mto id
#lo $
alw 1
#Ti cag alw u t ueacmo
hs hne los s o s omn
#criiaears mlil nds
etfct cos utpe oe.
pt ~/aao/+
ah ctlg.
alw*
lo
Enable Puppet to run as soon as

4. the box starts:
Turn off splay!
chkconfig Puppet on!
Passing a $ : o e
: r l (and other facts)
to Puppet.
We use CloudStack's user­data to
store key=value pairs (up to 2KB) that
get loaded into facts on the client
Code to load user­data into facts is
available on Github.
Implementing $ : o e
: r l on the
Puppet side.

5. Everyone is a default node. We don't
have to worry about adding nodes to
site.pp, conforming to a host naming
convention, or adding meta­data to an
ENC.
Our simplified* site.pp:
ipr 'ae
mot bs'
nd dfut{
oe eal
icuebs
nld ae
}
*Irrelevant stuff omitted for clarity
Excerpts from base.pp:
casbs {
ls ae
..
.
#Icue ta apyt almcie
nlds ht pl o l ahns

6. ..
.
#rl-pcfcicue
oeseii nlds
cs $:oe{
ae :rl
'oeoe:{
smrl'
icuesmrl
nld oeoe
}
'terl' {
ohroe:
icueohroe
nld terl
}
}
}
What about $ : n i o m n ? Don't
:evrnet
forget dev/qa/staging nodes!
You can pass the environment the
same way we set $::role, by adding
another key/value pair to the user­
data. There is a catch though...
It is impossible to know during the
plugin­sync stage what environment a
node belongs to.

7. The node will default to whatever's
specified in puppet.conf (or to
production if not specified).
When is this a problem?
When testing new facts/modules.
Shifting gears...Let's talk about
cleanup!
You are using stored configurations to
automatically add nodes to Nagios
(right?)
But now we're working in the cloud.
So we destory/terminate that

8. instance...
And your phone is blowing up with
Nagios alerts
Compare hosts in Puppet's DB vs.
hosts running in the cloud, removing
any hosts from DB that are no longer
running in the cloud.
Removing from Puppet's DB:
Old way:
puppetstoredconfigclean.rb <hostname>
New way:
puppet node clean <hostname>
A script to call
puppetstoredconfigclean.rb based on

9. what's running in a CloudStack cloud
can be found on github.
That removed it from puppet's DB.
What about actually cleaning up the
Nagios host?
I have another script that connects to
puppet's DB and removes any host
configurations from the nagios server
that aren't in the DB.
There is a better way...(I just haven't
played with it yet).
"puppet node clean" has an option to
un­export any exported resources.
Un­export the resources and let them

10. clean themselves up!
This presentation is available at:
https://github.com/jasonhancock/presentation